< draft-ietf-dnsop-glue-is-not-optional-03.txt   draft-ietf-dnsop-glue-is-not-optional-04.txt >
DNSOP M. Andrews DNSOP M. Andrews
Internet-Draft ISC Internet-Draft ISC
Updates: 1034 (if approved) S. Huque Updates: 1034 (if approved) S. Huque
Intended status: Standards Track Salesforce Intended status: Standards Track Salesforce
Expires: 14 April 2022 P. Wouters Expires: 12 August 2022 P. Wouters
Aiven Aiven
D. Wessels D. Wessels
Verisign Verisign
11 October 2021 8 February 2022
Glue In DNS Referral Responses Is Not Optional DNS Referral Glue Requirements
draft-ietf-dnsop-glue-is-not-optional-03 draft-ietf-dnsop-glue-is-not-optional-04
Abstract Abstract
The DNS uses glue records to allow iterative clients to find the The DNS uses referral glue records to allow iterative clients to find
addresses of nameservers that are contained within a delegated zone. the addresses of nameservers that are contained within a delegated
Authoritative Servers are expected to return all available glue zone. Authoritative Servers are expected to return all available
records in referrals. If message size constraints prevent the referral glue records in a referral response. If message size
inclusion of all glue records in a UDP response, the server MUST set constraints prevent the inclusion of all in-domain referral glue
the TC flag to inform the client that the response is incomplete, and records, the server MUST set the TC flag to inform the client that
that the client SHOULD use TCP to retrieve the full response. This the response is incomplete, and that the client SHOULD use another
document updates RFC 1034 to clarify correct server behavior. transport to retrieve the full response. This document updates RFC
1034 to clarify correct server behavior.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 14 April 2022. This Internet-Draft will expire on 12 August 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . 3 1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . 3
2. Types of Glue . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Types of Referral Glue . . . . . . . . . . . . . . . . . . . 3
2.1. In-Domain Glue . . . . . . . . . . . . . . . . . . . . . 3 2.1. In-Domain Referral Glue . . . . . . . . . . . . . . . . . 3
2.2. Sibling Glue . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Sibling Referral Glue . . . . . . . . . . . . . . . . . . 4
2.3. Sibling Cyclic Glue . . . . . . . . . . . . . . . . . . . 4 2.3. Cyclic Sibling Referral Glue . . . . . . . . . . . . . . 5
2.4. Missing glue . . . . . . . . . . . . . . . . . . . . . . 5 2.4. Missing Referral Glue . . . . . . . . . . . . . . . . . . 5
3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. In-Domain Glue . . . . . . . . . . . . . . . . . . . . . 6 3.1. In-Domain Referral Glue . . . . . . . . . . . . . . . . . 6
3.2. Sibling Glue . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Sibling Referral Glue . . . . . . . . . . . . . . . . . . 7
3.3. Updates to RFC 1034 . . . . . . . . . . . . . . . . . . . 6 3.3. Updates to RFC 1034 . . . . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. Operational Considerations . . . . . . . . . . . . . . . . . 8
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. Normative References . . . . . . . . . . . . . . . . . . . . 8 8. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
9. Informative References . . . . . . . . . . . . . . . . . . . 8 9. Normative References . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 10. Informative References . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
The Domain Name System (DNS) [RFC1034], [RFC1035] uses glue records The Domain Name System (DNS) [RFC1034], [RFC1035] uses referral glue
to allow iterative clients to find the addresses of nameservers that records to allow iterative clients to find the addresses of
are contained within a delegated zone. Glue records are added to the nameservers that are contained within a delegated zone. Referral
parent zone as part of the delegation process and returned in glue records are added to the parent zone as part of the delegation
referral responses, otherwise a resolver following the referral has process and returned in referral responses, otherwise a resolver
no way of finding these addresses. Authoritative servers are following the referral has no way of finding these addresses.
expected to return all available glue records in referrals. If Authoritative servers are expected to return all available in-domain
message size constraints prevent the inclusion of all glue records in referral glue records in a referral response. If message size
a UDP response, the server MUST set the TC (Truncated) flag to inform constraints prevent the inclusion of all in-domain glue records over
the client that the response is incomplete, and that the client the chosen transport, the server MUST set the TC (Truncated) flag to
SHOULD use TCP to retrieve the full response. This document inform the client that the response is incomplete, and that the
clarifies that expectation. client SHOULD use another transport retrieve the full response. This
document clarifies that expectation.
