rfc9499xml2.original.xml | rfc9499.xml | |||
---|---|---|---|---|
<?xml version="1.0" encoding="US-ASCII"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | <!DOCTYPE rfc [ | |||
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ | <!ENTITY nbsp " "> | |||
<!ENTITY zwsp "​"> | ||||
<!ENTITY nbhy "‑"> | ||||
<!ENTITY wj "⁠"> | ||||
]> | ]> | |||
<?rfc toc="yes"?> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-dnsop-rfc849 | |||
<?rfc tocdepth="4"?> | 9bis-10" number="9499" ipr="trust200902" submissionType="IETF" category="bcp" co | |||
<?rfc sortrefs="yes"?> | nsensus="true" obsoletes="8499" updates="2308" xml:lang="en" tocInclude="true" t | |||
<?rfc symrefs="yes"?> | ocDepth="4" sortRefs="false" symRefs="true" version="3"> | |||
<?rfc compact="yes"?> | ||||
<?rfc subcompact="no"?> | ||||
<rfc docName="draft-ietf-dnsop-rfc8499bis-10" | ||||
ipr="trust200902" category="bcp" obsoletes="8499" updates="2308" consensu | ||||
s="yes"> | ||||
<front> | ||||
<title abbrev="DNS Terminology">DNS Terminology</title> | ||||
<author initials="P." surname="Hoffman" fullname="Paul Hoffman"> | ||||
<organization>ICANN</organization> | ||||
<address> | ||||
<email>paul.hoffman@icann.org</email> | ||||
</address> | ||||
</author> | ||||
<author initials="K." surname="Fujiwara" fullname="Kazunori Fujiwara"> | ||||
<organization abbrev="JPRS">Japan Registry Services Co., Ltd.</organization> | ||||
<address> | ||||
<email>fujiwara@jprs.co.jp</email> | ||||
</address> | ||||
</author> | ||||
<date/> | ||||
<area>Internet</area> | ||||
<keyword>vocabulary, domain name system</keyword> | ||||
<abstract> | ||||
<t>The Domain Name System (DNS) is defined in literally dozens of | <!-- xml2rfc v2v3 conversion 3.18.0 --> | |||
<front> | ||||
<title abbrev="DNS Terminology">DNS Terminology</title> | ||||
<seriesInfo name="RFC" value="9499"/> | ||||
<seriesInfo name="BCP" value="219"/> | ||||
<author initials="P." surname="Hoffman" fullname="Paul Hoffman"> | ||||
<organization>ICANN</organization> | ||||
<address> | ||||
<email>paul.hoffman@icann.org</email> | ||||
</address> | ||||
</author> | ||||
<author initials="K." surname="Fujiwara" fullname="Kazunori Fujiwara"> | ||||
<organization abbrev="JPRS">Japan Registry Services Co., Ltd.</organizatio | ||||
n> | ||||
<address> | ||||
<email>fujiwara@jprs.co.jp</email> | ||||
</address> | ||||
</author> | ||||
<date year="2024" month="March"/> | ||||
<area>ops</area> | ||||
<workgroup>dnsop</workgroup> | ||||
<keyword>vocabulary</keyword> | ||||
<keyword>domain name system</keyword> | ||||
<abstract> | ||||
<t>The Domain Name System (DNS) is defined in literally dozens of | ||||
different RFCs. The terminology used by implementers and developers of | different RFCs. The terminology used by implementers and developers of | |||
DNS protocols, and by operators of DNS systems, has changed | DNS protocols, and by operators of DNS systems, has changed | |||
in the decades since the DNS was first defined. This document gives | in the decades since the DNS was first defined. This document gives | |||
current definitions for many of the terms used in the DNS in a single | current definitions for many of the terms used in the DNS in a single | |||
document.</t> | document.</t> | |||
<t>This document updates RFC 2308 by clarifying the definitions of "forwar | ||||
<t>This document updates RFC 2308 by clarifying the definitions of "forwarder" a | der" and "QNAME". | |||
nd "QNAME". | ||||
It obsoletes RFC 8499 by adding multiple terms and clarifications. | It obsoletes RFC 8499 by adding multiple terms and clarifications. | |||
Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t> | Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t> | |||
</abstract> | ||||
</abstract> | </front> | |||
<middle> | ||||
</front> | <section anchor="introduction" numbered="true" toc="default"> | |||
<name>Introduction</name> | ||||
<middle> | <t>The Domain Name System (DNS) is a simple query-response protocol | |||
whose messages in both directions have the same format. (<xref target="names" f | ||||
<section anchor="introduction" title="Introduction"> | ormat="default"/> gives a definition of "global DNS", which is often | |||
<t>The Domain Name System (DNS) is a simple query-response protocol | ||||
whose messages in both directions have the same format. (<xref | ||||
target="names"/> gives a definition of "global DNS", which is often | ||||
what people mean when they say "the DNS".) The protocol and message | what people mean when they say "the DNS".) The protocol and message | |||
format are defined in <xref target="RFC1034"/> and <xref | format are defined in <xref target="RFC1034" format="default"/> and <xref target | |||
target="RFC1035"/>. These RFCs defined some terms, and later documents | ="RFC1035" format="default"/>. These RFCs defined some terms, and later document | |||
defined others. Some of the terms from <xref target="RFC1034"/> and | s | |||
<xref target="RFC1035"/> have somewhat different meanings now than | defined others. Some of the terms from <xref target="RFC1034" format="default"/> | |||
and | ||||
<xref target="RFC1035" format="default"/> have somewhat different meanings now t | ||||
han | ||||
they did in 1987.</t> | they did in 1987.</t> | |||
<t>This document contains a collection of a wide variety of DNS-related te | ||||
<t>This document contains a collection of a wide variety of DNS-related terms, | rms, | |||
organized loosely by topic. Some of them have been precisely defined in earlier | organized loosely by topic. Some of them have been precisely defined in earlier | |||
RFCs, some have been loosely defined in earlier RFCs, and some are not defined | RFCs, some have been loosely defined in earlier RFCs, and some are not defined | |||
in an earlier RFC at all.</t> | in an earlier RFC at all.</t> | |||
<t>Other organizations sometimes define DNS-related terms in their own way | ||||
<t>Other organizations sometimes define DNS-related terms their own way. | . | |||
For example, the WHATWG defines "domain" at | For example, the WHATWG defines "domain" at <eref brackets="angle" target="https | |||
<https://url.spec.whatwg.org/>. | ://url.spec.whatwg.org/"/>. | |||
The Root Server System Advisory Committee (RSSAC) has a good | The Root Server System Advisory Committee (RSSAC) has a good | |||
lexicon <xref target="RSSAC026"/>. | lexicon <xref target="RSSAC026" format="default"/>. | |||
</t> | </t> | |||
<t>Most of the definitions listed here represent the consensus definition | ||||
<t>Most of the definitions listed here represent the consensus definition of the | of the DNS | |||
DNS | ||||
community -- both protocol developers and operators. Some of the definitions | community -- both protocol developers and operators. Some of the definitions | |||
differ from earlier RFCs, and those differences are noted. | differ from earlier RFCs, and those differences are noted. | |||
In this document, where the consensus definition is the same as the one in | In this document, where the consensus definition is the same as the one in | |||
an RFC, that RFC is quoted. Where the consensus definition has changed somewhat, | an RFC, that RFC is quoted. Where the consensus definition has changed somewhat, | |||
the RFC is mentioned but the new stand-alone definition is given. | the RFC is mentioned but the new stand-alone definition is given. | |||
See <xref target="updates-list"/> for a list of the definitions | See <xref target="updates-list" format="default"/> for a list of the definitions | |||
that this document updates.</t> | that this document updates.</t> | |||
<t>It is important to note that, | ||||
<t>It is important to note that, | ||||
during the development of this document, it became clear that some DNS-related t erms | during the development of this document, it became clear that some DNS-related t erms | |||
are interpreted quite differently by different DNS experts. Further, some terms | are interpreted quite differently by different DNS experts. Further, some terms | |||
that are defined in early DNS RFCs now have definitions that are generally agree d to, but | that are defined in early DNS RFCs now have definitions that are generally agree d to, but | |||
that are different from the original definitions. | that are different from the original definitions. | |||
This document is a small revision to <xref target="RFC8499"/>; that document was | This document is a small revision to <xref target="RFC8499" format="default"/>; | |||
a substantial revision to <xref target="RFC7719"/>.</t> | that document was | |||
a substantial revision to <xref target="RFC7719" format="default"/>.</t> | ||||
<t>Note that there is no single consistent definition of "the DNS". It can be co | <t>Note that there is no single consistent definition of "the DNS". It can | |||
nsidered to be some | be considered to be some | |||
combination of the following: a commonly used naming scheme for objects on the I nternet; a distributed database representing | combination of the following: a commonly used naming scheme for objects on the I nternet; a distributed database representing | |||
the names and certain properties of these objects; an architecture providing dis tributed | the names and certain properties of these objects; an architecture providing dis tributed | |||
maintenance, resilience, and loose coherency for this database; and a simple que ry-response protocol | maintenance, resilience, and loose coherency for this database; and a simple que ry-response protocol | |||
(as mentioned below) implementing this architecture. <xref target="names"/> defi nes | (as mentioned below) implementing this architecture. <xref target="names" format ="default"/> defines | |||
"global DNS" and "private DNS" as a way to deal with these differing definitions .</t> | "global DNS" and "private DNS" as a way to deal with these differing definitions .</t> | |||
<t>Capitalization in DNS terms is often inconsistent among RFCs and | ||||
<t>Capitalization in DNS terms is often inconsistent among RFCs and | ||||
various DNS practitioners. The capitalization used in this document is a best | various DNS practitioners. The capitalization used in this document is a best | |||
guess at current practices, and is not meant to indicate that other | guess at current practices, and is not meant to indicate that other | |||
capitalization styles are wrong or archaic. | capitalization styles are wrong or archaic. | |||
In some cases, multiple styles of capitalization are used for the same term due to quoting | In some cases, multiple styles of capitalization are used for the same term due to quoting | |||
from different RFCs.</t> | from different RFCs.</t> | |||
<t>In this document, the words "byte" and "octet" are used interchangeably | ||||
<t>In this document, the words "byte" and "octet" are used interchangably. | . | |||
They both appear here because they both appear in the earlier RFCs that defined | They appear here because they both appear in the earlier RFCs that defined terms | |||
terms in the DNS.</t> | in the DNS.</t> | |||
<t>Readers should note that the terms in this document are grouped by topi | ||||
<t>Readers should note that the terms in this document are grouped by topic. | c. | |||
Someone who is not already familiar with the DNS probably cannot | Someone who is not already familiar with the DNS probably cannot | |||
learn about the DNS from scratch by reading this document from front to back. | learn about the DNS from scratch by reading this document from front to back. | |||
Instead, skipping around may be the only way to get enough context to | Instead, skipping around may be the only way to get enough context to | |||
understand some of the definitions. This document has an index that might be use ful for | understand some of the definitions. This document has an index that might be use ful for | |||
readers who are attempting to learn the DNS by reading this document.</t> | readers who are attempting to learn the DNS by reading this document.</t> | |||
</section> | ||||
</section> | <section anchor="names" numbered="true" toc="default"> | |||
<name>Names</name> | ||||
<section anchor="names" title="Names"> | <dl newline="false" spacing="normal"> | |||
<t><list style="hanging"> | <dt>Naming system:</dt> | |||
<dd> | ||||
<t hangText='Naming system:'> | <t><iref item="Naming system" subitem="" primary="false"/> | |||
<iref item='Naming system'/> | ||||
A naming system associates names with data. Naming systems have many significant facets | A naming system associates names with data. Naming systems have many significant facets | |||
that help differentiate them from each other. Some commonly identified facets in clude: | that help differentiate them from each other. Some commonly identified facets in clude: | |||
<list style="symbols"> | </t> | |||
<t>Composition of names</t> | <ul spacing="normal"> | |||
<t>Format of names</t> | <li>Composition of names</li> | |||
<t>Administration of names</t> | <li>Format of names</li> | |||
<t>Types of data that can be associated with names</t> | <li>Administration of names</li> | |||
<t>Types of metadata for names</t> | <li>Types of data that can be associated with names</li> | |||
<t>Protocol for getting data from a name</t> | <li>Types of metadata for names</li> | |||
<t>Context for resolving a name</t> | <li>Protocol for getting data from a name</li> | |||
</list></t> | <li>Context for resolving a name</li> | |||
</ul> | ||||
<t>Note that this list is a small subset of facets that people have identified o | </dd> | |||
ver time | <dt/> | |||
<dd>Note that this list is a small subset of facets that people have ide | ||||
ntified over time | ||||
for naming systems, and the IETF has yet to agree on a good set of facets that c an be used | for naming systems, and the IETF has yet to agree on a good set of facets that c an be used | |||
to compare naming systems. For example, other facets might include "protocol to update | to compare naming systems. For example, other facets might include "protocol to update | |||
data in a name", "privacy of names", and "privacy of data associated with names" , but | data in a name", "privacy of names", and "privacy of data associated with names" , but | |||
those are not as well defined as the ones listed above. The list here is chosen because it | those are not as well defined as the ones listed above. The list here is chosen because it | |||
helps describe the DNS and naming systems similar to the DNS.</t> | helps describe the DNS and naming systems similar to the DNS.</dd> | |||
<dt>Domain name:</dt> | ||||
<t hangText='Domain name:'> | <dd> | |||
<iref item='Domain name'/> | <iref item="Domain name" subitem="" primary="false"/> | |||
An ordered list of one or more labels.</t> | An ordered list of one or more labels.</dd> | |||
<dt/> | ||||
<t>Note that this is a definition independent of the DNS RFCs (<xref target="RFC | <dd>Note that this is a definition independent of the DNS RFCs (<xref ta | |||
1034"/> and <xref target="RFC1035"/>), and the definition here | rget="RFC1034" format="default"/> and <xref target="RFC1035" format="default"/>) | |||
also applies to systems other than the DNS. <xref target="RFC1034"/> defines the | , and the definition here | |||
"domain | also applies to systems other than the DNS. <xref target="RFC1034" format="defau | |||
lt"/> defines the "domain | ||||
name space" using mathematical trees and their nodes in graph theory, and that d efinition | name space" using mathematical trees and their nodes in graph theory, and that d efinition | |||
has the same practical result as the definition here. Any path of a directed acy clic graph | has the same practical result as the definition here. Any path of a directed acy clic graph | |||
can be represented by a domain name consisting of the labels of its nodes, order ed by | can be represented by a domain name consisting of the labels of its nodes, order ed by | |||
decreasing distance from the root(s) (which is the normal convention within the DNS, | decreasing distance from the root(s) (which is the normal convention within the DNS, | |||
including this document). A domain name whose last label identifies a root of th e graph is | including this document). A domain name whose last label identifies a root of th e graph is | |||
fully qualified; other domain names whose labels form a strict prefix of a fully | fully qualified; other domain names whose labels form a strict prefix of a fully | |||
-qualified | qualified | |||
domain name are relative to its first omitted node.</t> | domain name are relative to its first omitted node.</dd> | |||
<dt/> | ||||
<t>Also note that different IETF and non-IETF documents have used the term "doma | <dd>Also note that different IETF and non-IETF documents have used the t | |||
in name" | erm "domain name" | |||
in many different ways. It is common for earlier documents to use "domain name" to mean | in many different ways. It is common for earlier documents to use "domain name" to mean | |||
"names that match the syntax in <xref target="RFC1035"/>", but possibly with add itional | "names that match the syntax in <xref target="RFC1035" format="default"/>", but possibly with additional | |||
rules such as "and are, or will be, resolvable in the global DNS" or "but only u sing the | rules such as "and are, or will be, resolvable in the global DNS" or "but only u sing the | |||
presentation format".</t> | presentation format".</dd> | |||
<dt>Label:</dt> | ||||
<t hangText='Label:'> | <dd> | |||
<iref item='Label'/> | <iref item="Label" subitem="" primary="false"/> | |||
An ordered list of zero or more octets that makes up a portion of a domain name. | An ordered list of zero or more octets that makes up a portion of a domain name. | |||
Using graph theory, a label identifies one node in a portion of the graph of all possible | Using graph theory, a label identifies one node in a portion of the graph of all possible | |||
domain names.</t> | domain names.</dd> | |||
<dt>Global DNS:</dt> | ||||
<t hangText='Global DNS:'> | <dd> | |||
<iref item='Global DNS'/> | <iref item="Global DNS" subitem="" primary="false"/> | |||
Using the short set of facets listed in "Naming system", the global DNS can be d efined as | Using the short set of facets listed in "Naming system", the global DNS can be d efined as | |||
follows. Most of the rules here come from <xref target="RFC1034"/> and <xref | follows. Most of the rules here come from <xref target="RFC1034" format="default | |||
target="RFC1035"/>, although the term "global DNS" has not been defined before n | "/> and <xref target="RFC1035" format="default"/>, although the term "global DNS | |||
ow.</t> | " has not been defined before now.</dd> | |||
<dt/><dd> | ||||
<t>Composition of names: A name in the global DNS has one or more | <dl newline="false"> | |||
<dt> | ||||
Composition of names:</dt><dd>A name in the global DNS has one or more | ||||
labels. The length of each label is between 0 and 63 octets | labels. The length of each label is between 0 and 63 octets | |||
inclusive. In a fully-qualified domain name, the last label | inclusive. In a fully qualified domain name, the last label | |||
in the ordered list is 0 octets long; it is the only label whose | in the ordered list is 0 octets long; it is the only label whose | |||
length may be 0 octets, and it is called the "root" or "root label". | length may be 0 octets, and it is called the "root" or "root label". | |||
A domain name in the global DNS has a maximum total length of 255 | A domain name in the global DNS has a maximum total length of 255 | |||
octets in the wire format; the root represents one octet for this | octets in the wire format; the root represents one octet for this | |||
calculation. | calculation. | |||
(Multicast DNS <xref target="RFC6762"/> allows names up to 255 bytes plus a term inating zero byte | (Multicast DNS <xref target="RFC6762" format="default"/> allows names up to 255 bytes plus a terminating zero byte | |||
based on a different interpretation of RFC 1035 and what is included in the 255 octets.) | based on a different interpretation of RFC 1035 and what is included in the 255 octets.) | |||
</t> | </dd> | |||
<dt>Format of names:</dt><dd>Names in the global DNS are domain names. | ||||
<t>Format of names: Names in the global DNS are domain names. There are three fo | There are three formats: | |||
rmats: | wire format, presentation format, and common display.</dd><dt/><dd> | |||
wire format, presentation format, and common display. | <dl spacing="normal"> | |||
<list style="empty"> | <dt>Wire format:</dt><dd>The basic wire format for names in the | |||
<t>The basic wire format for names in the global DNS is a list of labels ordered | global DNS is a list of labels ordered by decreasing distance from | |||
by | the root, with the root label last. Each label is preceded by a | |||
decreasing distance from the root, with the root label last. Each label is prece | length octet. <xref target="RFC1035" format="default"/> also | |||
ded by a | defines a compression scheme that modifies this format.</dd> | |||
length octet. <xref target="RFC1035"/> also defines a compression scheme that mo | <dt>Presentation format:</dt><dd>The presentation format for names | |||
difies | in the global DNS is a list of labels ordered by decreasing | |||
this format.</t> | distance from the root, encoded as ASCII, with a "." character | |||
between each label. In presentation format, a fully qualified | ||||
<t>The presentation format for names in the global DNS is a list of labels order | domain name includes the root label and the associated separator | |||
ed by | dot. For example, in presentation format, a fully qualified domain | |||
decreasing distance from the root, encoded as ASCII, with a "." character betwee | name with two non-root labels is always shown as "example.tld." | |||
n each | instead of "example.tld". <xref target="RFC1035" | |||
label. In presentation format, a fully-qualified domain name includes the root l | format="default"/> defines a method for showing octets that do not | |||
abel and | display in ASCII.</dd> | |||
the associated separator dot. For example, in presentation format, a fully-quali | <dt>Common display format:</dt><dd>The common display format is | |||
fied | used in applications and free text. It is the same as the | |||
domain name with two non-root labels is always shown as "example.tld." instead o | presentation format, but showing the root label and the "." before | |||
f | it is optional and is rarely done. For example, in common display | |||
"example.tld". <xref target="RFC1035"/> defines a method for showing octets that | format, a fully qualified domain name with two non-root labels is | |||
do not | usually shown as "example.tld" instead of "example.tld.". Names in | |||
display in ASCII.</t> | the common display format are normally written such that the | |||
directionality of the writing system presents labels by decreasing | ||||
<t>The common display format is used in applications and free text. It is the sa | distance from the root (so, in both English and the C programming | |||
me as the | language, the root or Top-Level Domain (TLD) label in the ordered | |||
presentation format, but showing the root label and the "." before it is optiona | list is rightmost; but in Arabic, it may be leftmost, depending on | |||
l and is | local conventions).</dd> | |||
rarely done. For example, in common display format, a fully-qualified domain nam | </dl> | |||
e with two | </dd> | |||
non-root labels is usually shown as "example.tld" instead of "example.tld.". Nam | <dt>Administration of names:</dt><dd>Administration is specified by dele | |||
es in the | gation (see the | |||
common display format are normally written such that the directionality of the w | definition of "delegation" in <xref target="zones" format="default"/>). Policie | |||
riting | s for administration of | |||
system presents labels by decreasing distance from the root (so, in both English | ||||
and the C programming language the | ||||
root or Top-Level Domain (TLD) label in the ordered list is rightmost; but in Ar | ||||
abic, it may be leftmost, | ||||
depending on local conventions).</t></list></t> | ||||
<t>Administration of names: Administration is specified by delegation (see the | ||||
definition of "delegation" in <xref target="zones"/>). Policies for administrat | ||||
ion of | ||||
the root zone in the global DNS are determined by the names operational communit y, which | the root zone in the global DNS are determined by the names operational communit y, which | |||
convenes itself in the Internet Corporation for Assigned Names and Numbers (ICAN N). The | convenes itself in the Internet Corporation for Assigned Names and Numbers (ICAN N). The | |||
names operational community selects the IANA Functions Operator for the global D NS root | names operational community selects the IANA Functions Operator for the global D NS root | |||
zone. | zone. | |||
The name servers that serve the root zone are provided by independent | The name servers that serve the root zone are provided by independent | |||
root operators. Other zones in the global DNS have their own policies for | root operators. Other zones in the global DNS have their own policies for | |||
administration.</t> | administration.</dd> | |||
<dt>Types of data that can be associated with names:</dt><dd>A name can | ||||
<t>Types of data that can be associated with names: A name can have zero or more | have zero or more | |||
resource records associated with it. There are numerous types of resource record s with | resource records associated with it. There are numerous types of resource record s with | |||
unique data structures defined in many different RFCs and in the IANA registry a | unique data structures defined in many different RFCs and in the IANA registry a | |||
t <xref | t <xref target="IANA_Resource_Registry" format="default"/>.</dd> | |||
target="IANA_Resource_Registry"/>.</t> | <dt>Types of metadata for names:</dt><dd>Any name that is published in t | |||
he DNS appears as a set | ||||
<t>Types of metadata for names: Any name that is published in the DNS appears as | of resource records (see the definition of "RRset" in <xref target="rrs" format= | |||
a set | "default"/>). Some names | |||
of resource records (see the definition of "RRset" in <xref target="rrs"/>). So | ||||
me names | ||||
do not, themselves, have data associated with them in the DNS, but they "appear" in the DNS | do not, themselves, have data associated with them in the DNS, but they "appear" in the DNS | |||
anyway because they form part of a longer name that does have data associated wi th it (see | anyway because they form part of a longer name that does have data associated wi th it (see | |||
the definition of "empty non-terminals" in <xref target="zones"/>).</t> | the definition of "empty non-terminals" in <xref target="zones" format="default" | |||
/>).</dd> | ||||
<t>Protocol for getting data from a name: The protocol described in <xref | <dt>Protocol for getting data from a name:</dt><dd>The protocol describe | |||
target="RFC1035"/>.</t> | d in <xref target="RFC1035" format="default"/>.</dd> | |||
<dt>Context for resolving a name:</dt><dd>The global DNS root zone distr | ||||
<t>Context for resolving a name: The global DNS root zone distributed by Public | ibuted by Public Technical Identifiers (PTIs).</dd> | |||
Technical Identifiers (PTI).</t> | </dl></dd> | |||
<dt>Private DNS:</dt> | ||||
<t hangText='Private DNS:'> | <dd> | |||
<iref item='Private DNS'/> | <iref item="Private DNS" subitem="" primary="false"/> | |||
Names that use the protocol described in <xref target="RFC1035"/> but that do no | Names that use the protocol described in <xref target="RFC1035" format="default" | |||
t rely on | /> but do not rely on | |||
the global DNS root zone or names that are otherwise not generally available on the | the global DNS root zone or names that are otherwise not generally available on the | |||
Internet but are using the protocol described in <xref target="RFC1035"/>. A sy stem can | Internet but are using the protocol described in <xref target="RFC1035" format=" default"/>. A system can | |||
use both the global DNS and one or more private DNS systems; for example, see "S plit DNS" | use both the global DNS and one or more private DNS systems; for example, see "S plit DNS" | |||
in <xref target="dns-servers-and-clients"/>.</t> | in <xref target="dns-servers-and-clients" format="default"/>.</dd> | |||
<dt/> | ||||
<t>Note that domain names that do not appear in the DNS, and that are intended n | <dd>Note that domain names that do not appear in the DNS and that are in | |||
ever to be | tended never to be | |||
looked up using the DNS protocol, are not part of the global DNS or a private DN | looked up using the DNS protocol are not part of the global DNS or a private DNS | |||
S even | , even | |||
though they are domain names.</t> | though they are domain names.</dd> | |||
<dt>Multicast DNS (mDNS):</dt> | ||||
<t hangText='Multicast DNS (mDNS):'> | <dd> | |||
<iref item='Multicast DNS'/> | <iref item="Multicast DNS" subitem="" primary="false"/> | |||
<iref item='mDNS'/> | <iref item="mDNS" subitem="" primary="false"/> | |||
<!--Begin DNE text --> | ||||
<!--Begin DNE text --> | ||||
"Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the | "Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the | |||
absence of any conventional Unicast DNS server. In addition, Multicast DNS desi gnates a portion of | absence of any conventional Unicast DNS server. In addition, Multicast DNS desi gnates a portion of | |||
the DNS namespace to be free for local use, without the need to pay any annual f ee, and without the | the DNS namespace to be free for local use, without the need to pay any annual f ee, and without the | |||
