| < draft-ietf-dnsop-nsec-ttl-03.txt | draft-ietf-dnsop-nsec-ttl-04.txt > | |||
|---|---|---|---|---|
| dnsop P. van Dijk | dnsop P. van Dijk | |||
| Internet-Draft PowerDNS | Internet-Draft PowerDNS | |||
| Updates: 4034, 4035, 5155, 8198 (if approved) 9 February 2021 | Updates: 4034, 4035, 5155, 8198 (if approved) 18 February 2021 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 13 August 2021 | Expires: 22 August 2021 | |||
| NSEC and NSEC3 TTLs and NSEC Aggressive Use | NSEC and NSEC3 TTLs and NSEC Aggressive Use | |||
| draft-ietf-dnsop-nsec-ttl-03 | draft-ietf-dnsop-nsec-ttl-04 | |||
| Abstract | Abstract | |||
| Due to a combination of unfortunate wording in earlier documents, | Due to a combination of unfortunate wording in earlier documents, | |||
| aggressive use of NSEC and NSEC3 records may deny names far beyond | aggressive use of NSEC and NSEC3 records may deny names far beyond | |||
| the intended lifetime of a denial. This document changes the | the intended lifetime of a denial. This document changes the | |||
| definition of the NSEC and NSEC3 TTL to correct that situation. This | definition of the NSEC and NSEC3 TTL to correct that situation. This | |||
| document updates RFC 4034, RFC 4035, RFC 5155, and RFC 8198. | document updates RFC 4034, RFC 4035, RFC 5155, and RFC 8198. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 13 August 2021. | This Internet-Draft will expire on 22 August 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 11 ¶ | skipping to change at page 2, line 11 ¶ | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 | 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 | |||
| 3. NSEC and NSEC3 TTL changes . . . . . . . . . . . . . . . . . 4 | 3. NSEC and NSEC3 TTL changes . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Updates to RFC4034 . . . . . . . . . . . . . . . . . . . 4 | 3.1. Updates to RFC4034 . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. Updates to RFC4035 . . . . . . . . . . . . . . . . . . . 4 | 3.2. Updates to RFC4035 . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.3. Updates to RFC5155 . . . . . . . . . . . . . . . . . . . 5 | 3.3. Updates to RFC5155 . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4. Updates to RFC8198 . . . . . . . . . . . . . . . . . . . 5 | 3.4. Updates to RFC8198 . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.5. A note on incremental signers . . . . . . . . . . . . . . 6 | ||||
| 4. Zone Operator Considerations . . . . . . . . . . . . . . . . 6 | 4. Zone Operator Considerations . . . . . . . . . . . . . . . . 6 | |||
| 4.1. A Note On Wildcards . . . . . . . . . . . . . . . . . . . 6 | 4.1. A Note On Wildcards . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. Normative References . . . . . . . . . . . . . . . . . . . . 6 | 7. Normative References . . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. Informative References . . . . . . . . . . . . . . . . . . . 7 | 8. Informative References . . . . . . . . . . . . . . . . . . . 7 | |||
| Appendix A. Implementation Status . . . . . . . . . . . . . . . 7 | Appendix A. Implementation Status . . . . . . . . . . . . . . . 7 | |||
| Appendix B. Document history . . . . . . . . . . . . . . . . . . 8 | Appendix B. Document history . . . . . . . . . . . . . . . . . . 8 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 9 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC editor: please remove this block before publication. | [RFC editor: please remove this block before publication. | |||
| Earlier notes on this: | Earlier notes on this: | |||
| * https://indico.dns-oarc.net/event/29/sessions/98/#20181013 | * https://indico.dns-oarc.net/event/29/sessions/98/#20181013 | |||
| (https://indico.dns-oarc.net/event/29/sessions/98/#20181013) | (https://indico.dns-oarc.net/event/29/sessions/98/#20181013) | |||
| skipping to change at page 4, line 21 ¶ | skipping to change at page 4, line 21 ¶ | |||
| 2. Conventions and Definitions | 2. Conventions and Definitions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. NSEC and NSEC3 TTL changes | 3. NSEC and NSEC3 TTL changes | |||
| The existing texts in [RFC4034], [RFC4035], and [RFC5155] use the | ||||
| SHOULD requirement level, but they were written when [RFC4035] still | ||||
| said 'However, it seems prudent for resolvers to avoid blocking new | ||||
| authoritative data or synthesizing new data on their own'. [RFC8198] | ||||
