2.3.7 DNS Extensions (dnsext)

NOTE: This charter is a snapshot of the 66th IETF Meeting in Montreal, Quebec, Canada. It may now be out-of-date.

Last Modified: 2006-03-30


Olafur Gudmundsson <ogud@ogud.com>
Olaf Kolkman <olaf@nlnetlabs.nl>

Internet Area Director(s):

Jari Arkko <jari.arkko@piuha.net>
Mark Townsley <townsley@cisco.com>

Internet Area Advisor:

Mark Townsley <townsley@cisco.com>

Mailing Lists:

General Discussion: namedroppers@ops.ietf.org
To Subscribe: namedroppers-request@ops.ietf.org
Archive: http://ops.ietf.org/lists/namedroppers/

Description of Working Group:

DNS was originally specified in RFCs 1034 and 1035, with subsequent
updates.  Within the scope of this WG are DNS protocol issues,
including the specification of message formats, message handling, and
data formats used for DNS client-server and server-server

This WG is focused on advancing the zone transfer, update, notify
and DNSSECbis documents to Draft standard.

The WG works on solutions for DNSSEC deployment issues that may
require protocol modifications. Two of these issues are identified
and are worked on under the umbrella of this WG. 1] (a) method(s) to
prevent the possibility of trivial zone enumeration and 2] a method
for automated rollover of trust-anchors configured in validating

Issues surrounding the operation of DNS, recommendations concerning
the configuration of DNS servers, and other issues with the use of
the protocol are out of scope for this Working Group.  These issues
are considered in other venues, such as the DNS Operations Working

The DNSEXT Working Group sometimes uses an additional mailing list
for discussion of DNS Security related issues. This list is open to

  Discussion: dnssec@cafax.se
  To Subscribe: dnssec-request@cafax.se
  Archive:  http://www.cafax.se/dnssec/ and

The 2535bis document set was edited by a team. This team was
chartered with making editorial changes only, with all substantive
changes discussed on the WG list. The archive of this editors-only
mailing list is available at:

Specific work items are:

      o Advance the DNSSECbis document set through the standards

      o Clarification of RFC1034/1035 relating to DNSEXT ongoing work.
        + Clarification of wildcard processing rules.

      o After the work items above have been completed the working
        group will continue on reviewing the following existing
        proposed standard and examine if there is a possibility to
        progress them on the standards track.

        + RFC1995 (IXFR)  to Draft standard.
        + RFC1996 (Notify) to Draft standard.
        + RFC2136bis (Dynamic Update) to Draft Standard.
        + RFC2181 (Clarify) to IESG for advancement to Draft Standard.
        + RFC2308 (Neg Caching) to Draft Standard.
        + RFC2671 (EDNS0) to Draft Standard.
        + RFC2672 (DNAME) to Draft Standard, or revision.
        + RFC2845 (TSIG) to Draft standard.
        + RFC2930 (TKEY) to Draft standard.
        + RFC3007 (Secure Update) to Draft standard.
        + RFC3645 GSS/TSIG to Draft Standard
        + RFC3??? AXFR clarify to Draft Standard.

      o Identify (a) method(s) to prevent the possibility of trivial
        zone enumeration.

      o Define a method for automated rollover of trust-anchors
        configured in validating resolvers.

      o Foster the development of Link Local Multicast Name
        Resolution (LLMNR) standard. The WG has taken up this work
        since LLMNR is very similar to the DNS protocol.  LLMNR is
        targeted as proposed standard.

The lifetime of the group is set by the work items above but while
these are ongoing the working group has additional tasks:

      o Reviewing and providing recommendations about the
        specification, by other working groups, of RR types that do
        not require any special processing and that do not require any
        special naming conventions.

Goals and Milestones:

Done  Forward NSEC rdata to IESG for Proposed Standard
Done  Forward RFC2535-bis to IESG for proposed standard
Done  Forward Case Insensitive to IESG for Proposed Standard
Done  Forward LLMNR to IESG for Proposed Standard
Feb 2005  Update boilerplate text on OPT-IN
Feb 2005  Submit KEY algorithm documents RFC253[69]bis and RFC3110 to IESG for proposed standard
Mar 2005  Finalize Zone Enumeration Requirements
Done  Forward Wildcard clarification to IESG for proposed standard
Apr 2005  Start of process of reviewing the following RFCs and to move them to Draft Standard status
May 2005  Submit to IESG RFC2845 (TSIG) to Draft standard
Jun 2005  RFC2671 (EDNS0) to Draft Standard
Jun 2005  RFC2672 (DNAME) to Draft Standard or revision
Jul 2005  RFC2136 (Dynamic Update) to Draft Standard
Jul 2005  RFC3007 (Secure Update) to Draft Standard
Jul 2005  RFC1995 (IXFR) to Draft standard
Jul 2005  RFC1996 (Notify) to Draft Standard
Sep 2005  RFC2930 (TKEY) to Draft standard
Sep 2005  RFC2181 (Clarify) to Draft Standard
Sep 2005  RFC2308 (Neg Caching) to Draft Standard
Nov 2005  RFC2782 (SRV RR) to Draft Standard
Nov 2005  RFC1982 (Serial Number Arithmetic)
Nov 2005  RFC2539 (DH Key RR) to Draft Standard
Nov 2005  RFC3226 (Message Size) to Draft Standard
Done  RFC2538 (CERT RR) to Draft Standard


