< draft-wkumari-dnsop-multiple-responses-02.txt   draft-wkumari-dnsop-multiple-responses-03.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Standards Track Z. Yan Intended status: Standards Track Z. Yan
Expires: July 8, 2016 CNNIC Expires: December 28, 2016 CNNIC
W. Hardaker W. Hardaker
Parsons, Inc. Parsons, Inc.
January 05, 2016 June 26, 2016
Returning multiple answers in DNS responses. Returning extra answers in DNS responses.
draft-wkumari-dnsop-multiple-responses-02 draft-wkumari-dnsop-multiple-responses-03
Abstract Abstract
This document (re)introduces the ability to provide multiple answers This document (re)introduces the ability to provide multiple answers
in a DNS response. in a DNS response.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 8, 2016. This Internet-Draft will expire on December 28, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 11 skipping to change at page 2, line 11
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Returning multiple answers . . . . . . . . . . . . . . . . . 3 4. Returning multiple answers . . . . . . . . . . . . . . . . . 4
5. Additional records pseudo-RR . . . . . . . . . . . . . . . . 5 5. The EXTRA Resource Record . . . . . . . . . . . . . . . . . . 4
5.1. File Format . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. File Format . . . . . . . . . . . . . . . . . . . . . . . 5
5.2. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 5 5.2. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 5
6. Signaling support . . . . . . . . . . . . . . . . . . . . . . 6 6. Signaling support . . . . . . . . . . . . . . . . . . . . . . 6
7. Stub-Resolver Considerations . . . . . . . . . . . . . . . . 6 7. Stub-Resolver Considerations . . . . . . . . . . . . . . . . 6
8. Use of Additional information . . . . . . . . . . . . . . . . 6 8. Use of Additional information . . . . . . . . . . . . . . . . 6
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
10. Security Considerations . . . . . . . . . . . . . . . . . . . 7 10. Security Considerations . . . . . . . . . . . . . . . . . . . 6
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 12. Normative References . . . . . . . . . . . . . . . . . . . . 7
12.1. Normative References . . . . . . . . . . . . . . . . . . 7
12.2. Informative References . . . . . . . . . . . . . . . . . 8
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
Often the name being resolved in the DNS provides information about In many cases a name being resolved in the DNS provides the reason
why the name is being resolved, allowing the nameserver to predict behind why the name is being resolved. This may allow the
what other answers the client will soon query for. By providing authoritative nameserver to predict what other answers a recursive
multiple answers in the response, the authoritative name server resolver will soon query for. By providing multiple answers in the
operator can ensure that the recursive server that the client is response, the authoritative name server operator can assist a caching
using has all the answers in its cache. recursive resolver in pre-populating its cache before a stub resolver
or other client asks for the subsequent queries. Apart from
decreasing the latency for end users [RFC6555], this also decreases
the total number of queries that the recursive resolver needs to send
and the autorative server needs to answer.
For example, the name server operator of Example Widgets, Inc For example, the domain name administrator of Example Widgets, Inc
(example.com) knows that the example.com web page at www.example.com (example.com) knows that the web page at www.example.com contains
contains various other resources, including some images (served from various other resources, including some images (served from
images.example.com), some Cascading Style Sheets (served from images.example.com), some Cascading Style Sheets (served from
css.example.com) and some JavaScript (data.example.com). A client css.example.com) and some JavaScript (served from data.example.com).
attempting to resolve www.example.com is very likely to be a web An application attempting to resolve www.example.com is very likely
browser rendering the page and so will need to also resolve all of to be a web browser rendering the page and will likely also need to
the other names to obtain these other resources. Providing all of resolve all of these additional names as well. Providing all of
these answers in response to a query for www.example.com allows the these answers in response to a query for www.example.com allows the
recursive server to populate its cache and have all of the answers recursive resolver to pre-populate its cache and have these answers
available when the client asks for them. available immediately when a stub resolver or other DNS client asks
for them.