| updated that text to contain 'DNSSEC-enabled validating resolvers | ||||
| SHOULD use wildcards and NSEC/NSEC3 resource records to generate | ||||
| positive and negative responses until the effective TTLs or | ||||
| signatures for those records expire'. This means that correctness of | ||||
| NSEC and NSEC3 records, and their TTLs, has become much more | ||||
| important. Because of that, the updates in this document upgrade the | ||||
| requirement level to MUST. | ||||
| 3.1. Updates to RFC4034 | 3.1. Updates to RFC4034 | |||
| Where [RFC4034] says: | Where [RFC4034] says: | |||
| | The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL | | The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL | |||
| | field. This is in the spirit of negative caching ([RFC2308]). | | field. This is in the spirit of negative caching ([RFC2308]). | |||
| This is updated to say: | This is updated to say: | |||
| | The TTL of the NSEC RR that is returned MUST be the lesser of the | | The TTL of the NSEC RR that is returned MUST be the lesser of the | |||
| | MINIMUM field of the SOA record and the TTL of the SOA itself. | | MINIMUM field of the SOA record and the TTL of the SOA itself. | |||
| | This matches the definition of the TTL for negative responses in | | This matches the definition of the TTL for negative responses in | |||
| | [RFC2308]. | | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a | |||
| | deviating value after the SOA record has been updated, to allow | ||||
| | for an incremental update of the NSEC chain. | ||||
| 3.2. Updates to RFC4035 | 3.2. Updates to RFC4035 | |||
| Where [RFC4035] says: | Where [RFC4035] says: | |||
| | The TTL value for any NSEC RR SHOULD be the same as the minimum | | The TTL value for any NSEC RR SHOULD be the same as the minimum | |||
| | TTL value field in the zone SOA RR. | | TTL value field in the zone SOA RR. | |||
| This is updated to say: | This is updated to say: | |||
| | The TTL of the NSEC RR that is returned MUST be the lesser of the | | The TTL of the NSEC RR that is returned MUST be the lesser of the | |||
| | MINIMUM field of the SOA record and the TTL of the SOA itself. | | MINIMUM field of the SOA record and the TTL of the SOA itself. | |||
| | This matches the definition of the TTL for negative responses in | | This matches the definition of the TTL for negative responses in | |||
| | [RFC2308]. | | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a | |||
| | deviating value after the SOA record has been updated, to allow | ||||
| | for an incremental update of the NSEC chain. | ||||
| 3.3. Updates to RFC5155 | 3.3. Updates to RFC5155 | |||
| Where [RFC5155] says: | Where [RFC5155] says: | |||
| | The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL | | The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL | |||
| | field. This is in the spirit of negative caching [RFC2308]. | | field. This is in the spirit of negative caching [RFC2308]. | |||
| This is updated to say: | This is updated to say: | |||
| | The TTL of the NSEC3 RR that is returned MUST be the lesser of the | | The TTL of the NSEC3 RR that is returned MUST be the lesser of the | |||
| | MINIMUM field of the SOA record and the TTL of the SOA itself. | | MINIMUM field of the SOA record and the TTL of the SOA itself. | |||
| | This matches the definition of the TTL for negative responses in | | This matches the definition of the TTL for negative responses in | |||
| | [RFC2308]. | | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a | |||
| | deviating value after the SOA record has been updated, to allow | ||||
| | for an incremental update of the NSEC chain. | ||||
| Where [RFC5155] says: | Where [RFC5155] says: | |||
| | o The TTL value for any NSEC3 RR SHOULD be the same as the minimum | | o The TTL value for any NSEC3 RR SHOULD be the same as the minimum | |||
| | TTL value field in the zone SOA RR. | | TTL value field in the zone SOA RR. | |||
| This is updated to say: | This is updated to say: | |||
| | o The TTL value for each NSEC3 RR MUST be the lesser of the | | o The TTL value for each NSEC3 RR MUST be the lesser of the | |||
| | MINIMUM field of the zone SOA RR and the TTL of the zone SOA RR | | MINIMUM field of the zone SOA RR and the TTL of the zone SOA RR | |||
| | itself. | | itself. A signer MAY cause the TTL of the NSEC RR to have a | |||
| | deviating value after the SOA record has been updated, to allow | ||||
