DNS Extensions (dnsext)

Last Modified: 2006-03-30

Additional information is available at tools.ietf.org/wg/dnsext

Chair(s):

  • Olafur Gudmundsson <ogud@ogud.com>

  • Olaf Kolkman <olaf@nlnetlabs.nl>

    Internet Area Director(s):

  • Jari Arkko <jari.arkko@piuha.net>
  • Mark Townsley <townsley@cisco.com>

    Internet Area Advisor:

  • Mark Townsley <townsley@cisco.com>

    Mailing Lists:

    General Discussion: namedroppers@ops.ietf.org
    To Subscribe: namedroppers-request@ops.ietf.org
    Archive: http://ops.ietf.org/lists/namedroppers/

    Description of Working Group:

    DNS was originally specified in RFCs 1034 and 1035, with subsequent
    updates.  Within the scope of this WG are DNS protocol issues,
    including the specification of message formats, message handling, and
    data formats used for DNS client-server and server-server
    communication.

    This WG is focused on advancing the zone transfer, update, notify
    and DNSSECbis documents to Draft standard.

    The WG works on solutions for DNSSEC deployment issues that may
    require protocol modifications. Two of these issues have been
    identified and are worked on under the umbrella of this WG: (1) (a)
    method(s) to prevent the possibility of trivial zone enumeration and
    (2) a method for automated rollover of trust-anchors configured in
    validating resolvers.

    Issues surrounding the operation of DNS, recommendations concerning
    the configuration of DNS servers, and other issues with the use of
    the protocol are out of scope for this Working Group.  These issues
    are considered in other venues, such as the DNS Operations Working
    Group.

    The DNSEXT Working Group sometimes uses an additional mailing list
    for discussion of DNS Security related issues. This list is open to
    all.

      Discussion: dnssec@cafax.se
      To Subscribe: dnssec-request@cafax.se
      Archive:  http://www.cafax.se/dnssec/ and
                ftp://ftp.cafax.se/pub/archives/dnssec.list

    The 2535bis document set was edited by a team. This team was
    chartered with making editorial changes only, with all substantive
    changes discussed on the WG list. The archive of this editors-only
    mailing list is available at:
     
      http://www.east.isi.edu/projects/DNSSEC

    Specific work items are:

          o Advance the DNSSECbis document set through the standards
            process.

          o Clarification of RFC1034/1035 relating to DNSEXT ongoing work.
            + Clarification of wildcard processing rules.

          o After the work items above have been completed the working
            group will continue on reviewing the following existing
            proposed standard and examine if there is a possibility to
            progress them on the standards track.

            + RFC1995 (IXFR)  to Draft standard.
            + RFC1996 (Notify) to Draft standard.
            + RFC2136bis (Dynamic Update) to Draft Standard.
            + RFC2181 (Clarify) to IESG for advancement to Draft Standard.
            + RFC2308 (Neg Caching) to Draft Standard.
            + RFC2671 (EDNS0) to Draft Standard.
            + RFC2672 (DNAME) to Draft Standard, or revision.
            + RFC2845 (TSIG) to Draft standard.
            + RFC2930 (TKEY) to Draft standard.
            + RFC3007 (Secure Update) to Draft standard.
            + RFC3645 (GSS/TSIG) to Draft Standard.
            + RFC3??? AXFR clarify to Draft Standard.

          o Identify (a) method(s) to prevent the possibility of trivial
            zone enumeration.

          o Define a method for automated rollover of trust-anchors
            configured in validating resolvers.

          o Foster the development of Link Local Multicast Name
            Resolution (LLMNR) standard. The WG has taken up this work
            since LLMNR is very similar to the DNS protocol.  LLMNR is
            targeted as proposed standard.

    The lifetime of the group is set by the work items above but while
    these are ongoing the working group has additional tasks:

          o Reviewing and providing recommendations about the
            specification, by other working groups, of RR types that do
            not require any special processing and that do not require
            any special naming conventions.