DNS responses sometimes contain optional data in the additional DNS responses sometimes contain optional data in the additional
section. Glue records however are not optional. Several other section. In-domain referral glue records, however, are not optional.
protocol extensions, when used, are also not optional. This includes Several other protocol extensions, when used, are also not optional.
TSIG [RFC2845], OPT [RFC6891], and SIG(0) [RFC2931]. This includes TSIG [RFC2845], OPT [RFC6891], and SIG(0) [RFC2931].
At the time of this writing, referral glue is the only type of glue
defined for the DNS. Referral glue records are always addresses (A
or AAAA records) of a delegation's authoritative name servers. New
work underway in the IETF may lead to definitions for other types of
glue data, with requirements that differ from referral glue. This
document only describes requirements for referral glue. Unless
stated otherwise, "glue" in the remainder of this document always
means "referral glue."
Note that this document only clarifies requirements of name server Note that this document only clarifies requirements of name server
software implementations. It does not place any requirements on data software implementations. It does not place any requirements on data
placed in DNS zones or registries. placed in DNS zones or registries.
1.1. Reserved Words 1.1. Reserved Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Types of Glue 2. Types of Referral Glue
This section describes different types of glue that may be found in This section describes different types of glue that may be found in
DNS referral responses. Note that the type of glue depends on the DNS referral responses. Note that the type of glue depends on the
QNAME. A particular record can be in-domain glue for one response QNAME. A particular record can be in-domain glue for one response
and sibling glue for another. and sibling glue for another.
2.1. In-Domain Glue 2.1. In-Domain Referral Glue
The following is a simple example of glue records present in the The following is a simple example of glue records present in the
delegating zone "test" for the child zone "foo.test". The delegating zone "test" for the child zone "foo.test". The
nameservers for foo.test (ns1.foo.test and ns2.foo.test) are both nameservers for foo.test (ns1.foo.test and ns2.foo.test) are both
below the delegation point. They are configured as glue records in below the delegation point. They are configured as glue records in
the "test" zone: the "test" zone:
foo.test. 86400 IN NS ns1.foo.test. foo.test. 86400 IN NS ns1.foo.test.
foo.test. 86400 IN NS ns2.foo.test. foo.test. 86400 IN NS ns2.foo.test.
ns1.foo.test. 86400 IN A 192.0.2.1 ns1.foo.test. 86400 IN A 192.0.2.1
skipping to change at page 4, line 5 skipping to change at page 4, line 16
;www.foo.test. IN A ;www.foo.test. IN A
;; AUTHORITY SECTION: ;; AUTHORITY SECTION:
foo.test. 86400 IN NS ns1.foo.test. foo.test. 86400 IN NS ns1.foo.test.
foo.test. 86400 IN NS ns2.foo.test. foo.test. 86400 IN NS ns2.foo.test.
;; ADDITIONAL SECTION: ;; ADDITIONAL SECTION:
ns1.foo.test. 86400 IN A 192.0.2.1 ns1.foo.test. 86400 IN A 192.0.2.1
ns2.foo.test. 86400 IN AAAA 2001:db8::2:2 ns2.foo.test. 86400 IN AAAA 2001:db8::2:2
2.2. Sibling Glue 2.2. Sibling Referral Glue
Sibling glue are glue records that are not contained in the delegated Sibling glue are glue records that are not contained in the delegated
zone itself, but in another delegated zone from the same parent. In zone itself, but in another zone delegated from the same parent. In
many cases, these are not strictly required for resolution, since the many cases, these are not strictly required for resolution, since the
resolver can make follow-on queries to the same zone to resolve the resolver can make follow-on queries to the other zone to resolve the
nameserver addresses after following the referral to the sibling nameserver addresses after following the referral to the sibling
zone. However, most nameserver implementations today provide them as zone. However, most nameserver implementations today provide them as
an optimization to obviate the need for extra traffic from iterative an optimization to obviate the need for extra traffic from iterative
resolvers. resolvers.