| | for an incremental update of the NSEC chain. | ||||
| 3.4. Updates to RFC8198 | 3.4. Updates to RFC8198 | |||
| [RFC8198] section 5.4 (Consideration on TTL) is completely replaced | [RFC8198] section 5.4 (Consideration on TTL) is completely replaced | |||
| by the following text: | by the following text: | |||
| | The TTL value of negative information is especially important, | | The TTL value of negative information is especially important, | |||
| | because newly added domain names cannot be used while the negative | | because newly added domain names cannot be used while the negative | |||
| | information is effective. | | information is effective. | |||
| | | | | |||
| skipping to change at page 6, line 5 ¶ | skipping to change at page 6, line 29 ¶ | |||
| | A resolver that supports aggressive use of NSEC and NSEC3 MAY | | A resolver that supports aggressive use of NSEC and NSEC3 MAY | |||
| | limit the TTL of NSEC and NSEC3 records to the lesser of the | | limit the TTL of NSEC and NSEC3 records to the lesser of the | |||
| | SOA.MINIMUM field and the TTL of the SOA in a response, if | | SOA.MINIMUM field and the TTL of the SOA in a response, if | |||
| | present. It MAY also use a previously cached SOA for a zone to | | present. It MAY also use a previously cached SOA for a zone to | |||
| | find these values. | | find these values. | |||
| (The third paragraph of the original is removed, and the fourth | (The third paragraph of the original is removed, and the fourth | |||
| paragraph is updated to allow resolvers to also take the lesser of | paragraph is updated to allow resolvers to also take the lesser of | |||
| the SOA TTL and SOA MINIMUM.) | the SOA TTL and SOA MINIMUM.) | |||
| 3.5. A note on incremental signers | ||||
| Some DNSSEC signer implementations might not (re-)sign whole zones in | ||||
| one go, instead spreading the work of updating inception/expiration | ||||
| times over some period. Such implementations would not be able to | ||||
| update all NSEC or NSEC3 records in the zone instantly either. To | ||||
| aid these implementations, we additionally specify the following: | ||||
| | If an implementation cannot update all NSEC or NSEC3 TTLs after a | ||||
| | SOA change immediately, it MUST still attempt to do so as soon as | ||||
| | possible during the signing process. | ||||
| 4. Zone Operator Considerations | 4. Zone Operator Considerations | |||
| If signers & DNS servers for a zone cannot immediately be updated to | If signers & DNS servers for a zone cannot immediately be updated to | |||
| conform to this document, zone operators are encouraged to consider | conform to this document, zone operators are encouraged to consider | |||
| setting their SOA record TTL and the SOA MINIMUM field to the same | setting their SOA record TTL and the SOA MINIMUM field to the same | |||
| value. That way, the TTL used for aggressive NSEC and NSEC3 use | value. That way, the TTL used for aggressive NSEC and NSEC3 use | |||
| matches the SOA TTL for negative responses. | matches the SOA TTL for negative responses. | |||
| 4.1. A Note On Wildcards | 4.1. A Note On Wildcards | |||
| skipping to change at page 6, line 50 ¶ | skipping to change at page 7, line 13 ¶ | |||
| than the zone operator intended. | than the zone operator intended. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| IANA is requested to add a reference to this document in the | IANA is requested to add a reference to this document in the | |||
| "Resource Record (RR) TYPEs" subregistry of the "Domain Name System | "Resource Record (RR) TYPEs" subregistry of the "Domain Name System | |||
| (DNS) Parameters" registry, for the NSEC and NSEC3 types. | (DNS) Parameters" registry, for the NSEC and NSEC3 types. | |||
| 7. Normative References | 7. Normative References | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | ||||
| Rose, "Protocol Modifications for the DNS Security | ||||
| Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4035>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, | ||||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <https://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | |||
| NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | |||
| <https://www.rfc-editor.org/info/rfc2308>. | <https://www.rfc-editor.org/info/rfc2308>. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security Extensions", | Rose, "Resource Records for the DNS Security Extensions", | |||