need to set up delegations or otherwise configure a conventional DNS server to a nswer for those | need to set up delegations or otherwise configure a conventional DNS server to a nswer for those | |||
names." (Quoted from <xref target="RFC6762"/>, Abstract) | names." (Quoted from <xref target="RFC6762" format="default"/>, Abstract) | |||
<!--End DNE text --> | <!--End DNE text --> | |||
Although it uses a compatible wire format, mDNS is, strictly speaking, a differe nt protocol than DNS. | Although it uses a compatible wire format, mDNS is, strictly speaking, a differe nt protocol than DNS. | |||
Also, where the above quote says "a portion of the DNS namespace", it would be c learer to say "a | Also, where the above quote says "a portion of the DNS namespace", it would be c learer to say "a | |||
portion of the domain name space". The names in mDNS are not intended to be loo ked up in the | portion of the domain name space". The names in mDNS are not intended to be loo ked up in the | |||
DNS.</t> | DNS.</dd> | |||
<dt>Locally served DNS zone:</dt> | ||||
<t hangText='Locally served DNS zone:'> | <dd> | |||
<iref item='Locally served DNS zone'/> | <iref item="Locally served DNS zone" subitem="" primary="false"/> | |||
A locally served DNS zone is a special case of private DNS. | A locally served DNS zone is a special case of private DNS. | |||
Names are resolved using the DNS protocol in a local context. | Names are resolved using the DNS protocol in a local context. | |||
<xref target="RFC6303"/> defines subdomains of IN-ADDR.ARPA | <xref target="RFC6303" format="default"/> defines subdomains of IN-ADDR.ARPA | |||
that are locally served zones. | that are locally served zones. | |||
Resolution of names through locally served zones may result in ambiguous results . | Resolution of names through locally served zones may result in ambiguous results . | |||
For example, the same name may resolve to different results in different locally served DNS | For example, the same name may resolve to different results in different locally served DNS | |||
zone contexts. The context for a locally served DNS zone may be explicit, such as those that are listed in | zone contexts. The context for a locally served DNS zone may be explicit, such as those that are listed in | |||
<xref target="RFC6303"/> and <xref target="RFC7793"/>, or implicit, such as thos | <xref target="RFC6303" format="default"/> and <xref target="RFC7793" format="def | |||
e defined by local DNS administration and not known to the | ault"/>, or implicit, such as those defined by local DNS administration and not | |||
resolution client.</t> | known to the | |||
resolution client.</dd> | ||||
<t hangText='Fully-Qualified Domain Name (FQDN):'> | <dt>Fully Qualified Domain Name (FQDN):</dt> | |||
<iref item='Fully-qualified domain name (FQDN)'/> | <dd> | |||
<iref item="Fully Qualified Domain Name (FQDN)" subitem="" primary="fa | ||||
lse"/> | ||||
This is often just a clear way | This is often just a clear way | |||
of saying the same thing as "domain name of a node", as outlined | of saying the same thing as "domain name of a node", as outlined | |||
above. However, the term is ambiguous. Strictly speaking, a fully-qualified | above. However, the term is ambiguous. Strictly speaking, a fully qualified | |||
domain name would include every label, including the zero-length label | domain name would include every label, including the zero-length label | |||
of the root: such a name would be written "www.example.net." | of the root; such a name would be written "www.example.net." | |||
(note the terminating dot). But, because every name eventually shares | (note the terminating dot). But, because every name eventually shares | |||
the common root, names are often written relative to the root | the common root, names are often written relative to the root | |||
(such as "www.example.net") and are still called "fully qualified". | (such as "www.example.net") and are still called "fully qualified". | |||
This term first appeared in <xref target="RFC0819"/>. In this document, names | This term first appeared in <xref target="RFC0819" format="default"/>. In this d | |||
are often written relative to the root.</t> | ocument, names | |||
<t>The need for the term "fully-qualified domain name" comes from the existence | are often written relative to the root.</dd> | |||
<dt/> | ||||
<dd>The need for the term "fully qualified domain name" comes from the e | ||||
xistence | ||||
of partially qualified domain names, which are names where one or more | of partially qualified domain names, which are names where one or more | |||
of the last labels in the ordered list are omitted (for example, | of the last labels in the ordered list are omitted (for example, | |||
a domain name of "www" relative to "example.net" identifies "www.example.net"). | a domain name of "www" relative to "example.net" identifies "www.example.net"). | |||
Such relative names are understood only by context.</t> | Such relative names are understood only by context.</dd> | |||
<dt>Host name:</dt> | ||||
<t hangText='Host name:'> | <dd> | |||
<iref item='Host name'/> | <iref item="Host name" subitem="" primary="false"/> | |||
This term and its equivalent, "hostname", have been | This term and its equivalent, "hostname", have been | |||
widely used but are not defined in <xref target="RFC1034"/>, <xref target="RFC10 | widely used but are not defined in <xref target="RFC1034" format="default"/>, <x | |||
35"/>, | ref target="RFC1035" format="default"/>, | |||
<xref target="RFC1123"/>, or <xref target="RFC2181"/>. The | <xref target="RFC1123" format="default"/>, or <xref target="RFC2181" format="def | |||
ault"/>. The | ||||
DNS was originally deployed into the Host Tables environment as | DNS was originally deployed into the Host Tables environment as | |||
outlined in <xref target="RFC0952"/>, and it is likely that the term followed | outlined in <xref target="RFC0952" format="default"/>, and it is likely that the term followed | |||
informally from the definition there. | informally from the definition there. | |||
Over time, the definition seems | Over time, the definition seems | |||
to have shifted. "Host name" is often meant to be a domain name that follows | to have shifted. "Host name" is often meant to be a domain name that follows | |||
the rules in Section 3.5 of <xref target="RFC1034"/>, which is also called the " preferred name | the rules in <xref target="RFC1034" sectionFormat="of" section="3.5"/>, which is also called the "preferred name | |||
syntax". (In that syntax, every character in each label is a letter, | syntax". (In that syntax, every character in each label is a letter, | |||
a digit, or a hyphen). Note that any label in a domain name can contain any octe t | a digit, or a hyphen). Note that any label in a domain name can contain any octe t | |||
value; hostnames are generally considered to be domain names where | value; hostnames are generally considered to be domain names where | |||
every label follows the rules in the "preferred name syntax", with the | every label follows the rules in the "preferred name syntax", with the | |||
amendment that labels can start with ASCII digits (this amendment | amendment that labels can start with ASCII digits (this amendment | |||
comes from Section 2.1 of <xref target="RFC1123"/>). | comes from <xref target="RFC1123" sectionFormat="of" section="2.1"/>). | |||
</t> | </dd> | |||
<t>People also sometimes use the term "hostname" to refer to just the first | <dt/> | |||
<dd>People also sometimes use the term "hostname" to refer to just the f | ||||
irst | ||||
label of an FQDN, such as "printer" in "printer.admin.example.com". | label of an FQDN, such as "printer" in "printer.admin.example.com". | |||
(Sometimes this is formalized in configuration in operating systems.) | (Sometimes this is formalized in configuration in operating systems.) | |||
In addition, people sometimes use this term to | In addition, people sometimes use this term to | |||
describe any name that refers to a machine, and those might include | describe any name that refers to a machine, and those might include | |||
labels that do not conform to the "preferred name syntax".</t> | labels that do not conform to the "preferred name syntax".</dd> | |||
<dt>Top-Level Domain (TLD):</dt> | ||||
<t hangText='Top-Level Domain (TLD):'> | <dd> | |||
<iref item='TLD'/> | <iref item="TLD" subitem="" primary="false"/> | |||
A Top-Level Domain is a zone that is one layer below the | A Top-Level Domain is a zone that is one layer below the | |||
root, such as "com" or "jp". There is nothing special, from the point | root, such as "com" or "jp". There is nothing special, from the point | |||
of view of the DNS, about TLDs. Most of them are also | of view of the DNS, about TLDs. Most of them are also | |||
delegation-centric zones (defined in <xref target="zones"/>), and there are sign ificant policy issues | delegation-centric zones (defined in <xref target="zones" format="default"/>), a nd there are significant policy issues | |||
around their operation. | around their operation. | |||
TLDs are often divided into sub-groups such as Country Code Top-Level Domains | TLDs are often divided into sub-groups such as Country Code Top-Level Domains | |||
(ccTLDs), Generic Top-Level Domains (gTLDs), and others; the | (ccTLDs), Generic Top-Level Domains (gTLDs), and others; the | |||
division is a matter of policy and beyond the scope of this document.</t> | division is a matter of policy and beyond the scope of this document.</dd> | |||
<dt>Internationalized Domain Name (IDN):</dt> | ||||
<t hangText='Internationalized Domain Name (IDN):'> | <dd> | |||
<iref item='Internationalized Domain Name'/> | <iref item="Internationalized Domain Name" subitem="" primary="false"/ | |||
<iref item='IDN'/> | > | |||
<iref item="IDN" subitem="" primary="false"/> | ||||
The Internationalized Domain Names for Applications (IDNA) protocol is | The Internationalized Domain Names for Applications (IDNA) protocol is | |||
the standard mechanism for handling domain names with non-ASCII | the standard mechanism for handling domain names with non-ASCII | |||
characters in applications in the DNS. The current standard at the | characters in applications in the DNS. The current standard at the | |||
time of this writing, normally called "IDNA2008", is defined in <xref | time of this writing, normally called "IDNA2008", is defined in <xref target="RF | |||
target="RFC5890"/>, <xref target="RFC5891"/>, <xref | C5890" format="default"/>, <xref target="RFC5891" format="default"/>, <xref targ | |||
target="RFC5892"/>, <xref target="RFC5893"/>, and <xref | et="RFC5892" format="default"/>, <xref target="RFC5893" format="default"/>, and | |||
target="RFC5894"/>. These documents define many IDN-specific terms | <xref target="RFC5894" format="default"/>. These documents define many IDN-spec | |||
such as "LDH label", "A-label", and "U-label". <xref | ific terms | |||
target="RFC6365"/> defines more terms that relate to | such as "LDH label", "A-label", and "U-label". <xref target="RFC6365" format="d | |||
internationalization (some of which relate to IDNs); <xref | efault"/> defines more terms that relate to | |||
target="RFC6055"/> has a much more extensive discussion of IDNs, | internationalization (some of which relate to IDNs); <xref target="RFC6055" form | |||
including some new terminology.</t> | at="default"/> has a much more extensive discussion of IDNs, | |||
including some new terminology.</dd> | ||||
<t hangText='Subdomain:'> | <dt>Subdomain:</dt> | |||
<iref item='Subdomain'/> | <dd> | |||
<iref item="Subdomain" subitem="" primary="false"/> | ||||
<!--Begin DNE text --> | <!--Begin DNE text --> | |||
"A domain is a subdomain of another domain if it is contained within that domain . This relationship can be tested by | "A domain is a subdomain of another domain if it is contained within that domain . This relationship can be tested by | |||
seeing if the subdomain's name ends with the containing domain's name." (Quoted | seeing if the subdomain's name ends with the containing domain's name." (Quoted | |||
from <xref target="RFC1034"/>, Section 3.1) | from <xref target="RFC1034" sectionFormat="comma" section="3.1"/>) | |||
<!--End DNE text --> | <!--End DNE text --> | |||
For | For | |||
example, in the host name "nnn.mmm.example.com", both "mmm.example.com" and "nnn .mmm.example.com" are subdomains of "example.com". | example, in the host name "nnn.mmm.example.com", both "mmm.example.com" and "nnn .mmm.example.com" are subdomains of "example.com". | |||
Note that the comparisons here are done on whole labels; that is, | Note that the comparisons here are done on whole labels; that is, | |||
"ooo.example.com" is not a subdomain of "oo.example.com".</t> | "ooo.example.com" is not a subdomain of "oo.example.com".</dd> | |||
<dt>Alias:</dt> | ||||
<t hangText='Alias:'> | <dd> | |||
<iref item='Alias'/> | <iref item="Alias" subitem="" primary="false"/> | |||
The owner of a CNAME resource record, or a subdomain of the owner of a | The owner of a CNAME resource record, or a subdomain of the owner of a | |||
DNAME resource record (DNAME records are defined in <xref target="RFC6672"/>). S | DNAME resource record (DNAME records are defined in <xref target="RFC6672" forma | |||
ee also "canonical name".</t> | t="default"/>). See also "canonical name".</dd> | |||
<dt>Canonical name:</dt> | ||||
<t hangText='Canonical name:'> | <dd> | |||
<iref item='Canonical name'/> | <iref item="Canonical name" subitem="" primary="false"/> | |||
A CNAME resource record | A CNAME resource record | |||
<!--Begin DNE text --> | <!--Begin DNE text --> | |||
"identifies its owner name as an | "identifies its owner name as an | |||
alias, and specifies the corresponding canonical name in the RDATA | alias, and specifies the corresponding canonical name in the RDATA | |||
section of the RR." (Quoted from <xref target="RFC1034"/>, Section 3.6.2) | section of the RR." (Quoted from <xref target="RFC1034" sectionFormat="comma" se ction="3.6.2"/>) | |||
<!--END DNE text --> | <!--END DNE text --> | |||
This usage of the word "canonical" is related to the mathematical | This usage of the word "canonical" is related to the mathematical | |||
concept of "canonical form".</t> | concept of "canonical form".</dd> | |||
<dt>CNAME:</dt> | ||||
<t hangText='CNAME:'> | <dd> | |||
<iref item='CNAME'/> | <iref item="CNAME" subitem="" primary="false"/> | |||
<!--Begin DNE--> | <!--Begin DNE--> | |||
"It has been traditional to refer to the [owner] of a CNAME record as 'a | "It has been traditional to refer to the [owner] of a CNAME record as 'a | |||
CNAME'. This is unfortunate, as 'CNAME' is an abbreviation of | CNAME'. This is unfortunate, as 'CNAME' is an abbreviation of | |||
'canonical name', and the [owner] of a CNAME record is most certainly | 'canonical name', and the [owner] of a CNAME record is most certainly | |||
not a canonical name." | not a canonical name." | |||
<!--End DNE text --> | <!--End DNE text --> | |||
(Quoted from <xref target="RFC2181"/>, Section 10.1.1. The quoted | (Quoted from <xref target="RFC2181" sectionFormat="comma" section="10.1.1"/>. Th | |||
text has been changed from "label" to "owner".)</t></list></t> | e quoted | |||
text has been changed from "label" to "owner".)</dd> | ||||
</section> | </dl> | |||
</section> | ||||
<section anchor="dns-response-codes" title="DNS Response Codes"> | <section anchor="dns-response-codes" numbered="true" toc="default"> | |||
<name>DNS Response Codes</name> | ||||
<t>Some of the response codes (RCODEs) that are defined in <xref target="RFC1035 | <t>Some of the response codes (RCODEs) that are defined in <xref target="R | |||
"/> have acquired their own | FC1035" format="default"/> have acquired their own | |||
shorthand names. All of the RCODEs are listed at | shorthand names. All of the RCODEs are listed at | |||
<xref target="IANA_Resource_Registry"/>, although | <xref target="IANA_Resource_Registry" format="default"/>, although | |||
that list uses mixed-case capitalization, while most documents use all caps. | that list uses mixed-case capitalization, while most documents use all caps. | |||
Some of the common names for values defined in <xref target="RFC1035"/> are desc ribed in this section. | Some of the common names for values defined in <xref target="RFC1035" format="de fault"/> are described in this section. | |||
This section also includes an additional RCODE and a general definition. | This section also includes an additional RCODE and a general definition. | |||
The official list of all RCODEs is in the IANA registry.</t> | The official list of all RCODEs is in the IANA registry.</t> | |||
<dl newline="false" spacing="normal"> | ||||
<t><list style="hanging"> | <dt>NOERROR:</dt> | |||
<dd> | ||||
<t hangText='NOERROR:'> | <iref item="NOERROR" subitem="" primary="false"/> | |||
<iref item='NOERROR'/> | This RCODE appears as "No error condition" in <xref target="RFC1035" sectionFor | |||
This RCODE appears as "No error condition" in Section 4.1.1 of <xref target="RFC | mat="of" section="4.1.1"/>.</dd> | |||
1035"/>.</t> | <dt>FORMERR:</dt> | |||
<dd> | ||||
<t hangText='FORMERR:'> | <iref item="FORMERR" subitem="" primary="false"/> | |||
<iref item='FORMERR'/> | This RCODE appears as "Format error - The name server was unable to interpret th | |||
This RCODE appears as "Format error - The name server was unable to interpret th | e query" in <xref target="RFC1035" sectionFormat="of" section="4.1.1"/>.</dd> | |||
e query" in Section 4.1.1 of <xref target="RFC1035"/>.</t> | <dt>SERVFAIL:</dt> | |||
<dd> | ||||
<t hangText='SERVFAIL:'> | <iref item="SERVFAIL" subitem="" primary="false"/> | |||
<iref item='SERVFAIL'/> | ||||
This RCODE appears as "Server failure - The name server was unable to process th is query due to a problem with the name | This RCODE appears as "Server failure - The name server was unable to process th is query due to a problem with the name | |||
server" in Section 4.1.1 of <xref target="RFC1035"/>.</t> | server" in <xref target="RFC1035" sectionFormat="of" section="4.1.1"/>.</dd> | |||
<dt>NXDOMAIN:</dt> | ||||
<t hangText='NXDOMAIN:'> | <dd> | |||
<iref item='NXDOMAIN'/> | <iref item="NXDOMAIN" subitem="" primary="false"/> | |||
This RCODE appears as "Name Error [...] this code signifies that the domain name | This RCODE appears as "Name Error [...] this code signifies that the domain name | |||
referenced in the query does not exist." in Section 4.1.1 of <xref target="RFC10 | referenced in the query does not exist." in <xref target="RFC1035" sectionFormat | |||
35"/>. | ="of" section="4.1.1"/>. | |||
<xref target="RFC2308"/> established NXDOMAIN as a synonym for Name Error.</t> | <xref target="RFC2308"/> established NXDOMAIN as a synonym for Name Error.</dd> | |||
<dt>NOTIMP:</dt> | ||||
<t hangText='NOTIMP:'> | <dd> | |||
<iref item='NOTIMP'/> | <iref item="NOTIMP" subitem="" primary="false"/> | |||
This RCODE appears as "Not Implemented - The name server does not support the re | This RCODE appears as "Not Implemented - The name server does not support the re | |||
quested kind of query" in Section 4.1.1 of <xref target="RFC1035"/>.</t> | quested kind of query" in <xref target="RFC1035" sectionFormat="of" section="4.1 | |||
.1"/>.</dd> | ||||
<t hangText='REFUSED:'> | <dt>REFUSED:</dt> | |||
<iref item='REFUSED'/> | <dd> | |||
<iref item="REFUSED" subitem="" primary="false"/> | ||||
This RCODE appears as "Refused - The name server refuses to perform the specifie d operation for policy reasons. For | This RCODE appears as "Refused - The name server refuses to perform the specifie d operation for policy reasons. For | |||
example, a name server may not wish to provide the information to the particular requester, or a | example, a name server may not wish to provide the information to the particular requester, or a | |||
name server may not wish to perform a particular operation (e.g., zone transfer) for particular | name server may not wish to perform a particular operation (e.g., zone transfer) for particular | |||
data." in Section 4.1.1 of <xref target="RFC1035"/>.</t> | data." in <xref target="RFC1035" sectionFormat="of" section="4.1.1"/>.</dd> | |||
<dt>NODATA:</dt> | ||||
<t hangText='NODATA:'> | <dd> | |||
<iref item='NODATA'/> | <iref item="NODATA" subitem="" primary="false"/> | |||
"A pseudo RCODE which indicates that the name is valid, for | "A pseudo RCODE which indicates that the name is valid, for | |||
the given class, but [there] are no records of the given type. A NODATA | the given class, but [there] are no records of the given type. A NODATA | |||
response has to be inferred from the answer." (Quoted from <xref target="RFC2308 "/>, Section 1) | response has to be inferred from the answer." (Quoted from <xref target="RFC2308 " sectionFormat="comma" section="1"/>) | |||
"NODATA is indicated by an answer with the RCODE set to NOERROR and no | "NODATA is indicated by an answer with the RCODE set to NOERROR and no | |||
relevant answers in the Answer section. The authority section will | relevant answers in the Answer section. The Authority section will | |||
contain an SOA record, or there will be no NS records there." (Quoted from <xref | contain an SOA record, or there will be no NS records there." (Quoted from <xref | |||
target="RFC2308"/>, Section 2.2) | target="RFC2308" sectionFormat="comma" section="2.2"/>) | |||
Note that referrals have a similar format to NODATA replies; <xref target="RFC23 | Note that referrals have a similar format to NODATA replies; <xref target="RFC23 | |||
08"/> | 08" format="default"/> | |||
explains how to distinguish them.</t> | explains how to distinguish them.</dd> | |||
<dt/> | ||||
<t>The term "NXRRSET" is sometimes used as a synonym for NODATA. However, this i | <dd>The term "NXRRSET" is sometimes used as a synonym for NODATA. Howeve | |||
s a mistake, given | r, this is a mistake, given | |||
that NXRRSET is a specific error code defined in <xref target="RFC2136"/>.</t> | that NXRRSET is a specific error code defined in <xref target="RFC2136" format=" | |||
default"/>.</dd> | ||||
<t hangText='Negative response:'> | <dt>Negative response:</dt> | |||
<iref item='Negative response'/> | <dd> | |||
<iref item="Negative response" subitem="" primary="false"/> | ||||
A response that indicates that a particular RRset does not exist | A response that indicates that a particular RRset does not exist | |||
or whose RCODE indicates that the nameserver cannot answer. | or whose RCODE indicates that the nameserver cannot answer. | |||
Sections 2 and 7 of <xref target="RFC2308"/> describe the types of negative resp | Sections <xref target="RFC2308" sectionFormat="bare" section="2"/> and <xref tar | |||
onses in detail.</t> | get="RFC2308" sectionFormat="bare" section="7"/> of <xref target="RFC2308"/> de | |||
scribe the types of negative responses in detail.</dd> | ||||
</list></t> | </dl> | |||
</section> | ||||
</section> | <section anchor="dns-transactions" numbered="true" toc="default"> | |||
<name>DNS Transactions</name> | ||||
<section anchor="dns-transactions" title="DNS Transactions"> | <t>The header of a DNS message is its first 12 octets. Many of the fields | |||
and flags in | ||||
<t>The header of a DNS message is its first 12 octets. Many of the fields and fl | the diagrams in Sections <xref target="RFC1035" sectionFormat="bare" section="4. | |||
ags in | 1.1"/> through <xref target="RFC1035" sectionFormat="bare" section="4.1.3"/> of | |||
the diagrams in Sections 4.1.1 through 4.1.3 of <xref target="RFC1035"/> are ref | <xref target="RFC1035"/> are referred to by their names | |||
erred to by their names | ||||
in each diagram. | in each diagram. | |||
For example, the response codes are called "RCODEs", | For example, the response codes are called "RCODEs", | |||
the data for a record is called the "RDATA", and the | the data for a record is called the "RDATA", and the | |||
authoritative answer bit is often called "the AA flag" or "the AA bit".</t> | authoritative answer bit is often called "the AA flag" or "the AA bit".</t> | |||
<dl newline="false" spacing="normal"> | ||||
<t><list style="hanging"> | <dt>Class:</dt> | |||
<dd> | ||||
<t hangText='Class:'> | <iref item="Class" subitem="" primary="false"/> | |||
<iref item='Class'/> | A class "identifies a protocol family or instance of a protocol". (Quoted from | |||
A class "identifies a protocol family or instance of a protocol". (Quoted from | <xref target="RFC1034" sectionFormat="comma" section="3.6"/>) | |||
<xref | ||||
target="RFC1034"/>, Section 3.6) | ||||
<!--Begin DNE text --> | <!--Begin DNE text --> | |||
"The DNS tags all data with a class as well as the type, so that we can allow pa rallel use | "The DNS tags all data with a class as well as the type, so that we can allow pa rallel use | |||
of different formats for data of type address." (Quoted from <xref target="RFC1 034"/>, Section 2.2) | of different formats for data of type address." (Quoted from <xref target="RFC1 034" sectionFormat="comma" section="2.2"/>) | |||
<!--End DNE text --> | <!--End DNE text --> | |||
In practice, the class for nearly every query is "IN" (the Internet). | In practice, the class for nearly every query is "IN" (the Internet). | |||
There are some queries for "CH" (the Chaos class), but they are usually for the purposes of | There are some queries for "CH" (the Chaos class), but they are usually for the purposes of | |||
information about the server itself rather than for a different type of address. | information about the server itself rather than for a different type of address. | |||
</t> | </dd> | |||
<dt>QNAME:</dt> | ||||
<t hangText='QNAME:'> | <dd> | |||
<iref item='QNAME'/> | <iref item="QNAME" subitem="" primary="false"/> | |||
The most commonly used rough definition is that the QNAME is a field in the Ques tion section of a | The most commonly used rough definition is that the QNAME is a field in the Ques tion section of a | |||
query. | query. | |||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"A standard query specifies a target domain name (QNAME), query type (QTYPE), an d query | "A standard query specifies a target domain name (QNAME), query type (QTYPE), an d query | |||
class (QCLASS) and asks for RRs which match." (Quoted from <xref target="RFC103 | class (QCLASS) and asks for RRs which match." (Quoted from <xref target="RFC103 | |||
4"/>, Section | 4" sectionFormat="comma" section="3.7.1"/>) | |||
3.7.1) | ||||
<!--END DNE --> | <!--END DNE --> | |||
Strictly speaking, the definition comes from <xref target="RFC1035"/>, | Strictly speaking, the definition comes from <xref target="RFC1035" sectionForma | |||
Section 4.1.2, where the QNAME is defined in respect of the Question | t="comma" section="4.1.2"/>, where the QNAME is defined in respect of the Questi | |||
section. This definition appears to be applied consistently: the | on | |||
discussion of inverse queries in Section 6.4.1 refers to the "owner name | section. | |||
of the query RR and its TTL", because inverse queries populate the | This definition appears to be applied consistently, as the discussion | |||
Answer section and leave the Question section empty. (Inverse queries | of inverse queries in <xref target="RFC1035" sectionFormat="of" section="6.4.1"/ | |||
are deprecated in <xref target="RFC3425"/>; thus, relevant | > refers to the "owner name of | |||
the query RR and its TTL" because inverse queries populate the Answer section | ||||
and leave the Question section empty. (Inverse queries | ||||
are deprecated in <xref target="RFC3425" format="default"/>; thus, relevant | ||||
definitions do not appear in this document.) | definitions do not appear in this document.) | |||
</t> | </dd> | |||
<dt/> | ||||
<t> | <dd> | |||
However, <xref target="RFC2308"/> has an alternate definition that | However, <xref target="RFC2308" format="default"/> has an alternate definition t | |||
hat | ||||
puts the QNAME in the answer (or series of answers) instead of the | puts the QNAME in the answer (or series of answers) instead of the | |||
query. It defines QNAME as | query. It defines QNAME as | |||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"...the name in the query section of an | "...the name in the query section of an | |||
answer, or where this resolves to a CNAME, or CNAME chain, the data | answer, or where this resolves to a CNAME, or CNAME chain, the data | |||
field of the last CNAME. The last CNAME in this sense is that which | field of the last CNAME. The last CNAME in this sense is that which | |||
contains a value which does not resolve to another CNAME." | contains a value which does not resolve to another CNAME." | |||
<!--END DNE --> | <!--END DNE --> | |||
This definition has a certain internal logic, because of the way CNAME | This definition has a certain internal logic, because of the way CNAME | |||
substitution works and the definition of CNAME. If a name server does | substitution works and the definition of CNAME. If a name server does | |||
not find an RRset that matches a query, but does find the same name in | not find an RRset that matches a query, but does find the same name in | |||
the same class with a CNAME record, then the name server "includes the | the same class with a CNAME record, then the name server "includes the | |||
CNAME record in the response and restarts the query at the domain name | CNAME record in the response and restarts the query at the domain name | |||
specified in the data field of the CNAME record." (Quoted from <xref | specified in the data field of the CNAME record." (Quoted from <xref target="RFC | |||
target="RFC1034"/>, Section 3.6.2) This is made explicit in the | 1034" sectionFormat="comma" section="3.6.2"/>) This is made explicit in the | |||