  • draft-ietf-dnsext-dhcid-rr-13.txt
  • draft-ietf-dnsext-mdns-47.txt
  • draft-ietf-dnsext-dnssec-opt-in-09.txt
  • draft-ietf-dnsext-rfc2536bis-dsa-08.txt
  • draft-ietf-dnsext-rfc2539bis-dhk-08.txt
  • draft-ietf-dnsext-ecc-key-09.txt
  • draft-ietf-dnsext-dnssec-trans-04.txt
  • draft-ietf-dnsext-signed-nonexistence-requirements-03.txt
  • draft-ietf-dnsext-trustupdate-timers-04.txt
  • draft-ietf-dnsext-nsec3-08.txt
  • draft-ietf-dnsext-dnssec-experiments-03.txt
  • draft-ietf-dnsext-dnssec-bis-updates-04.txt
  • draft-ietf-dnsext-2929bis-03.txt
  • draft-ietf-dnsext-nsid-02.txt
  • draft-ietf-dnsext-rollover-requirements-03.txt
  • draft-ietf-dnsext-rfc2672bis-dname-00.txt

    Request For Comments:

    RFC2782 PS A DNS RR for specifying the location of services (DNS SRV)
    RFC2845 Standard Secret Key Transaction Authentication for DNS (TSIG)
    RFC2929 BCP Domain Name System (DNS) IANA Considerations
    RFC2930 PS Secret Key Establishment for DNS (TKEY RR)
    RFC2931 PS DNS Request and Transaction Signatures ( SIG(0)s )
    RFC3007 PS Secure Domain Name System (DNS) Dynamic Update
    RFC3008 PS Domain Name System Security (DNSSEC) Signing Authority
    RFC3090 PS DNS Security Extension Clarification on Zone Status
    RFC3110 PS RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
    RFC3123 E A DNS RR Type for Lists of Address Prefixes (APL RR)
    RFC3197 I Applicability Statement for DNS MIB Extensions
    RFC3225 PS Indicating Resolver Support of DNSSEC
    RFC3226 PS DNSSEC and IPv6 A6 aware server/resolver message size requirements
    RFC3363 I Representing IPv6 addresses in DNS
    RFC3364 I Tradeoffs in DNS support for IPv6
    RFC3425 PS Obsoleting IQUERY
    RFC3445 PS Limiting the Scope of the KEY Resource Record out
    RFC3596 Standard DNS Extensions to support IP version 6
    RFC3597 PS Handling of Unknown DNS Resource Record (RR) Types
    RFC3645 Standard GSS Algorithm for TSIG (GSS-TSIG)
    RFC3655 Standard Redefinition of DNS AD bit
    RFC3658 Standard Delegation Signer Resource Record
    RFC3755 Standard Legacy Resolver Compatibility for Delegation Signer
    RFC3757 Standard KEY RR Secure Entry Point Flag
    RFC3833 I Threat Analysis Of The Domain Name System
    RFC3845 Standard DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
    RFC4033 Standard DNS Security Introduction and Requirements
    RFC4034 Standard Resource Records for the DNS Security Extensions
    RFC4035 Standard Protocol Modifications for the DNS Security Extensions
    RFC4343 Standard Domain Name System (DNS) Case Insensitivity Clarification
    RFC4398 PS Storing Certificates in the Domain Name System (DNS)
    RFC4470 PS Minimally Covering NSEC Records and DNSSEC On-line Signing
    RFC4471 E Derivation of DNS Name Predecessor and Successor
    RFC4509 PS Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
    RFC4592 PS The Role of Wildcards in the Domain Name System
    RFC4635 PS HMAC SHA (Hashed Message Authentication Code, Secure Hash Algorithm) TSIG Algorithm Identifiers

    Meeting Minutes


    Agenda slides and discussion items by chairs
    NSEC3 status and open issues
    DNAME issues initial list
    RFC2929bis update
    DNS Cookies draft presentation