Other examples where this technique is useful include SMTP (including Other examples where this technique may be useful include SMTP (by
the mail server address when serving the MX record), SRV (providing including mail server addresses, SPF and DKIM records when serving
the target information in addition to the SRV response) and TLSA the MX record), SRV (by providing the target information in addition
(providing any TLSA records associated with a name). to the SRV response) and TLSA (by providing any TLSA records
associated with a name). This same technique can also be used to
include both the IPv4 (A) and IPv6 (AAAA) addresses for any singular
address query.
This is purely an optimization - by providing all of other, related This technique, described in this document, is purely an optimization
answers that the client is likely to need along with the answer that and enables a zone publisher to distribute other related answers that
they requested, users get a better experience, iterative servers need the client is likely to need along with an answer to the original
to perform less queries, authoritative servers have to answer fewer request. Users get a better experience, recursive resolvers need to
send less queries, authoritative servers have to answer fewer
queries, etc. queries, etc.
1.1. Requirements notation 1.1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Background 2. Background
The existing DNS specifications allow for additional information to The existing DNS specifications [RFC1034] allow for supplemental
be included in the "additional" section of the DNS response, but in information to be included in the "additional" section of the DNS
order to defeat cache poisoning attacks most implementations either response, but in order to defeat cache poisoning attacks most
ignore or don't trust additional information (other than for "glue"). implementations either ignore or don't trust additional records they
For some more background, see [Ref.Bellovin], [RFC1034], [RFC2181]. didn't ask for. For more background, see [Ref.Bellovin] and
[RFC2181].
Not trusting the information in the additional section was necessary Not trusting the information in the additional section was necessary
because there was no way to authenticate it. If you queried for since there was no way to authenticate it. If a resolver queries for
www.example.com and got back answers for www.invalid.com you couldn't www.example.com and received answers for www.invalid.com as well, it
tell if these were actually from invalid.com or if an attacker was is impossible for a non-validating resolver to tell if these were
trying to get bad information for invalid.com into your cache. In a actually from invalid.com or if an attacker was trying to push bad
world of ubiquitous DNSSEC deployment [Ed note: By the time this information for invalid.com into the resolver's cache. In a world of
document is published, there *will* be ubiquitous DNSSEC :-) ] the ubiquitous DNSSEC deployment [Ed note: By the time this document is
iterative server can validate the information and trust it. published, there *will* be ubiquitous DNSSEC :-) ], a validating
resolver can validate, authenticate and trust the records in the
additional information.
3. Terminology 3. Terminology
Additional records Additional records are records that the Additional records Additional records are records that the
authoritative nameserver has included in the Additional section. authoritative nameserver has included in the Additional section.
EXTRTA Resource Record The EXTRA resource record (defined below)
carries a list fo additional records to send.
Primary query A Primary query (or primary question) is a QNAME that Primary query A Primary query (or primary question) is a QNAME that
the name server operator would like to return additional answers the name server operator would like to return additional answers
for. for.
Supporting information Supporting information is the DNSSEC RRSIGs Supporting DNSSEC information Supporting DNSSEC information is the
that prove the authenticity of the Additional records. DNSSEC RRSIGs that prove the authenticity of the Additional
records.
Stub Resolver The term "Stub Resolver" is used in this document to
refer to the most common instance of a DNS client sending DNS
requests to a Recursive Resolver. However, other DNS clients are
not excluded from these usages and where we write "Stub Resolver"
you may read it as "Stub Resolver or other DNS client".
4. Returning multiple answers 4. Returning multiple answers
The authoritative nameserver should include as many of the instructed The authoritative nameserver should include as many of the instructed
Additional records and Supporting information as will fit in the additional records identified by the Extra Resource Record and
response packet. Supporting DNSSEC information as will fit in the response packet.
These additional records (and Supporting DNSSEC information) are
In order to include Additional records in a response, certain appended to the additional section of the response.
conditions need to be met. [Ed note: Some discussion on each rule is
below]
1. Additional records MUST only be included when the primary name
and each additional record are signed using DNSSEC "valid".