Here the delegating zone "test" contains 2 sub-delegations for the Here the delegating zone "test" contains two delegations for the
subzones "bar.test" and "foo.test": child zones "bar.test" and "foo.test":
bar.test. 86400 IN NS ns1.bar.test. bar.test. 86400 IN NS ns1.bar.test.
bar.test. 86400 IN NS ns2.bar.test. bar.test. 86400 IN NS ns2.bar.test.
ns1.bar.test. 86400 IN A 192.0.2.1 ns1.bar.test. 86400 IN A 192.0.2.1
ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns1.bar.test.
foo.test. 86400 IN NS ns2.bar.test. foo.test. 86400 IN NS ns2.bar.test.
A referral response from "test" for "foo.test" with sibling glue A referral response from "test" for "foo.test" with sibling glue
skipping to change at page 4, line 41 skipping to change at page 5, line 5
;www.foo.test. IN A ;www.foo.test. IN A
;; AUTHORITY SECTION: ;; AUTHORITY SECTION:
foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns1.bar.test.
foo.test. 86400 IN NS ns2.bar.test. foo.test. 86400 IN NS ns2.bar.test.
;; ADDITIONAL SECTION: ;; ADDITIONAL SECTION:
ns1.bar.test. 86400 IN A 192.0.2.1 ns1.bar.test. 86400 IN A 192.0.2.1
ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
2.3. Sibling Cyclic Glue 2.3. Cyclic Sibling Referral Glue
The use of sibling glue can introduce cyclic dependencies. This The use of sibling glue can introduce cyclic dependencies. This
happens when one domain specifies name servers from a sibling domain, happens when one domain specifies name servers from a sibling domain,
and vice versa. This type of cyclic dependency can only be broken and vice versa. This type of cyclic dependency can only be broken
when the delegating name server includes the sibling glue in a when the delegating name server includes the sibling glue in a
referral response. referral response.
Here the delegating zone "test" contains 2 sub-delegations for the Here the delegating zone "test" contains two delegations for the
subzones "bar.test" and "foo.test", and each use name servers under child zones "bar.test" and "foo.test", and each use name servers
the other: under the other:
bar.test. 86400 IN NS ns1.foo.test. bar.test. 86400 IN NS ns1.foo.test.
bar.test. 86400 IN NS ns2.foo.test. bar.test. 86400 IN NS ns2.foo.test.
ns1.bar.test. 86400 IN A 192.0.2.1 ns1.bar.test. 86400 IN A 192.0.2.1
ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns1.bar.test.
foo.test. 86400 IN NS ns2.bar.test. foo.test. 86400 IN NS ns2.bar.test.
ns1.foo.test. 86400 IN A 192.0.2.3 ns1.foo.test. 86400 IN A 192.0.2.3
ns2.foo.test. 86400 IN AAAA 2001:db8::2:4 ns2.foo.test. 86400 IN AAAA 2001:db8::2:4
skipping to change at page 5, line 29 skipping to change at page 5, line 41
;www.bar.test. IN A ;www.bar.test. IN A
;; AUTHORITY SECTION: ;; AUTHORITY SECTION:
bar.test. 86400 IN NS ns1.foo.test. bar.test. 86400 IN NS ns1.foo.test.
bar.test. 86400 IN NS ns2.foo.test. bar.test. 86400 IN NS ns2.foo.test.
;; ADDITIONAL SECTION: ;; ADDITIONAL SECTION:
ns1.foo.test. 86400 IN A 192.0.2.3 ns1.foo.test. 86400 IN A 192.0.2.3
ns2.foo.test. 86400 IN AAAA 2001:db8::2:4 ns2.foo.test. 86400 IN AAAA 2001:db8::2:4
2.4. Missing glue In late 2021 the authors analyzed zone file data available from
ICANN's Centralized Zone Data Service [CZDS] and found 222 out of
approximately 209,000,000 total delegations that had only sibling NS
RRs in a cyclic dependency as above.
An example of missing glue is included here, even though it is not 2.4. Missing Referral Glue
really a type of glue. While not common, real examples of responses
that lack required glue, and with TC=0, have been shown to occur and An example of missing glue is included here, even though it can not
cause resolution failures. be considered as a type of glue. While not common, real examples of
responses that lack required glue, and with TC=0, have been shown to
occur and cause resolution failures.