resolution algorithm outlined in Section 4.3.2 of <xref | resolution algorithm outlined in <xref target="RFC1034" sectionFormat="of" secti | |||
target="RFC1034"/>, which says to "change QNAME to the canonical name | on="4.3.2"/>, which says to "change QNAME to the canonical name | |||
in the CNAME RR, and go back to step 1" in the case of a CNAME RR. | in the CNAME RR, and go back to step 1" in the case of a CNAME RR. | |||
Since a CNAME record explicitly declares that the owner name is | Since a CNAME record explicitly declares that the owner name is | |||
canonically named what is in the RDATA, then there is a way to view | canonically named what is in the RDATA, then there is a way to view | |||
the new name (i.e., the name that was in the RDATA of the CNAME RR) as | the new name (i.e., the name that was in the RDATA of the CNAME RR) as | |||
also being the QNAME. | also being the QNAME. | |||
</t> | </dd> | |||
<dt/> | ||||
<t> | <dd> | |||
However, this creates confusion because the response to a | However, this creates confusion because the response to a | |||
query that results in CNAME processing contains in the echoed Question | query that results in CNAME processing contains in the echoed Question | |||
section one QNAME (the name in the original query) and a second QNAME | section one QNAME (the name in the original query) and a second QNAME | |||
that is in the data field of the last CNAME. The confusion comes from | that is in the data field of the last CNAME. The confusion comes from | |||
the iterative/recursive mode of resolution, which finally returns an | the iterative/recursive mode of resolution, which finally returns an | |||
answer that need not actually have the same owner name as the QNAME | answer that need not actually have the same owner name as the QNAME | |||
contained in the original query. | contained in the original query. | |||
</t> | </dd> | |||
<dt/> | ||||
<t> | <dd> | |||
<t> | ||||
To address this potential confusion, it is helpful to distinguish | To address this potential confusion, it is helpful to distinguish | |||
between three meanings: | between three meanings: | |||
<list style="symbols"> | ||||
<t> | ||||
QNAME (original): The name actually sent in the Question section in the original | ||||
query, which is | ||||
always echoed in the (final) reply in the Question section when the QR bit is se | ||||
t to 1. | ||||
</t> | </t> | |||
<t> | <dl> | |||
QNAME (effective): A name actually resolved, which is either the name originally | <dt>QNAME (original):</dt><dd>The name actually sent in the Question section in | |||
queried | the original query, which is | |||
always echoed in the (final) reply in the Question section when the QR bit is se | ||||
t to 1. | ||||
</dd> | ||||
<dt>QNAME (effective):</dt><dd>A name actually resolved, which is either the nam | ||||
e originally queried | ||||
or a name received in a CNAME chain response. | or a name received in a CNAME chain response. | |||
</t> | </dd> | |||
<t> | ||||
QNAME (final): The name actually resolved, which is either the name actually que | ||||
ried or else | ||||
the last name in a CNAME chain response. | ||||
</t> | ||||
</list></t> | ||||
<t>Note that, because the definition in <xref target="RFC2308"/> is | <dt>QNAME (final):</dt><dd>The name actually resolved, which is either the name | |||
actually for a different concept than what was in <xref | actually queried or else | |||
target="RFC1034"/>, it would have been better if <xref | the last name in a CNAME chain response. | |||
target="RFC2308"/> had used a different name for that concept. In | </dd> | |||
</dl> | ||||
</dd> | ||||
<dt/> | ||||
<dd>Note that, because the definition in <xref target="RFC2308" format=" | ||||
default"/> is | ||||
actually for a different concept than what was in <xref target="RFC1034" format= | ||||
"default"/>, it would have been better if <xref target="RFC2308" format="default | ||||
"/> had used a different name for that concept. In | ||||
general use today, QNAME almost always means what is defined above as | general use today, QNAME almost always means what is defined above as | |||
"QNAME (original)".</t> | "QNAME (original)".</dd> | |||
<dt>Referrals:</dt> | ||||
<t hangText='Referrals:'> | <dd> | |||
<iref item='Referrals'/> | <iref item="Referrals" subitem="" primary="false"/> | |||
A type of response in which a server, signaling that it is not | A type of response in which a server, signaling that it is not | |||
(completely) authoritative for an answer, provides the querying | (completely) authoritative for an answer, provides the querying | |||
resolver with an alternative place to send its query. Referrals can | resolver with an alternative place to send its query. Referrals can | |||
be partial.</t> | be partial.</dd> | |||
<dt/> | ||||
<t>A referral arises when a server is not performing recursive service | <dd>A referral arises when a server is not performing recursive service | |||
while answering a query. It appears in step 3(b) of the algorithm in | while answering a query. It appears in step 3(b) of the algorithm in | |||
<xref target="RFC1034" />, Section 4.3.2.</t> | <xref target="RFC1034" sectionFormat="comma" section="4.3.2"/>.</dd> | |||
<dt/> | ||||
<t>There are two types of referral response. The first is a downward | <dd>There are two types of referral response. The first is a downward | |||
referral (sometimes described as "delegation response"), where the | referral (sometimes described as "delegation response"), where the | |||
server is authoritative for some portion of the QNAME. The authority | server is authoritative for some portion of the QNAME. The Authority | |||
section RRset's RDATA contains the name servers specified at the | section RRset's RDATA contains the name servers specified at the | |||
referred-to zone cut. In normal DNS operation, this kind of response | referred-to zone cut. In normal DNS operation, this kind of response | |||
is required in order to find names beneath a delegation. The bare | is required in order to find names beneath a delegation. The bare | |||
use of "referral" means this kind of referral, and many people believe | use of "referral" means this kind of referral, and many people believe | |||
that this is the only legitimate kind of referral in the DNS.</t> | that this is the only legitimate kind of referral in the DNS.</dd> | |||
<dt/> | ||||
<t>The second is an upward referral (sometimes described as "root | <dd>The second is an upward referral (sometimes described as "root | |||
referral"), where the server is not authoritative for any portion of | referral"), where the server is not authoritative for any portion of | |||
the QNAME. When this happens, the referred-to zone in the authority | the QNAME. When this happens, the referred-to zone in the Authority | |||
section is usually the root zone ("."). In normal DNS operation, this | section is usually the root zone ("."). In normal DNS operation, this | |||
kind of response is not required for resolution or for correctly | kind of response is not required for resolution or for correctly | |||
answering any query. There is no requirement that any server send | answering any query. There is no requirement that any server send | |||
upward referrals. Some people regard upward referrals as a sign of a | upward referrals. Some people regard upward referrals as a sign of a | |||
misconfiguration or error. Upward referrals always need some sort of | misconfiguration or error. Upward referrals always need some sort of | |||
qualifier (such as "upward" or "root") and are never identified simply by | qualifier (such as "upward" or "root") and are never identified simply by | |||
the word "referral".</t> | the word "referral".</dd> | |||
<dt/> | ||||
<t>A response that has only a referral contains an empty answer | <dd>A response that has only a referral contains an empty Answer | |||
section. It contains the NS RRset for the referred-to zone in the | section. It contains the NS RRset for the referred-to zone in the | |||
Authority section. It may contain RRs that provide addresses in the | Authority section. It may contain RRs that provide addresses in the | |||
additional section. The AA bit is clear.</t> | Additional section. The AA bit is clear.</dd> | |||
<dt/> | ||||
<t>In the case where the query matches an alias, and the server is not | <dd>In the case where the query matches an alias, and the server is not | |||
authoritative for the target of the alias but is authoritative for | authoritative for the target of the alias but is authoritative for | |||
some name above the target of the alias, the resolution algorithm will | some name above the target of the alias, the resolution algorithm will | |||
produce a response that contains both the authoritative answer for the | produce a response that contains both the authoritative answer for the | |||
alias and a referral. Such a partial answer and referral | alias and a referral. Such a partial answer and referral | |||
response has data in the Answer section. It has the NS RRset for the | response has data in the Answer section. It has the NS RRset for the | |||
referred-to zone in the Authority section. It may contain RRs that | referred-to zone in the Authority section. It may contain RRs that | |||
provide addresses in the additional section. The AA bit is set, | provide addresses in the Additional section. The AA bit is set | |||
because the first name in the Answer section matches the QNAME and the | because the first name in the Answer section matches the QNAME and the | |||
server is authoritative for that answer (see <xref target="RFC1035"/>, | server is authoritative for that answer (see <xref target="RFC1035" sectionForma | |||
Section 4.1.1).</t> | t="comma" section="4.1.1"/>).</dd> | |||
</dl> | ||||
</list></t> | </section> | |||
</section> | <section anchor="rrs" numbered="true" toc="default"> | |||
<name>Resource Records</name> | ||||
<section anchor="rrs" title="Resource Records"> | <dl newline="false" spacing="normal"> | |||
<t><list style="hanging"> | <dt>RR:</dt> | |||
<dd> | ||||
<t hangText='RR:'> | <iref item="RR" subitem="" primary="false"/> | |||
<iref item='RR'/> | An acronym for resource record. (See <xref target="RFC1034" sectionFormat="comm | |||
An acronym for resource record. (See <xref target="RFC1034"/>, Section 3.6.)</t | a" section="3.6"/>.)</dd> | |||
> | <dt>RRset:</dt> | |||
<dd> | ||||
<t hangText='RRset:'> | <iref item="RRset" subitem="" primary="false"/> | |||
<iref item='RRset'/> | ||||
A set of resource records "with the same label, class and type, but with differe nt | A set of resource records "with the same label, class and type, but with differe nt | |||
data" (according to <xref target="RFC2181"/>, Section 5). Also written as "RRSe t" in some documents. As a clarification, | data" (according to <xref target="RFC2181" sectionFormat="comma" section="5"/>). Also written as "RRSet" in some documents. As a clarification, | |||
"same label" in this definition means "same owner name". | "same label" in this definition means "same owner name". | |||
In addition, <xref target="RFC2181"/> states that "the TTLs of all RRs in an RRS | In addition, <xref target="RFC2181" format="default"/> states that "the TTLs of | |||
et must be the same". | all RRs in an RRSet must be the same". | |||
</t> | </dd> | |||
<dt/> | ||||
<dd> | ||||
<t>Note that RRSIG resource records do not match this definition. | ||||
<xref target="RFC4035" format="default"/> says:</t></dd> | ||||
<t>Note that RRSIG resource records do not match this definition. | <dt/><dd> | |||
<xref target="RFC4035"/> says: | <dl><dt/><dd> | |||
<list style="empty"><t> | <!--Begin DNE --> | |||
<!--Begin DNE --> | "An RRset <bcp14>MAY</bcp14> have multiple RRSIG RRs associated with it. Note th | |||
An RRset MAY have multiple RRSIG RRs associated with it. Note that | at | |||
as RRSIG RRs are closely tied to the RRsets whose signatures they | as RRSIG RRs are closely tied to the RRsets whose signatures they | |||
contain, RRSIG RRs, unlike all other DNS RR types, do not form | contain, RRSIG RRs, unlike all other DNS RR types, do not form | |||
RRsets. In particular, the TTL values among RRSIG RRs with a common | RRsets. In particular, the TTL values among RRSIG RRs with a common | |||
owner name do not follow the RRset rules described in <xref target="RFC2181"/>.< | owner name do not follow the RRset rules described in <xref target="RFC2181" for | |||
/t></list> | mat="default"/>".</dd> | |||
</dl> | ||||
<t> | ||||
<!--End DNE --> | <!--End DNE --> | |||
</t> | </t> | |||
</dd> | ||||
<t hangText='Master file:'> | <dt>Master file:</dt> | |||
<iref item='Master file'/> | <dd> | |||
<iref item="Master file" subitem="" primary="false"/> | ||||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"Master files are text files that contain RRs in text form. Since the contents of a zone | "Master files are text files that contain RRs in text form. Since the contents of a zone | |||
can be expressed in the form of a list of RRs a master file is most often used t o define a | can be expressed in the form of a list of RRs a master file is most often used t o define a | |||
zone, though it can be used to list a cache's contents." (Quoted from <xref tar | zone, though it can be used to list a cache's contents." (Quoted from <xref tar | |||
get="RFC1035"/>, | get="RFC1035" sectionFormat="comma" section="5"/>) | |||
Section 5) | ||||
<!--End DNE --> | <!--End DNE --> | |||
Master files are sometimes called "zone files".</t> | Master files are sometimes called "zone files".</dd> | |||
<dt>Presentation format:</dt> | ||||
<t hangText='Presentation format:'> | <dd> | |||
<iref item='Presentation format'/> | <iref item="Presentation format" subitem="" primary="false"/> | |||
The text format used in master files. This format is shown but not formally defi ned in | The text format used in master files. This format is shown but not formally defi ned in | |||
<xref target="RFC1034"/> or <xref target="RFC1035"/>. The term "presentation for | <xref target="RFC1034" format="default"/> or <xref target="RFC1035" format="defa | |||
mat" | ult"/>. The term "presentation format" | |||
first appears in <xref target="RFC4034"/>.</t> | first appears in <xref target="RFC4034" format="default"/>.</dd> | |||
<dt>EDNS:</dt> | ||||
<t hangText='EDNS:'> | <dd> | |||
<iref item='EDNS'/> | <iref item="EDNS" subitem="" primary="false"/> | |||
The extension mechanisms for DNS, defined in <xref | The extension mechanisms for DNS, defined in <xref target="RFC6891" format="defa | |||
target="RFC6891"/>. Sometimes called "EDNS0" or "EDNS(0)" | ult"/>. Sometimes called "EDNS0" or "EDNS(0)" | |||
to indicate the version number. EDNS allows DNS clients and servers to specify m | to indicate the version number. | |||
essage | EDNS allows DNS clients and servers to specify message | |||
sizes larger than the original 512 octet limit, to expand the response code spac | sizes larger than the original 512-octet limit, to expand the response code spac | |||
e and | e, and | |||
to carry additional options that affect the handling of a DNS query.</t> | to carry additional options that affect the handling of a DNS query.</dd> | |||
<dt>OPT:</dt> | ||||
<t hangText='OPT:'> | <dd> | |||
<iref item='OPT'/> | <iref item="OPT" subitem="" primary="false"/> | |||
A pseudo-RR (sometimes called a "meta-RR") that is used only to contain | A pseudo-RR (sometimes called a "meta-RR") that is used only to contain | |||
control information pertaining to the question-and-answer sequence of a specific | control information pertaining to the question-and-answer sequence of a specific | |||
transaction. (Definition paraphrased from <xref target="RFC6891"/>, Section 6.1. | transaction. (Definition paraphrased from <xref target="RFC6891" sectionFormat=" | |||
1.) | comma" section="6.1.1"/>.) It is used by EDNS.</dd> | |||
It is used by EDNS.</t> | <dt>Owner:</dt> | |||
<dd> | ||||
<t hangText='Owner:'> | <iref item="Owner" subitem="" primary="false"/> | |||
<iref item='Owner'/> | "The domain name where the RR is found." (Quoted from <xref target="RFC1034" se | |||
"The domain name where the RR is found." (Quoted from <xref target="RFC1034"/>, | ctionFormat="comma" section="3.6"/>) Often appears in the term "owner name".</d | |||
Section 3.6) Often appears in the term "owner name".</t> | d> | |||
<dt>SOA field names:</dt> | ||||
<t hangText='SOA field names:'> | <dd> | |||
<iref item='SOA field names'/> | <iref item="SOA field names" subitem="" primary="false"/> | |||
<iref item='SOA'/> | <iref item="SOA" subitem="" primary="false"/> | |||
DNS documents, including the definitions here, often refer to the fields in the | DNS documents, including the definitions here, often refer to the fields in the | |||
RDATA of an SOA resource record by field name. | RDATA of an SOA resource record by field name. | |||
"SOA" stands for "start of a zone of authority". | "SOA" stands for "start of a zone of authority". | |||
Those fields are defined in Section 3.3.13 of <xref target="RFC1035"/>. | Those fields are defined in <xref target="RFC1035" sectionFormat="of" section="3 .3.13"/>. | |||
The names (in the order they appear in the SOA RDATA) are MNAME, RNAME, SERIAL, REFRESH, RETRY, | The names (in the order they appear in the SOA RDATA) are MNAME, RNAME, SERIAL, REFRESH, RETRY, | |||
EXPIRE, and MINIMUM. | EXPIRE, and MINIMUM. | |||
Note that the meaning of the MINIMUM field is updated in Section 4 of <xref targ et="RFC2308"/>; the new definition | Note that the meaning of the MINIMUM field is updated in <xref target="RFC2308" sectionFormat="of" section="4"/>; the new definition | |||
is that the MINIMUM field is only "the TTL to be used for negative responses". | is that the MINIMUM field is only "the TTL to be used for negative responses". | |||
This document tends to use field names instead of terms that describe the fields | This document tends to use field names instead of terms that describe the fields | |||
.</t> | .</dd> | |||
<dt>TTL:</dt> | ||||
<t hangText='TTL:'> | <dd> | |||
<iref item='TTL'/> | <iref item="TTL" subitem="" primary="false"/> | |||
The maximum "time to live" of a resource record. | The maximum "time to live" of a resource record. | |||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"A TTL value is an unsigned | "A TTL value is an unsigned | |||
number, with a minimum value of 0, and a maximum value of 2147483647. That is, a | number, with a minimum value of 0, and a maximum value of 2147483647. That is, a | |||
maximum of 2^31 - 1. When transmitted, this value shall be encoded in the less | maximum of 2^31 - 1. When transmitted, this value shall be encoded in the less | |||
significant 31 bits of the 32 bit TTL field, with the most significant, or sign, | significant 31 bits of the 32 bit TTL field, with the most significant, or sign, | |||
bit set to zero." (Quoted from <xref target="RFC2181"/>, Section 8) | bit set to zero." (Quoted from <xref target="RFC2181" sectionFormat="comma" sec tion="8"/>) | |||
<!--End DNE --> | <!--End DNE --> | |||
(Note that <xref target="RFC1035"/> | Note that <xref target="RFC1035" format="default"/> | |||
erroneously stated that this is a signed integer; that was fixed by <xref target | erroneously stated that this is a signed integer; that was fixed by <xref target | |||
="RFC2181"/>.)</t> | ="RFC2181" format="default"/>.</dd> | |||
<dt/> | ||||
<t>The TTL "specifies the time interval that the resource record may be cached | <dd>The TTL "specifies the time interval that the resource record may be | |||
cached | ||||
before the source of the information should again be consulted." (Quoted from | before the source of the information should again be consulted." (Quoted from | |||
<xref target="RFC1035"/>, Section 3.2.1) Section 4.1.3 of the same document sta tes: "the time interval (in seconds) that the resource | <xref target="RFC1035" sectionFormat="comma" section="3.2.1"/>) <xref target="RF C1035" sectionFormat="of" section="4.1.3"/> states "the time interval (in second s) that the resource | |||
record may be cached before it should be discarded". Despite being defined for a resource record, the TTL of every | record may be cached before it should be discarded". Despite being defined for a resource record, the TTL of every | |||
resource record in an RRset is required to be the same (<xref target="RFC2181"/> | resource record in an RRset is required to be the same (<xref target="RFC2181" s | |||
, Section 5.2).</t> | ectionFormat="comma" section="5.2"/>).</dd> | |||
<dt/> | ||||
<t>The reason that the TTL is the maximum time to live is that a cache operator | <dd>The reason that the TTL is the maximum time to live is that a cache | |||
might decide to shorten the time to live for operational purposes, such as if | operator | |||
might decide to shorten the time to live for operational purposes, for example, | ||||
if | ||||
there is a policy to disallow TTL values over a certain number. | there is a policy to disallow TTL values over a certain number. | |||
Some servers are known to ignore the TTL on some RRsets (such as when the author itative data | Some servers are known to ignore the TTL on some RRsets (such as when the author itative data | |||
has a very short TTL) even though this is against the advice in RFC 1035. | has a very short TTL) even though this is against the advice in <xref target="RF C1035"/>. | |||
An RRset can be flushed from the cache before the end of the TTL interval, | An RRset can be flushed from the cache before the end of the TTL interval, | |||
at which point, the value of the TTL becomes unknown because the RRset | at which point, the value of the TTL becomes unknown because the RRset | |||
with which it was associated no longer exists.</t> | with which it was associated no longer exists.</dd> | |||
<dt/> | ||||
<t>There is also the concept of a "default TTL" for a zone, which can be a confi | <dd>There is also the concept of a "default TTL" for a zone, which can b | |||
guration | e a configuration | |||
parameter in the server software. This is often expressed by a default for the | parameter in the server software. This is often expressed by a default for the | |||
entire server, and a default for a zone using the $TTL directive | entire server, and a default for a zone using the $TTL directive | |||
in a zone file. The $TTL directive was added to the master file | in a zone file. The $TTL directive was added to the master file | |||
format by <xref target="RFC2308"/>.</t> | format by <xref target="RFC2308" format="default"/>.</dd> | |||
<dt>Class independent:</dt> | ||||
<t hangText='Class independent:'> | <dd> | |||
<iref item='Class independent'/> | <iref item="Class independent" subitem="" primary="false"/> | |||
A resource record type whose syntax and semantics are the same for every DNS | A resource record type whose syntax and semantics are the same for every DNS | |||
class. A resource record type that is not class independent has different meanin | class. | |||
gs depending on the | A resource record type that is not class independent has different meanings, dep | |||
DNS class of the record, or the meaning is undefined for some class. | ending on the | |||
DNS class of the record or if the meaning is undefined for some classes. | ||||
Most resource record types are defined for class 1 (IN, the Internet), | Most resource record types are defined for class 1 (IN, the Internet), | |||
but many are undefined for other classes.</t> | but many are undefined for other classes.</dd> | |||
<dt>Address records:</dt> | ||||
<t hangText='Address records:'> | <dd> | |||
<iref item='Address records'/> | <iref item="Address records" subitem="" primary="false"/> | |||
Records whose type is A or AAAA. | Records whose type is either A or AAAA. | |||
<xref target="RFC2181"/> informally defines these as "(A, AAAA, etc)". | <xref target="RFC2181" format="default"/> informally defines these as "(A, AAAA, | |||
Note that new types of address records could be defined in the future.</t> | etc)". | |||
Note that new types of address records could be defined in the future.</dd> | ||||
</list></t> | </dl> | |||
</section> | </section> | |||
<section anchor="dns-servers-and-clients" numbered="true" toc="default"> | ||||
<section anchor="dns-servers-and-clients" title="DNS Servers and Clients"> | <name>DNS Servers and Clients</name> | |||
<t>This section defines the terms used for the systems that act as DNS | ||||
<t>This section defines the terms used for the systems that act as DNS | ||||
clients, DNS servers, or both. In past RFCs, DNS servers are | clients, DNS servers, or both. In past RFCs, DNS servers are | |||
sometimes called "name servers", "nameservers", or just | sometimes called "name servers", "nameservers", or just | |||
"servers". There is no formal definition of "DNS server", but RFCs | "servers". There is no formal definition of "DNS server", but RFCs | |||
generally assume that it is an Internet server that listens for | generally assume that it is an Internet server that listens for | |||
queries and sends responses using the DNS protocol defined in <xref | queries and sends responses using the DNS protocol defined in <xref target="RFC1 | |||
target="RFC1035"/> and its successors.</t> | 035" format="default"/> and its successors.</t> | |||
<t>It is important to note that the terms "DNS server" and "name | ||||
<t>It is important to note that the terms "DNS server" and "name | ||||
server" require context in order to understand the services being | server" require context in order to understand the services being | |||
provided. Both authoritative servers and recursive resolvers are often | provided. Both authoritative servers and recursive resolvers are often | |||
called "DNS servers" and "name servers" even though they serve | called "DNS servers" and "name servers" even though they serve | |||
different roles (but may be part of the same software package).</t> | different roles (but may be part of the same software package).</t> | |||
<t>For terminology specific to the global DNS root server system, see | ||||
<t>For terminology specific to the global DNS root server system, see | <xref target="RSSAC026" format="default"/>. That document defines terms such as | |||
<xref target="RSSAC026"/>. That document defines terms such as "root | "root | |||
server", "root server operator", and terms that are specific to the | server", "root server operator", and terms that are specific to the | |||
way that the root zone of the global DNS is served.</t> | way that the root zone of the global DNS is served.</t> | |||
<dl newline="false" spacing="normal"> | ||||
<t><list style="hanging"> | <dt>Resolver:</dt> | |||
<dd> | ||||
<t hangText='Resolver:'> | <iref item="Resolver" subitem="" primary="false"/> | |||
<iref item='Resolver'/> | ||||
A program "that extract[s] information from name | A program "that extract[s] information from name | |||
servers in response to client requests." (Quoted from <xref target="RFC1034"/>, Section 2.4) A resolver performs | servers in response to client requests." (Quoted from <xref target="RFC1034" se ctionFormat="comma" section="2.4"/>) A resolver performs | |||
queries for a name, type, and class, and receives responses. The | queries for a name, type, and class, and receives responses. The | |||
logical function is called "resolution". In practice, the term is | logical function is called "resolution". In practice, the term is | |||
usually referring to some specific type of resolver | usually referring to some specific type of resolver | |||
(some of which are defined below), and understanding | (some of which are defined below), and understanding | |||
the use of the term depends on understanding the context.</t> | the use of the term depends on understanding the context.</dd> | |||
<dt/> | ||||
<t>A related term is "resolve", which is not formally defined in <xref target="R | <dd>A related term is "resolve", which is not formally defined in <xref | |||
FC1034"/> | target="RFC1034" format="default"/> | |||
or <xref target="RFC1035"/>. An imputed definition might be "asking a question t | or <xref target="RFC1035" format="default"/>. An imputed definition might be "as | |||
hat | king a question that | |||
consists of a domain name, class, and type, and receiving some sort of response" . | consists of a domain name, class, and type, and receiving some sort of response" . | |||
Similarly, an imputed definition of "resolution" might be "the response received | Similarly, an imputed definition of "resolution" might be "the response received | |||
from resolving".</t> | from resolving".</dd> | |||
<dt>Stub resolver:</dt> | ||||
<t hangText='Stub resolver:'> | <dd> | |||
<iref item='Stub resolver'/> | <iref item="Stub resolver" subitem="" primary="false"/> | |||
A resolver that cannot perform all resolution | A resolver that cannot perform all resolution | |||
itself. Stub resolvers generally depend on a recursive resolver to undertake the | itself. Stub resolvers generally depend on a recursive resolver to undertake the | |||
actual resolution function. Stub resolvers are discussed but never | actual resolution function. Stub resolvers are discussed but never | |||
fully defined in Section 5.3.1 of <xref target="RFC1034"/>. | fully defined in <xref target="RFC1034" sectionFormat="of" section="5.3.1"/>. | |||
They are fully defined in Section 6.1.3.1 of <xref target="RFC1123"/>.</t> | They are fully defined in <xref target="RFC1123" sectionFormat="of" section="6.1 | |||
.3.1"/>.</dd> | ||||
<t hangText='Iterative mode:'> | <dt>Iterative mode:</dt> | |||
<iref item='Iterative mode'/> | <dd> | |||
<iref item="Iterative mode" subitem="" primary="false"/> | ||||
A resolution mode of a server that receives DNS | A resolution mode of a server that receives DNS | |||