2. Additional records MUST only be served over TCP connections, or
when DNS Cookies [ToDo: Ref] are in use. This is to mitigate
Denial of Service reflection attacks.[1]
3. Additional records SHOULD be contained within the same zone as
the primary name[2], or MAY be additionally be contained within a
child zone for which the name server is authoritative for,
assuming all DNSSEC validation records required to validate the
child(ren) are included as well. Note that the DS record, and NS
and glue records for a child zone may be returned even when no
other additional data for the child will be included.
4. The DNSSEC supporting information necessary to perform validation
on the records must be included. I.E., the RRSIGs required to
validate the Additional record information must be included.
5. The authoritative nameserver SHOULD include as many of the In order to include additional records in a response, these
additional records as will fit in the response. Each Additional conditions need to be met:
record MUST have its matching Supporting information. Additional
records MUST be inserted in the order specified in the Additional
records list.
6. Operators SHOULD only include Additional answers that they expect 1. Additional records MUST only be included when the Name Server is
a client to actually need. [3] authoritative for the zone, and the records to be returned are
DNSSEC signed.
[Ed note 1: The above MAY be troll bait. I'm not really sure if this 2. The supporting DNSSEC information necessary to perform validation
is a good idea or not - moving folk towards TCP is probably a good on the records MUST be included.
idea, and this is somewhat of an optional record type. Then again,
special handing (TCP only) for a record would be unusual. Additional
records could cause responses to become really large, but there are
already enough large records that can be used for reflection attacks
that we can just give up on the whole "keep responses as small as
possible" ship. ]
[Ed note 2: This is poorly worded. I mumbled about bailiwick, 3. The Authoritative Name Server SHOULD include as many of the
subdomains, etc but nothing I could come up with was better. Also, additional records as will fit in the response. Additional
is this rule actually needed? I *think* it would be bad for .com records SHOULD be inserted in the order specified in the
servers to be able to include Additional records for Additional records list.
www.foo.bar.baz.example.com, but perhaps <handwave>public-suffix-
list?! This rule also makes it easier to decide what all DNSSEC
information is required.]
[Ed note 3: This is not enforceable. ] 4. Zone administrators SHOULD only include records identified in the
EXTRA Resource Records that they expect a client to need.
5. Additional records pseudo-RR 5. The EXTRA Resource Record
To allow the authoritative nameserver operator to configure the name To allow a zone content administrator to instruct the name server
server with the additional records to serve when it receives a query which additional records to serve when it receives a query to a
to a label, we introduce the Additional Resource Record (RR). label, we introduce the EXTRA Resource Record (RR). These additional
records are appended to the additional section (note that the EXTRA
RR itself is not appended). The EXTRA resource record MAY still be
queried for directly (e.g for debugging), in which case the record
itself is returned.
5.1. File Format 5.1. File Format
The format of the Additional RR is: The format of the Extra RR is:
label ADD "label,type; label,type; label,type; ..." label EXTRA "label,type; label,type; label,type; ..."
For example, if the operator of example.com would like to also return For example, if the operator of example.com would like to also return
A record answers for images.example.com, css.html.example.com and A record answers for images.example.com, css.html.example.com and
both an A and AAAA for data.example.com when queried for both an A and AAAA for data.example.com when queried for
www.example.com he would enter: www.example.com, they would create the following record:
www ADD "images,A; css.html,A; data,A; data,AAA;" www.example.com. EXTRA "images,A; css,A; data,A; data,AAA;"
The entries in the ADD list are ordered. An authoritative nameserver The entries in the EXRTA list are ordered. An authoritative
SHOULD insert the records in the order listed when filling the nameserver SHOULD insert the records in the order listed when filling
response packet. This is to allow the operator to express a the response packet. This is to allow the operator to express a
preference in case all the records to not fit. The TTL of the preference in case all the records will not fit in the response. The
records added to the Additional section are MUST be the same as if TTL of the records added to the Additional section are MUST be the
queried directly. same as if queried directly.