The example below is based on a response observed in June 2020. The The example below is based on a response observed in June 2020. The
names have been altered to fall under documentation domains. It names have been altered to fall under documentation domains. It
shows a case where none of the glue records present in the zone fit shows a case where none of the glue records present in the zone fit
into the available space of the UDP respose, and TC=1 was not set. into the available space of the UDP response, and the TC flag was not
While this example shows a referral with DNSSEC records [RFC4033], set. While this example shows a referral with DNSSEC records
[RFC4034], [RFC4035], this behaviour has been seen with plain DNS [RFC4033], [RFC4034], [RFC4035], this behavior has been seen with
responses as well. Some records have been truncated for display plain DNS responses as well. Some records have been truncated for
purposes. Note that at the time of this writing, the servers display purposes. Note that at the time of this writing, the servers
originally responsible for this example have been updated and now originally responsible for this example have been updated and now
correctly set the TC=1 flag. correctly set the TC flag.
% dig +norec +dnssec +bufsize=512 +ignore @ns.example.net \ % dig +norec +dnssec +bufsize=512 +ignore @ns.example.net \
rh202ns2.355.foo.example rh202ns2.355.foo.example
; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \ ; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \
@ns.example.net rh202ns2.355.foo.example @ns.example.net rh202ns2.355.foo.example
; (2 servers found) ; (2 servers found)
;; global options: +cmd ;; global options: +cmd
;; Got answer: ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8798 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8798
skipping to change at page 6, line 34 skipping to change at page 6, line 45
foo.example. 86400 IN NS rh120ns1.368.foo.example. foo.example. 86400 IN NS rh120ns1.368.foo.example.
foo.example. 86400 IN NS rh202ns1.355.foo.example. foo.example. 86400 IN NS rh202ns1.355.foo.example.
foo.example. 3600 IN DS 51937 8 1 ... foo.example. 3600 IN DS 51937 8 1 ...
foo.example. 3600 IN DS 635 8 2 ... foo.example. 3600 IN DS 635 8 2 ...
foo.example. 3600 IN DS 51937 8 2 ... foo.example. 3600 IN DS 51937 8 2 ...
foo.example. 3600 IN DS 635 8 1 ... foo.example. 3600 IN DS 635 8 1 ...
foo.example. 3600 IN RRSIG DS 8 2 3600 ... foo.example. 3600 IN RRSIG DS 8 2 3600 ...
3. Requirements 3. Requirements
3.1. In-Domain Glue This section describes updated requirements for including glue in
referral responses.
3.1. In-Domain Referral Glue
This document clarifies that when a name server generates a referral This document clarifies that when a name server generates a referral
response, it MUST include all available in-domain glue records in the response, it MUST include all available in-domain glue records in the
additional section. If all in-domain glue records do not fit in a additional section, or MUST set TC=1 if constrained by message size.
UDP response, the name server MUST set TC=1.
3.2. Sibling Glue At the time of writing, most iterative clients send initial queries
over UDP and retry over TCP upon receiving a response with the TC
flag set. UDP responses are generally limited to between 1232 and
4096 bytes, due to values commonly used for the EDNS0 UDP Message
Size field [RFC6891], [FLAGDAY2020]. TCP responses are limited to
65,536 bytes.
3.2. Sibling Referral Glue
This document clarifies that when a name server generates a referral This document clarifies that when a name server generates a referral
response, it MUST [SHOULD] include available sibling glue records in response, it SHOULD include all available glue records in the
the additional section. If all sibling glue records do not fit in a additional section. If after adding all in-domain glue records, not
UDP response, the name server MUST [is NOT REQUIRED to] set TC=1. all sibling glue records fit due to message size constraints, the
name server is NOT REQUIRED to set TC=1.
3.3. Updates to RFC 1034 Note that users may experience resolution failures for domains with
only sibling glue when a name servers chooses to omit them in a
referral response. As described in Section 2.3, such domains are
rare.