queries and responds with a referral to another server. Section 2.3 of <xref ta rget="RFC1034"/> | queries and responds with a referral to another server. <xref target="RFC1034" s ectionFormat="of" section="2.3"/> | |||
describes this as "The server refers the client to | describes this as "The server refers the client to | |||
another server and lets the client pursue the query." | another server and lets the client pursue the query." | |||
A resolver that works in iterative mode is sometimes called an "iterative | A resolver that works in iterative mode is sometimes called an "iterative | |||
resolver". | resolver". | |||
See also "iterative resolution" later in this section.</t> | See also "iterative resolution" later in this section.</dd> | |||
<dt>Recursive mode:</dt> | ||||
<t hangText='Recursive mode:'> | <dd> | |||
<iref item='Recursive mode'/> | <t><iref item="Recursive mode" subitem="" primary="false"/> | |||
A resolution mode of a server that receives DNS | A resolution mode of a server that receives DNS | |||
queries and either responds to those queries from a local cache or | queries and either responds to those queries from a local cache or | |||
sends queries to other servers in order to get the final answers to | sends queries to other servers in order to get the final answers to | |||
the original queries. Section 2.3 of <xref target="RFC1034"/> describes this as "the | the original queries. <xref target="RFC1034" sectionFormat="of" section="2.3"/> describes this as "the | |||
first server pursues the query for the client at another server". | first server pursues the query for the client at another server". | |||
Section 4.3.1 of <xref target="RFC1034"/> says: "in [recursive] | <xref target="RFC1034" sectionFormat="of" section="4.3.1"/> says: "in [recursive ] | |||
mode the name server acts in the role of a resolver and | mode the name server acts in the role of a resolver and | |||
returns either an error or the answer, but never referrals." | returns either an error or the answer, but never referrals." | |||
That same section also says: | That same section also says: | |||
<list style="empty"> | </t> | |||
<!--Begin DNE --> | <dl spacing="normal"> | |||
<t>The recursive mode occurs when a query with RD set arrives at a server | <!--Begin DNE --> | |||
<dt/><dd>"The recursive mode occurs when a query with RD set arrives at a serv | ||||
er | ||||
which is willing to provide recursive service; the client can verify that recurs ive mode was used by | which is willing to provide recursive service; the client can verify that recurs ive mode was used by | |||
checking that both RA and RD are set in the reply.</t></list></t> | checking that both RA and RD are set in the reply."</dd> | |||
<!--End DNE --> | </dl> | |||
</dd> | ||||
<!--End DNE --> | ||||
<t>A server operating in recursive mode may be thought of as having a name | <dt/> | |||
<dd>A server operating in recursive mode may be thought of as having a n | ||||
ame | ||||
server side (which is what answers the query) and a resolver side | server side (which is what answers the query) and a resolver side | |||
(which performs the resolution function). Systems operating | (which performs the resolution function). Systems operating | |||
in this mode are commonly called "recursive servers". Sometimes they | in this mode are commonly called "recursive servers". Sometimes they | |||
are called "recursive resolvers". In practice, it is not possible to know | are called "recursive resolvers". In practice, it is not possible to know | |||
in advance whether the server that one is querying will also perform | in advance whether the server that one is querying will also perform | |||
recursion; both terms can be observed in use interchangeably.</t> | recursion; both terms can be observed in use interchangeably.</dd> | |||
<dt>Recursive resolver:</dt> | ||||
<t hangText='Recursive resolver:'> | <dd> | |||
<iref item='Recursive resolver'/> | <iref item="Recursive resolver" subitem="" primary="false"/> | |||
A resolver that acts in recursive mode. | A resolver that acts in recursive mode. | |||
In general, a recursive resolver is expected to cache the answers it receives | In general, a recursive resolver is expected to cache the answers it receives | |||
(which would make it a full-service resolver), but some recursive resolvers migh | (which would make it a full-service resolver), but some recursive resolvers migh | |||
t not cache.</t> | t not cache.</dd> | |||
<dt/> | ||||
<t><xref target="RFC4697"/> tried to differentiate between a | <dd> | |||
recursive resolver and an iterative resolver.</t> | <xref target="RFC4697" format="default"/> tried to differentiate betwe | |||
en a | ||||
<t hangText='Recursive query:'> | recursive resolver and an iterative resolver.</dd> | |||
<iref item='Recursive query'/> | <dt>Recursive query:</dt> | |||
A query with the Recursion Desired (RD) bit set to 1 in the header. (See Section | <dd> | |||
4.1.1 of <xref | <iref item="Recursive query" subitem="" primary="false"/> | |||
target="RFC1035"/>.) If recursive service is available and is requested by the R | A query with the Recursion Desired (RD) bit set to 1 in the header. (See <xref t | |||
D bit in the query, | arget="RFC1035" sectionFormat="of" section="4.1.1"/>.) If recursive service is a | |||
the server uses its resolver to answer the query. (See Section 4.3.2 of <xref ta | vailable and is requested by the RD bit in the query, | |||
rget="RFC1034"/>.)</t> | the server uses its resolver to answer the query. (See <xref target="RFC1034" se | |||
ctionFormat="of" section="4.3.2"/>.)</dd> | ||||
<t hangText='Non-recursive query:'> | <dt>Non-recursive query:</dt> | |||
<iref item='Non-recursive query'/> | <dd> | |||
<iref item="Non-recursive query" subitem="" primary="false"/> | ||||
A query with the Recursion Desired (RD) bit set to 0 in the header. A server can answer | A query with the Recursion Desired (RD) bit set to 0 in the header. A server can answer | |||
non-recursive queries using only local information: the response contains either an error, the | non-recursive queries using only local information: the response contains either an error, the | |||
answer, or a referral to some other server "closer" to the answer. | answer, or a referral to some other server "closer" to the answer. | |||
(See Section 4.3.1 of <xref target="RFC1034"/>.)</t> | (See <xref target="RFC1034" sectionFormat="of" section="4.3.1"/>.)</dd> | |||
<dt>Iterative resolution:</dt> | ||||
<t hangText='Iterative resolution:'> | <dd> | |||
<iref item='Iterative resolution'/> | <iref item="Iterative resolution" subitem="" primary="false"/> | |||
A name server may be presented with a query that can only be answered by some ot her server. The two | A name server may be presented with a query that can only be answered by some ot her server. The two | |||
general approaches to dealing with this problem are "recursive", in which the fi rst server pursues | general approaches to dealing with this problem are "recursive", in which the fi rst server pursues | |||
the query on behalf of the client at another server, and "iterative", in which t he server refers the client | the query on behalf of the client at another server, and "iterative", in which t he server refers the client | |||
to another server and lets the client pursue the query there. (See Section 2.3 o | to another server and lets the client pursue the query there. (See <xref target= | |||
f <xref | "RFC1034" sectionFormat="of" section="2.3"/>.)</dd> | |||
target="RFC1034"/>.)</t> | <dt/> | |||
<dd>In iterative resolution, the client repeatedly makes non-recursive q | ||||
<t>In iterative resolution, the client repeatedly makes non-recursive queries an | ueries and follows referrals | |||
d follows referrals | and/or aliases. The iterative resolution algorithm is described in <xref target= | |||
and/or aliases. The iterative resolution algorithm is described in Section 5.3.3 | "RFC1034" sectionFormat="of" section="5.3.3"/>.</dd> | |||
of <xref | <dt>Full resolver:</dt> | |||
target="RFC1034"/>.</t> | <dd> | |||
<iref item="Full resolver" subitem="" primary="false"/> | ||||
<t hangText='Full resolver:'> | This term is used in <xref target="RFC1035" format="default"/>, but it is not de | |||
<iref item='Full resolver'/> | fined there. RFC | |||
This term is used in <xref target="RFC1035"/>, but it is not defined there. RFC | ||||
1123 defines a "full-service resolver" that may or may not be what was intended | 1123 defines a "full-service resolver" that may or may not be what was intended | |||
by "full resolver" in <xref target="RFC1035"/>. | by "full resolver" in <xref target="RFC1035" format="default"/>. | |||
This term is not properly defined in any RFC, and there is no consensus on what the term means. | This term is not properly defined in any RFC, and there is no consensus on what the term means. | |||
The use of this term without proper context is discouraged.</t> | The use of this term without proper context is discouraged.</dd> | |||
<dt>Full-service resolver:</dt> | ||||
<t hangText='Full-service resolver:'> | <dd> | |||
<iref item='Full-service resolver'/> | <iref item="Full-service resolver" subitem="" primary="false"/> | |||
Section 6.1.3.1 of <xref target="RFC1123"/> defines this term | <xref target="RFC1123" sectionFormat="of" section="6.1.3.1"/> defines this term | |||
to mean a resolver that acts in recursive mode with a cache (and meets | as a resolver that acts in recursive mode with a cache (and meets | |||
other requirements).</t> | other requirements).</dd> | |||
<dt>Priming:</dt> | ||||
<t hangText='Priming:'> | <dd> | |||
<iref item='Priming'/> | <iref item="Priming" subitem="" primary="false"/> | |||
"The act of finding the list of root servers from a | "The act of finding the list of root servers from a | |||
configuration that lists some or all of the purported IP addresses of | configuration that lists some or all of the purported IP addresses of | |||
some or all of those root servers." (Quoted from <xref target="RFC8109"/>, Secti on 2) | some or all of those root servers." (Quoted from <xref target="RFC8109" sectionF ormat="comma" section="2"/>) | |||
In order to operate in recursive mode, a resolver needs to know the address of a t least one root server. | In order to operate in recursive mode, a resolver needs to know the address of a t least one root server. | |||
Priming is most often done from a configuration setting that contains a | Priming is most often done from a configuration setting that contains a | |||
list of authoritative servers for the root zone.</t> | list of authoritative servers for the root zone.</dd> | |||
<dt>Root hints:</dt> | ||||
<t hangText='Root hints:'> | <dd> | |||
<iref item='Root hints'/>"Operators who manage a DNS recursive resolver typicall | <iref item="Root hints" subitem="" primary="false"/>"Operators who man | |||
y need to configure | age a DNS recursive resolver typically need to configure | |||
a 'root hints file'. | a 'root hints file'. | |||
This file contains the names and IP addresses of the authoritative name servers | This file contains the names and IP addresses of the authoritative name servers | |||
for the root zone, so the software can bootstrap the DNS resolution process. | for the root zone, so the software can bootstrap the DNS resolution process. | |||
For many pieces of software, this list comes built into the software." (Quoted | For many pieces of software, this list comes built into the software." (Quoted | |||
from <xref target="IANA_RootFiles"/>) | from <xref target="IANA_RootFiles" format="default"/>) | |||
This file is often used in priming.</t> | This file is often used in priming.</dd> | |||
<dt>Negative caching:</dt> | ||||
<t hangText='Negative caching:'> | <dd> | |||
<iref item='Negative caching'/> | <iref item="Negative caching" subitem="" primary="false"/> | |||
"The storage of knowledge that something does not exist, cannot | "The storage of knowledge that something does not exist, cannot | |||
or does not give an answer." (Quoted from <xref target="RFC2308"/>, Section 1)</ | or does not give an answer." (Quoted from <xref target="RFC2308" sectionFormat=" | |||
t> | comma" section="1"/>)</dd> | |||
<dt>Authoritative server:</dt> | ||||
<t hangText='Authoritative server:'> | <dd> | |||
<iref item='Authoritative server'/> | <iref item="Authoritative server" subitem="" primary="false"/> | |||
<iref item='NS'/> | <iref item="NS" subitem="" primary="false"/> | |||
"A server that knows the content of a DNS zone from local knowledge, and thus ca n answer | "A server that knows the content of a DNS zone from local knowledge, and thus ca n answer | |||
queries about that zone without needing to query other servers." (Quoted from <x ref target="RFC2182"/>, Section 2) | queries about that zone without needing to query other servers." (Quoted from <x ref target="RFC2182" sectionFormat="comma" section="2"/>) | |||
An authoritative server is named in the NS ("name server") record in a zone. | An authoritative server is named in the NS ("name server") record in a zone. | |||
It is a system that responds to DNS queries with information about | It is a system that responds to DNS queries with information about | |||
zones for which it has been configured to answer with the AA flag in | zones for which it has been configured to answer with the AA flag in | |||
the response header set to 1. It is a server that has authority over | the response header set to 1. It is a server that has authority over | |||
one or more DNS zones. Note that it is possible for an authoritative | one or more DNS zones. Note that it is possible for an authoritative | |||
server to respond to a query without the parent zone delegating | server to respond to a query without the parent zone delegating | |||
authority to that server. Authoritative servers also provide | authority to that server. Authoritative servers also provide | |||
"referrals", usually to child zones delegated from them; these | "referrals", usually to child zones delegated from them; these | |||
referrals have the AA bit set to 0 and come with referral data in the | referrals have the AA bit set to 0 and come with referral data in the | |||
Authority and (if needed) the Additional sections.</t> | Authority and (if needed) the Additional sections.</dd> | |||
<dt>Authoritative-only server:</dt> | ||||
<t hangText='Authoritative-only server:'> | <dd> | |||
<iref item='Authoritative-only server'/> | <iref item="Authoritative-only server" subitem="" primary="false"/> | |||
A name server that only serves authoritative data and ignores requests for recur sion. | A name server that only serves authoritative data and ignores requests for recur sion. | |||
It will "not normally generate any queries of its own. Instead it answers non-r ecursive | It will "not normally generate any queries of its own. Instead it answers non-r ecursive | |||
queries from iterative resolvers looking for information in zones it serves." ( Quoted from <xref target="RFC4697"/>, Section 2.4) | queries from iterative resolvers looking for information in zones it serves." ( Quoted from <xref target="RFC4697" sectionFormat="comma" section="2.4"/>) | |||
In this case, "ignores requests for recursion" means "responds to requests for | In this case, "ignores requests for recursion" means "responds to requests for | |||
recursion with responses indicating that recursion was not performed".</t> | recursion with responses indicating that recursion was not performed".</dd> | |||
<dt>Zone transfer:</dt> | ||||
<t hangText='Zone transfer:'> | <dd> | |||
<iref item='Zone transfer'/> | <iref item="Zone transfer" subitem="" primary="false"/> | |||
The act of a client requesting a copy of a zone and an authoritative server | The act of a client requesting a copy of a zone and an authoritative server | |||
sending the needed information. | sending the needed information. | |||
(See <xref target="zones"/> for a description of zones.) | (See <xref target="zones" format="default"/> for a description of zones.) | |||
There are two common standard ways to do zone transfers: | There are two common standard ways to do zone transfers: | |||
the AXFR ("Authoritative Transfer") mechanism to copy the full zone (described i | the AXFR ("Authoritative Transfer") mechanism to copy the full zone (described i | |||
n <xref target="RFC5936"/>, and | n <xref target="RFC5936" format="default"/>, and | |||
the IXFR ("Incremental Transfer") mechanism to copy only parts of the zone that | the IXFR ("Incremental Transfer") mechanism to copy only parts of the zone that | |||
have changed (described in <xref target="RFC1995"/>). | have changed (described in <xref target="RFC1995" format="default"/>). | |||
Many systems use non-standard methods for zone transfer outside the DNS protocol | Many systems use non-standard methods for zone transfers outside the DNS protoco | |||
.</t> | l.</dd> | |||
<dt>Slave server:</dt> | ||||
<t hangText='Slave server:'> | <dd> | |||
<iref item='Slave server'/> | <iref item="Slave server" subitem="" primary="false"/> | |||
See "Secondary server".</t> | See "Secondary server".</dd> | |||
<dt>Secondary server:</dt> | ||||
<t hangText='Secondary server:'> | <dd> | |||
<iref item='Secondary server'/> | <iref item="Secondary server" subitem="" primary="false"/> | |||
"An authoritative server which uses zone transfer to retrieve the | "An authoritative server which uses zone transfer to retrieve the | |||
zone." (Quoted from <xref target="RFC1996"/>, Section 2.1) | zone." (Quoted from <xref target="RFC1996" sectionFormat="comma" section="2.1"/> | |||
Secondary servers are also discussed in <xref target="RFC1034"/>. | ) | |||
<xref target="RFC2182"/> describes secondary servers in | Secondary servers are also discussed in <xref target="RFC1034" format="default"/ | |||
more detail. Although early DNS RFCs such as <xref target="RFC1996"/> referred | >. | |||
to this as a "slave", the | <xref target="RFC2182" format="default"/> describes secondary servers in | |||
more detail. Although early DNS RFCs such as <xref target="RFC1996" format="def | ||||
ault"/> referred to this as a "slave", the | ||||
current common usage has shifted to calling it a "secondary". | current common usage has shifted to calling it a "secondary". | |||
</t> | </dd> | |||
<dt>Master server:</dt> | ||||
<t hangText='Master server:'> | <dd> | |||
<iref item='Master server'/> | <iref item="Master server" subitem="" primary="false"/> | |||
See "Primary server".</t> | See "Primary server".</dd> | |||
<dt>Primary server:</dt> | ||||
<t hangText='Primary server:'> | <dd> | |||
<iref item='Primary server'/> | <iref item="Primary server" subitem="" primary="false"/> | |||
"Any authoritative server configured to be the source of zone transfer | "Any authoritative server configured to be the source of zone transfer | |||
for one or more [secondary] servers." (Quoted from <xref target="RFC1996"/>, Sec | for one or more [secondary] servers." (Quoted from <xref target="RFC1996" sectio | |||
tion 2.1) Or, more | nFormat="comma" section="2.1"/>) Or, more | |||
specifically, <xref target="RFC2136"/> calls it "an authoritative server configu | specifically, <xref target="RFC2136" format="default"/> calls it "an authoritati | |||
red to be the source of AXFR or IXFR data | ve server configured to be the source of AXFR or IXFR data | |||
for one or more [secondary] servers". | for one or more [secondary] servers". | |||
Primary servers are also discussed in <xref target="RFC1034"/>. | Primary servers are also discussed in <xref target="RFC1034" format="default"/>. | |||
Although early DNS RFCs such as <xref target="RFC1996"/> referred to this as a " | Although early DNS RFCs such as <xref target="RFC1996" format="default"/> referr | |||
master", the current | ed to this as a "master", the current | |||
common usage has shifted to "primary".</t> | common usage has shifted to "primary".</dd> | |||
<dt>Primary master:</dt> | ||||
<t hangText='Primary master:'> | <dd> | |||
<iref item='Primary master'/> | <iref item="Primary master" subitem="" primary="false"/> | |||
"The primary master is named in the zone's SOA MNAME field and | "The primary master is named in the zone's SOA MNAME field and | |||
optionally by an NS RR." (Quoted from <xref target="RFC1996"/>, Section 2.1) | optionally by an NS RR." (Quoted from <xref target="RFC1996" sectionFormat="comm | |||
<xref target="RFC2136"/> defines "primary master" as | a" section="2.1"/>) | |||
<xref target="RFC2136" format="default"/> defines "primary master" as | ||||
"Master server at the root of the AXFR/IXFR dependency graph. | "Master server at the root of the AXFR/IXFR dependency graph. | |||
The primary master is named in the zone's SOA MNAME field and optionally by an N S RR. There is by | The primary master is named in the zone's SOA MNAME field and optionally by an N S RR. There is by | |||
definition only one primary master server per zone." | definition only one primary master server per zone." | |||
</t> | </dd> | |||
<dt/> | ||||
<t>The idea of a primary master is only used in <xref target="RFC1996"/> and <xr | <dd>The idea of a primary master is only used in <xref target="RFC1996" | |||
ef target="RFC2136"/>. | format="default"/> and <xref target="RFC2136" format="default"/>. | |||
A modern interpretation of the term "primary master" is a server that is both au thoritative for a zone | A modern interpretation of the term "primary master" is a server that is both au thoritative for a zone | |||
and that gets its updates to the zone from configuration (such as a master file) | and that gets its updates to the zone from configuration (such as a master file) | |||
or from UPDATE transactions.</t> | or from UPDATE transactions.</dd> | |||
<dt>Stealth server:</dt> | ||||
<t hangText='Stealth server:'> | <dd> | |||
<iref item='Stealth server'/> | <iref item="Stealth server" subitem="" primary="false"/> | |||
This is "like a slave server except not listed in an NS RR for | This is "like a slave server except not listed in an NS RR for | |||
the zone." (Quoted from <xref target="RFC1996"/>, Section 2.1)</t> | the zone." (Quoted from <xref target="RFC1996" sectionFormat="comma" section="2. | |||
1"/>)</dd> | ||||
<t hangText='Hidden master:'> | <dt>Hidden master:</dt> | |||
<iref item='Hidden master'/> | <dd> | |||
<iref item="Hidden master" subitem="" primary="false"/> | ||||
A stealth server that is a primary server for zone transfers. "In this arrangeme nt, the | A stealth server that is a primary server for zone transfers. "In this arrangeme nt, the | |||
master name server that processes the updates is unavailable to general hosts on the | master name server that processes the updates is unavailable to general hosts on the | |||
Internet; it is not listed in the NS RRset." (Quoted from | Internet; it is not listed in the NS RRset." (Quoted from | |||
<xref target="RFC6781"/>, Section 3.4.3) An earlier RFC, <xref target="RFC4641" | <xref target="RFC6781" sectionFormat="comma" section="3.4.3"/>) | |||
/>, said | <xref target="RFC4641" format="default"/> said | |||
that the hidden master's name "appears in the SOA RRs MNAME field", although, in | that the hidden master's name "appears in the SOA RRs MNAME field"; however, the | |||
some | name does not appear at all in the global DNS in some setups. A hidden master | |||
setups, the name does not appear at all in the global DNS. A hidden master can | can also be a | |||
also be a | secondary server for the zone itself.</dd> | |||
secondary server for the zone itself.</t> | <dt>Forwarding:</dt> | |||
<dd> | ||||
<t hangText='Forwarding:'> | <iref item="Forwarding" subitem="" primary="false"/> | |||
<iref item='Forwarding'/> | ||||
The process of one server sending a DNS query with the | The process of one server sending a DNS query with the | |||
RD bit set to 1 to another server to resolve that query. Forwarding is | RD bit set to 1 to another server to resolve that query. Forwarding is | |||
a function of a DNS resolver; it is different than simply blindly | a function of a DNS resolver; it is different than simply blindly | |||
relaying queries.</t> | relaying queries.</dd> | |||
<t><xref target="RFC5625"/> does not give a specific definition for forwarding, | <dt/> | |||
but | <dd> | |||
<xref target="RFC5625" format="default"/> does not give a specific def | ||||
inition for forwarding, but | ||||
describes in detail what features a system that forwards needs to | describes in detail what features a system that forwards needs to | |||
support. Systems that forward are sometimes called "DNS proxies", but | support. Systems that forward are sometimes called "DNS proxies", but | |||
that term has not yet been defined (even in <xref target="RFC5625"/>).</t> | that term has not yet been defined (even in <xref target="RFC5625" format="defau | |||
lt"/>).</dd> | ||||
<t hangText='Forwarder:'> | <dt>Forwarder:</dt> | |||
<iref item='Forwarder'/> | <dd> | |||
Section 1 of <xref target="RFC2308"/> describes a forwarder as "a | <iref item="Forwarder" subitem="" primary="false"/> | |||
<xref target="RFC2308" sectionFormat="of" section="1"/> describes a forwarder as | ||||
"a | ||||
nameserver used to resolve queries instead of directly using the | nameserver used to resolve queries instead of directly using the | |||
authoritative nameserver chain". <xref target="RFC2308"/> further says "The | authoritative nameserver chain". <xref target="RFC2308" format="default"/> furt her says "The | |||
forwarder typically either has better access to the internet, or | forwarder typically either has better access to the internet, or | |||
maintains a bigger cache which may be shared amongst many resolvers." | maintains a bigger cache which may be shared amongst many resolvers." | |||
That definition appears to suggest that forwarders | That definition appears to suggest that forwarders | |||
normally only query authoritative servers. In current use, however, | normally only query authoritative servers. In current use, however, | |||
forwarders often stand between stub resolvers and recursive servers. | forwarders often stand between stub resolvers and recursive servers. | |||
<xref target="RFC2308"/> is silent on whether a forwarder is iterative-only or | <xref target="RFC2308" format="default"/> is silent on whether a forwarder is it | |||
can be a full-service resolver.</t> | erative-only or | |||
can be a full-service resolver.</dd> | ||||
<t hangText='Policy-implementing resolver:'> | <dt>Policy-implementing resolver:</dt> | |||
<iref item='Policy-implementing resolver'/> | <dd> | |||
<iref item="Policy-implementing resolver" subitem="" primary="false"/> | ||||
A resolver acting in recursive mode that changes some of the answers | A resolver acting in recursive mode that changes some of the answers | |||
that it returns based on policy criteria, such as to prevent access to | that it returns based on policy criteria, such as to prevent access to | |||
malware sites or objectionable content. In general, a stub resolver has no idea | malware sites or objectionable content. In general, a stub resolver has no idea | |||
whether upstream resolvers implement such policy or, if they do, the exact | whether upstream resolvers implement such policy or, if they do, the exact | |||
policy about what changes will be made. | policy about what changes will be made. | |||
In some cases, the user of the stub resolver has selected the policy-implementin g resolver | In some cases, the user of the stub resolver has selected the policy-implementin g resolver | |||
with the explicit intention of using it to implement the policies. In other cas es, | with the explicit intention of using it to implement the policies. In other cas es, | |||
policies are imposed without the user of the stub resolver being informed.</t> | policies are imposed without the user of the stub resolver being informed.</dd> | |||
<dt>Open resolver:</dt> | ||||
<t hangText='Open resolver:'> | <dd> | |||
<iref item='Open resolver'/> | <iref item="Open resolver" subitem="" primary="false"/> | |||
A full-service resolver that accepts and processes queries from any (or nearly a ny) client. | A full-service resolver that accepts and processes queries from any (or nearly a ny) client. | |||
This is sometimes also called a "public resolver", although the term "public res olver" | This is sometimes also called a "public resolver", although the term "public res olver" | |||
is used more with open resolvers that are meant to be open, as compared to the v ast majority of open | is used more with open resolvers that are meant to be open, as compared to the v ast majority of open | |||
resolvers that are probably misconfigured to be open. | resolvers that are probably misconfigured to be open. | |||
Open resolvers are discussed in <xref target="RFC5358"/>.</t> | Open resolvers are discussed in <xref target="RFC5358" format="default"/>.</dd> | |||
<dt>Split DNS:</dt> | ||||
<t hangText='Split DNS:'> | <dd> | |||
<iref item='Split DNS'/> | <iref item="Split DNS" subitem="" primary="false"/> | |||
<iref item='Split-horizon DNS'/> | <iref item="Split-horizon DNS" subitem="" primary="false"/> | |||
The terms "split DNS" and "split-horizon DNS" have long been used in the DNS com munity without | The terms "split DNS" and "split-horizon DNS" have long been used in the DNS com munity without | |||
formal definition. In general, they refer to situations in which | formal definition. In general, they refer to situations in which | |||
DNS servers that are authoritative for a particular set of domains | DNS servers that are authoritative for a particular set of domains | |||
provide partly or completely different answers in those domains depending | provide partly or completely different answers in those domains depending | |||
on the source of the query. The effect of this is that a domain name that | on the source of the query. | |||