In some cases the operator might not know what all additional records In some cases a zone content administrator might not know what all
clients need. For example, the owner of www.example.com may have additional records clients need. For example, the owner of
outsourced his DNS operations to a third party. DNS operators may be www.example.com may have outsourced his DNS operations to a third
able to mine their query logs, and see that, in a large majority of party. DNS administrators may be able to mine their query logs, and
cases, a recursive server asks for foo.example.com and then very soon see that, in a large majority of cases, a recursive server asks for
after asks for bar.example.com, and so may decide to optimize this by foo.example.com and then very soon after asks for bar.example.com,
opportunistically returning bar when queried for foo. This and so may decide to optimize this by opportunistically returning bar
functionality could also be included in the authoritative name server when queried for foo. This functionality could also be included in
software itself, but discussions of these re outside the scope of the authoritative name server software itself, but discussions of
this document. these are outside the scope of this document.
5.2. Wire Format 5.2. Wire Format
The wire format of the Additional RR is the same as the wire format The wire format of the EXTRA RR is the same as the wire format for a
for a TXT RR: TXT RR:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/ TXT-DATA / / TXT-DATA /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Where TXT-DATA is one or more charter-strings. Where TXT-DATA is one or more <character-string>s.
The Additional RR has RR type TBD [RFC Editor: insert the IANA The Extra RR has RR type TBD [RFC Editor: insert the IANA assigned
assigned value and delete this note] value and delete this note]
6. Signaling support 6. Signaling support
Iterative nameservers that support Additional records signal this by Recursive Resolvers (or other DNS clients) that support EXTRA records
setting the OPT record's PL ("plus") bit (bit NN [TBD: assigned by MAY signal this by setting the OPT record's EXTRA bit (bit NN [TBD:
IANA] in the EDNS0 extension header to 1. assigned by IANA] in the EDNS0 extension header to 1.
7. Stub-Resolver Considerations 7. Stub-Resolver Considerations
No modifications need to be made to stub-resolvers to get the No modifications need to be made to stub-resolvers to get the
predominate benefit of this protocol, since the majority of the speed predominate benefit of this protocol, since the majority of the speed
gain will take place between the validating recursive resolver and gain will take place between the validating recursive resolver and
the authoritative name server. However, stub resolvers may wish to the authoritative name server. However, stub resolvers may choose to
query directly for the Additional RR if it wants to pre-query for support this technique, and / or may query directly for the EXTRA RR
data that will likely be needed in the process of supporting its if it wants to pre-query for data that will likely be needed in the
application. process of supporting its application.
8. Use of Additional information 8. Use of Additional information
When receiving Additional information, an iterative server follows When receiving additional records in the additional section, a
certain rules: resolver follows certain rules:
1. Additional records MUST be validated before being used. 1. Additional records MUST be validated before being used.
2. Additional records SHOULD be annotated in the cache as having 2. Additional records SHOULD be annotated in the cache as having
been received as Additional records. been received as Additional records.
3. Additional records SHOULD have lower priority in the cache than 3. Additional records SHOULD have lower priority in the cache than
answers received because they were requested. This is to help answers received because they were requested. This is to help
evict Additional records from the cache first, and help stop evict Additional records from the cache first (to help prevent
cache filling attacks. cache filling attacks).
4. Iterative servers MAY choose to ignore Additional records for any 4. Recursive resolvers MAY choose to ignore Additional records for
reason, including CPU or cache space concerns, phase of the moon, any reason, including CPU or cache space concerns, phase of the
etc. It may choose to only accept all, some or none of the moon, etc. It may choose to accept all, some or none of the
Additional records. Additional records.
9. IANA Considerations 9. IANA Considerations
This document contains the following IANA assignment requirements: This document contains the following IANA assignment requirements:
1. The PL bit discussed in Section 6 needs to be allocated. 1. The EXTRA bit discussed in Section 6 needs to be allocated.