[this doesn't really account for SHOULD on sibling glue...] 3.3. Updates to RFC 1034
Replace Replace
"Copy the NS RRs for the subzone into the authority section of the "Copy the NS RRs for the subzone into the authority section of the
reply. Put whatever addresses are available into the additional reply. Put whatever addresses are available into the additional
section, using glue RRs if the addresses are not available from section, using glue RRs if the addresses are not available from
authoritative data or the cache. Go to step 4." authoritative data or the cache. Go to step 4."
with with
"Copy the NS RRs for the subzone into the authority section of the "Copy the NS RRs for the subzone into the authority section of the
reply. Put whatever addresses are available into the additional reply. Put whatever NS addresses are available into the additional
section, using glue RRs if the addresses are not available from section, using glue RRs if the addresses are not available from
authoritative data or the cache. If all glue RRs do not fit, set authoritative data or the cache. If all in-domain glue RRs do not
TC=1 in the header. Go to step 4." fit, set TC=1 in the header. Go to step 4."
4. Security Considerations 4. Security Considerations
This document clarifies correct DNS server behaviour and does not This document clarifies correct DNS server behavior and does not
introduce any changes or new security considerations. introduce any changes or new security considerations.
5. IANA Considerations 5. Operational Considerations
At the time of this writing, the behavior of most DNS server
implementations is to set the TC flag only if none of the available
glue records fit in a response over UDP transport. The updated
requirements in this document might lead to an increase in the
fraction of UDP responses with the TC flag set, and consequently an
increase in the number of queries to over TCP transport.
6. IANA Considerations
There are no actions for IANA. There are no actions for IANA.
6. Acknowledgements 7. Acknowledgements
The authors wish to thank Joe Abley, Brian Dickson, Geoff Huston, The authors wish to thank Joe Abley, Brian Dickson, Geoff Huston,
Jared Mauch, George Michaelson, Benno Overeinder, John R Levine, Jared Mauch, George Michaelson, Benno Overeinder, John R Levine,
Shinta Sato, Puneet Sood, Ralf Weber, Tim Wicinski, Suzanne Woolf, Shinta Sato, Puneet Sood, Ralf Weber, Tim Wicinski, Suzanne Woolf,
and other members of the DNSOP working group for their input. and other members of the DNSOP working group for their input.
7. Changes 8. Changes
RFC Editor: Please remove this section before publication. RFC Editor: Please remove this section before publication.
This section lists substantial changes to the document as it is being This section lists substantial changes to the document as it is being
worked on. worked on.
From -01 to -02: From -01 to -02:
* Clarified that "servers" means "authoritative servers". * Clarified that "servers" means "authoritative servers".
skipping to change at page 8, line 14 skipping to change at page 9, line 5
* Reorganized with section 2 as Types of Glue and section 3 as * Reorganized with section 2 as Types of Glue and section 3 as
Requirements. Requirements.
* Removed any discussion of promoted / orphan glue. * Removed any discussion of promoted / orphan glue.
* Use appropriate documentation addresses and domain names. * Use appropriate documentation addresses and domain names.
* Added Sibling Cyclic Glue example. * Added Sibling Cyclic Glue example.
8. Normative References From -03 to -04:
* Use "referral glue" on the assumption that other types of glue may
be defined in the future.
* Added Operational Considerations section.
* Note many current implementations set TC=1 only when no glue RRs
fit. New requirements may lead to more truncation and TCP.
* Sibling glue can be optional. Only require TC=1 when all in-
domain glue RRs don't fit.
* Avoid talking about requirements for UDP/TCP specifically, and
talk more generically about message size constraints regardless of
transport.
9. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
9. Informative References 10. Informative References
[CZDS] ICANN, "Centralized Zone Data Service", January 2022,
<https://czds.icann.org/>.
[FLAGDAY2020]
Various DNS software and service providers, "DNS Flag Day
2020", October 2020, <https://dnsflagday.net/2020/>.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000, (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000,
<https://www.rfc-editor.org/info/rfc2845>. <https://www.rfc-editor.org/info/rfc2845>.
[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
2000, <https://www.rfc-editor.org/info/rfc2931>. 2000, <https://www.rfc-editor.org/info/rfc2931>.
 End of changes. 39 change blocks. 
86 lines changed or deleted 150 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/