is notionally globally unique nevertheless has different meanings for | Nevertheless, the effect of this is that a domain name that | |||
is notionally globally unique has different meanings for | ||||
different network users. This can sometimes be the result of a "view" | different network users. This can sometimes be the result of a "view" | |||
configuration, described below.</t> | configuration, as described below.</dd> | |||
<dt/> | ||||
<t>Section 3.8 of <xref target="RFC2775"/> gives a related definition that is to | <dd><xref target="RFC2775" sectionFormat="of" section="3.8"/> gives a re | |||
o specific to be generally useful.</t> | lated definition that is too specific to be generally useful.</dd> | |||
<dt>View:</dt> | ||||
<t hangText='View:'> | <dd> | |||
<iref item='View'/> | <iref item="View" subitem="" primary="false"/> | |||
A configuration for a DNS server that allows it to provide | A configuration for a DNS server that allows it to provide | |||
different responses depending on attributes of the query, such as for "split DNS ". Typically, views differ | different responses depending on attributes of the query, such as for "split DNS ". Typically, views differ | |||
by the source IP address of a query, but can also be based on the destination IP address, | by the source IP address of a query, but can also be based on the destination IP address, | |||
the type of query (such as AXFR), whether it is recursive, and so on. | the type of query (such as AXFR), whether it is recursive, and so on. | |||
Views are often used to | Views are often used to | |||
provide more names or different addresses to queries from "inside" a protected n etwork | provide more names or different addresses to queries from "inside" a protected n etwork | |||
than to those "outside" that network. Views are not a standardized | than to those "outside" that network. Views are not a standardized | |||
part of the DNS, but they are widely implemented in server software.</t> | part of the DNS, but they are widely implemented in server software.</dd> | |||
<dt>Passive DNS:</dt> | ||||
<t hangText='Passive DNS:'> | <dd> | |||
<iref item='Passive DNS'/> | <iref item="Passive DNS" subitem="" primary="false"/> | |||
A mechanism to collect DNS data by storing DNS responses from name servers. Some of these systems | A mechanism to collect DNS data by storing DNS responses from name servers. Some of these systems | |||
also collect the DNS queries associated with the responses, although doing so ra ises some privacy | also collect the DNS queries associated with the responses, although doing so ra ises some privacy | |||
concerns. Passive DNS databases can be used to answer historical questions about DNS zones such as | concerns. Passive DNS databases can be used to answer historical questions about DNS zones, such as | |||
which values were present at a given time in the past, or when a name was spotte d first. | which values were present at a given time in the past, or when a name was spotte d first. | |||
Passive DNS databases allow searching of the stored records on keys other than | Passive DNS databases allow searching of the stored records on keys other than | |||
just the name and type, such as "find all names which have A records of a | just the name and type, such as "find all names which have A records of a | |||
particular value".</t> | particular value".</dd> | |||
<dt>Anycast:</dt> | ||||
<t hangText='Anycast:'> | <dd> | |||
<iref item='Anycast'/> | <iref item="Anycast" subitem="" primary="false"/> | |||
"The practice of making a particular service address available in multiple, disc rete, autonomous | "The practice of making a particular service address available in multiple, disc rete, autonomous | |||
locations, such that datagrams sent are routed to one of several available locat ions." | locations, such that datagrams sent are routed to one of several available locat ions." | |||
(Quoted from <xref target="RFC4786"/>, Section 2) | (Quoted from <xref target="RFC4786" sectionFormat="comma" section="2"/>) | |||
See <xref target="RFC4786"/> for more detail on Anycast and other terms that are | See <xref target="RFC4786" format="default"/> for more detail on Anycast and oth | |||
specific to its use.</t> | er terms that are | |||
specific to its use.</dd> | ||||
<t hangText='Instance:'> | <dt>Instance:</dt> | |||
<iref item='Instance'/> | <dd> | |||
<iref item="Instance" subitem="" primary="false"/> | ||||
"When anycast routing is used to allow more than one server to have the same IP | "When anycast routing is used to allow more than one server to have the same IP | |||
address, each one of those servers is commonly referred to as an 'instance'." | address, each one of those servers is commonly referred to as an 'instance'." | |||
It goes on to say: "An instance of a server, such as a root server, is often ref erred to as an 'Anycast | It goes on to say: "An instance of a server, such as a root server, is often ref erred to as an 'Anycast | |||
instance'." (Quoted from <xref target="RSSAC026" />)</t> | instance'." (Quoted from <xref target="RSSAC026" format="default"/>)</dd> | |||
<dt>Privacy-enabling DNS server:</dt> | ||||
<t hangText='Privacy-enabling DNS server:'> | <dd> | |||
<iref item='Privacy-enabling DNS server'/> | <iref item="Privacy-enabling DNS server" subitem="" primary="false"/> | |||
"A DNS server that implements | "A DNS server that implements | |||
DNS over TLS <xref target="RFC7858"/> and may optionally implement DNS over DTLS | DNS over TLS <xref target="RFC7858" format="default"/> and may optionally implem | |||
<xref target="RFC8094"/>." (Quoted from <xref target="RFC8310"/>, Section 2) | ent DNS over DTLS | |||
<xref target="RFC8094" format="default"/>." (Quoted from <xref target="RFC8310" | ||||
sectionFormat="comma" section="2"/>) | ||||
Other types of DNS servers might also be considered privacy-enabling, such as th ose | Other types of DNS servers might also be considered privacy-enabling, such as th ose | |||
running DNS-over-HTTPS <xref target="RFC8484" /> or DNS-over-QUIC <xref target=" | running DNS-over-HTTPS <xref target="RFC8484" format="default"/> or DNS-over-QUI | |||
RFC9250" />.</t> | C <xref target="RFC9250" format="default"/>.</dd> | |||
<dt>DNS-over-TLS (DoT):</dt> | ||||
<t hangText='DNS-over-TLS (DoT):'> | <dd> | |||
<iref item='DNS-over-TLS'/> | <iref item="DNS-over-TLS" subitem="" primary="false"/> | |||
<iref item='DoT'/> | <iref item="DoT" subitem="" primary="false"/> | |||
DNS over TLS as defined in <xref target="RFC7858"/> and its successors.</t> | DNS over TLS as defined in <xref target="RFC7858" format="default"/> and its suc | |||
cessors.</dd> | ||||
<t hangText='DNS-over-HTTPS (DoH):'> | <dt>DNS-over-HTTPS (DoH):</dt> | |||
<iref item='DNS-over-HTTPS'/> | <dd> | |||
<iref item='DoH'/> | <iref item="DNS-over-HTTPS" subitem="" primary="false"/> | |||
DNS over HTTPS as defined in <xref target="RFC8484" /> and its successors.</t> | <iref item="DoH" subitem="" primary="false"/> | |||
DNS over HTTPS as defined in <xref target="RFC8484" format="default"/> and its s | ||||
<t hangText='DNS-over-QUIC (DoQ):'> | uccessors.</dd> | |||
<iref item='DNS-over-QUIC'/> | <dt>DNS-over-QUIC (DoQ):</dt> | |||
<iref item='DoQ'/> | <dd> | |||
DNS over QUIC as defined in <xref target="RFC9250" /> and its successors. | <iref item="DNS-over-QUIC" subitem="" primary="false"/> | |||
<xref target="RFC9250" /> specifically defines DoQ as a general purpose transpor | <iref item="DoQ" subitem="" primary="false"/> | |||
t | DNS over QUIC as defined in <xref target="RFC9250" format="default"/> and its su | |||
for DNS that can be used in stub to recursive, recursive to authoritative or | ccessors. | |||
zone transfer scenarios.</t> | <xref target="RFC9250" format="default"/> specifically defines DoQ as general-pu | |||
rpose transport | ||||
<t hangText='Classic DNS:'> | for DNS that can be used in stub to recursive, recursive to authoritative, and | |||
<iref item='Classic DNS'/> | zone transfer scenarios.</dd> | |||
DNS over UDP or TCP as defined in <xref target="RFC1035" /> and its successors. | <dt>Classic DNS:</dt> | |||
<dd> | ||||
<iref item="Classic DNS" subitem="" primary="false"/> | ||||
DNS over UDP or DNS over TCP as defined in <xref target="RFC1035" format="defaul | ||||
t"/> and its successors. | ||||
Classic DNS applies to DNS communication between stub resolvers and recursive | Classic DNS applies to DNS communication between stub resolvers and recursive | |||
resolvers, and between recursive resolvers and authoritative servers. | resolvers, and between recursive resolvers and authoritative servers. | |||
This has sometimes been called "Do53". | This has sometimes been called "Do53". | |||
Classic DNS is not encrypted.</t> | Classic DNS is not encrypted.</dd> | |||
<dt>Recursive DoT (RDoT):</dt> | ||||
<t hangText='Recursive DoT (RDoT):'> | <dd> | |||
<iref item='Recursive DoT'/> | <iref item="Recursive DoT" subitem="" primary="false"/> | |||
<iref item='RDoT'/> | <iref item="RDoT" subitem="" primary="false"/> | |||
RDoT specifically means DNS-over-TLS for transport between a stub resolver and a | RDoT specifically means DNS-over-TLS for transport between a stub resolver and a | |||
recursive resolver, or between a recursive resolver and another recursive resolv er. | recursive resolver, or between a recursive resolver and another recursive resolv er. | |||
This term is necessary because it is expected that DNS-over-TLS will later be | This term is necessary because it is expected that DNS-over-TLS will later be | |||
defined as a transport between recursive resolvers and authoritative servers.</t | defined as a transport between recursive resolvers and authoritative servers.</d | |||
> | d> | |||
<dt>Authoritative DoT (ADoT):</dt> | ||||
<t hangText='Authoritative DoT (ADoT):'> | <dd> | |||
<iref item='ADoT'/> | <iref item="ADoT" subitem="" primary="false"/> | |||
If DNS-over-TLS is later defined as a transport between recursive resolvers and | If DNS-over-TLS is later defined as a transport between recursive resolvers and | |||
authoritative servers, ADoT specifically means DNS-over-TLS for transport | authoritative servers, ADoT specifically means DNS-over-TLS for transport | |||
between recursive resolvers and authoritative servers.</t> | between recursive resolvers and authoritative servers.</dd> | |||
<dt>XFR-over-TLS (XoT):</dt> | ||||
<t hangText='XFR-over-TLS (XoT):'> | <dd> | |||
<iref item='XoT'/> | <iref item="XoT" subitem="" primary="false"/> | |||
<iref item='AXoT'/> | <iref item="AXoT" subitem="" primary="false"/> | |||
<iref item='IXoT'/> | <iref item="IXoT" subitem="" primary="false"/> | |||
DNS zone transfer over TLS, as specified in <xref target="RFC9103"/>. | DNS zone transfer over TLS, as specified in <xref target="RFC9103" format="defau | |||
This term applies to both AXFR over TLS (AXoT) and IXFR over TLS (IXoT).</t> | lt"/>. | |||
This term applies to both AXFR over TLS (AXoT) and IXFR over TLS (IXoT).</dd> | ||||
</list></t> | </dl> | |||
</section> | </section> | |||
<section anchor="zones" numbered="true" toc="default"> | ||||
<section anchor="zones" title="Zones"> | <name>Zones</name> | |||
<t>This section defines terms that are used when discussing zones that are | ||||
<t>This section defines terms that are used when discussing zones that are being | being served or retrieved.</t> | |||
served or retrieved.</t> | <dl newline="false" spacing="normal"> | |||
<dt>Zone:</dt> | ||||
<t><list style="hanging"> | <dd> | |||
<iref item="Zone" subitem="" primary="false"/> | ||||
<t hangText='Zone:'> | ||||
<iref item='Zone'/> | ||||
"Authoritative information is | "Authoritative information is | |||
organized into units called ZONEs, and these zones can be | organized into units called ZONEs, and these zones can be | |||
automatically distributed to the name servers which provide | automatically distributed to the name servers which provide | |||
redundant service for the data in a zone." (Quoted from <xref target="RFC1034"/ | redundant service for the data in a zone." (Quoted from <xref target="RFC1034" | |||
>, Section 2.4)</t> | sectionFormat="comma" section="2.4"/>)</dd> | |||
<dt>Child:</dt> | ||||
<t hangText='Child:'> | <dd> | |||
<iref item='Child'/> | <iref item="Child" subitem="" primary="false"/> | |||
"The entity on record that has the delegation of the domain from the | "The entity on record that has the delegation of the domain from the | |||
Parent." (Quoted from <xref target="RFC7344"/>, Section 1.1)</t> | Parent." (Quoted from <xref target="RFC7344" sectionFormat="comma" section="1.1" | |||
/>)</dd> | ||||
<t hangText='Parent:'> | <dt>Parent:</dt> | |||
<iref item='Parent'/> | <dd> | |||
"The domain in which the Child is registered." (Quoted from <xref target="RFC73 | <iref item="Parent" subitem="" primary="false"/> | |||
44"/>, Section 1.1) Earlier, | "The domain in which the Child is registered." (Quoted from <xref target="RFC73 | |||
"parent name server" was defined in <xref target="RFC0882"/> as "the name server | 44" sectionFormat="comma" section="1.1"/>) Earlier, | |||
that has authority over the place | "parent name server" was defined in <xref target="RFC0882" format="default"/> as | |||
"the name server that has authority over the place | ||||
in the domain name space that will hold the new domain". (Note | in the domain name space that will hold the new domain". (Note | |||
that <xref target="RFC0882"/> was obsoleted by <xref target="RFC1034"/> and <xre | that <xref target="RFC0882" format="default"/> was obsoleted by <xref target="RF | |||
f target="RFC1035"/>.) <xref target="RFC0819"/> also has some description of | C1034" format="default"/> and <xref target="RFC1035" format="default"/>.) | |||
the relationship between parents and children.</t> | ||||
<t hangText='Origin:'> | <xref target="RFC0819" format="default"/> also has some description of | |||
<iref item='Origin'/> | the relationship between parents and children.</dd> | |||
</t> | <dt>Origin:</dt> | |||
<t>There are two different uses for this term:<list style="format (%c)"> | <dd> | |||
<t>"The domain name that | <iref item="Origin" subitem="" primary="false"/> | |||
</dd> | ||||
<dt/> | ||||
<dd> | ||||
<t>There are two different uses for this term:</t> | ||||
<ol spacing="normal" type="(%c)"><li>"The domain name that | ||||
appears at the top of a zone (just below the cut that separates the | appears at the top of a zone (just below the cut that separates the | |||
zone from its parent)... The name of the zone is the same as the name | zone from its parent)... The name of the zone is the same as the name | |||
of the domain at the zone's origin." (Quoted from <xref target="RFC2181"/>, Sec tion 6) These days, this sense of | of the domain at the zone's origin." (Quoted from <xref target="RFC2181" sectio nFormat="comma" section="6"/>) These days, this sense of | |||
"origin" and "apex" (defined below) are often used | "origin" and "apex" (defined below) are often used | |||
interchangeably.</t> | interchangeably.</li> | |||
<t>The domain name within which a given relative domain name | <li>The domain name within which a given relative domain name | |||
appears in zone files. Generally seen in the context of "$ORIGIN", which is a | appears in zone files. Generally seen in the context of "$ORIGIN", which is a | |||
control entry defined in <xref target="RFC1035"/>, Section 5.1, as part of the m aster | control entry defined in <xref target="RFC1035" sectionFormat="comma" section="5 .1"/>, as part of the master | |||
file format. For example, if the $ORIGIN is set to "example.org.", | file format. For example, if the $ORIGIN is set to "example.org.", | |||
then a master file line for "www" is in fact an entry for | then a master file line for "www" is in fact an entry for | |||
"www.example.org.".</t></list></t> | "www.example.org.".</li> | |||
</ol> | ||||
<t hangText='Apex:'> | </dd> | |||
<iref item='Apex'/> | <dt>Apex:</dt> | |||
<dd> | ||||
<iref item="Apex" subitem="" primary="false"/> | ||||
The point in the tree at an owner of an SOA and corresponding authoritative NS R Rset. | The point in the tree at an owner of an SOA and corresponding authoritative NS R Rset. | |||
This is also called the "zone apex". | This is also called the "zone apex". | |||
<xref target="RFC4033"/> defines it as "the name at the child's side of a zone c ut". | <xref target="RFC4033" format="default"/> defines it as "the name at the child's side of a zone cut". | |||
The "apex" can usefully be thought of as a data-theoretic description of a tree structure, | The "apex" can usefully be thought of as a data-theoretic description of a tree structure, | |||
and "origin" is the name of the same concept when it is implemented in | and "origin" is the name of the same concept when it is implemented in | |||
zone files. The distinction is not always maintained in use, however, | zone files. The distinction is not always maintained in use, however, | |||
and one can find uses that conflict subtly with this definition. | and one can find uses that conflict subtly with this definition. | |||
<xref target="RFC1034"/> uses the term "top node of the zone" as a synonym of "a | <xref target="RFC1034" format="default"/> uses the term "top node of the zone" a | |||
pex", but that term is not widely used. | s a synonym of "apex", but that term is not widely used. | |||
These days, the first sense of "origin" (above) and "apex" are often used interc | These days, the first sense of "origin" (above) and "apex" are often used interc | |||
hangeably.</t> | hangeably.</dd> | |||
<dt>Zone cut:</dt> | ||||
<t hangText='Zone cut:'> | <dd> | |||
<iref item='Zone cut'/> | <iref item="Zone cut" subitem="" primary="false"/> | |||
The delimitation point between two zones where the origin | The delimitation point between two zones where the origin | |||
of one of the zones is the child of the other zone.</t> | of one of the zones is the child of the other zone.</dd> | |||
<t>"Zones are delimited by 'zone cuts'. Each zone cut separates a | <dt/> | |||
'child' zone (below the cut) from a 'parent' zone (above the cut)." (Quoted fro | <dd>"Zones are delimited by 'zone cuts'. Each zone cut separates a | |||
m <xref target="RFC2181"/>, Section 6; note that this is barely an ostensive | 'child' zone (below the cut) from a 'parent' zone (above the cut)." (Quoted fro | |||
m <xref target="RFC2181" sectionFormat="comma" section="6"/>; note that this is | ||||
barely an ostensive | ||||
definition.) | definition.) | |||
Section 4.2 of <xref target="RFC1034"/> uses "cuts" instead of "zone cut".</t> | <xref target="RFC1034" sectionFormat="of" section="4.2"/> uses "cuts" instead of | |||
"zone cut".</dd> | ||||
<t hangText='Delegation:'> | <dt>Delegation:</dt> | |||
<iref item='Delegation'/> | <dd> | |||
<iref item="Delegation" subitem="" primary="false"/> | ||||
The process by which a separate zone is created in the | The process by which a separate zone is created in the | |||
name space beneath the apex of a given domain. Delegation happens when an NS | name space beneath the apex of a given domain. Delegation happens when an NS | |||
RRset is added in the parent zone for the child origin. Delegation | RRset is added in the parent zone for the child origin. Delegation | |||
inherently happens at a zone cut. | inherently happens at a zone cut. | |||
The term is also commonly a noun: the new zone that is created by the act of del | The term is also commonly a noun: the new zone that is created by the act of del | |||
egating.</t> | egating.</dd> | |||
<dt>Authoritative data:</dt> | ||||
<t hangText='Authoritative data:'> | <dd> | |||
<iref item='Authoritative data'/> | <iref item="Authoritative data" subitem="" primary="false"/> | |||
"All of the RRs attached to all of the nodes from the top node of the zone | "All of the RRs attached to all of the nodes from the top node of the zone | |||
down to leaf nodes or nodes above cuts around the bottom edge of the zone." (Quo ted from | down to leaf nodes or nodes above cuts around the bottom edge of the zone." (Quo ted from | |||
<xref target="RFC1034"/>, Section 4.2.1) | <xref target="RFC1034" sectionFormat="comma" section="4.2.1"/>) | |||
Note that this definition might inadvertently also cause any NS records | Note that this definition might inadvertently also cause any NS records | |||
that appear in the zone to be included, even those that might not truly be autho ritative because there are | that appear in the zone to be included, even those that might not truly be autho ritative, because there are | |||
identical NS RRs below the zone cut. This reveals the ambiguity in | identical NS RRs below the zone cut. This reveals the ambiguity in | |||
the notion of authoritative data, because the parent-side NS records | the notion of authoritative data, because the parent-side NS records | |||
authoritatively indicate the delegation, even though they are not | authoritatively indicate the delegation, even though they are not | |||
themselves authoritative data.</t> | themselves authoritative data.</dd> | |||
<dt/> | ||||
<t><xref target="RFC4033"/>, Section 2, defines "Authoritative RRset", which is | <dd> | |||
related | <xref target="RFC4033" sectionFormat="comma" section="2"/>, defines "A | |||
to authoritative data but has a more precise definition.</t> | uthoritative RRset", which is related | |||
to authoritative data but has a more precise definition.</dd> | ||||
<t hangText='Lame delegation:'> | <dt>Lame delegation:</dt> | |||
<iref item='Lame delegation'/> | <dd> | |||
<iref item="Lame delegation" subitem="" primary="false"/> | ||||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"A lame delegations exists [sic] when a nameserver is delegated responsibility f or providing nameservice | "A lame delegations exists [sic] when a nameserver is delegated responsibility f or providing nameservice | |||
for a zone (via NS records) but is not performing nameservice for that zone (usu ally because it is | for a zone (via NS records) but is not performing nameservice for that zone (usu ally because it is | |||
not set up as a primary or secondary for the zone)." (Quoted from <xref target=" RFC1912"/>, Section 2.8) | not set up as a primary or secondary for the zone)." (Quoted from <xref target=" RFC1912" sectionFormat="comma" section="2.8"/>) | |||
<!--End DNE --> | <!--End DNE --> | |||
Another definition is that a lame delegation | Another definition is that a lame delegation | |||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"...happens when a name server is listed in the NS records for some domain and in fact it is not a | "...happens when a name server is listed in the NS records for some domain and in fact it is not a | |||
server for that domain. Queries are thus sent to the wrong servers, who don't kn ow nothing [sic] (at least | server for that domain. Queries are thus sent to the wrong servers, who don't kn ow nothing [sic] (at least | |||
not as expected) about the queried domain. Furthermore, sometimes these hosts (i f they exist!) don't | not as expected) about the queried domain. Furthermore, sometimes these hosts (i f they exist!) don't | |||
even run name servers." (Quoted from <xref target="RFC1713"/>, Section 2.3)</t> | even run name servers." (Quoted from <xref target="RFC1713" sectionFormat="comm | |||
<!--End DNE --> | a" section="2.3"/>)</dd> | |||
<!--End DNE --> | ||||
<t>These early definitions do not match the current use of the term "lame delega | <dt/> | |||
tion", | <dd> | |||
but there is not consensus on what a lame delegation is. | <t>These early definitions do not match the current use of the term "l | |||
ame delegation", | ||||
but there is no consensus on what a lame delegation is. | ||||
The term is used not only for the specific case described above, | The term is used not only for the specific case described above, | |||
but for a variety of other flaws in delegations that lead to non-authoritative | but for a variety of other flaws in delegations that lead to non-authoritative | |||
answers or no answers at all, such as: | answers or no answers at all, such as: | |||
<list style="symbols"> | ||||
<t> | ||||
a nameserver with an NS record for a zone that does not answer DNS queries | ||||
</t> | ||||
<t> | ||||
a nameserver with an IP address that is not reachable by the resolver | ||||
</t> | </t> | |||
<t> | <ul spacing="normal"> | |||
<li> | ||||
a nameserver with an NS record for a zone that does not answer DNS queries; | ||||
</li> | ||||
<li> | ||||
a nameserver with an IP address that is not reachable by the resolver; and | ||||
</li> | ||||
<li> | ||||
a nameserver that responds to a query for a specific name with an error or | a nameserver that responds to a query for a specific name with an error or | |||
without the authoritative bit set | without the authoritative bit set. | |||
</t> | </li> | |||
</list></t> | </ul> | |||
</dd> | ||||
<t>Because the term in current usage has drifted from the original definition, a | <dt/> | |||
nd now | <dd>Because the term in current usage has drifted from the original defi | |||
is not specific or clear as to the intended meaning, it should be considered his | nition, and now | |||
toric, | is not specific or clear as to the intended meaning, it should be considered his | |||
and avoided in favor of terms that are specific and clear.</t> | toric | |||
and avoided in favor of terms that are specific and clear.</dd> | ||||
<t hangText='Glue records:'> | <dt>Glue records:</dt> | |||
<iref item='Glue records'/> | <dd> | |||
<iref item="Glue records" subitem="" primary="false"/> | ||||
<!--begin DNE --> | <!--begin DNE --> | |||
"...[Resource records] which are not part of the authoritative data [of the zone ], | "...[Resource records] which are not part of the authoritative data [of the zone ], | |||
and are address RRs for the [name] servers [in subzones]. These RRs are only | and are address RRs for the [name] servers [in subzones]. These RRs are only | |||
necessary if the name server's name is 'below' the cut, and are only used as par t of a | necessary if the name server's name is 'below' the cut, and are only used as par t of a | |||
referral response." Without glue "we could be faced with the situation where the NS RRs | referral response." Without glue "we could be faced with the situation where the NS RRs | |||
tell us that in order to learn a name server's address, we should contact the se rver using | tell us that in order to learn a name server's address, we should contact the se rver using | |||
the address we wish to learn." (Quoted from <xref target="RFC1034"/>, Section 4 | the address we wish to learn." (Quoted from <xref target="RFC1034" sectionForma | |||
.2.1)</t> | t="comma" section="4.2.1"/>)</dd> | |||
<!--End DNE --> | <!--End DNE --> | |||
<t>A later definition is that glue | <dt/> | |||
<dd>A later definition is that glue | ||||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"includes any record in a zone file that is not properly | "includes any record in a zone file that is not properly | |||
part of that zone, including nameserver records of delegated sub-zones (NS recor ds), | part of that zone, including nameserver records of delegated sub-zones (NS recor ds), | |||
address records that accompany those NS records (A, AAAA, etc), and any other st ray data | address records that accompany those NS records (A, AAAA, etc), and any other st ray data | |||
that might appear." (Quoted from <xref target="RFC2181"/>, Section 5.4.1) | that might appear." (Quoted from <xref target="RFC2181" sectionFormat="comma" s ection="5.4.1"/>) | |||
<!--End DNE --> | <!--End DNE --> | |||
Although glue is sometimes used today | Although glue is sometimes used today | |||
with this wider definition in mind, the context surrounding the definition in <x ref target="RFC2181"/> | with this wider definition in mind, the context surrounding the definition in <x ref target="RFC2181" format="default"/> | |||
suggests it is intended to apply to the use of glue within the document itself a nd not | suggests it is intended to apply to the use of glue within the document itself a nd not | |||
necessarily beyond.</t> | necessarily beyond.</dd> | |||
<dt/> | ||||
<t>In an NS record, there are three types of relationships between the owner nam | <dd>In an NS record, there are three types of relationships between the | |||
e of the record | owner name of the record, the name in the NS RDATA, and the zone origin: unrelat | |||
and the name in the NS RDATA and the zone origin: unrelated, in-domain, and sibl | ed, in-domain, and sibling domain. | |||
ing domain. | ||||
The application of these three types of relationships to glue records is defined in | The application of these three types of relationships to glue records is defined in | |||
<xref target="I-D.ietf-dnsop-glue-is-not-optional"/>. | <xref target="RFC9471" format="default"/>. | |||
</t> | </dd> | |||
<dt/> | ||||
<t>An unrelated relationship is one where the NS RDATA contains a name server | <dd>An unrelated relationship is one where the NS RDATA contains a name | |||
server | ||||
that is not subordinate to the zone origin and therefore is not part of the same zone. | that is not subordinate to the zone origin and therefore is not part of the same zone. | |||
</t> | </dd> | |||
<dt/> | ||||
<t> | <dd> | |||
<iref item='In-domain'/> | <iref item="In-domain" subitem="" primary="false"/> | |||
An in-domain relationship is one where the NS RDATA contains a name server | An in-domain relationship is one where the NS RDATA contains a name server | |||
whose name is either | whose name is either | |||
subordinate to or (rarely) the same as the owner name of the NS resource records . | subordinate to or (rarely) the same as the owner name of the NS resource records . | |||
For example, a delegation for "child.example.com" might have an in-domain name | For example, a delegation for "child.example.com" might have an in-domain name | |||
