Internet-Draft Ranking DNS data March 2024
Hoffman, et al. Expires 5 September 2024 [Page]
Domain Name System Operations
2181 (if approved)
Intended Status:
Standards Track
P. Hoffman
S. Huque
W. Toorop
NLnet Labs

Ranking Domain Name System data


This document extends the list ranking the trustworthiness of domain name system (DNS) data (see Section 5.4.1 of [RFC2181]). The list is extended with entries for root server names and addresses built-in resolvers, and provided via a root hints file with the lowest trustworthiness, as wel as an entry for data which is verifiable DNSSEC secure with the highest trustworthiness. This document furthermore assigns ranked values to the positions of the list for easier reference and comparison of trustworthiness of DNS data.

About This Document

This note is to be removed before publishing as an RFC.

Status information for this document may be found at

Discussion of this document takes place on the DNSOP Working Group mailing list (, which is archived at Subscribe at

Source for this draft and an issue tracker can be found at

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 5 September 2024.

Table of Contents

1. Introduction

This draft's intention is currently just to start re-evaluation and re-thinking of [RFC2181], Section 5.4.1 about ranking trustworthiness of DNS data.

2. Trustworthiness values

Table 1
Value Data
AAA Data from a primary zone file other than occluded data, and all data that is verifiable DNSSEC secure regardless off were it came from
AA Data from a zone transfer other than occluded data
A The authoritative data included in the answer section of an authoritative reply
A- Data from the authority section of an authoritative answer
BBB Occluded data from a primary zone, or occluded data from a zone transfer
BB Data from the answer section of a non-authoritative answer, and non-authoritative data from the answer section of authoritative answers
B Additional information from an authoritative answer, Data from the authority section of a non-authoritative answer, Additional information from non-authoritative answers.
CCC Names and addresses for the root servers from a hints file
CC Names and addresses for the root servers built into resolver software

3. IANA Considerations

This document does not require any IANA actions.

4. Security Considerations

The process of replacing RRsets in a resolvers cache with the RRsets with a higher trustworthiness ranking, either passively or pro-actively by explicit querying, is crucial to the security of the DNS.

5. Normative References

Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, DOI 10.17487/RFC2181, , <>.

Appendix A. Acknowledgements

Thanks to all the people that contributed to the discussion surrounding the re-evaluation of how the trustworthiness of DNS data should be ranked.

Authors' Addresses

Paul Hoffman
Shumon Huque
Willem Toorop
NLnet Labs
Science Park 400
1098 XH Amsterdam