10. Security Considerations 10. Security Considerations
Additional records will make DNS responses even larger than they are Additional records will make DNS responses even larger than they are
currently, leading to more large records that can be used for DNS currently, leading to larger records that can be used in DNS
reflection attacks. We mitigate this by only serving these over TCP. reflection attacks. One could mitigate this by only serving
responses to EXTRA requests over TCP or when using Cookies [RFC5395],
although there is no easy way to signal this to a client other than
through the use of the truncate bit.
A malicious authoritative server could include a large number of A malicious authoritative server could include a large number of
Additional records (and associated DNSSEC information) and attempt to extra records (and associated DNSSEC information) and attempt to DoS
DoS the recursive by making it do lots of DNSSEC validation. I don't the recursive by making it do lots of DNSSEC validation. However,
view this as a very serious threat (CPU for validation is cheap this is not considered a realistic threat; CPU for validation is
compared to bandwidth), but we mitigate this by allowing the cheap compared to bandwidth. This can be mitigated by allowing the
iterative to ignore Additional records whenever it wants. recursive resolver to ignore Additional records whenever it considers
itself under attack or its CPU resources are otherwise over-
committed.
By requiring the ALL of the Additional records are signed, and all This specification requires that the all of the Additional records
necessary DNSSEC information for validation be included we avoid are signed, and all necessary DNSSEC information for validation be
cache poisoning (I hope :-)) included to avoid cache poisoning attacks.
11. Acknowledgements 11. Acknowledgements
The authors wish to thank some folk. The authors wish to thank some folk.
12. References 12. Normative References
12.1. Normative References
[Ref.Bellovin] [Ref.Bellovin]
Bellovin, S., "Using the Domain Name System for System Bellovin, S., "Using the Domain Name System for System
Break-Ins", 1995, Break-Ins", 1995,
<https://www.cs.columbia.edu/~smb/papers/dnshack.pdf>. <https://www.cs.columbia.edu/~smb/papers/dnshack.pdf>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <http://www.rfc-editor.org/info/rfc1034>.
skipping to change at page 8, line 5 skipping to change at page 7, line 48
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
<http://www.rfc-editor.org/info/rfc2181>. <http://www.rfc-editor.org/info/rfc2181>.
[RFC5395] Eastlake 3rd, D., "Domain Name System (DNS) IANA [RFC5395] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", RFC 5395, DOI 10.17487/RFC5395, November Considerations", RFC 5395, DOI 10.17487/RFC5395, November
2008, <http://www.rfc-editor.org/info/rfc5395>. 2008, <http://www.rfc-editor.org/info/rfc5395>.
12.2. Informative References [RFC6555] Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with
Dual-Stack Hosts", RFC 6555, DOI 10.17487/RFC6555, April
2012, <http://www.rfc-editor.org/info/rfc6555>.
[I-D.ietf-sidr-iana-objects] [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Manderson, T., Vegoda, L., and S. Kent, "RPKI Objects Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
issued by IANA", draft-ietf-sidr-iana-objects-03 (work in <http://www.rfc-editor.org/info/rfc7873>.
progress), May 2011.
Appendix A. Changes / Author Notes. Appendix A. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
From -00 to -01. From -00 to -01.
o Nothing changed in the template! o Nothing changed in the template!
From -02 to -3:
Sat down and rewrote and cleaned up large sections of text.
Changed name of RR from Additional to EXTRA (the term "Additional"
is overloaded in general)
Clarified that stub resolvers and other clients MAY use this
specification.
Attempted to clarify that the individual RRs are added to the
response, not the EXTRA record itself. The EXTRA RR can be
queried directly.
Authors' Addresses Authors' Addresses
Warren Kumari Warren Kumari
Google Google
1600 Amphitheatre Parkway 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
US US
Email: warren@kumari.net Email: warren@kumari.net
 End of changes. 47 change blocks. 
158 lines changed or deleted 169 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/