| RFC 4034, DOI 10.17487/RFC4034, March 2005, | RFC 4034, DOI 10.17487/RFC4034, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4034>. | <https://www.rfc-editor.org/info/rfc4034>. | |||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <https://www.rfc-editor.org/info/rfc5155>. | <https://www.rfc-editor.org/info/rfc5155>. | |||
| [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of | [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of | |||
| DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, | DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, | |||
| July 2017, <https://www.rfc-editor.org/info/rfc8198>. | July 2017, <https://www.rfc-editor.org/info/rfc8198>. | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | ||||
| Rose, "Protocol Modifications for the DNS Security | ||||
| Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4035>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, | ||||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <https://www.rfc-editor.org/info/rfc2119>. | ||||
| 8. Informative References | 8. Informative References | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| Appendix A. Implementation Status | Appendix A. Implementation Status | |||
| [RFC Editor: please remove this section before publication] | [RFC Editor: please remove this section before publication] | |||
| Implemented in PowerDNS Authoritative Server 4.3.0 | Implemented in PowerDNS Authoritative Server 4.3.0 | |||
| https://doc.powerdns.com/authoritative/dnssec/ | https://doc.powerdns.com/authoritative/dnssec/ | |||
| operational.html?highlight=ttl#some-notes-on-ttl-usage | operational.html?highlight=ttl#some-notes-on-ttl-usage | |||
| (https://doc.powerdns.com/authoritative/dnssec/ | (https://doc.powerdns.com/authoritative/dnssec/ | |||
| operational.html?highlight=ttl#some-notes-on-ttl-usage) . | operational.html?highlight=ttl#some-notes-on-ttl-usage) . | |||
| Implemented in BIND 9.16 and up, to be released early 2021 | Implemented in BIND 9.16 and up, to be released early 2021 | |||
| https://mailarchive.ietf.org/arch/msg/dnsop/ga41J2PPUbmc21-- | https://mailarchive.ietf.org/arch/msg/dnsop/ga41J2PPUbmc21-- | |||
| dqf3i7_IY6M (https://mailarchive.ietf.org/arch/msg/dnsop/ | dqf3i7_IY6M (https://mailarchive.ietf.org/arch/msg/dnsop/ | |||
| ga41J2PPUbmc21--dqf3i7_IY6M) https://gitlab.isc.org/isc-projects/ | ga41J2PPUbmc21--dqf3i7_IY6M) https://gitlab.isc.org/isc-projects/ | |||
| skipping to change at page 9, line 4 ¶ | skipping to change at page 9, line 17 ¶ | |||
| * reduced requirement level from MUST to SHOULD, like the original | * reduced requirement level from MUST to SHOULD, like the original | |||
| texts | texts | |||
| From draft-ietf-dnsop-nsec-ttl-01 to draft-ietf-dnsop-nsec-ttl-02: | From draft-ietf-dnsop-nsec-ttl-01 to draft-ietf-dnsop-nsec-ttl-02: | |||
| * updated the second bit of wrong text in 5155 | * updated the second bit of wrong text in 5155 | |||
| From draft-ietf-dnsop-nsec-ttl-02 to draft-ietf-dnsop-nsec-ttl-03: | From draft-ietf-dnsop-nsec-ttl-02 to draft-ietf-dnsop-nsec-ttl-03: | |||
| * document now updates resolver behaviour in 8198 | * document now updates resolver behaviour in 8198 | |||
| * lots of extra text to clarify what behaviour goes where (thanks | * lots of extra text to clarify what behaviour goes where (thanks | |||
| Paul Hoffman) | Paul Hoffman) | |||
| * replace 'any' with 'each' (thanks Duane) | * replace 'any' with 'each' (thanks Duane) | |||
| * upgraded requirement level to MUST, plus a note on incremental | * upgraded requirement level to MUST, plus a note on incremental | |||
| signers | signers | |||
| From draft-ietf-dnsop-nsec-ttl-03 to draft-ietf-dnsop-nsec-ttl-04: | ||||
| * the 'incremental signer exception' is now part of all relevant | ||||
| document updates | ||||
| * added an explanation for the upgraded requirement level | ||||
| Acknowledgements | Acknowledgements | |||
| This document was made possible with the help of the following | This document was made possible with the help of the following | |||
| people: | people: | |||
| * Ralph Dolmans | * Ralph Dolmans | |||
| * Warren Kumari | * Warren Kumari | |||
| * Matthijs Mekking | * Matthijs Mekking | |||
| End of changes. 19 change blocks. | ||||
| 37 lines changed or deleted | 51 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||