server called "ns.child.example.com". | server called "ns.child.example.com". | |||
</t> | </dd> | |||
<dt/> | ||||
<t> | <dd> | |||
<iref item='Sibling domain'/> | <iref item="Sibling domain" subitem="" primary="false"/> | |||
A sibling domain relationship is one where the NS RDATA contains a name server | A sibling domain relationship is one where the NS RDATA contains a name server | |||
whose name is either subordinate to or | whose name is either subordinate to or | |||
(rarely) the same as the zone origin of the parent and not subordinate to or the same as the | (rarely) the same as the zone origin of the parent and not subordinate to or the same as the | |||
owner name of the NS resource records. | owner name of the NS resource records. | |||
For example, a delegation for "child.example.com" in "example.com" zone might ha ve | For example, a delegation for "child.example.com" in "example.com" zone might ha ve | |||
a sibling domain name server called "ns.another.example.com". | a sibling domain name server called "ns.another.example.com". | |||
</t> | </dd> | |||
<dt/> | ||||
<t>The following table shows examples of delegation types:</t> | <dd>The following table shows examples of delegation types:</dd> | |||
<dt/><dd> | ||||
<t><table anchor="delegation_types"> | <table anchor="delegation_types"> | |||
<thead> | <thead> | |||
<tr> <th>Delegation</th> <th>Parent</th> <th>Name Server Name</th> <th>T | <tr> | |||
ype</th></tr> | <th>Delegation</th> | |||
</thead> | <th>Parent</th> | |||
<tbody> | <th>Name Server Name</th> | |||
<tr> <td>com</td> <td>.</td> <td>a.gtld-servers.net</td> <td>sibling dom | <th>Type</th> | |||
ain</td></tr> | </tr> | |||
<tr> <td>net</td> <td>.</td> <td>a.gtld-servers.net</td> <td>in-domain</ | </thead> | |||
td></tr> | <tbody> | |||
<tr> <td>example.org</td> <td>org</td> <td>ns.example.org</td> <td>in-do | <tr> | |||
main</td></tr> | <td>com</td> | |||
<tr> <td>example.org</td> <td>org</td> <td>ns.ietf.org</td> <td>sibling | <td>.</td> | |||
domain</td></tr> | <td>a.gtld-servers.net</td> | |||
<tr> <td>example.org</td> <td>org</td> <td>ns.example.com</td> <td>unrel | <td>sibling domain</td> | |||
ated</td></tr> | </tr> | |||
<tr> <td>example.jp</td> <td>jp</td> <td>ns.example.jp</td> <td>in-domai | <tr> | |||
n</td></tr> | <td>net</td> | |||
<tr> <td>example.jp</td> <td>jp</td> <td>ns.example.ne.jp</td> <td>sibli | <td>.</td> | |||
ng domain</td></tr> | <td>a.gtld-servers.net</td> | |||
<tr> <td>example.jp</td> <td>jp</td> <td>ns.example.com</td> <td>unrelat | <td>in-domain</td> | |||
ed</td></tr> | </tr> | |||
</tbody> | <tr> | |||
</table></t> | <td>example.org</td> | |||
<td>org</td> | ||||
<t hangText='Bailiwick:'> | <td>ns.example.org</td> | |||
<iref item='Bailiwick'/> | <td>in-domain</td> | |||
<iref item='In-bailiwick'/> | </tr> | |||
<iref item='Out-of-bailiwick'/> | <tr> | |||
<td>example.org</td> | ||||
<td>org</td> | ||||
<td>ns.ietf.org</td> | ||||
<td>sibling domain</td> | ||||
</tr> | ||||
<tr> | ||||
<td>example.org</td> | ||||
<td>org</td> | ||||
<td>ns.example.com</td> | ||||
<td>unrelated</td> | ||||
</tr> | ||||
<tr> | ||||
<td>example.jp</td> | ||||
<td>jp</td> | ||||
<td>ns.example.jp</td> | ||||
<td>in-domain</td> | ||||
</tr> | ||||
<tr> | ||||
<td>example.jp</td> | ||||
<td>jp</td> | ||||
<td>ns.example.ne.jp</td> | ||||
<td>sibling domain</td> | ||||
</tr> | ||||
<tr> | ||||
<td>example.jp</td> | ||||
<td>jp</td> | ||||
<td>ns.example.com</td> | ||||
<td>unrelated</td> | ||||
</tr> | ||||
</tbody> | ||||
</table> | ||||
</dd> | ||||
<dt>Bailiwick:</dt> | ||||
<dd> | ||||
<iref item="Bailiwick" subitem="" primary="false"/> | ||||
<iref item="In-bailiwick" subitem="" primary="false"/> | ||||
<iref item="Out-of-bailiwick" subitem="" primary="false"/> | ||||
"In-bailiwick" and "Out-of-bailiwick" are modifiers used to describe the relatio nship between | "In-bailiwick" and "Out-of-bailiwick" are modifiers used to describe the relatio nship between | |||
a zone and the name servers for that zone. | a zone and the name servers for that zone. | |||
The dictionary definition of bailiwick has been observed to cause more co nfusion than meaning for this use. | The dictionary definition of bailiwick has been observed to cause more co nfusion than meaning for this use. | |||
These terms should be considered historic in nature.</t> | These terms should be considered historic in nature.</dd> | |||
<dt>Root zone:</dt> | ||||
<t hangText='Root zone:'> | <dd> | |||
<iref item='Root zone'/> | <iref item="Root zone" subitem="" primary="false"/> | |||
The zone of a DNS-based tree whose apex is the zero-length label. | The zone of a DNS-based tree whose apex is the zero-length label. | |||
Also sometimes called "the DNS root".</t> | Also sometimes called "the DNS root".</dd> | |||
<dt>Empty non-terminals (ENTs):</dt> | ||||
<t hangText='Empty non-terminals (ENT):'> | <dd> | |||
<iref item='Empty non-terminals (ENT)'/> | <iref item="Empty non-terminals (ENTs)" subitem="" primary="false"/> | |||
"Domain names that own no resource records but have subdomains that do." | "Domain names that own no resource records but have subdomains that do." | |||
(Quoted from <xref target="RFC4592"/>, Section 2.2.2) | (Quoted from <xref target="RFC4592" sectionFormat="comma" section="2.2.2"/>) | |||
A typical example is in SRV records: in the name | A typical example is in SRV records: in the name | |||
"_sip._tcp.example.com", it is likely that "_tcp.example.com" has no RRsets, but | "_sip._tcp.example.com", it is likely that "_tcp.example.com" has no RRsets, but | |||
that "_sip._tcp.example.com" has (at least) an SRV RRset.</t> | that "_sip._tcp.example.com" has (at least) an SRV RRset.</dd> | |||
<dt>Delegation-centric zone:</dt> | ||||
<t hangText='Delegation-centric zone:'> | <dd> | |||
<iref item='Delegation-centric zone'/> | <iref item="Delegation-centric zone" subitem="" primary="false"/> | |||
A zone that consists mostly of delegations to child zones. This term is | A zone that consists mostly of delegations to child zones. This term is | |||
used in contrast to a zone that might have some delegations to child zones but a lso has many data | used in contrast to a zone that might have some delegations to child zones but a lso has many data | |||
resource records for the zone itself and/or for child zones. | resource records for the zone itself and/or for child zones. | |||
The term is used in <xref target="RFC4956"/> and <xref target="RFC5155"/>, but i | The term is used in <xref target="RFC4956" format="default"/> and <xref target=" | |||
t is not defined in either document.</t> | RFC5155" format="default"/>, but it is not defined in either document.</dd> | |||
<dt>Occluded name:</dt> | ||||
<t hangText='Occluded name:'> | <dd> | |||
<iref item='Occluded name'/> | <iref item="Occluded name" subitem="" primary="false"/> | |||
<!--begin DNE --> | ||||
<!--begin DNE --> | ||||
"The addition of a delegation point via dynamic update will render all subordina te | "The addition of a delegation point via dynamic update will render all subordina te | |||
domain names to be in a limbo, still part of the zone but not available to the l ookup process. The | domain names to be in a limbo, still part of the zone but not available to the l ookup process. The | |||
addition of a DNAME resource record has the same impact. The subordinate names are said to be | addition of a DNAME resource record has the same impact. The subordinate names are said to be | |||
'occluded'." (Quoted from <xref target="RFC5936"/>, Section 3.5)</t> | 'occluded'." (Quoted from <xref target="RFC5936" sectionFormat="comma" section= | |||
"3.5"/>)</dd> | ||||
<t hangText='Fast flux DNS:'> | <dt>Fast flux DNS:</dt> | |||
<iref item='Fast flux DNS'/> | <dd> | |||
<iref item="Fast flux DNS" subitem="" primary="false"/> | ||||
This "occurs when a domain is [found] in DNS using A records to multiple IP addr esses, | This "occurs when a domain is [found] in DNS using A records to multiple IP addr esses, | |||
each of which has a very short Time-to-Live (TTL) value associated with it. Thi s means | each of which has a very short Time-to-Live (TTL) value associated with it. Thi s means | |||
that the domain resolves to varying IP addresses over a short period of time." | that the domain resolves to varying IP addresses over a short period of time." | |||
(Quoted from <xref target="RFC6561"/>, Section 1.1.5, with a typo corrected) | (Quoted from <xref target="RFC6561" sectionFormat="comma" section="1.1.5"/>, wit | |||
In addition to having legitimate uses, fast flux DNS can used to deliver malware | h a typo corrected) | |||
. | In addition to having legitimate uses, fast flux DNS can be used to deliver malw | |||
are. | ||||
Because the addresses change so rapidly, it is difficult to | Because the addresses change so rapidly, it is difficult to | |||
ascertain all the hosts. It should be noted that the technique also works | ascertain all the hosts. It should be noted that the technique also works | |||
with AAAA records, but such use is not frequently observed on the | with AAAA records, but such use is not frequently observed on the | |||
Internet as of this writing.</t> | Internet as of this writing.</dd> | |||
<dt>Reverse DNS, reverse lookup:</dt> | ||||
<t hangText='Reverse DNS, reverse lookup:'> | <dd> | |||
<iref item='Reverse DNS, reverse lookup'/> | <iref item="Reverse DNS, reverse lookup" subitem="" primary="false"/> | |||
"The process of mapping an address to a name is | "The process of mapping an address to a name is | |||
generally known as a 'reverse lookup', and the IN-ADDR.ARPA and | generally known as a 'reverse lookup', and the IN-ADDR.ARPA and | |||
IP6.ARPA zones are said to support the 'reverse DNS'." | IP6.ARPA zones are said to support the 'reverse DNS'." | |||
(Quoted from <xref target="RFC5855"/>, Section 1) | (Quoted from <xref target="RFC5855" sectionFormat="comma" section="1"/>) | |||
</t> | </dd> | |||
<dt>Forward lookup:</dt> | ||||
<t hangText='Forward lookup:'> | <dd> | |||
<iref item='Forward lookup'/> | <iref item="Forward lookup" subitem="" primary="false"/> | |||
"Hostname-to-address translation". (Quoted from | "Hostname-to-address translation". (Quoted from | |||
<xref target="RFC3493" />, Section 6) | <xref target="RFC3493" sectionFormat="comma" section="6"/>) | |||
</t> | ||||
<t hangText='arpa: Address and Routing Parameter Area Domain:'> | </dd> | |||
<iref item='arpa: Address and Routing Parameter Area Domain'/> | <dt>arpa (Address and Routing Parameter Area Domain):</dt><dd> | |||
<iref item="Address and Routing Parameter Area Domain (arpa)" subitem= | ||||
"" primary="false"/> | ||||
"The 'arpa' domain was originally established as part of the initial | "The 'arpa' domain was originally established as part of the initial | |||
deployment of the DNS, to provide a transition mechanism from the | deployment of the DNS to provide a transition mechanism from the | |||
Host Tables that were common in the ARPANET, as well as a home for | Host Tables that were common in the ARPANET, as well as a home for | |||
the IPv4 reverse mapping domain. During 2000, the abbreviation was | the IPv4 reverse mapping domain. During 2000, the abbreviation was | |||
redesignated to 'Address and Routing Parameter Area' in the hope of | redesignated to 'Address and Routing Parameter Area' in the hope of | |||
reducing confusion with the earlier network name." | reducing confusion with the earlier network name." | |||
(Quoted from <xref target="RFC3172"/>, Section 2) | (Quoted from <xref target="RFC3172" sectionFormat="comma" section="2"/>) | |||
.arpa is an "infrastructure domain", | .arpa is an "infrastructure domain", | |||
a domain whose "role is to | a domain whose "role is to | |||
support the operating infrastructure of the Internet". | support the operating infrastructure of the Internet". | |||
(Quoted from <xref target="RFC3172"/>, Section 2) | (Quoted from <xref target="RFC3172" sectionFormat="comma" section="2"/>) | |||
See <xref target="RFC3172"/> for more history of this name. | See <xref target="RFC3172" format="default"/> for more history of this name. | |||
</t> | </dd> | |||
<dt>Service name:</dt> | ||||
<t hangText='Service name:'> | <dd> | |||
<iref item='Service name'/> | <iref item="Service name" subitem="" primary="false"/> | |||
"Service names are the unique key in the Service Name and Transport | "Service names are the unique key in the Service Name and Transport | |||
Protocol Port Number registry. This unique symbolic name for a | Protocol Port Number registry. This unique symbolic name for a | |||
service may also be used for other purposes, such as in DNS SRV | service may also be used for other purposes, such as in DNS SRV | |||
records." (Quoted from <xref target="RFC6335"/>, Section 5) | records." (Quoted from <xref target="RFC6335" sectionFormat="comma" section="5"/ | |||
</t> | >) | |||
</dd> | ||||
</list></t> | </dl> | |||
</section> | </section> | |||
<section anchor="wildcards" numbered="true" toc="default"> | ||||
<section anchor="wildcards" title="Wildcards"> | <name>Wildcards</name> | |||
<t><list style="hanging"> | <dl newline="false" spacing="normal"> | |||
<dt>Wildcard:</dt> | ||||
<t hangText='Wildcard:'> | <dd> | |||
<iref item='Wildcard'/> | <iref item="Wildcard" subitem="" primary="false"/> | |||
<xref target="RFC1034"/> defined "wildcard", but in a way that turned out to be | <xref target="RFC1034" format="default"/> defined "wildcard", but in a | |||
way that turned out to be | ||||
confusing to implementers. | confusing to implementers. | |||
For an extended discussion of wildcards, including clearer definitions, see <xre f target="RFC4592"/>. | For an extended discussion of wildcards, including clearer definitions, see <xre f target="RFC4592" format="default"/>. | |||
Special treatment is given to RRs with owner names starting with the label "*". "Such RRs | Special treatment is given to RRs with owner names starting with the label "*". "Such RRs | |||
are called 'wildcards'. Wildcard RRs can be thought of as instructions for synth esizing RRs." | are called 'wildcards'. Wildcard RRs can be thought of as instructions for synth esizing RRs." | |||
(Quoted from <xref target="RFC1034"/>, Section 4.3.3) | (Quoted from <xref target="RFC1034" sectionFormat="comma" section="4.3.3"/>) | |||
</t> | </dd> | |||
<dt>Asterisk label:</dt> | ||||
<t hangText='Asterisk label:'> | <dd> | |||
<iref item='Asterisk label'/> | <iref item="Asterisk label" subitem="" primary="false"/> | |||
"The first octet is the normal label type and length for a 1-octet-long | "The first octet is the normal label type and length for a 1-octet-long | |||
label, and the second octet is the ASCII representation [RFC20] | label, and the second octet is the ASCII representation <xref target="RFC0020"/> | |||
for the '*' character. | for the '*' character. | |||
A descriptive name of a label equaling that value is an 'asterisk | A descriptive name of a label equaling that value is an 'asterisk | |||
label'." (Quoted from <xref target="RFC4592"/>, Section 2.1.1)</t> | label'." (Quoted from <xref target="RFC4592" sectionFormat="comma" section="2.1. | |||
1"/>)</dd> | ||||
<t hangText='Wildcard domain name:'> | <dt>Wildcard domain name:</dt> | |||
<iref item='Wildcard domain name'/> | <dd> | |||
<iref item="Wildcard domain name" subitem="" primary="false"/> | ||||
"A 'wildcard domain name' is defined by having its initial (i.e., | "A 'wildcard domain name' is defined by having its initial (i.e., | |||
leftmost or least significant) label, in binary format: 0000 0001 0010 1010 (bin ary) = 0x01 0x2a (hexadecimal)". | leftmost or least significant) label, in binary format: 0000 0001 0010 1010 (bin ary) = 0x01 0x2a (hexadecimal)". | |||
(Quoted from <xref target="RFC4592"/>, Section 2.1.1) The second octet in this | (Quoted from <xref target="RFC4592" sectionFormat="comma" section="2.1.1"/>) Th | |||
label is the ASCII representation for the "*" character.</t> | e second octet in this label is the ASCII representation for the "*" character.< | |||
/dd> | ||||
<t hangText='Closest encloser:'> | <dt>Closest encloser:</dt> | |||
<iref item='Closest encloser'/> | <dd> | |||
<iref item="Closest encloser" subitem="" primary="false"/> | ||||
"The longest existing ancestor of a name." | "The longest existing ancestor of a name." | |||
(Quoted from <xref target="RFC5155"/>, Section 1.3) | (Quoted from <xref target="RFC5155" sectionFormat="comma" section="1.3"/>) | |||
An earlier definition is "The node in the zone's tree of existing | An earlier definition is "The node in the zone's tree of existing | |||
domain names that has the most labels matching the query name | domain names that has the most labels matching the query name | |||
(consecutively, counting from the root label downward). Each match | (consecutively, counting from the root label downward). Each match | |||
is a 'label match' and the order of the labels is the same." | is a 'label match' and the order of the labels is the same." | |||
(Quoted from <xref target="RFC4592"/>, Section 3.3.1) | (Quoted from <xref target="RFC4592" sectionFormat="comma" section="3.3.1"/>) | |||
</t> | </dd> | |||
<dt>Closest provable encloser:</dt> | ||||
<t hangText='Closest provable encloser:'> | <dd> | |||
<iref item='Closest provable encloser'/> | <iref item="Closest provable encloser" subitem="" primary="false"/> | |||
"The longest ancestor of a name that can | "The longest ancestor of a name that can | |||
be proven to exist. Note that this is only different from the | be proven to exist. Note that this is only different from the | |||
closest encloser in an Opt-Out zone." | closest encloser in an Opt-Out zone." | |||
(Quoted from <xref target="RFC5155"/>, Section 1.3) | (Quoted from <xref target="RFC5155" sectionFormat="comma" section="1.3"/>) | |||
See <xref target="dnssec-general"/> for more on "opt-out". | See <xref target="dnssec-general" format="default"/> for more on "opt-out". | |||
</t> | </dd> | |||
<dt>Next closer name:</dt> | ||||
<t hangText='Next closer name:'> | <dd> | |||
<iref item='Next closer name'/> | <iref item="Next closer name" subitem="" primary="false"/> | |||
"The name one label longer than the closest | "The name one label longer than the closest | |||
provable encloser of a name." | provable encloser of a name." | |||
(Quoted from <xref target="RFC5155"/>, Section 1.3)</t> | (Quoted from <xref target="RFC5155" sectionFormat="comma" section="1.3"/>)</dd> | |||
<dt>Source of Synthesis:</dt> | ||||
<t hangText='Source of Synthesis:'> | <dd> | |||
<iref item='Source of Synthesis'/> | <t><iref item="Source of Synthesis" subitem="" primary="false"/> | |||
"The source of synthesis is defined in the context of a query process | "The source of synthesis is defined in the context of a query process | |||
as that wildcard domain name immediately descending from the closest | as that wildcard domain name immediately descending from the closest | |||
encloser, provided that this wildcard domain name exists. | encloser, provided that this wildcard domain name exists. | |||
'Immediately descending' means that the source of synthesis has a | 'Immediately descending' means that the source of synthesis has a | |||
name of the form: | name of the form: | |||
<vspace blankLines="0"/> | </t> | |||
<t> | ||||
<asterisk label>.<closest encloser>." | <asterisk label>.<closest encloser>." | |||
<vspace blankLines="0"/> | </t> | |||
(Quoted from <xref target="RFC4592"/>, Section 3.3.1)</t> | <t> | |||
(Quoted from <xref target="RFC4592" sectionFormat="comma" section="3.3.1"/>)</t> | ||||
</list></t> | </dd> | |||
</section> | </dl> | |||
</section> | ||||
<section anchor="reg-model" title="Registration Model"> | <section anchor="reg-model" numbered="true" toc="default"> | |||
<t><list style="hanging"> | <name>Registration Model</name> | |||
<dl newline="false" spacing="normal"> | ||||
<t hangText='Registry:'> | <dt>Registry:</dt> | |||
<iref item='Registry'/> | <dd> | |||
<iref item="Registry" subitem="" primary="false"/> | ||||
The administrative operation of a zone that allows registration of names within that | The administrative operation of a zone that allows registration of names within that | |||
zone. People often use this term to refer only to those organizations | zone. People often use this term to refer only to those organizations | |||
that perform registration in large delegation-centric zones (such as | that perform registration in large delegation-centric zones (such as | |||
TLDs); but formally, whoever decides what data goes into a zone is the | TLDs); but formally, whoever decides what data goes into a zone is the | |||
registry for that zone. | registry for that zone. | |||
This definition of "registry" is from a DNS point of view; for some zones, the p olicies | This definition of "registry" is from a DNS point of view; for some zones, the p olicies | |||
that determine what can go in the zone are decided by zones that are superordina | that determine what can go in the zone are decided by zones that are superordina | |||
te and not the registry operator.</t> | te and not the registry operator.</dd> | |||
<dt>Registrant:</dt> | ||||
<t hangText='Registrant:'> | <dd> | |||
<iref item='Registrant'/> | <iref item="Registrant" subitem="" primary="false"/> | |||
An individual or organization on whose behalf a name in | An individual or organization on whose behalf a name in | |||
a zone is registered by the registry. In many zones, the registry and | a zone is registered by the registry. In many zones, the registry and | |||
the registrant may be the same entity, but in TLDs they often are | the registrant may be the same entity, but in TLDs they often are | |||
not.</t> | not.</dd> | |||
<dt>Registrar:</dt> | ||||
<t hangText='Registrar:'> | <dd> | |||
<iref item='Registrar'/> | <iref item="Registrar" subitem="" primary="false"/> | |||
A service provider that acts as a go-between for | A service provider that acts as a go-between for | |||
registrants and registries. Not all registrations require a | registrants and registries. Not all registrations require a | |||
registrar, though it is common to have registrars involved in | registrar, though it is common to have registrars involved in | |||
registrations in TLDs.</t> | registrations in TLDs.</dd> | |||
<dt>EPP:</dt> | ||||
<t hangText='EPP:'> | <dd> | |||
<iref item='EPP'/> | <iref item="EPP" subitem="" primary="false"/> | |||
The Extensible Provisioning Protocol (EPP), which is commonly used for communica tion | The Extensible Provisioning Protocol (EPP), which is commonly used for communica tion | |||
of registration information between registries and registrars. EPP is defined in | of registration information between registries and registrars. EPP is defined in | |||
<xref target="RFC5730"/>.</t> | <xref target="RFC5730" format="default"/>.</dd> | |||
<dt>WHOIS:</dt> | ||||
<t hangText='WHOIS:'> | <dd> | |||
<iref item='WHOIS'/> | <iref item="WHOIS" subitem="" primary="false"/> | |||
A protocol specified in <xref target="RFC3912"/>, often used for querying regist | A protocol specified in <xref target="RFC3912" format="default"/>, often used fo | |||
ry databases. | r querying registry databases. | |||
WHOIS data is frequently used to associate registration data (such as zone manag ement | WHOIS data is frequently used to associate registration data (such as zone manag ement | |||
contacts) with domain names. | contacts) with domain names. | |||
The term "WHOIS data" is often used as a synonym for the registry database, even though | The term "WHOIS data" is often used as a synonym for the registry database, even though | |||
that database may be served by different protocols, particularly RDAP. | that database may be served by different protocols, particularly RDAP. | |||
The WHOIS protocol is also used with IP address registry data.</t> | The WHOIS protocol is also used with IP address registry data.</dd> | |||
<dt>RDAP:</dt> | ||||
<t hangText='RDAP:'> | <dd> | |||
<iref item='RDAP'/> | <iref item="RDAP" subitem="" primary="false"/> | |||
The Registration Data Access Protocol, defined in | The Registration Data Access Protocol, defined in | |||
<xref target="RFC7480"/>, <xref target="RFC7481"/>, <xref target="RFC7482"/>, <x | <xref target="RFC7480" format="default"/>, <xref target="RFC7481" format="defaul | |||
ref target="RFC7483"/>, | t"/>, <xref target="RFC7485" | |||
<xref target="RFC7484"/>, and <xref target="RFC7485"/>. | format="default"/>, <xref target="RFC9082" format="default"/>, <xref target="RFC | |||
The RDAP protocol and data format are meant as a replacement for WHOIS.</t> | 9083" format="default"/>, and | |||
<xref target="RFC9224" format="default"/>. | ||||
<t hangText='DNS operator:'> | The RDAP protocol and data format are meant as a replacement for WHOIS.</dd> | |||
<iref item='DNS operator'/> | <dt>DNS operator:</dt> | |||
<dd> | ||||
<iref item="DNS operator" subitem="" primary="false"/> | ||||
An entity responsible for running DNS servers. For a zone's authoritative server s, the registrant | An entity responsible for running DNS servers. For a zone's authoritative server s, the registrant | |||
may act as their own DNS operator, their registrar may do it on their behalf, or they may use a | may act as their own DNS operator, their registrar may do it on their behalf, or they may use a | |||
third-party operator. | third-party operator. | |||
For some zones, the registry function is performed by the DNS operator plus othe r entities | For some zones, the registry function is performed by the DNS operator plus othe r entities | |||
who decide about the allowed contents of the zone.</t> | who decide about the allowed contents of the zone.</dd> | |||
<dt>Public suffix:</dt> | ||||
<t hangText='Public suffix:'> | <dd> | |||
<iref item='Public suffix'/> | <iref item="Public suffix" subitem="" primary="false"/> | |||
"A domain that is controlled by a public registry." (Quoted from <xref target="R | "A domain that is controlled by a public registry." (Quoted from <xref target="R | |||
FC6265"/>, Section 5.3) | FC6265" sectionFormat="comma" section="5.3"/>) A common definition for this term | |||
A common definition for this term is a domain under which subdomains can be regi | is a domain under which subdomains can be registered by third parties and on wh | |||
stered by third parties and on which HTTP cookies | ich HTTP cookies | |||
(which are described in detail in <xref target="RFC6265"/>) should not be set. | (which are described in detail in <xref target="RFC6265" format="default"/>) sho | |||
uld not be set. | ||||
There is no indication in a domain name whether it is a public suffix; that can only be | There is no indication in a domain name whether it is a public suffix; that can only be | |||
determined by outside means. | determined by outside means. | |||
In fact, both a domain and a subdomain of that domain can be public suffixes. | In fact, both a domain and a subdomain of that domain can be public suffixes. | |||
</t> | </dd> | |||
<dt/> | ||||
<t>There is nothing inherent in a domain name to indicate whether it is | <dd>There is nothing inherent in a domain name to indicate whether it is | |||
a public suffix. One | a public suffix. One | |||
resource for identifying public suffixes is the Public Suffix List (PSL) | resource for identifying public suffixes is the Public Suffix List (PSL) | |||
maintained by Mozilla (https://publicsuffix.org/).</t> | maintained by Mozilla <eref brackets="angle" target="https://publicsuffix.org/"/ | |||
>.</dd> | ||||
<t>For example, at the time this document is published, | <dt/> | |||
<dd>For example, at the time this document is published, | ||||
the "com.au" domain is listed as a public suffix in the PSL. | the "com.au" domain is listed as a public suffix in the PSL. | |||
(Note that this example might change in the future.)</t> | (Note that this example might change in the future.)</dd> | |||
<dt/> | ||||
<t>Note that the term "public suffix" is controversial in the DNS | <dd>Note that the term "public suffix" is controversial in the DNS | |||
community for many reasons, and it may be significantly changed in the future. O ne example of the | community for many reasons, and it may be significantly changed in the future. O ne example of the | |||
difficulty of calling a domain a public suffix is that designation can change ov er time as the | difficulty of calling a domain a public suffix is that designation can change ov er time as the | |||
registration policy for the zone changes, such as was the case with the "uk" TLD | registration policy for the zone changes, such as was the case with the "uk" TLD | |||
in 2014.</t> | in 2014.</dd> | |||
<dt>Subordinate and Superordinate:</dt> | ||||
<t hangText='Subordinate and Superordinate:'> | <dd> | |||
<iref item='Subordinate'/> | <iref item="Subordinate" subitem="" primary="false"/> | |||
<iref item='Superordinate'/> | <iref item="Superordinate" subitem="" primary="false"/> | |||
These terms are introduced in <xref target="RFC5731"/> for use in the registrati | These terms are introduced in <xref target="RFC5731" format="default"/> for use | |||
on model, but not defined there. | in the registration model, but not defined there. | |||
Instead, they are given in examples. | Instead, they are given in examples. | |||
"For example, domain name 'example.com' has a superordinate relationship to host name | "For example, domain name 'example.com' has a superordinate relationship to host name | |||
ns1.example.com'... For example, host ns1.example1.com is a subordinate host of domain example1.com, | ns1.example.com'... For example, host ns1.example1.com is a subordinate host of domain example1.com, | |||
but it is a not a subordinate host of domain example2.com." | but it is a not a subordinate host of domain example2.com." | |||