    Goals and Milestones:

    Done  Forward NSEC rdata to IESG for Proposed Standard
    Done  Forward RFC2535-bis to IESG for proposed standard
    Done  Forward Case Insensitive to IESG for Proposed Standard
    Done  Forward LLMNR to IESG for Proposed Standard
    Feb 2005  Update boilerplate text on OPT-IN
    Feb 2005  Submit KEY algorithm documents RFC253[69]bis and RFC3110 to IESG for proposed standard
    Mar 2005  Finalize Zone Enumeration Requirements
    Done  Forward Wildcard clarification to IESG for proposed standard
    Apr 2005  Start of process of reviewing the following RFCs and to move them to Draft Standard status
    May 2005  Submit to IESG RFC2845 (TSIG) to Draft standard
    Jun 2005  RFC2671 (EDNS0) to Draft Standard
    Jun 2005  RFC2672 (DNAME) to Draft Standard or revision
    Jul 2005  RFC2136 (Dynamic Update) to Draft Standard
    Jul 2005  RFC3007 (Secure Update) to Draft Standard
    Jul 2005  RFC1995 (IXFR) to Draft standard
    Jul 2005  RFC1996 (Notify) to Draft Standard
    Sep 2005  RFC2930 (TKEY) to Draft standard
    Sep 2005  RFC2181 (Clarify) to Draft Standard
    Sep 2005  RFC2308 (Neg Caching) to Draft Standard
    Nov 2005  RFC2782 (SRV RR) to Draft Standard
    Nov 2005  RFC1982 (Serial Number Arithmetic)
    Nov 2005  RFC2539 (DH Key RR) to Draft Standard
    Nov 2005  RFC3226 (Message Size) to Draft Standard
    Done  RFC2538 (CERT RR) to Draft Standard

    Internet-Drafts:

    A DNS RR for Encoding DHCP Information (DHCID RR) (25276 bytes)
    Link-local Multicast Name Resolution (LLMNR) (70036 bytes)
    DNSSEC Opt-In (32949 bytes)
    DSA Keying and Signature Information in the DNS (13589 bytes)
    Storage of Diffie-Hellman Keying Information in the DNS (18486 bytes)
    Elliptic Curve Keys and Signatures in the Domain Name System (DNS) (35544 bytes)
    Evaluating DNSSEC Transition Mechanisms (29670 bytes)
    Requirements related to DNSSEC Signed Proof of Non-Existence (28510 bytes)
    Automated Updates of DNSSEC Trust Anchors (30836 bytes)
    DNSSEC Hashed Authenticated Denial of Existence (107699 bytes)
    DNSSEC Experiments (17161 bytes)
    Clarifications and Implementation Notes for DNSSECbis (23363 bytes)
    Domain Name System (DNS) IANA Considerations (33210 bytes)
    DNS Name Server Identifier Option (NSID) (24194 bytes)
    Use of RSA/SHA-256 DNSKEY and RRSIG Resource Records in DNSSEC (12206 bytes)
    Requirements related to DNSSEC Trust Anchor Rollover (23985 bytes)

    Request For Comments:

    A DNS RR for specifying the location of services (DNS SRV) (RFC 2782) (24013 bytes) obsoletes RFC 2052
    Secret Key Transaction Authentication for DNS (TSIG) (RFC 2845) (32272 bytes) updates RFC 1035/ updated by RFC 3645
    Domain Name System (DNS) IANA Considerations (RFC 2929) (22454 bytes)
    Secret Key Establishment for DNS (TKEY RR) (RFC 2930) (34894 bytes)
    DNS Request and Transaction Signatures ( SIG(0)s ) (RFC 2931) (19073 bytes) updates RFC 2535
    Secure Domain Name System (DNS) Dynamic Update (RFC 3007) (18056 bytes) obsoletes RFC 2136,RFC 2535/ updates RFC 2137/ updated by RFC 4033,RFC 4034,RFC 4035
    Domain Name System Security (DNSSEC) Signing Authority (RFC 3008) (13484 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 2535/ updated by RFC 3658
    DNS Security Extension Clarification on Zone Status (RFC 3090) (24166 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updated by RFC 3658
    RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS) (RFC 3110) (14587 bytes)
    A DNS RR Type for Lists of Address Prefixes (APL RR) (RFC 3123) (14648 bytes)
    Applicability Statement for DNS MIB Extensions (RFC 3197) (8610 bytes)
    Indicating Resolver Support of DNSSEC (RFC 3225) (11548 bytes) updated by RFC 4033,RFC 4034,RFC 4035
    DNSSEC and IPv6 A6 aware server/resolver message size requirements (RFC 3226) (12078 bytes) updates RFC 2535,RFC 2874/ updated by RFC 4033,RFC 4034,RFC 4035
    Representing IPv6 addresses in DNS (RFC 3363) (11055 bytes) updates RFC 2673,RFC 2874
    Tradeoffs in DNS support for IPv6 (RFC 3364) (26544 bytes) updates RFC 2874
    Obsoleting IQUERY (RFC 3425) (8615 bytes) updates RFC 1035
    Limiting the Scope of the KEY Resource Record (RR) (RFC 3445) (20947 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 2535
    Handling of Unknown DNS Resource Record (RR) Types (RFC 3597) (17559 bytes) updated by RFC 4033,RFC 4034,RFC 4035
    DNS Extensions to support IP version 6 (RFC 3596) (14093 bytes)
    GSS Algorithm for TSIG (GSS-TSIG) (RFC 3645) (56162 bytes) updates RFC 2845
    Redefinition of DNS AD bit (RFC 3655) (15646 bytes) obsoletes RFC 2535/ obsoleted by RFC 4033,RFC 4034,RFC 4035
    Delegation Signer Resource Record (RFC 3658) (42120 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 1035,RFC 2535,RFC 3008,RFC 3090/ updated by RFC 3755
    Legacy Resolver Compatibility for Delegation Signer (RFC 3755) (19812 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 2535,RFC 3658/ updated by RFC 3757,RFC 3845
    KEY RR Secure Entry Point Flag (RFC 3757) (16868 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 2535,RFC 3755
    DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format (RFC 3845) (14793 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 2535,RFC 3755
    Threat Analysis Of The Domain Name System (RFC 3833) (39303 bytes)
    Protocol Modifications for the DNS Security Extensions (RFC 4035) (130589 bytes) obsoletes RFC 2535,RFC 3008,RFC 3090,RFC 3445,RFC 3655,RFC 3658,RFC 3755,RFC 3757,RFC 3845/ updates RFC 1034,RFC 1035,RFC 2136,RFC 2181,RFC 2308,RFC 3007,RFC 3225,RFC 3226,RFC 3597/ updated by RFC 4470
    Resource Records for the DNS Security Extensions (RFC 4034) (63879 bytes) obsoletes RFC 2535,RFC 3008,RFC 3090,RFC 3445,RFC 3655,RFC 3658,RFC 3755,RFC 3757,RFC 3845/ updates RFC 1034,RFC 1035,RFC 2136,RFC 2181,RFC 2308,RFC 3007,RFC 3225,RFC 3226,RFC 3597/ updated by RFC 4470
    DNS Security Introduction and Requirements (RFC 4033) (52445 bytes) obsoletes RFC 2535,RFC 3008,RFC 3090,RFC 3445,RFC 3655,RFC 3658,RFC 3755,RFC 3757,RFC 3845/ updates RFC 1034,RFC 1035,RFC 2136,RFC 2181,RFC 2308,RFC 3007,RFC 3225,RFC 3226,RFC 3597
    Domain Name System (DNS) Case Insensitivity Clarification (RFC 4343) (22899 bytes) updates RFC 1034,RFC 1035,RFC 2181
    Storing Certificates in the Domain Name System (DNS) (RFC 4398) (35652 bytes) obsoletes RFC 2538
    Minimally Covering NSEC Records and DNSSEC On-line Signing (RFC 4470) (17471 bytes) updates RFC 4034,RFC 4035
    Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) (RFC 4509) (14155 bytes)
    The Role of Wildcards in the Domain Name System (RFC 4592) (43991 bytes) updates RFC 1034,RFC 2672
    HMAC SHA (Hashed Message Authentication Code, Secure Hash Algorithm) TSIG Algorithm Identifiers (RFC 4635) (16533 bytes)
    Derivation of DNS Name Predecessor and Successor (RFC 4471) (42430 bytes)