(Quoted from <xref target="RFC5731"/>, Section 1.1) | (Quoted from <xref target="RFC5731" sectionFormat="comma" section="1.1"/>) | |||
These terms are strictly ways of referring to the relationship standing of two d omains | These terms are strictly ways of referring to the relationship standing of two d omains | |||
where one is a subdomain of the other.</t> | where one is a subdomain of the other.</dd> | |||
</dl> | ||||
</list></t> | </section> | |||
</section> | <section anchor="dnssec-general" numbered="true" toc="default"> | |||
<name>General DNSSEC</name> | ||||
<section anchor="dnssec-general" title="General DNSSEC"> | <t>Most DNSSEC terms are defined in <xref target="RFC4033" format="default | |||
"/>, | ||||
<t>Most DNSSEC terms are defined in <xref target="RFC4033"/>, | <xref target="RFC4034" format="default"/>, <xref target="RFC4035" format="defaul | |||
<xref target="RFC4034"/>, <xref target="RFC4035"/>, and <xref target="RFC5155"/> | t"/>, and <xref target="RFC5155" format="default"/>. The | |||
. The | ||||
terms that have caused confusion in the DNS community are highlighted here.</t> | terms that have caused confusion in the DNS community are highlighted here.</t> | |||
<dl newline="false" spacing="normal"> | ||||
<t><list style="hanging"> | <dt>DNSSEC-aware and DNSSEC-unaware:</dt> | |||
<dd> | ||||
<t hangText='DNSSEC-aware and DNSSEC-unaware:'> | <iref item="DNSSEC-aware and DNSSEC-unaware" subitem="" primary="false | |||
<iref item='DNSSEC-aware and DNSSEC-unaware'/> | "/> | |||
These two terms, which are used in some RFCs, have not been formally defined. | These two terms, which are used in some RFCs, have not been formally defined. | |||
However, Section 2 of <xref target="RFC4033"/> defines many types of resolvers a nd | However, <xref target="RFC4033" sectionFormat="of" section="2"/> defines many ty pes of resolvers and | |||
validators, including "non-validating security-aware stub resolver", "non-valida ting | validators, including "non-validating security-aware stub resolver", "non-valida ting | |||
stub resolver", "security-aware name server", "security-aware recursive name ser ver", | stub resolver", "security-aware name server", "security-aware recursive name ser ver", | |||
"security-aware resolver", "security-aware stub resolver", and "security-oblivio us 'anything'". | "security-aware resolver", "security-aware stub resolver", and "security-oblivio us 'anything'". | |||
(Note that the term "validating resolver", which is used in some | (Note that the term "validating resolver", which is used in some | |||
places in DNSSEC-related documents, is also not defined in those RFCs, but is de | places in DNSSEC-related documents, is also not defined in those RFCs, but is de | |||
fined below.)</t> | fined below.)</dd> | |||
<dt>Signed zone:</dt> | ||||
<t hangText='Signed zone:'> | <dd> | |||
<iref item='Signed zone'/> | <iref item="Signed zone" subitem="" primary="false"/> | |||
"A zone whose RRsets are signed and that contains | "A zone whose RRsets are signed and that contains | |||
properly constructed DNSKEY, Resource Record Signature (RRSIG), | properly constructed DNSKEY, Resource Record Signature (RRSIG), | |||
Next Secure (NSEC), and (optionally) DS records." (Quoted from | Next Secure (NSEC), and (optionally) DS records." (Quoted from | |||
<xref target="RFC4033"/>, Section 2) | <xref target="RFC4033" sectionFormat="comma" section="2"/>) | |||
It has been noted in other contexts that the zone itself is not | It has been noted in other contexts that the zone itself is not | |||
really signed, but all the relevant RRsets in the zone are signed. | really signed, but all the relevant RRsets in the zone are signed. | |||
Nevertheless, if a zone that should be signed contains any RRsets that | Nevertheless, if a zone that should be signed contains any RRsets that | |||
are not signed (or opted out), those RRsets will be treated as bogus, | are not signed (or opted out), those RRsets will be treated as bogus, | |||
so the whole zone needs to be handled in some way.</t> | so the whole zone needs to be handled in some way.</dd> | |||
<t>It should also be noted that, since the publication of <xref target="RFC6840" | <dt/> | |||
/>, NSEC records are no | ||||
<dd>It should also be noted that, since the publication of <xref target="RFC6840 | ||||
" format="default"/>, NSEC records are no | ||||
longer required for signed zones: a signed zone might include NSEC3 records inst ead. | longer required for signed zones: a signed zone might include NSEC3 records inst ead. | |||
<xref target="RFC7129"/> provides additional background commentary and some cont ext for the NSEC and | <xref target="RFC7129" format="default"/> provides additional background comment ary and some context for the NSEC and | |||
NSEC3 mechanisms used by DNSSEC to provide authenticated denial-of-existence res ponses. | NSEC3 mechanisms used by DNSSEC to provide authenticated denial-of-existence res ponses. | |||
NSEC and NSEC3 are described below.</t> | NSEC and NSEC3 are described below.</dd> | |||
<dt>Online signing:</dt> | ||||
<t hangText='Online signing:'> | <dd> | |||
<iref item='online signing'/><iref item='on-line signing'/> | <iref item="online signing" subitem="" primary="false"/><iref item="on | |||
<xref target="RFC4470"/> defines "on-line signing" (note the hyphen) as | -line signing" subitem="" primary="false"/> | |||
<xref target="RFC4470" format="default"/> defines "on-line signing" (n | ||||
ote the hyphen) as | ||||
"generating and signing these records on demand", where "these" was defined | "generating and signing these records on demand", where "these" was defined | |||
as NSEC records. The current definition expands that to | as NSEC records. The current definition expands that to | |||
generating and signing RRSIG, NSEC, and NSEC3 records on demand. | generating and signing RRSIG, NSEC, and NSEC3 records on demand. | |||
</t> | </dd> | |||
<dt>Unsigned zone:</dt> | ||||
<t hangText='Unsigned zone:'> | <dd> | |||
<iref item='Unsigned zone'/> | <iref item="Unsigned zone" subitem="" primary="false"/> | |||
Section 2 of <xref target="RFC4033"/> defines this as "a zone that is not signed | <xref target="RFC4033" sectionFormat="of" section="2"/> defines this as "a zone | |||
". Section 2 of | that is not signed". <xref target="RFC4035" sectionFormat="of" section="2"/> def | |||
<xref target="RFC4035"/> defines this as a "zone that does not include these rec | ines this as a "zone that does not include these records [properly constructed D | |||
ords [properly constructed DNSKEY, | NSKEY, | |||
Resource Record Signature (RRSIG), Next Secure (NSEC), and (optionally) DS recor ds] according to the | Resource Record Signature (RRSIG), Next Secure (NSEC), and (optionally) DS recor ds] according to the | |||
rules in this section..." There is an important note at the end of Section 5.2 of <xref target="RFC4035"/> that defines an | rules in this section..." There is an important note at the end of <xref target ="RFC4035" sectionFormat="of" section="5.2"/> that defines an | |||
additional situation in which a zone is considered unsigned: | additional situation in which a zone is considered unsigned: | |||
<!--Begin DNE --> | <!--Begin DNE --> | |||
"If the resolver does not support any of | "If the resolver does not support any of | |||
the algorithms listed in an authenticated DS RRset, then the resolver will not b e able to verify the | the algorithms listed in an authenticated DS RRset, then the resolver will not b e able to verify the | |||
authentication path to the child zone. In this case, the resolver SHOULD treat the child zone as if | authentication path to the child zone. In this case, the resolver SHOULD treat the child zone as if | |||
it were unsigned." | it were unsigned." | |||
<!--End DNE --> | <!--End DNE --> | |||
</t> | </dd> | |||
<dt>NSEC:</dt> | ||||
<t hangText='NSEC:'> | <dd> | |||
<iref item='NSEC'/> | <iref item="NSEC" subitem="" primary="false"/> | |||
"The NSEC record allows a security-aware resolver to authenticate a negative rep ly for | "The NSEC record allows a security-aware resolver to authenticate a negative rep ly for | |||
either name or type non-existence with the same mechanisms used to authenticate other DNS replies." | either name or type non-existence with the same mechanisms used to authenticate other DNS replies." | |||
(Quoted from <xref target="RFC4033"/>, Section 3.2) In short, an NSEC record pro | (Quoted from <xref target="RFC4033" sectionFormat="comma" section="3.2"/>) In sh | |||
vides authenticated denial of | ort, an NSEC record provides authenticated denial of | |||
existence.</t> | existence.</dd> | |||
<dt/> | ||||
<t>"The NSEC resource record lists two separate things: the next owner name (in | <dd>"The NSEC resource record lists two separate things: the next owner | |||
the canonical | name (in the canonical | |||
ordering of the zone) that contains authoritative data or a delegation point NS RRset, and the set | ordering of the zone) that contains authoritative data or a delegation point NS RRset, and the set | |||
of RR types present at the NSEC RR's owner name." (Quoted from Section 4 of RFC | of RR types present at the NSEC RR's owner name." (Quoted from <xref target="RFC | |||
4034)</t> | 4034" sectionFormat="of" section="4"/>)</dd> | |||
<dt>NSEC3:</dt> | ||||
<t hangText='NSEC3:'> | <dd> | |||
<iref item='NSEC3'/> | <iref item="NSEC3" subitem="" primary="false"/> | |||
Like the NSEC record, the NSEC3 record also provides authenticated denial of exi stence; however, | Like the NSEC record, the NSEC3 record also provides authenticated denial of exi stence; however, | |||
NSEC3 records mitigate zone enumeration and support Opt-Out. | NSEC3 records mitigate zone enumeration and support Opt-Out. | |||
NSEC3 resource records require associated NSEC3PARAM resource records. | NSEC3 resource records require associated NSEC3PARAM resource records. | |||
NSEC3 and NSEC3PARAM resource records are defined in <xref target="RFC5155"/>.</ | NSEC3 and NSEC3PARAM resource records are defined in <xref target="RFC5155" form | |||
t> | at="default"/>.</dd> | |||
<dt/> | ||||
<t>Note that <xref target="RFC6840"/> says that <xref target="RFC5155"/> "is now | <dd>Note that <xref target="RFC6840" format="default"/> says that <xref | |||
considered part of the DNS Security Document Family | target="RFC5155" format="default"/> "is now considered part of the DNS Security | |||
as described by Section 10 of <xref target="RFC4033"/>". This means that some of | Document Family | |||
the definitions from earlier RFCs that | as described by <xref target="RFC4033" sectionFormat="of" section="10"/>". This | |||
only talk about NSEC records should probably be considered to be talking about b | means that some of the definitions from earlier RFCs that | |||
oth NSEC and NSEC3.</t> | only talk about NSEC records should probably be considered to be talking about b | |||
oth NSEC and NSEC3.</dd> | ||||
<t hangText='Opt-out:'> | <dt>Opt-out:</dt> | |||
<iref item='Opt-out'/> | <dd> | |||
<iref item="Opt-out" subitem="" primary="false"/> | ||||
"The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned delegations ." | "The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned delegations ." | |||
(Quoted from <xref target="RFC5155"/>, Section 3.1.2.1) | (Quoted from <xref target="RFC5155" sectionFormat="comma" section="3.1.2.1"/>) | |||
Opt-out tackles the high costs of securing a delegation to an insecure zone. Wh en using | Opt-out tackles the high costs of securing a delegation to an insecure zone. Wh en using | |||
Opt-Out, names that are an insecure delegation (and empty non-terminals that are only | Opt-Out, names that are an insecure delegation (and empty non-terminals that are only | |||
derived from insecure delegations) don't require an NSEC3 record or its correspo nding | derived from insecure delegations) don't require an NSEC3 record or its correspo nding | |||
RRSIG records. Opt-Out NSEC3 records are not able to prove or deny the existence of the | RRSIG records. Opt-Out NSEC3 records are not able to prove or deny the existence of the | |||
insecure delegations. (Adapted from <xref target="RFC7129"/>, Section 5.1)</t> | insecure delegations. (Adapted from <xref target="RFC7129" sectionFormat="comma" | |||
section="5.1"/>)</dd> | ||||
<t hangText='Insecure delegation:'> | <dt>Insecure delegation:</dt> | |||
<iref item='Insecure delegation'/> | <dd> | |||
<iref item="Insecure delegation" subitem="" primary="false"/> | ||||
"A signed name containing a delegation (NS RRset), but lacking a DS RRset, | "A signed name containing a delegation (NS RRset), but lacking a DS RRset, | |||
signifying a delegation to an unsigned subzone." (Quoted from <xref target="RFC4 | signifying a delegation to an unsigned subzone." (Quoted from <xref target="RFC4 | |||
956"/>, Section 2)</t> | 956" sectionFormat="comma" section="2"/>)</dd> | |||
<dt>Zone enumeration:</dt> | ||||
<t hangText='Zone enumeration:'> | <dd> | |||
<iref item='Zone enumeration'/> | <iref item="Zone enumeration" subitem="" primary="false"/> | |||
"The practice of discovering the full content of a zone via successive queries." | "The practice of discovering the full content of a zone via successive queries." | |||
(Quoted from <xref target="RFC5155"/>, Section 1.3) This is also sometimes calle d "zone walking". | (Quoted from <xref target="RFC5155" sectionFormat="comma" section="1.3"/>) This is also sometimes called "zone walking". | |||
Zone enumeration is different from zone content guessing where the guesser uses a large dictionary | Zone enumeration is different from zone content guessing where the guesser uses a large dictionary | |||
of possible labels and sends successive queries for them, or matches the content s of NSEC3 records | of possible labels and sends successive queries for them, or matches the content s of NSEC3 records | |||
against such a dictionary.</t> | against such a dictionary.</dd> | |||
<dt>Validation:</dt> | ||||
<t hangText='Validation:'> | <dd> | |||
<iref item='Validation'/> | <t><iref item="Validation" subitem="" primary="false"/> | |||
Validation, in the context of DNSSEC, refers to one of the following: | Validation, in the context of DNSSEC, refers to one of the following: | |||
<list style="symbols"> | </t> | |||
<ul spacing="normal"> | ||||
<t>Checking the validity of DNSSEC signatures,</t> | <li>Checking the validity of DNSSEC signatures,</li> | |||
<li>Checking the validity of DNS responses, such as those including | ||||
<t>Checking the validity of DNS responses, such as those including authenticated | authenticated denial of | |||
denial of | existence, or</li> | |||
existence, or</t> | <li>Building an authentication chain from a trust anchor to a DNS re | |||
sponse or individual | ||||
<t>Building an authentication chain from a trust anchor to a DNS response or ind | DNS RRsets in a response.</li> | |||
ividual | </ul> | |||
DNS RRsets in a response</t> | </dd> | |||
<dt/> | ||||
</list></t> | <dd>The first two definitions above consider only the validity of indivi | |||
dual DNSSEC | ||||
<t>The first two definitions above consider only the validity of individual DNSS | components, such as the RRSIG validity or NSEC proof validity. The third definit | |||
EC | ion | |||
components such as the RRSIG validity or NSEC proof validity. The third definiti | ||||
on | ||||
considers the components of the entire DNSSEC authentication chain; thus, it req uires | considers the components of the entire DNSSEC authentication chain; thus, it req uires | |||
"configured knowledge of at least one authenticated DNSKEY or DS RR" (as describ ed in | "configured knowledge of at least one authenticated DNSKEY or DS RR" (as describ ed in | |||
<xref target="RFC4035"/>, Section 5).</t> | <xref target="RFC4035" sectionFormat="comma" section="5"/>).</dd> | |||
<dt/> | ||||
<t><xref target="RFC4033"/>, Section 2, says that a "Validating Security-Aware S | <dd> | |||
tub | <xref target="RFC4033" sectionFormat="comma" section="2"/>, says that | |||
a "Validating Security-Aware Stub | ||||
Resolver... performs signature validation" and uses a trust anchor "as a startin g point | Resolver... performs signature validation" and uses a trust anchor "as a startin g point | |||
for building the authentication chain to a signed DNS response"; thus, it uses t he first | for building the authentication chain to a signed DNS response"; thus, it uses t he first | |||
and third definitions above. The process of validating an RRSIG resource record | and third definitions above. The process of validating an RRSIG resource record | |||
is described in <xref | is described in <xref target="RFC4035" sectionFormat="comma" section="5.3"/>.</ | |||
target="RFC4035"/>, Section 5.3.</t> | dd> | |||
<dt/> | ||||
<t><xref target="RFC5155"/> refers to validating responses throughout the docume | <dd> | |||
nt, in the | <xref target="RFC5155" format="default"/> refers to validating respons | |||
es throughout the document in the | ||||
context of hashed authenticated denial of existence; this uses the second defini tion | context of hashed authenticated denial of existence; this uses the second defini tion | |||
above.</t> | above.</dd> | |||
<dt/> | ||||
<t> | <dd> | |||
The term "authentication" is used interchangeably with "validation", in the sens e of the | The term "authentication" is used interchangeably with "validation", in the sens e of the | |||
third definition above. | third definition above. | |||
<xref target="RFC4033"/>, Section | <xref target="RFC4033" sectionFormat="comma" section="2"/>, describes the chain | |||
2, describes the chain linking trust anchor to DNS data as the "authentication c | linking trust anchor to DNS data as the "authentication chain". A | |||
hain". A | response is considered to be authentic if "all RRsets in the Answer and | |||
response is considered to be authentic if "all RRsets in the Answer and Authorit | Authority sections | |||
y sections | of the response [are considered] to be authentic" (Quoted from <xref target="RFC | |||
of the response [are considered] to be authentic" (Quoted from <xref target="RFC | 4035" format="default"/>) DNS data or | |||
4035"/>) DNS data or | responses deemed to be authentic or validated have a security status of "secure" | |||
responses deemed to be authentic or validated have a security status of "secure" | (<xref target="RFC4035" sectionFormat="comma" section="4.3"/>; <xref target="RF | |||
(<xref | C4033" sectionFormat="comma" section="5"/>). "Authenticating | |||
target="RFC4035"/>, Section 4.3; <xref target="RFC4033"/>, Section 5). "Authent | ||||
icating | ||||
both DNS keys and data is a matter of local policy, which may extend or even ove rride the | both DNS keys and data is a matter of local policy, which may extend or even ove rride the | |||
[DNSSEC] protocol extensions..." (Quoted from <xref target="RFC4033"/>, Section | [DNSSEC] protocol extensions..." (Quoted from <xref target="RFC4033" sectionForm | |||
3.1)</t> | at="comma" section="3.1"/>)</dd> | |||
<dt/> | ||||
<t>The term "verification", when used, is usually a synonym for "validation".</t | <dd>The term "verification", when used, is usually a synonym for "valida | |||
> | tion".</dd> | |||
<dt>Validating resolver:</dt> | ||||
<t hangText='Validating resolver:'> | <dd> | |||
<iref item='Validating resolver'/> | <iref item="Validating resolver" subitem="" primary="false"/> | |||
A security-aware recursive name server, security-aware resolver, or | A security-aware recursive name server, security-aware resolver, or | |||
security-aware stub resolver that is applying at least one of the | security-aware stub resolver that is applying at least one of the | |||
definitions of validation (above), as appropriate to the resolution | definitions of validation (above) as appropriate to the resolution | |||
context. For the same reason that the generic term "resolver" is | context. For the same reason that the generic term "resolver" is | |||
sometimes ambiguous and needs to be evaluated in context (see <xref | sometimes ambiguous and needs to be evaluated in context (see <xref target="dn | |||
target="dns-servers-and-clients" />), "validating resolver" is a | s-servers-and-clients" format="default"/>), "validating resolver" is a | |||
context-sensitive term. | context-sensitive term. | |||
</t> | </dd> | |||
<dt>Key signing key (KSK):</dt> | ||||
<t hangText='Key signing key (KSK):'> | <dd> | |||
<iref item='Key signing key (KSK)'/> | <iref item="Key Signing Key (KSK)" subitem="" primary="false"/> | |||
DNSSEC keys that "only sign the apex DNSKEY RRset in a zone." (Quoted from | DNSSEC keys that "only sign the apex DNSKEY RRset in a zone." (Quoted from | |||
<xref target="RFC6781"/>, Section 3.1)</t> | <xref target="RFC6781" sectionFormat="comma" section="3.1"/>)</dd> | |||
<dt>Zone signing key (ZSK):</dt> | ||||
<t hangText='Zone signing key (ZSK):'> | <dd> | |||
<iref item='Zone signing key (ZSK)'/> | <iref item="Zone Signing Key (ZSK)" subitem="" primary="false"/> | |||
"DNSSEC keys that can be used to sign all the RRsets in a zone that | "DNSSEC keys that can be used to sign all the RRsets in a zone that | |||
require signatures, other than the apex DNSKEY RRset." (Quoted from <xref target | require signatures, other than the apex DNSKEY RRset." (Quoted from <xref target | |||
="RFC6781"/>, Section 3.1) | ="RFC6781" sectionFormat="comma" section="3.1"/>) | |||
Also note that a ZSK is sometimes used to sign the apex DNSKEY RRset.</t> | Also note that a ZSK is sometimes used to sign the apex DNSKEY RRset.</dd> | |||
<dt>Combined signing key (CSK):</dt> | ||||
<t hangText='Combined signing key (CSK):'> | <dd> | |||
<iref item='Combined signing key (CSK)'/> | <iref item="Combined Signing Key (CSK)" subitem="" primary="false"/> | |||
"In cases where the differentiation between the KSK and ZSK is not made, | "In cases where the differentiation between the KSK and ZSK is not made, | |||
i.e., where keys have the role of both KSK and ZSK, we talk about a Single-Type Signing | i.e., where keys have the role of both KSK and ZSK, we talk about a Single-Type Signing | |||
Scheme." (Quoted from <xref target="RFC6781"/>, Section 3.1) This is sometimes c alled a "combined | Scheme." (Quoted from <xref target="RFC6781" sectionFormat="comma" section="3.1" />) This is sometimes called a "combined | |||
signing key" or "CSK". It is operational practice, not protocol, that determine s whether a | signing key" or "CSK". It is operational practice, not protocol, that determine s whether a | |||
particular key is a ZSK, a KSK, or a CSK.</t> | particular key is a ZSK, a KSK, or a CSK.</dd> | |||
<dt>Secure Entry Point (SEP):</dt> | ||||
<t hangText='Secure Entry Point (SEP):'> | <dd> | |||
<iref item='Secure Entry Point (SEP)'/> | <iref item="Secure Entry Point (SEP)" subitem="" primary="false"/> | |||
A flag in the DNSKEY RDATA that "can be used to distinguish between | A flag in the DNSKEY RDATA that "can be used to distinguish between | |||
keys that are intended to be used as the secure entry point into the zone when b uilding | keys that are intended to be used as the secure entry point into the zone when b uilding | |||
chains of trust, i.e., they are (to be) pointed to by parental DS RRs or configu red as a | chains of trust, i.e., they are (to be) pointed to by parental DS RRs or configu red as a | |||
trust anchor.... | trust anchor.... | |||
Therefore, it is suggested that the SEP flag be set on keys that are used as KSK s and not on keys | Therefore, it is suggested that the SEP flag be set on keys that are used as KSK s and not on keys | |||
that are used as ZSKs, while in those cases where a distinction between a KSK an d ZSK is not made | that are used as ZSKs, while in those cases where a distinction between a KSK an d ZSK is not made | |||
(i.e., for a Single-Type Signing Scheme), it is suggested that the SEP flag be s et on all keys." | (i.e., for a Single-Type Signing Scheme), it is suggested that the SEP flag be s et on all keys." | |||
(Quoted from <xref target="RFC6781"/>, Section 3.2.3) Note that the | (Quoted from <xref target="RFC6781" sectionFormat="comma" section="3.2.3"/>) No te that the | |||
SEP flag is only a hint, and its presence or absence may not be used to disquali fy a given | SEP flag is only a hint, and its presence or absence may not be used to disquali fy a given | |||
DNSKEY RR from use as a KSK or ZSK during validation.</t> | DNSKEY RR from use as a KSK or ZSK during validation.</dd> | |||
<dt/> | ||||
<t>The original definition of SEPs was in <xref target="RFC3757"/>. That definit | <dd>The original definition of SEPs was in <xref target="RFC3757" format | |||
ion | ="default"/>. That definition | |||
clearly indicated that the SEP was a key, not just a bit in the key. The | clearly indicated that the SEP was a key, not just a bit in the key. The | |||
abstract of <xref target="RFC3757"/> says: | abstract of <xref target="RFC3757" format="default"/> says: | |||
"With the Delegation Signer (DS) resource record (RR), the concept of | "With the Delegation Signer (DS) resource record (RR), the concept of | |||
a public key acting as a secure entry point (SEP) has been | a public key acting as a secure entry point (SEP) has been | |||
introduced. During exchanges of public keys with the parent there is | introduced. During exchanges of public keys with the parent there is | |||
a need to differentiate SEP keys from other public keys in the Domain | a need to differentiate SEP keys from other public keys in the Domain | |||
Name System KEY (DNSKEY) resource record set. A flag bit in the | Name System KEY (DNSKEY) resource record set. A flag bit in the | |||
DNSKEY RR is defined to indicate that DNSKEY is to be used as a SEP." | DNSKEY RR is defined to indicate that DNSKEY is to be used as a SEP." | |||
That definition of the SEP as a key was made obsolete by <xref target="RFC4034"/ | That definition of the SEP as a key was made obsolete by <xref target="RFC4034" | |||
>, | format="default"/>, | |||
and the definition from <xref target="RFC6781"/> is consistent with <xref target | and the definition from <xref target="RFC6781" format="default"/> is consistent | |||
="RFC4034"/>.</t> | with <xref target="RFC4034" format="default"/>.</dd> | |||
<dt>Trust anchor:</dt> | ||||
<t hangText='Trust anchor:'> | <dd> | |||
<iref item='Trust anchor'/> | <iref item="Trust anchor" subitem="" primary="false"/> | |||
"A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A | "A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A | |||
validating security-aware resolver uses this public key or hash as | validating security-aware resolver uses this public key or hash as | |||
a starting point for building the authentication chain to a signed | a starting point for building the authentication chain to a signed | |||
DNS response. In general, a validating resolver will have to | DNS response. In general, a validating resolver will have to | |||
obtain the initial values of its trust anchors via some secure or | obtain the initial values of its trust anchors via some secure or | |||
trusted means outside the DNS protocol." (Quoted from <xref target="RFC4033"/>, | trusted means outside the DNS protocol." (Quoted from <xref target="RFC4033" sec | |||
Section 2)</t> | tionFormat="comma" section="2"/>)</dd> | |||
<dt>DNSSEC Policy (DP):</dt> | ||||
<t hangText='DNSSEC Policy (DP):'> | <dd> | |||
<iref item='DNSSEC Policy (DP)'/> | <iref item="DNSSEC Policy (DP)" subitem="" primary="false"/> | |||
A statement that "sets forth the security requirements and | A statement that "sets forth the security requirements and | |||
standards to be implemented for a DNSSEC-signed zone." (Quoted from <xref target | standards to be implemented for a DNSSEC-signed zone." (Quoted from <xref target | |||
="RFC6841"/>, | ="RFC6841" sectionFormat="comma" section="2"/>)</dd> | |||
Section 2)</t> | <dt>DNSSEC Practice Statement (DPS):</dt> | |||
<dd> | ||||
<t hangText='DNSSEC Practice Statement (DPS):'> | <iref item="DNSSEC Practice Statement (DPS)" subitem="" primary="false | |||
<iref item='DNSSEC Practice Statement (DPS)'/>"A practices disclosure document t | "/>"A practices disclosure document that may | |||
hat may | ||||
support and be a supplemental document to the DNSSEC Policy (if such exists), | support and be a supplemental document to the DNSSEC Policy (if such exists), | |||
and it states how the management of a given zone implements procedures and | and it states how the management of a given zone implements procedures and | |||
controls at a high level." (Quoted from <xref target="RFC6841"/>, Section 2)</t> | controls at a high level." (Quoted from <xref target="RFC6841" sectionFormat="co | |||
mma" section="2"/>)</dd> | ||||
<t hangText='Hardware security module (HSM):'> | <dt>Hardware security module (HSM):</dt> | |||
<iref item='Hardware security module (HSM)'/> | <dd> | |||
<iref item="Hardware security module (HSM)" subitem="" primary="false" | ||||
/> | ||||
A specialized piece of hardware that is used to create keys for signatures and t o | A specialized piece of hardware that is used to create keys for signatures and t o | |||
sign messages without ever disclosing the private key. In DNSSEC, HSMs are often used to hold the private keys for | sign messages without ever disclosing the private key. In DNSSEC, HSMs are often used to hold the private keys for | |||
KSKs and ZSKs and to create the signatures used in RRSIG records at periodic int | KSKs and ZSKs and to create the signatures used in RRSIG records at periodic int | |||
ervals.</t> | ervals.</dd> | |||
<dt>Signing software:</dt> | ||||
<t hangText='Signing software:'> | <dd> | |||
<iref item='Signing software'/> | <iref item="Signing software" subitem="" primary="false"/> | |||
Authoritative DNS servers that support DNSSEC often contain software that | Authoritative DNS servers that support DNSSEC often contain software that | |||
facilitates the creation and maintenance of DNSSEC signatures in zones. | facilitates the creation and maintenance of DNSSEC signatures in zones. | |||
There is also stand-alone software that can be used to sign a zone regardless | There is also stand-alone software that can be used to sign a zone regardless | |||
of whether the authoritative server itself supports signing. Sometimes | of whether the authoritative server itself supports signing. Sometimes | |||
signing software can support particular HSMs as part of the signing process.</t> | signing software can support particular HSMs as part of the signing process.</dd | |||
> | ||||
</list></t> | </dl> | |||
</section> | </section> | |||
<section anchor="dnssec-states" numbered="true" toc="default"> | ||||
<section anchor="dnssec-states" title="DNSSEC States"> | <name>DNSSEC States</name> | |||
<t>A validating resolver can determine that a response is in one of four s | ||||
<t>A validating resolver can determine that a response is in one of four states: | tates: | |||
secure, insecure, bogus, or indeterminate. These states are defined in | secure, insecure, bogus, or indeterminate. These states are defined in | |||
<xref target="RFC4033"/> and <xref target="RFC4035"/>, although the definitions in the two documents differ a bit. This document makes no effort to reconcile t he definitions in the two documents, and takes no | <xref target="RFC4033" format="default"/> and <xref target="RFC4035" format="def ault"/>, although the definitions in the two documents differ a bit. This docum ent makes no effort to reconcile the definitions in the two documents and takes no | |||
position as to whether they need to be reconciled.</t> | position as to whether they need to be reconciled.</t> | |||
<!--Begin DNE text --> | ||||
<t><xref target="RFC4033" sectionFormat="of" section="5"/> says:</t> | ||||
<!--Begin DNE text --> | <blockquote><t>A validating resolver can determine the following 4 states:</t> | |||
<t>Section 5 of <xref target="RFC4033"/> says:</t> | ||||
<figure><artwork><![CDATA[ | ||||
A validating resolver can determine the following 4 states: | ||||
Secure: The validating resolver has a trust anchor, has a chain | <dl> | |||
<dt>Secure:</dt><dd>The validating resolver has a trust anchor, has a chain | ||||
of trust, and is able to verify all the signatures in the | of trust, and is able to verify all the signatures in the | |||
response. | response.</dd> | |||
Insecure: The validating resolver has a trust anchor, a chain | <dt>Insecure:</dt><dd>The validating resolver has a trust anchor, a chain | |||
of trust, and, at some delegation point, signed proof of the | of trust, and, at some delegation point, signed proof of the | |||
non-existence of a DS record. This indicates that subsequent | non-existence of a DS record. This indicates that subsequent | |||
branches in the tree are provably insecure. A validating | branches in the tree are provably insecure. A validating | |||
resolver may have a local policy to mark parts of the domain | resolver may have a local policy to mark parts of the domain | |||
space as insecure. | space as insecure.</dd> | |||
Bogus: The validating resolver has a trust anchor and a secure | <dt>Bogus:</dt><dd>The validating resolver has a trust anchor and a secure | |||
delegation indicating that subsidiary data is signed, but | delegation indicating that subsidiary data is signed, but | |||
the response fails to validate for some reason: missing | the response fails to validate for some reason: missing | |||
signatures, expired signatures, signatures with unsupported | signatures, expired signatures, signatures with unsupported | |||
algorithms, data missing that the relevant NSEC RR says | algorithms, data missing that the relevant NSEC RR says | |||
should be present, and so forth. | should be present, and so forth.</dd> | |||
Indeterminate: There is no trust anchor that would indicate that a | <dt>Indeterminate:</dt><dd>There is no trust anchor that would indicate that a | |||
specific portion of the tree is secure. This is the default | specific portion of the tree is secure. This is the default | |||
operation mode. | operation mode.</dd> | |||
]]></artwork></figure> | </dl> | |||
</blockquote> | ||||
<t>Section 4.3 of <xref target="RFC4035"/> says:</t> | <t><xref target="RFC4035" sectionFormat="of" section="4.3"/> says:</t> | |||
<blockquote> | ||||
<figure><artwork><![CDATA[ | <t>A security-aware resolver must be able to distinguish between four | |||
A security-aware resolver must be able to distinguish between four | cases:</t> | |||
cases: | ||||
Secure: An RRset for which the resolver is able to build a chain | <dl> | |||
<dt>Secure:</dt><dd>An RRset for which the resolver is able to build a chain | ||||
of signed DNSKEY and DS RRs from a trusted security anchor to | of signed DNSKEY and DS RRs from a trusted security anchor to | |||
the RRset. In this case, the RRset should be signed and is | the RRset. In this case, the RRset should be signed and is | |||
subject to signature validation, as described above. | subject to signature validation, as described above.</dd> | |||
Insecure: An RRset for which the resolver knows that it has no | <dt>Insecure:</dt><dd>An RRset for which the resolver knows that it has no | |||
chain of signed DNSKEY and DS RRs from any trusted starting | chain of signed DNSKEY and DS RRs from any trusted starting | |||
point to the RRset. This can occur when the target RRset lies | point to the RRset. This can occur when the target RRset lies | |||
in an unsigned zone or in a descendent [sic] of an unsigned | in an unsigned zone or in a descendent [sic] of an unsigned | |||
zone. In this case, the RRset may or may not be signed, but | zone. In this case, the RRset may or may not be signed, but | |||
the resolver will not be able to verify the signature. | the resolver will not be able to verify the signature.</dd> | |||
Bogus: An RRset for which the resolver believes that it ought to | <dt>Bogus:</dt><dd>An RRset for which the resolver believes that it ought to | |||
be able to establish a chain of trust but for which it is | be able to establish a chain of trust but for which it is | |||
unable to do so, either due to signatures that for some reason | unable to do so, either due to signatures that for some reason | |||
fail to validate or due to missing data that the relevant | fail to validate or due to missing data that the relevant | |||
DNSSEC RRs indicate should be present. This case may indicate | DNSSEC RRs indicate should be present. This case may indicate | |||
an attack but may also indicate a configuration error or some | an attack but may also indicate a configuration error or some | |||
form of data corruption. | form of data corruption.</dd> | |||
Indeterminate: An RRset for which the resolver is not able to | <dt>Indeterminate:</dt><dd>An RRset for which the resolver is not able to | |||
determine whether the RRset should be signed, as the resolver | determine whether the RRset should be signed, as the resolver | |||
is not able to obtain the necessary DNSSEC RRs. This can occur | is not able to obtain the necessary DNSSEC RRs. This can occur | |||
when the security-aware resolver is not able to contact | when the security-aware resolver is not able to contact | |||
security-aware name servers for the relevant zones. | security-aware name servers for the relevant zones.</dd> | |||
]]></artwork></figure> | </dl> | |||
</blockquote> | ||||
<!--End DNE --> | <!--End DNE --> | |||
</section> | ||||
<section anchor="securitycons" title="Security Considerations"> | ||||
<t>These definitions do not change any security considerations for either the gl | ||||
obal DNS or the private DNS.</t> | ||||
</section> | ||||
<section anchor="ianacons" title="IANA Considerations"> | ||||
<t>Any reference to RFC 8499 in the IANA registries should be replaced with a re | ||||
ference to this document.</t> | ||||
</section> | </section> | |||
<section anchor="securitycons" numbered="true" toc="default"> | ||||
<name>Security Considerations</name> | ||||
<t>These definitions do not change any security considerations for either | ||||
the global DNS or private DNS.</t> | ||||
</section> | ||||
<section anchor="ianacons" numbered="true" toc="default"> | ||||
<name>IANA Considerations</name> | ||||
<t>References to RFC 8499 in the IANA registries have been replaced with r | ||||
eferences to this document.</t> | ||||
</section> | ||||
</middle> | ||||
<back> | ||||
</middle> | <displayreference target="RFC0020" to="RFC20"/> | |||
<displayreference target="RFC0819" to="RFC819"/> | ||||
<back> | <displayreference target="RFC0952" to="RFC952"/> | |||
<references title='Normative References'> | ||||
<reference anchor="IANA_RootFiles" target="https://www.iana.org/domains/root/fil | ||||
es"> | ||||
<front><title>Root Files</title> | ||||
<author><organization>IANA</organization></author><date/></front> | ||||
</reference> | ||||
<?rfc include="reference.RFC.0882.xml" ?> | ||||
<?rfc include="reference.RFC.1034.xml" ?> | ||||
<?rfc include="reference.RFC.1035.xml" ?> | ||||
<?rfc include="reference.RFC.1123.xml" ?> | ||||
<?rfc include="reference.RFC.1912.xml" ?> | ||||
<?rfc include="reference.RFC.1996.xml" ?> | ||||
<?rfc include="reference.RFC.2136.xml" ?> | ||||
<?rfc include="reference.RFC.2181.xml" ?> | ||||
<?rfc include="reference.RFC.2182.xml" ?> | ||||
<?rfc include="reference.RFC.2308.xml" ?> | ||||
<?rfc include="reference.RFC.4033.xml" ?> | ||||
<?rfc include="reference.RFC.4034.xml" ?> | ||||
<?rfc include="reference.RFC.4035.xml" ?> | ||||
<?rfc include="reference.RFC.4592.xml" ?> | ||||
<?rfc include="reference.RFC.5155.xml" ?> | ||||
<?rfc include="reference.RFC.5358.xml" ?> | ||||
<?rfc include="reference.RFC.5730.xml" ?> | ||||
<?rfc include="reference.RFC.5731.xml" ?> | ||||
<?rfc include="reference.RFC.5855.xml" ?> | ||||
<?rfc include="reference.RFC.5936.xml" ?> | ||||
<?rfc include="reference.RFC.6561.xml" ?> | ||||
<?rfc include="reference.RFC.6781.xml" ?> | ||||
<?rfc include="reference.RFC.6840.xml" ?> | ||||
<?rfc include="reference.RFC.6841.xml" ?> | ||||
<?rfc include="reference.RFC.6891.xml" ?> | ||||
<?rfc include="reference.RFC.7344.xml" ?> | ||||
<?rfc include="reference.RFC.7719.xml" ?> | ||||
<?rfc include="reference.RFC.8310.xml" ?> | ||||
<?rfc include="reference.RFC.8499.xml" ?> | ||||
<?rfc include="reference.RFC.9250.xml" ?> | ||||
<?rfc include="reference.I-D.ietf-dnsop-glue-is-not-optional.xml"?> | ||||
</references> | ||||
<references title='Informative References'> | ||||
<reference anchor="IANA_Resource_Registry" target="https://www.iana.org/assignme | ||||
nts/dns-parameters/"> | ||||
<front><title>Resource Record (RR) TYPEs</title> | ||||
<author><organization>IANA</organization></author><date/></front> | ||||
</reference> | ||||
<?rfc include="reference.RFC.0819.xml" ?> | ||||
<?rfc include="reference.RFC.0952.xml" ?> | ||||
<?rfc include="reference.RFC.1713.xml" ?> | ||||
<?rfc include="reference.RFC.1995.xml" ?> | ||||
<?rfc include="reference.RFC.2775.xml" ?> | ||||
<?rfc include="reference.RFC.3172.xml" ?> | ||||
<?rfc include="reference.RFC.3425.xml" ?> | ||||
<?rfc include="reference.RFC.3493.xml" ?> | ||||
<?rfc include="reference.RFC.3757.xml" ?> | ||||
<?rfc include="reference.RFC.3912.xml" ?> | ||||
<?rfc include="reference.RFC.4470.xml" ?> | ||||
<?rfc include="reference.RFC.4641.xml" ?> | ||||
<?rfc include="reference.RFC.4697.xml" ?> | ||||
<?rfc include="reference.RFC.4786.xml" ?> | ||||
<?rfc include="reference.RFC.4956.xml" ?> | ||||
<?rfc include="reference.RFC.5625.xml" ?> | ||||
<?rfc include="reference.RFC.5890.xml" ?> | ||||
<?rfc include="reference.RFC.5891.xml" ?> | ||||
<?rfc include="reference.RFC.5892.xml" ?> | ||||
<?rfc include="reference.RFC.5893.xml" ?> | ||||
<?rfc include="reference.RFC.5894.xml" ?> | ||||
<?rfc include="reference.RFC.6055.xml" ?> | ||||
<?rfc include="reference.RFC.6265.xml" ?> | ||||
<?rfc include="reference.RFC.6303.xml" ?> | ||||
<?rfc include="reference.RFC.6335.xml" ?> | ||||
<?rfc include="reference.RFC.6365.xml" ?> | ||||
<?rfc include="reference.RFC.6672.xml" ?> | ||||
<?rfc include="reference.RFC.6762.xml" ?> | ||||
<?rfc include="reference.RFC.7129.xml" ?> | ||||
<?rfc include="reference.RFC.7480.xml" ?> | ||||
<?rfc include="reference.RFC.7481.xml" ?> | ||||
<?rfc include="reference.RFC.7482.xml" ?> | ||||
<?rfc include="reference.RFC.7483.xml" ?> | ||||
<?rfc include="reference.RFC.7484.xml" ?> | ||||
<?rfc include="reference.RFC.7485.xml" ?> | ||||
<?rfc include="reference.RFC.7858.xml" ?> | ||||
<?rfc include="reference.RFC.7793.xml" ?> | ||||
<?rfc include="reference.RFC.8094.xml" ?> | ||||
<?rfc include="reference.RFC.8109.xml" ?> | ||||
<?rfc include="reference.RFC.8484.xml" ?> | ||||
<?rfc include="reference.RFC.9103.xml" ?> | ||||
<reference anchor="RSSAC026" target="https://www.icann.org/en/system/files/files | <references> | |||
/rssac-026-14mar17-en.pdf"> | <name>References</name> | |||
<front><title>RSSAC Lexicon</title> | <references> | |||
<author><organization>Root Server System Advisory Committee (RSSAC)</organizatio | <name>Normative References</name> | |||
n></author><date year="2017"/></front> | ||||
</reference> | ||||
</references> | <reference anchor="IANA_RootFiles" target="https://www.iana.org/domains/ | |||
root/files"> | ||||
<front> | ||||
<title>Root Files</title> | ||||
<author> | ||||
<organization>IANA</organization> | ||||
</author> | ||||
<date/> | ||||
</front> | ||||
</reference> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0 | ||||
882.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | ||||
034.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | ||||
035.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | ||||
123.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | ||||
912.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | ||||
996.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
136.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
181.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
182.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
308.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
033.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
034.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
035.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
592.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
155.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
358.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
730.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
731.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
855.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
936.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
561.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
781.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
840.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
841.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
891.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
344.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
719.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
310.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
499.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
250.xml"/> | ||||
<section anchor="updates-list" title="Definitions Updated by This Document"> | <!-- [I-D.ietf-dnsop-glue-is-not-optional] Published as RFC 9471 --> | |||
<t>The following definitions from RFCs are updated by this document: | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 471.xml"/> | |||
<list style="symbols"> | </references> | |||
<references> | ||||
<name>Informative References</name> | ||||
<t>Forwarder in <xref target="RFC2308"/></t> | <reference anchor="IANA_Resource_Registry" target="https://www.iana.org/ | |||
assignments/dns-parameters/"> | ||||
<front> | ||||
<title>Resource Record (RR) TYPEs</title> | ||||
<author> | ||||
<organization>IANA</organization> | ||||
</author> | ||||
<date/> | ||||
</front> | ||||
</reference> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0 | ||||
020.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0 | ||||
819.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0 | ||||
952.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | ||||
713.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | ||||
995.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
775.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3 | ||||
172.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3 | ||||
425.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3 | ||||
493.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3 | ||||
757.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3 | ||||
912.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
470.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
641.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
697.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
786.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
956.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
625.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
890.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
891.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
892.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
893.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
894.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
055.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
265.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
303.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
335.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
365.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
672.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
762.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
129.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
480.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
481.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
082.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
083.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
224.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
485.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
793.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
858.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
094.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
109.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
484.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
103.xml"/> | ||||
<t>QNAME in <xref target="RFC2308"/></t> | <reference anchor="RSSAC026" target="https://www.icann.org/en/system/fil | |||
es/files/rssac-026-14mar17-en.pdf"> | ||||
<front> | ||||
<title>RSSAC0226 RSSAC Lexicon</title> | ||||
<author> | ||||
<organization>Root Server System Advisory Committee (RSSAC)</organ | ||||
ization> | ||||
</author> | ||||
<date year="2017"/> | ||||
</front> | ||||
</reference> | ||||
</references> | ||||
</references> | ||||
<section anchor="updates-list" numbered="true" toc="default"> | ||||
<name>Definitions Updated by This Document</name> | ||||
<t>The following definitions from RFCs are updated by this document: | ||||
<t>Secure Entry Point (SEP) in <xref target="RFC3757"/>; | </t> | |||
<ul spacing="normal"> | ||||
<li>Forwarder in <xref target="RFC2308" format="default"/></li> | ||||
<li>QNAME in <xref target="RFC2308" format="default"/></li> | ||||
<li>Secure Entry Point (SEP) in <xref target="RFC3757" format="default"/ | ||||
>; | ||||
note, however, that this RFC is already obsolete | note, however, that this RFC is already obsolete | |||
(see <xref target="RFC4033"/>, <xref target="RFC4034"/>, <xref target="RFC4035"/ | (see <xref target="RFC4033" format="default"/>, <xref target="RFC4034" format="d | |||
>).</t> | efault"/>, <xref target="RFC4035" format="default"/>).</li> | |||
</ul> | ||||
</list></t> | </section> | |||
<section anchor="new-def" numbered="true" toc="default"> | ||||
</section> | <name>Definitions First Defined in This Document</name> | |||
<t>The following definitions are first defined in this document: | ||||
<section anchor="new-def" title="Definitions First Defined in This Document"> | ||||
<t>The following definitions are first defined in this document: | ||||
<list style="symbols"> | ||||
<t>"Alias" in <xref target="names"/></t> | ||||
<t>"Apex" in <xref target="zones"/></t> | ||||
<t>"arpa" in <xref target="zones"/></t> | ||||
<t>"Authoritative DoT (ADot)" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Bailiwick" in <xref target="zones"/></t> | ||||
<t>"Class independent" in <xref target="rrs"/></t> | ||||
<t>"Classic DNS" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Delegation-centric zone" in <xref target="zones"/></t> | ||||
<t>"Delegation" in <xref target="zones"/></t> | ||||
<t>"DNS operator" in <xref target="reg-model"/></t> | ||||
<t>"DNSSEC-aware" in <xref target="dnssec-general"/></t> | ||||
<t>"DNSSEC-unaware" in <xref target="dnssec-general"/></t> | ||||
<t>"Forwarding" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Full resolver" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Fully-qualified domain name" in <xref target="names"/></t> | ||||
<t>"Global DNS" in <xref target="names"/></t> | ||||
<t>"Hardware Security Module (HSM)" in <xref target="dnssec-general"/></t> | ||||
<t>"Host name" in <xref target="names"/></t> | ||||
<t>"IDN" in <xref target="names"/></t> | ||||
<t>"In-domain" in <xref target="zones"/></t> | ||||
<t>"Iterative resolution" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Label" in <xref target="names"/></t> | ||||
<t>"Locally served DNS zone" in <xref target="names"/></t> | ||||
<t>"Naming system" in <xref target="names"/></t> | ||||
<t>"Negative response" in <xref target="dns-response-codes"/></t> | ||||
<t>"Non-recursive query" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Open resolver" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Passive DNS" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Policy-implementing resolver" in <xref target="dns-servers-and-clients"/></t | ||||
> | ||||
<t>"Presentation format" in <xref target="rrs"/></t> | ||||
<t>"Priming" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Private DNS" in <xref target="names"/></t> | ||||
<t>"Recrusive DoT (RDot)" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Recursive resolver" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Referrals" in <xref target="dns-transactions"/></t> | ||||
<t>"Registrant" in <xref target="reg-model"/></t> | ||||
<t>"Registrar" in <xref target="reg-model"/></t> | ||||
<t>"Registry" in <xref target="reg-model"/></t> | ||||
<t>"Root zone" in <xref target="zones"/></t> | ||||
<t>"Secure Entry Point (SEP)" in <xref target="dnssec-general"/></t> | ||||
<t>"Sibling domain" in <xref target="zones"/></t> | ||||
<t>"Signing software" in <xref target="dnssec-general"/></t> | ||||
<t>"Split DNS" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Stub resolver" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Subordinate" in <xref target="wildcards"/></t> | ||||
<t>"Superordinate" in <xref target="wildcards"/></t> | ||||
<t>"TLD" in <xref target="names"/></t> | ||||
<t>"Validating resolver" in <xref target="dnssec-general"/></t> | ||||
<t>"Validation" in <xref target="dnssec-general"/></t> | ||||
<t>"View" in <xref target="dns-servers-and-clients"/></t> | ||||
<t>"Zone transfer" in <xref target="dns-servers-and-clients"/></t> | ||||
</list></t> | ||||
</section> | ||||
<section anchor="acknowledgements" title="Acknowledgements" numbered="no"> | ||||
<t>RFC 8499 and its predecessor, RFC 7719, were co-authored by Andrew Sullivan. | </t> | |||
The current document, which is a small update to RFC 8499, has just two authors. | <ul spacing="normal"> | |||
<li>"Alias" in <xref target="names" format="default"/></li> | ||||
<li>"Apex" in <xref target="zones" format="default"/></li> | ||||
<li>"arpa" in <xref target="zones" format="default"/></li> | ||||
<li>"Authoritative DoT (ADot)" in <xref target="dns-servers-and-clients" | ||||
format="default"/></li> | ||||
<li>"Bailiwick" in <xref target="zones" format="default"/></li> | ||||
<li>"Class independent" in <xref target="rrs" format="default"/></li> | ||||
<li>"Classic DNS" in <xref target="dns-servers-and-clients" format="defa | ||||
ult"/></li> | ||||
<li>"Delegation-centric zone" in <xref target="zones" format="default"/> | ||||
</li> | ||||
<li>"Delegation" in <xref target="zones" format="default"/></li> | ||||
<li>"DNS operator" in <xref target="reg-model" format="default"/></li> | ||||
<li>"DNSSEC-aware" in <xref target="dnssec-general" format="default"/></ | ||||
li> | ||||
<li>"DNSSEC-unaware" in <xref target="dnssec-general" format="default"/> | ||||
</li> | ||||
<li>"Forwarding" in <xref target="dns-servers-and-clients" format="defau | ||||
lt"/></li> | ||||
<li>"Full resolver" in <xref target="dns-servers-and-clients" format="de | ||||
fault"/></li> | ||||
<li>"Fully Qualified Domain Name" in <xref target="names" format="defaul | ||||
t"/></li> | ||||
<li>"Global DNS" in <xref target="names" format="default"/></li> | ||||
<li>"Hardware Security Module (HSM)" in <xref target="dnssec-general" fo | ||||
rmat="default"/></li> | ||||
<li>"Host name" in <xref target="names" format="default"/></li> | ||||
<li>"IDN" in <xref target="names" format="default"/></li> | ||||
<li>"In-domain" in <xref target="zones" format="default"/></li> | ||||
<li>"Iterative resolution" in <xref target="dns-servers-and-clients" for | ||||
mat="default"/></li> | ||||
<li>"Label" in <xref target="names" format="default"/></li> | ||||
<li>"Locally served DNS zone" in <xref target="names" format="default"/> | ||||
</li> | ||||
<li>"Naming system" in <xref target="names" format="default"/></li> | ||||
<li>"Negative response" in <xref target="dns-response-codes" format="def | ||||
ault"/></li> | ||||
<li>"Non-recursive query" in <xref target="dns-servers-and-clients" form | ||||
at="default"/></li> | ||||
<li>"Open resolver" in <xref target="dns-servers-and-clients" format="de | ||||
fault"/></li> | ||||
<li>"Passive DNS" in <xref target="dns-servers-and-clients" format="defa | ||||
ult"/></li> | ||||
<li>"Policy-implementing resolver" in <xref target="dns-servers-and-clie | ||||
nts" format="default"/></li> | ||||
<li>"Presentation format" in <xref target="rrs" format="default"/></li> | ||||
<li>"Priming" in <xref target="dns-servers-and-clients" format="default" | ||||
/></li> | ||||
<li>"Private DNS" in <xref target="names" format="default"/></li> | ||||
<li>"Recursive DoT (RDot)" in <xref target="dns-servers-and-clients" for | ||||
mat="default"/></li> | ||||
<li>"Recursive resolver" in <xref target="dns-servers-and-clients" forma | ||||
t="default"/></li> | ||||
<li>"Referrals" in <xref target="dns-transactions" format="default"/></l | ||||
i> | ||||
<li>"Registrant" in <xref target="reg-model" format="default"/></li> | ||||
<li>"Registrar" in <xref target="reg-model" format="default"/></li> | ||||
<li>"Registry" in <xref target="reg-model" format="default"/></li> | ||||
<li>"Root zone" in <xref target="zones" format="default"/></li> | ||||
<li>"Secure Entry Point (SEP)" in <xref target="dnssec-general" format=" | ||||
default"/></li> | ||||
<li>"Sibling domain" in <xref target="zones" format="default"/></li> | ||||
<li>"Signing software" in <xref target="dnssec-general" format="default" | ||||
/></li> | ||||
<li>"Split DNS" in <xref target="dns-servers-and-clients" format="defaul | ||||
t"/></li> | ||||
<li>"Stub resolver" in <xref target="dns-servers-and-clients" format="de | ||||
fault"/></li> | ||||
<li>"Subordinate" in <xref target="wildcards" format="default"/></li> | ||||
<li>"Superordinate" in <xref target="wildcards" format="default"/></li> | ||||
<li>"TLD" in <xref target="names" format="default"/></li> | ||||
<li>"Validating resolver" in <xref target="dnssec-general" format="defau | ||||
lt"/></li> | ||||
<li>"Validation" in <xref target="dnssec-general" format="default"/></li | ||||
> | ||||
<li>"View" in <xref target="dns-servers-and-clients" format="default"/>< | ||||
/li> | ||||
<li>"Zone transfer" in <xref target="dns-servers-and-clients" format="de | ||||
fault"/></li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="acknowledgements" numbered="false" toc="default"> | ||||
<name>Acknowledgements</name> | ||||
<t><xref target="RFC8499"/> and its predecessor, <xref target="RFC7719"/>, | ||||
were co-authored by <contact fullname="Andrew Sullivan"/>. | ||||
The current document, which is a small update to <xref target="RFC8499"/>, has j | ||||
ust two authors. | ||||
Andrew's work on the earlier documents is greatly appreciated.</t> | Andrew's work on the earlier documents is greatly appreciated.</t> | |||
<t>Numerous people made significant contributions to <xref target="RFC8499 | ||||
<t>Numerous people made significant contributions to RFC 8499 and RFC 7719. | "/> and <xref target="RFC7719"/>. | |||
Please see the acknowledgements sections in those two documents for the | Please see the acknowledgements sections in those two documents for the | |||
extensive list of contributors.</t> | extensive list of contributors.</t> | |||
<t>Even though the current document is a small revision, many people in th | ||||
<t>Even though the current document is a small revision, many people in the | e | |||
DNSOP Working Group have contributed to it, and their work is greatly appreciate d.</t> | DNSOP Working Group have contributed to it, and their work is greatly appreciate d.</t> | |||
</section> | ||||
</section> | </back> | |||
</back> | ||||
</rfc> | </rfc> | |||
End of changes. 312 change blocks. | ||||
1585 lines changed or deleted | 1780 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |