idnits 2.17.1 draft-ietf-dnsop-terminology-bis-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 866: '...s. An in-domain name server name MUST...' RFC 2119 keyword, line 1089: '...se, the resolver SHOULD treat the chil...' -- The draft header indicates that this document obsoletes RFC7719, but the abstract doesn't seem to directly say this. It does mention RFC7719 though, so this could be OK. -- The draft header indicates that this document updates RFC3757, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC2308, but the abstract doesn't seem to directly say this. It does mention RFC2308 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC2308, updated by this document, for RFC5378 checks: 1997-01-17) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 1, 2017) is 2488 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'DNSSEC' is mentioned on line 1173, but not defined ** Obsolete normative reference: RFC 882 (Obsoleted by RFC 1034, RFC 1035) ** Downref: Normative reference to an Informational RFC: RFC 6561 ** Downref: Normative reference to an Informational RFC: RFC 6781 ** Downref: Normative reference to an Informational RFC: RFC 6841 ** Obsolete normative reference: RFC 7719 (Obsoleted by RFC 8499) -- Obsolete informational reference (is this intentional?): RFC 2133 (Obsoleted by RFC 2553) -- Obsolete informational reference (is this intentional?): RFC 3757 (Obsoleted by RFC 4033, RFC 4034, RFC 4035) -- Obsolete informational reference (is this intentional?): RFC 4641 (Obsoleted by RFC 6781) -- Obsolete informational reference (is this intentional?): RFC 7482 (Obsoleted by RFC 9082) -- Obsolete informational reference (is this intentional?): RFC 7483 (Obsoleted by RFC 9083) -- Obsolete informational reference (is this intentional?): RFC 7484 (Obsoleted by RFC 9224) Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 11 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft ICANN 4 Obsoletes: 7719 (if approved) A. Sullivan 5 Updates: 2308, 3757 (if approved) Oracle 6 Intended status: Best Current Practice K. Fujiwara 7 Expires: January 2, 2018 JPRS 8 July 1, 2017 10 DNS Terminology 11 draft-ietf-dnsop-terminology-bis-06 13 Abstract 15 The DNS is defined in literally dozens of different RFCs. The 16 terminology used by implementers and developers of DNS protocols, and 17 by operators of DNS systems, has sometimes changed in the decades 18 since the DNS was first defined. This document gives current 19 definitions for many of the terms used in the DNS in a single 20 document. 22 This document will be the successor to RFC 7719, and thus will 23 obsolete RFC 7719. It will also update RFC 2308 and RFC 3758. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on January 2, 2018. 42 Copyright Notice 44 Copyright (c) 2017 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 60 2. Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3. DNS Header and Response Codes . . . . . . . . . . . . . . . . 9 62 4. Resource Records . . . . . . . . . . . . . . . . . . . . . . 10 63 5. DNS Servers and Clients . . . . . . . . . . . . . . . . . . . 12 64 6. Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 65 7. Registration Model . . . . . . . . . . . . . . . . . . . . . 21 66 8. General DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 22 67 9. DNSSEC States . . . . . . . . . . . . . . . . . . . . . . . . 27 68 10. Security Considerations . . . . . . . . . . . . . . . . . . . 28 69 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 70 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 71 12.1. Normative References . . . . . . . . . . . . . . . . . . 28 72 12.2. Informative References . . . . . . . . . . . . . . . . . 31 73 Appendix A. Definitions Updated by this Document . . . . . . . . 34 74 Appendix B. Definitions First Defined in this Document . . . . . 34 75 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 36 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 78 1. Introduction 80 The Domain Name System (DNS) is a simple query-response protocol 81 whose messages in both directions have the same format. (See 82 Section 2 for a fuller definition.) The protocol and message format 83 are defined in [RFC1034] and [RFC1035]. These RFCs defined some 84 terms, but later documents defined others. Some of the terms from 85 [RFC1034] and [RFC1035] now have somewhat different meanings than 86 they did in 1987. 88 This document collects a wide variety of DNS-related terms. Some of 89 them have been precisely defined in earlier RFCs, some have been 90 loosely defined in earlier RFCs, and some are not defined in any 91 earlier RFC at all. 93 Most of the definitions here are the consensus definition of the DNS 94 community -- both protocol developers and operators. Some of the 95 definitions differ from earlier RFCs, and those differences are 96 noted. In this document, where the consensus definition is the same 97 as the one in an RFC, that RFC is quoted. Where the consensus 98 definition has changed somewhat, the RFC is mentioned but the new 99 stand-alone definition is given. See Appendix A for a list of the 100 definitions that this document updates. 102 It is important to note that, during the development of this 103 document, it became clear that some DNS-related terms are interpreted 104 quite differently by different DNS experts. Further, some terms that 105 are defined in early DNS RFCs now have definitions that are generally 106 agreed to, but that are different from the original definitions. 107 Therefore, this document is a substantial revision to [RFC7719]. 109 The terms are organized loosely by topic. Some definitions are for 110 new terms for things that are commonly talked about in the DNS 111 community but that never had terms defined for them. 113 Other organizations sometimes define DNS-related terms their own way. 114 For example, the W3C defines "domain" at 115 https://specs.webplatform.org/url/webspecs/develop/. The Root Server 116 System Advisory Committee (RSSAC) has a good lexicon [RSSAC026]. 118 Note that there is no single consistent definition of "the DNS". It 119 can be considered to be some combination of the following: a commonly 120 used naming scheme for objects on the Internet; a distributed 121 database representing the names and certain properties of these 122 objects; an architecture providing distributed maintenance, 123 resilience, and loose coherency for this database; and a simple 124 query-response protocol (as mentioned below) implementing this 125 architecture. Section 2 defines "global DNS" and "private DNS" as a 126 way to deal with these differing definitions. 128 Capitalization in DNS terms is often inconsistent among RFCs and 129 various DNS practitioners. The capitalization used in this document 130 is a best guess at current practices, and is not meant to indicate 131 that other capitalization styles are wrong or archaic. In some 132 cases, multiple styles of capitalization are used for the same term 133 due to quoting from different RFCs. 135 2. Names 137 Naming system: A naming system associates names with data. Naming 138 systems have many significant facets that help differentiate them. 139 Some commonly-identified facets include: 141 * Composition of names 143 * Format of names 144 * Administration of names 146 * Types of data that can be associated with names 148 * Types of metadata for names 150 * Protocol for getting data from a name 152 * Context for resolving a name 154 Note that this list is a small subset of facets that people have 155 identified over time for naming systems, and the IETF has yet to 156 agree on a good set of facets that can be used to compare naming 157 systems. For example, other facets might include "protocol to 158 update data in a name", "privacy of names", and "privacy of data 159 associated with names", but those do not not have a clear 160 definitions as the ones listed above. The list here is chosen 161 because it helps describe the DNS and naming systems similar to 162 the DNS. 164 Domain name: An ordered list of one or more labels. 166 Note that this is a definition independent of the DNS RFCs, and 167 the definition here also applies to systems other than the DNS. 168 [RFC1034] defines the "domain name space" using mathematical trees 169 and their nodes in graph theory, and the definition in [RFC1034] 170 has the same practical result as the definition here. Using graph 171 theory, a domain name is a list of labels identifying a portion 172 along one edge of an acyclic directed graph. A domain name can be 173 relative to other parts of the tree, or it can be fully qualified 174 (in which case, it ends at the common root of the graph). 176 Also note that different IETF and non-IETF documents have used the 177 term "domain name" in many different ways. It is common for 178 earlier documents to use "domain name" to mean "names that match 179 the syntax in [RFC1035]", but possibly with additional rules such 180 as "and are, or will be, resolvable in the global DNS" or "but 181 only using the presentation format". 183 Label: An ordered list of zero or more octets and which makes up a 184 portion of a domain name. Using graph theory, a label identifies 185 one node in a portion of the graph of all possible domain names. 187 Global DNS: Using the short set of facets listed in "Naming system", 188 the global DNS can be defined as follows. Most of the rules here 189 come from [RFC1034] and [RFC1035], although the term "global DNS" 190 has not been defined before now. 192 Composition of names -- A name in the global DNS has one or more 193 labels. The length of each label is between 0 and 63 octets 194 inclusive. In a fully-qualified domain name, the first label 195 (logically speaking) is 0 octets long; it is the only label whose 196 length may be 0 octets, and it is called the "root" or "root 197 label". A domain name in the global DNS has a maximum total 198 length of 255 octets in the wire format; the root represents one 199 octet for this calculation. 201 Format of names -- Names in the global DNS are domain names. 202 There are three formats: wire format, presentation format, and 203 common display. 205 The basic wire format for names in the global DNS is a list of 206 labels with the root label last. Each label is preceded by a 207 length octet. [RFC1035] also defines a compression scheme that 208 modifies this format. 210 The presentation format for names in the global DNS is a list of 211 labels, encoded as ASCII, with the root label last, and a "." 212 character between each label. In presentation format, a fully- 213 qualified domain name includes the root label and the associated 214 separator dot. In presentation format, a fully-qualified domain 215 name with two additional labels is always shown as "example.tld." 216 instead of "example.tld". [RFC1035] defines a method for showing 217 octets that do not display in ASCII. 219 The common display format is used in applications and free text. 220 It is the same as the presentation format, but showing the root 221 label and the "." before it is optional and is rarely done. In 222 common display format, a fully-qualified domain name with two 223 additional labels is usually shown as "example.tld" instead of 224 "example.tld.". Names in the common display format are normally 225 written such that the first label in the ordered list is in the 226 last position from the point of view of the directionality of the 227 writing system (so, in both English and C the first label is the 228 right-most label; but in Arabic it may be the left-most label, 229 depending on local conventions). 231 Administration of names -- Administration is specified by 232 delegation (see the definition of to "delegation" in Section 6). 233 Policies for administration of the root zone in the global DNS are 234 determined by the names operational community, which convenes 235 itself in the Internet Corporation for Assigned Names and Numbers 236 (ICANN). The names operational community selects the IANA 237 Functions Operator for the global DNS root zone. At the time this 238 document is published, that operator is Public Technical 239 Identifiers (PTI). The name servers that serve the root zone are 240 provided by independent root operators. Other zones in the global 241 DNS have their own policies for administration. 243 Types of data that can be associated with names -- A name can have 244 zero or more resource records associated with it. There are 245 numerous types of resource records with unique data structures 246 defined in many different RFCs and in the IANA registry at 247 [IANA_Resource_Registry]. 249 Types of metadata for names -- Any name that is published in the 250 DNS appears as a set of resource records (see the definition of 251 "RRset" in Section 4). Some names do not themselves have data 252 associated with them in the DNS, but "appear" in the DNS anyway 253 because they form part of a longer name that does have data 254 associated with it (see the defintion of "empty non-terminals" in 255 Section 6). 257 Protocol for getting data from a name -- The protocol described in 258 [RFC1035]. 260 Context for resolving a name -- The global DNS root zone 261 distributed by PTI. 263 Private DNS: Names that use the protocol described in [RFC1035] but 264 that do not rely on the global DNS root zone, or names that are 265 otherwise not generally available on the Internet but are using 266 the protocol described in [RFC1035]. A system can use both the 267 global DNS and one or more private DNS systems; for example, see 268 "Split DNS" in Section 7. 270 Note that domain names that do not appear in the DNS, and that are 271 intended never to be looked up using the DNS protocol, are not 272 part of the global DNS or a private DNS even though they are 273 domain names. 275 Locally served DNS zone: A locally served DNS zone is a special case 276 of private DNS. Names are resolved using the DNS protocol in a 277 local context. [RFC6303] defines subdomains of IN-ADDR.ARPA that 278 are locally served zones. Resolution of names through locally 279 served zones may result in ambiguous results. For example, the 280 same name may resolve to different results in different locally 281 served DNS zone contexts. The context through which a locally 282 served zone may be explicit, for example, as defined in [RFC6303], 283 or implicit, as defined by local DNS administration and not known 284 to the resolution client. 286 Fully qualified domain name (FQDN): This is often just a clear way 287 of saying the same thing as "domain name of a node", as outlined 288 above. However, the term is ambiguous. Strictly speaking, a 289 fully qualified domain name would include every label, including 290 the final, zero-length label of the root: such a name would be 291 written "www.example.net." (note the terminating dot). But 292 because every name eventually shares the common root, names are 293 often written relative to the root (such as "www.example.net") and 294 are still called "fully qualified". This term first appeared in 295 [RFC0819]. In this document, names are often written relative to 296 the root. 298 The need for the term "fully qualified domain name" comes from the 299 existence of partially qualified domain names, which are names 300 where some of the right-most names are left off and are understood 301 only by context. 303 Host name: This term and its equivalent, "hostname", have been 304 widely used but are not defined in [RFC1034], [RFC1035], 305 [RFC1123], or [RFC2181]. The DNS was originally deployed into the 306 Host Tables environment as outlined in [RFC0952], and it is likely 307 that the term followed informally from the definition there. Over 308 time, the definition seems to have shifted. "Host name" is often 309 meant to be a domain name that follows the rules in Section 3.5 of 310 [RFC1034], the "preferred name syntax". Note that any label in a 311 domain name can contain any octet value; hostnames are generally 312 considered to be domain names where every label follows the rules 313 in the "preferred name syntax", with the amendment that labels can 314 start with ASCII digits (this amendment comes from Section 2.1 of 315 [RFC1123]). 317 People also sometimes use the term hostname to refer to just the 318 first label of an FQDN, such as "printer" in 319 "printer.admin.example.com". (Sometimes this is formalized in 320 configuration in operating systems.) In addition, people 321 sometimes use this term to describe any name that refers to a 322 machine, and those might include labels that do not conform to the 323 "preferred name syntax". 325 TLD: A Top-Level Domain, meaning a zone that is one layer below the 326 root, such as "com" or "jp". There is nothing special, from the 327 point of view of the DNS, about TLDs. Most of them are also 328 delegation-centric zones, and there are significant policy issues 329 around their operation. TLDs are often divided into sub-groups 330 such as Country Code Top-Level Domains (ccTLDs), Generic Top-Level 331 Domains (gTLDs), and others; the division is a matter of policy, 332 and beyond the scope of this document. 334 IDN: The common abbreviation for "Internationalized Domain Name". 335 The IDNA protocol is the standard mechanism for handling domain 336 names with non-ASCII characters in applications in the DNS. The 337 current standard, normally called "IDNA2008", is defined in 338 [RFC5890], [RFC5891], [RFC5892], [RFC5893], and [RFC5894]. These 339 documents define many IDN-specific terms such as "LDH label", 340 "A-label", and "U-label". [RFC6365] defines more terms that 341 relate to internationalization (some of which relate to IDNs), and 342 [RFC6055] has a much more extensive discussion of IDNs, including 343 some new terminology. 345 Subdomain: "A domain is a subdomain of another domain if it is 346 contained within that domain. This relationship can be tested by 347 seeing if the subdomain's name ends with the containing domain's 348 name." (Quoted from [RFC1034], Section 3.1). For example, in the 349 host name "nnn.mmm.example.com", both "mmm.example.com" and 350 "nnn.mmm.example.com" are subdomains of "example.com". 352 Alias: The owner of a CNAME resource record, or a subdomain of the 353 owner of a DNAME resource record. See also "canonical name". 355 Canonical name: A CNAME resource record "identifies its owner name 356 as an alias, and specifies the corresponding canonical name in the 357 RDATA section of the RR." (Quoted from [RFC1034], Section 3.6.2) 358 This usage of the word "canonical" is related to the mathematical 359 concept of "canonical form". 361 CNAME: "It is traditional to refer to the owner of a CNAME record as 362 'a CNAME'. This is unfortunate, as 'CNAME' is an abbreviation of 363 'canonical name', and the owner of a CNAME record is an alias, not 364 a canonical name." (Quoted from [RFC2181], Section 10.1.1) 366 Public suffix: "A domain that is controlled by a public registry." 367 (Quoted from [RFC6265], Section 5.3) A common definition for this 368 term is a domain under which subdomains can be registered, and on 369 which HTTP cookies ([RFC6265]) should not be set. There is no 370 indication in a domain name whether it is a public suffix; that 371 can only be determined by outside means. In fact, both a domain 372 and a subdomain of that domain can be public suffixes. 374 There is nothing inherent in a domain name to indicate whether it 375 is a public suffix. One resource for identifying public suffixes 376 is the Public Suffix List (PSL) maintained by Mozilla 377 (http://publicsuffix.org/). 379 For example, at the time this document is published, the "com.au" 380 domain is listed as a public suffix in the PSL. (Note that this 381 example might change in the future.) 382 Note that the term "public suffix" is controversial in the DNS 383 community for many reasons, and may be significantly changed in 384 the future. One example of the difficulty of calling a domain a 385 public suffix is that designation can change over time as the 386 registration policy for the zone changes, such as was the case 387 with the "uk" TLD in 2014. 389 3. DNS Header and Response Codes 391 The header of a DNS message is its first 12 octets. Many of the 392 fields and flags in the header diagram in Sections 4.1.1 through 393 4.1.3 of [RFC1035] are referred to by their names in that diagram. 394 For example, the response codes are called "RCODEs", the data for a 395 record is called the "RDATA", and the authoritative answer bit is 396 often called "the AA flag" or "the AA bit". 398 QNAME The most commonly-used definition is that the QNAME is a field 399 in the Question section of a query. "A standard query specifies a 400 target domain name (QNAME), query type (QTYPE), and query class 401 (QCLASS) and asks for RRs which match." (Quoted from [RFC1034], 402 Section 3.7.1.) 404 [RFC2308], however, has an alternate definition that puts the 405 QNAME in the answer (or series of answers) instead of the query. 406 It defines QNAME as: "...the name in the query section of an 407 answer, or where this resolves to a CNAME, or CNAME chain, the 408 data field of the last CNAME. The last CNAME in this sense is 409 that which contains a value which does not resolve to another 410 CNAME." 412 Some of response codes that are defined in [RFC1035] have acquired 413 their own shorthand names. Some common response code names that 414 appear without reference to the numeric value are "FORMERR", 415 "SERVFAIL", and "NXDOMAIN" (the latter of which is also referred to 416 as "Name Error"). All of the RCODEs are listed at 417 http://www.iana.org/assignments/dns-parameters, although that site 418 uses mixed-case capitalization, while most documents use all-caps. 420 NODATA: "A pseudo RCODE which indicates that the name is valid for 421 the given class, but there are no records of the given type. A 422 NODATA response has to be inferred from the answer." (Quoted from 423 [RFC2308], Section 1.) "NODATA is indicated by an answer with the 424 RCODE set to NOERROR and no relevant answers in the answer 425 section. The authority section will contain an SOA record, or 426 there will be no NS records there." (Quoted from [RFC2308], 427 Section 2.2.) Note that referrals have a similar format to NODATA 428 replies; [RFC2308] explains how to distinguish them. 430 The term "NXRRSET" is sometimes used as a synonym for NODATA. 431 However, this is a mistake, given that NXRRSET is a specific error 432 code defined in [RFC2136]. 434 Negative response: A response that indicates that a particular RRset 435 does not exist, or whose RCODE indicates the nameserver cannot 436 answer. Sections 2 and 7 of [RFC2308] describe the types of 437 negative responses in detail. 439 Referrals: Data from the authority section of a non-authoritative 440 answer. [RFC1035] Section 2.1 defines "authoritative" data. 441 However, referrals at zone cuts (defined in Section 6) are not 442 authoritative. Referrals may be zone cut NS resource records and 443 their glue records. NS records on the parent side of a zone cut 444 are an authoritative delegation, but are normally not treated as 445 authoritative data. In general, a referral is a way for a server 446 to send an answer saying that the server does not know the answer, 447 but knows where the query should be directed in order to get an 448 answer. Historically, many authoritative servers answered with a 449 referral to the root zone when queried for a name for which they 450 were not authoritative, but this practice has declined. 452 4. Resource Records 454 RR: An acronym for resource record. ([RFC1034], Section 3.6.) 456 RRset: A set of resource records with the same label, class and 457 type, but with different data. (Definition from [RFC2181]) Also 458 spelled RRSet in some documents. As a clarification, "same label" 459 in this definition means "same owner name". In addition, 460 [RFC2181] states that "the TTLs of all RRs in an RRSet must be the 461 same". (This definition is definitely not the same as "the 462 response one gets to a query for QTYPE=ANY", which is an 463 unfortunate misunderstanding.) 465 Master file: "Master files are text files that contain RRs in text 466 form. Since the contents of a zone can be expressed in the form 467 of a list of RRs a master file is most often used to define a 468 zone, though it can be used to list a cache's contents." 469 ([RFC1035], Section 5.) 471 Presentation format: The text format used in master files. This 472 format is shown but not formally defined in [RFC1034] and 473 [RFC1035]. The term "presentation format" first appears in 474 [RFC4034]. 476 EDNS: The extension mechanisms for DNS, defined in [RFC6891]. 477 Sometimes called "EDNS0" or "EDNS(0)" to indicate the version 478 number. EDNS allows DNS clients and servers to specify message 479 sizes larger than the original 512 octet limit, to expand the 480 response code space, and potentially to carry additional options 481 that affect the handling of a DNS query. 483 OPT: A pseudo-RR (sometimes called a "meta-RR") that is used only to 484 contain control information pertaining to the question-and-answer 485 sequence of a specific transaction. (Definition from [RFC6891], 486 Section 6.1.1) It is used by EDNS. 488 Owner: The domain name where a RR is found ([RFC1034], Section 3.6). 489 Often appears in the term "owner name". 491 SOA field names: DNS documents, including the definitions here, 492 often refer to the fields in the RDATA of an SOA resource record 493 by field name. Those fields are defined in Section 3.3.13 of 494 [RFC1035]. The names (in the order they appear in the SOA RDATA) 495 are MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, and MINIMUM. 496 Note that the meaning of MINIMUM field is updated in Section 4 of 497 [RFC2308]; the new definition is that the MINIMUM field is only 498 "the TTL to be used for negative responses". This document tends 499 to use field names instead of terms that describe the fields. 501 TTL: The maximum "time to live" of a resource record. "A TTL value 502 is an unsigned number, with a minimum value of 0, and a maximum 503 value of 2147483647. That is, a maximum of 2^31 - 1. When 504 transmitted, the TTL is encoded in the less significant 31 bits of 505 the 32 bit TTL field, with the most significant, or sign, bit set 506 to zero." (Quoted from [RFC2181], Section 8) (Note that [RFC1035] 507 erroneously stated that this is a signed integer; that was fixed 508 by [RFC2181].) 510 The TTL "specifies the time interval that the resource record may 511 be cached before the source of the information should again be 512 consulted". (Quoted from [RFC1035], Section 3.2.1) Also: "the 513 time interval (in seconds) that the resource record may be cached 514 before it should be discarded". (Quoted from [RFC1035], 515 Section 4.1.3). Despite being defined for a resource record, the 516 TTL of every resource record in an RRset is required to be the 517 same ([RFC2181], Section 5.2). 519 The reason that the TTL is the maximum time to live is that a 520 cache operator might decide to shorten the time to live for 521 operational purposes, such as if there is a policy to disallow TTL 522 values over a certain number. Also, if a value is flushed from 523 the cache when its value is still positive, the value effectively 524 becomes zero. Some servers are known to ignore the TTL on some 525 RRsets (such as when the authoritative data has a very short TTL) 526 even though this is against the advice in RFC 1035. 528 There is also the concept of a "default TTL" for a zone, which can 529 be a configuration parameter in the server software. This is 530 often expressed by a default for the entire server, and a default 531 for a zone using the $TTL directive in a zone file. The $TTL 532 directive was added to the master file format by [RFC2308]. 534 Class independent: A resource record type whose syntax and semantics 535 are the same for every DNS class. A resource record type that is 536 not class independent has different meanings depending on the DNS 537 class of the record, or the meaning is undefined for classes other 538 than IN (class 1, the Internet). 540 5. DNS Servers and Clients 542 This section defines the terms used for the systems that act as DNS 543 clients, DNS servers, or both. 545 For terminology specific to the public DNS root server system, see 546 [RSSAC026]. That document defines terms such as "root server", "root 547 server operator", and terms that are specific to the way that the 548 root zone of the public DNS is served. 550 Resolver: A program "that extract[s] information from name servers 551 in response to client requests." (Quoted from [RFC1034], 552 Section 2.4) "The resolver is located on the same machine as the 553 program that requests the resolver's services, but it may need to 554 consult name servers on other hosts." (Quoted from [RFC1034], 555 Section 5.1) A resolver performs queries for a name, type, and 556 class, and receives answers. The logical function is called 557 "resolution". In practice, the term is usually referring to some 558 specific type of resolver (some of which are defined below), and 559 understanding the use of the term depends on understanding the 560 context. 562 Stub resolver: A resolver that cannot perform all resolution itself. 563 Stub resolvers generally depend on a recursive resolver to 564 undertake the actual resolution function. Stub resolvers are 565 discussed but never fully defined in Section 5.3.1 of [RFC1034]. 566 They are fully defined in Section 6.1.3.1 of [RFC1123]. 568 Iterative mode: A resolution mode of a server that receives DNS 569 queries and responds with a referral to another server. 570 Section 2.3 of [RFC1034] describes this as "The server refers the 571 client to another server and lets the client pursue the query". A 572 resolver that works in iterative mode is sometimes called an 573 "iterative resolver". 575 Recursive mode: A resolution mode of a server that receives DNS 576 queries and either responds to those queries from a local cache or 577 sends queries to other servers in order to get the final answers 578 to the original queries. Section 2.3 of [RFC1034] describes this 579 as "The first server pursues the query for the client at another 580 server". A server operating in recursive mode may be thought of 581 as having a name server side (which is what answers the query) and 582 a resolver side (which performs the resolution function). Systems 583 operating in this mode are commonly called "recursive servers". 584 Sometimes they are called "recursive resolvers". While strictly 585 the difference between these is that one of them sends queries to 586 another recursive server and the other does not, in practice it is 587 not possible to know in advance whether the server that one is 588 querying will also perform recursion; both terms can be observed 589 in use interchangeably. 591 Full resolver: This term is used in [RFC1035], but it is not defined 592 there. RFC 1123 defines a "full-service resolver" that may or may 593 not be what was intended by "full resolver" in [RFC1035]. This 594 term is not properly defined in any RFC. 596 Full-service resolver: Section 6.1.3.1 of [RFC1123] defines this 597 term to mean a resolver that acts in recursive mode with a cache 598 (and meets other requirements). 600 Recursive resolver: A resolver that acts in recursive mode. In 601 general, a recursive resolver is expected to cache the answers it 602 receives (which would make it a full-service resolver), but some 603 recursive resolvers might not cache. 605 Priming: "The act of finding the list of root servers from a 606 configuration that lists some or all of the purported IP addresses 607 of some or all of those root servers." (Quoted from [RFC8109], 608 Section 2.) Priming is most often done from a configuration 609 setting that contains a list of authoritative servers for the root 610 zone. 612 Root hints: "Operators who manage a DNS recursive resolver typically 613 need to configure a 'root hints file'. This file contains the 614 names and IP addresses of the authoritative name servers for the 615 root zone, so the software can bootstrap the DNS resolution 616 process. For many pieces of software, this list comes built into 617 the software." (Quoted from [IANA_RootFiles]) 619 Negative caching: "The storage of knowledge that something does not 620 exist, cannot give an answer, or does not give an answer." 621 (Quoted from [RFC2308], Section 1) 623 Authoritative server: "A server that knows the content of a DNS zone 624 from local knowledge, and thus can answer queries about that zone 625 without needing to query other servers." (Quoted from [RFC2182], 626 Section 2.) It is a system that responds to DNS queries with 627 information about zones for which it has been configured to answer 628 with the AA flag in the response header set to 1. It is a server 629 that has authority over one or more DNS zones. Note that it is 630 possible for an authoritative server to respond to a query without 631 the parent zone delegating authority to that server. 632 Authoritative servers also provide "referrals", usually to child 633 zones delegated from them; these referrals have the AA bit set to 634 0 and come with referral data in the Authority and (if needed) the 635 Additional sections. 637 Authoritative-only server: A name server that only serves 638 authoritative data and ignores requests for recursion. It will 639 "not normally generate any queries of its own. Instead, it 640 answers non-recursive queries from iterative resolvers looking for 641 information in zones it serves." (Quoted from [RFC4697], 642 Section 2.4) 644 Zone transfer: The act of a client requesting a copy of a zone and 645 an authoritative server sending the needed information. (See 646 Section 6 for a description of zones.) There are two common 647 standard ways to do zone transfers: the AXFR ("Authoritative 648 Transfer") mechanism to copy the full zone (described in 649 [RFC5936], and the IXFR ("Incremental Transfer") mechanism to copy 650 only parts of the zone that have changed (described in [RFC1995]). 651 Many systems use non-standard methods for zone transfer outside 652 the DNS protocol. 654 Secondary server: "An authoritative server which uses zone transfer 655 to retrieve the zone" (Quoted from [RFC1996], Section 2.1). 656 [RFC2182] describes secondary servers in detail. Although early 657 DNS RFCs such as [RFC1996] referred to this as a "slave", the 658 current common usage has shifted to calling it a "secondary". 659 Secondary servers are also discussed in [RFC1034]. 661 Slave server: See secondary server. 663 Primary server: "Any authoritative server configured to be the 664 source of zone transfer for one or more [secondary] servers" 665 (Quoted from [RFC1996], Section 2.1) or, more specifically, "an 666 authoritative server configured to be the source of AXFR or IXFR 667 data for one or more [secondary] servers" (Quoted from [RFC2136]). 668 Although early DNS RFCs such as [RFC1996] referred to this as a 669 "master", the current common usage has shifted to "primary". 670 Primary servers are also discussed in [RFC1034]. 672 Master server: See primary server. 674 Primary master: "The primary master is named in the zone's SOA MNAME 675 field and optionally by an NS RR". (Quoted from [RFC1996], 676 Section 2.1). [RFC2136] defines "primary master" as "Master 677 server at the root of the AXFR/IXFR dependency graph. The primary 678 master is named in the zone's SOA MNAME field and optionally by an 679 NS RR. There is by definition only one primary master server per 680 zone." The idea of a primary master is only used by [RFC2136], 681 and is considered archaic in other parts of the DNS. 683 Stealth server: This is "like a slave server except not listed in an 684 NS RR for the zone." (Quoted from [RFC1996], Section 2.1) 686 Hidden master: A stealth server that is a master for zone transfers. 687 "In this arrangement, the master name server that processes the 688 updates is unavailable to general hosts on the Internet; it is not 689 listed in the NS RRset." (Quoted from [RFC6781], Section 3.4.3.) 690 An earlier RFC, [RFC4641], said that the hidden master's name 691 appears in the SOA RRs MNAME field, although in some setups, the 692 name does not appear at all in the public DNS. A hidden master 693 can be either a secondary or a primary master. 695 Forwarding: The process of one server sending a DNS query with the 696 RD bit set to 1 to another server to resolve that query. 697 Forwarding is a function of a DNS resolver; it is different than 698 simply blindly relaying queries. 700 [RFC5625] does not give a specific definition for forwarding, but 701 describes in detail what features a system that forwards need to 702 support. Systems that forward are sometimes called "DNS proxies", 703 but that term has not yet been defined (even in [RFC5625]). 705 Forwarder: Section 1 of [RFC2308] describes a forwarder as "a 706 nameserver used to resolve queries instead of directly using the 707 authoritative nameserver chain". [RFC2308] further says "The 708 forwarder typically either has better access to the internet, or 709 maintains a bigger cache which may be shared amongst many 710 resolvers." That definition appears to suggest that forwarders 711 normally only query authoritative servers. In current use, 712 however, forwarders often stand between stub resolvers and 713 recursive servers. [RFC2308] is silent on whether a forwarder is 714 iterative-only or can be a full-service resolver. 716 Policy-implementing resolver: A resolver acting in recursive mode 717 that changes some of the answers that it returns based on policy 718 criteria, such as to prevent access to malware sites or 719 objectionable content. In general, a stub resolver has no idea 720 whether upstream resolvers implement such policy or, if they do, 721 the exact policy about what changes will be made. In some cases, 722 the user of the stub resolver has selected the policy-implementing 723 resolver with the explicit intention of using it to implement the 724 policies. In other cases, policies are imposed without the user 725 of the stub resolver being informed. 727 Open resolver: A full-service resolver that accepts and processes 728 queries from any (or nearly any) stub resolver. This is sometimes 729 also called a "public resolver", although the term "public 730 resolver" is used more with open resolvers that are meant to be 731 open, as compared to the vast majority of open resolvers that are 732 probably misconfigured to be open. 734 View: A configuration for a DNS server that allows it to provide 735 different answers depending on attributes of the query. 736 Typically, views differ by the source IP address of a query, but 737 can also be based on the destination IP address, the type of query 738 (such as AXFR), whether it is recursive, and so on. Views are 739 often used to provide more names or different addresses to queries 740 from "inside" a protected network than to those "outside" that 741 network. Views are not a standardized part of the DNS, but they 742 are widely implemented in server software. 744 Passive DNS: A mechanism to collect DNS data by storing DNS 745 transactions from name servers. Some of these systems also 746 collect the DNS queries associated with the responses. Passive 747 DNS databases can be used to answer historical questions about DNS 748 zones such as which answers were witnessed at what times in the 749 past. Passive DNS databases allow searching of the stored records 750 on keys other than just the name and type, such as "find all names 751 which have A records of a particular value". 753 Anycast: "The practice of making a particular service address 754 available in multiple, discrete, autonomous locations, such that 755 datagrams sent are routed to one of several available locations." 756 (Quoted from [RFC4786], Section 2) 758 Instance: "When anycast routing is used to allow more than one 759 server to have the same IP address, each one of those servers is 760 commonly referred to as an 'instance'." "An instance of a server, 761 such as a root server, is often referred to as an 'Anycast 762 instance'." (Quoted from [RSSAC026]) 764 Split DNS: "Where a corporate network serves up partly or completely 765 different DNS inside and outside its firewall. There are many 766 possible variants on this; the basic point is that the 767 correspondence between a given FQDN (fully qualified domain name) 768 and a given IPv4 address is no longer universal and stable over 769 long periods." (Quoted from [RFC2775], Section 3.8) 771 6. Zones 773 This section defines terms that are used when discussing zones that 774 are being served or retrieved. 776 Zone: "Authoritative information is organized into units called 777 'zones', and these zones can be automatically distributed to the 778 name servers which provide redundant service for the data in a 779 zone." (Quoted from [RFC1034], Section 2.4) 781 Child: "The entity on record that has the delegation of the domain 782 from the Parent." (Quoted from [RFC7344], Section 1.1) 784 Parent: "The domain in which the Child is registered." (Quoted from 785 [RFC7344], Section 1.1) Earlier, "parent name server" was defined 786 in [RFC0882] as "the name server that has authority over the place 787 in the domain name space that will hold the new domain". (Note 788 that [RFC0882] was obsoleted by [RFC1034] and [RFC1035].) 789 [RFC0819] also has some description of the relationship between 790 parents and children. 792 Origin: 794 (a) "The domain name that appears at the top of a zone (just below 795 the cut that separates the zone from its parent). The name of the 796 zone is the same as the name of the domain at the zone's origin." 797 (Quoted from [RFC2181], Section 6.) These days, this sense of 798 "origin" and "apex" (defined below) are often used 799 interchangeably. 801 (b) The domain name within which a given relative domain name 802 appears in zone files. Generally seen in the context of 803 "$ORIGIN", which is a control entry defined in [RFC1035], 804 Section 5.1, as part of the master file format. For example, if 805 the $ORIGIN is set to "example.org.", then a master file line for 806 "www" is in fact an entry for "www.example.org.". 808 Apex: The point in the tree at an owner of an SOA and corresponding 809 authoritative NS RRset. This is also called the "zone apex". 810 [RFC4033] defines it as "the name at the child's side of a zone 811 cut". The "apex" can usefully be thought of as a data-theoretic 812 description of a tree structure, and "origin" is the name of the 813 same concept when it is implemented in zone files. The 814 distinction is not always maintained in use, however, and one can 815 find uses that conflict subtly with this definition. [RFC1034] 816 uses the term "top node of the zone" as a synonym of "apex", but 817 that term is not widely used. These days, the first sense of 818 "origin" (above) and "apex" are often used interchangeably. 820 Zone cut: The delimitation point between two zones where the origin 821 of one of the zones is the child of the other zone. 823 "Zones are delimited by 'zone cuts'. Each zone cut separates a 824 'child' zone (below the cut) from a 'parent' zone (above the cut). 825 (Quoted from [RFC2181], Section 6; note that this is barely an 826 ostensive definition.) Section 4.2 of [RFC1034] uses "cuts" as 827 'zone cut'." 829 Delegation: The process by which a separate zone is created in the 830 name space beneath the apex of a given domain. Delegation happens 831 when an NS RRset is added in the parent zone for the child origin. 832 Delegation inherently happens at a zone cut. The term is also 833 commonly a noun: the new zone that is created by the act of 834 delegating. 836 Glue records: "[Resource records] which are not part of the 837 authoritative data [of the zone], and are address resource records 838 for the [name servers in subzones]. These RRs are only necessary 839 if the name server's name is 'below' the cut, and are only used as 840 part of a referral response." Without glue "we could be faced 841 with the situation where the NS RRs tell us that in order to learn 842 a name server's address, we should contact the server using the 843 address we wish to learn." (Definition from [RFC1034], 844 Section 4.2.1) 846 A later definition is that glue "includes any record in a zone 847 file that is not properly part of that zone, including nameserver 848 records of delegated sub-zones (NS records), address records that 849 accompany those NS records (A, AAAA, etc), and any other stray 850 data that might appear" ([RFC2181], Section 5.4.1). Although glue 851 is sometimes used today with this wider definition in mind, the 852 context surrounding the [RFC2181] definition suggests it is 853 intended to apply to the use of glue within the document itself 854 and not necessarily beyond. 856 In-bailiwick: An adjective to describe a name server whose name is 857 either subordinate to or (rarely) the same as the zone origin. 858 In-bailiwick name servers may have glue records in their parent 859 zone (using the first of the definitions of "glue records" in the 860 definition above). "In-bailiwick" names are divided into two type 861 of name server names: "in-domain" names and "sibling domain" 862 names: 864 * In-domain -- an adjective to describe a name server whose name 865 is either subordinate to or (rarely) the same as the owner name 866 of the NS resource records. An in-domain name server name MUST 867 have glue records or name resolution fails. For example, a 868 delegation for "child.example.com" may have "in-domain" name 869 server name "ns.child.example.com". 871 * Sibling domain: -- a name server's name that is either 872 subordinate to or (rarely) the same as the zone origin and not 873 subordinate to or the same as the owner name of the NS resource 874 records. Glue records for sibling domains are allowed, but not 875 necessary. For example, a delegation for "child.example.com" 876 in "example.com" zone may have "sibling" name server name 877 "ns.another.example.com". 879 Out-of-bailiwick: The antonym of in-bailiwick. An adjective to 880 describe a name server whose name is not subordinate to or the 881 same as the zone origin. Glue records for out-of-bailiwick name 882 servers are useless. 884 Authoritative data: "All of the RRs attached to all of the nodes 885 from the top node of the zone down to leaf nodes or nodes above 886 cuts around the bottom edge of the zone." (Quoted from [RFC1034], 887 Section 4.2.1) It is noted that this definition might 888 inadvertently also include any NS records that appear in the zone, 889 even those that might not truly be authoritative because there are 890 identical NS RRs below the zone cut. This reveals the ambiguity 891 in the notion of authoritative data, because the parent-side NS 892 records authoritatively indicate the delegation, even though they 893 are not themselves authoritative data. 895 Root zone: The zone of a DNS-based tree whose apex is the zero- 896 length label. Also sometimes called "the DNS root". 898 Empty non-terminals (ENT): "Domain names that own no resource 899 records but have subdomains that do." (Quoted from [RFC4592], 900 Section 2.2.2.) A typical example is in SRV records: in the name 901 "_sip._tcp.example.com", it is likely that "_tcp.example.com" has 902 no RRsets, but that "_sip._tcp.example.com" has (at least) an SRV 903 RRset. 905 Delegation-centric zone: A zone that consists mostly of delegations 906 to child zones. This term is used in contrast to a zone that 907 might have some delegations to child zones, but also has many data 908 resource records for the zone itself and/or for child zones. The 909 term is used in [RFC4956] and [RFC5155], but is not defined there. 911 Wildcard: [RFC1034] defined "wildcard", but in a way that turned out 912 to be confusing to implementers. Special treatment is given to 913 RRs with owner names starting with the label "*". "Such RRs are 914 called 'wildcards'. Wildcard RRs can be thought of as 915 instructions for synthesizing RRs." (Quoted from [RFC1034], 916 Section 4.3.3) For an extended discussion of wildcards, including 917 clearer definitions, see [RFC4592]. 919 Asterisk label: "The first octet is the normal label type and length 920 for a 1-octet-long label, and the second octet is the ASCII 921 representation for the '*' character. A descriptive name of a 922 label equaling that value is an 'asterisk label'." (Quoted from 923 [RFC4592], Section 2.1.1) 925 Wildcard domain name: "A 'wildcard domain name' is defined by having 926 its initial (i.e., leftmost or least significant) label be 927 asterisk label." (Quoted from [RFC4592], Section 2.1.1) 929 Closest encloser: "The longest existing ancestor of a name." 930 (Quoted from [RFC5155], Section 1.3) An earlier definition is "The 931 node in the zone's tree of existing domain names that has the most 932 labels matching the query name (consecutively, counting from the 933 root label downward). Each match is a 'label match' and the order 934 of the labels is the same." (Quoted from [RFC4592], 935 Section 3.3.1) 937 Closest provable encloser: "The longest ancestor of a name that can 938 be proven to exist. Note that this is only different from the 939 closest encloser in an Opt-Out zone." (Quoted from [RFC5155], 940 Section 1.3) 942 Next closer name: "The name one label longer than the closest 943 provable encloser of a name." (Quoted from [RFC5155], 944 Section 1.3) 946 Source of Synthesis: "The source of synthesis is defined in the 947 context of a query process as that wildcard domain name 948 immediately descending from the closest encloser, provided that 949 this wildcard domain name exists. 'Immediately descending' means 950 that the source of synthesis has a name of the form: .." (Quoted from [RFC4592], 952 Section 3.3.1) 954 Occluded name: "The addition of a delegation point via dynamic 955 update will render all subordinate domain names to be in a limbo, 956 still part of the zone, but not available to the lookup process. 957 The addition of a DNAME resource record has the same impact. The 958 subordinate names are said to be 'occluded'." (Quoted from 959 [RFC5936], Section 3.5) 961 Fast flux DNS: This "occurs when a domain is found in DNS using A 962 records to multiple IP addresses, each of which has a very short 963 Time-to-Live (TTL) value associated with it. This means that the 964 domain resolves to varying IP addresses over a short period of 965 time." (Quoted from [RFC6561], Section 1.1.5, with typo 966 corrected) It is often used to deliver malware. Because the 967 addresses change so rapidly, it is difficult to ascertain all the 968 hosts. It should be noted that the technique also works with AAAA 969 records, but such use is not frequently observed on the Internet 970 as of this writing. 972 Reverse DNS, reverse lookup: "The process of mapping an address to a 973 name is generally known as a 'reverse lookup', and the IN- 974 ADDR.ARPA and IP6.ARPA zones are said to support the 'reverse 975 DNS'." (Quoted from [RFC5855], Section 1) 977 Forward lookup: "Hostname-to-address translation". (Quoted from 978 [RFC2133], Section 6) 980 arpa: Address and Routing Parameter Area Domain: "The 'arpa' domain 981 was originally established as part of the initial deployment of 982 the DNS, to provide a transition mechanism from the Host Tables 983 that were common in the ARPANET, as well as a home for the IPv4 984 reverse mapping domain. During 2000, the abbreviation was 985 redesignated to 'Address and Routing Parameter Area' in the hope 986 of reducing confusion with the earlier network name." (Quoted 987 from [RFC3172], Section 2.) 989 Infrastructure domain: A domain whose "role is to support the 990 operating infrastructure of the Internet". (Quoted from 991 [RFC3172], Section 2.) 993 Service name: "Service names are the unique key in the Service Name 994 and Transport Protocol Port Number registry. This unique symbolic 995 name for a service may also be used for other purposes, such as in 996 DNS SRV records." (Quoted from [RFC6335], Section 5.) 998 7. Registration Model 1000 Registry: The administrative operation of a zone that allows 1001 registration of names within that zone. People often use this 1002 term to refer only to those organizations that perform 1003 registration in large delegation-centric zones (such as TLDs); but 1004 formally, whoever decides what data goes into a zone is the 1005 registry for that zone. This definition of "registry" is from a 1006 DNS point of view; for some zones, the policies that determine 1007 what can go in the zone are decided by superior zones and not the 1008 registry operator. 1010 Registrant: An individual or organization on whose behalf a name in 1011 a zone is registered by the registry. In many zones, the registry 1012 and the registrant may be the same entity, but in TLDs they often 1013 are not. 1015 Registrar: A service provider that acts as a go-between for 1016 registrants and registries. Not all registrations require a 1017 registrar, though it is common to have registrars involved in 1018 registrations in TLDs. 1020 EPP: The Extensible Provisioning Protocol (EPP), which is commonly 1021 used for communication of registration information between 1022 registries and registrars. EPP is defined in [RFC5730]. 1024 WHOIS: A protocol specified in [RFC3912], often used for querying 1025 registry databases. WHOIS data is frequently used to associate 1026 registration data (such as zone management contacts) with domain 1027 names. The term "WHOIS data" is often used as a synonym for the 1028 registry database, even though that database may be served by 1029 different protocols, particularly RDAP. The WHOIS protocol is 1030 also used with IP address registry data. 1032 RDAP: The Registration Data Access Protocol, defined in [RFC7480], 1033 [RFC7481], [RFC7482], [RFC7483], [RFC7484], and [RFC7485]. The 1034 RDAP protocol and data format are meant as a replacement for 1035 WHOIS. 1037 DNS operator: An entity responsible for running DNS servers. For a 1038 zone's authoritative servers, the registrant may act as their own 1039 DNS operator, or their registrar may do it on their behalf, or 1040 they may use a third-party operator. For some zones, the registry 1041 function is performed by the DNS operator plus other entities who 1042 decide about the allowed contents of the zone. 1044 8. General DNSSEC 1046 Most DNSSEC terms are defined in [RFC4033], [RFC4034], [RFC4035], and 1047 [RFC5155]. The terms that have caused confusion in the DNS community 1048 are highlighted here. 1050 DNSSEC-aware and DNSSEC-unaware: These two terms, which are used in 1051 some RFCs, have not been formally defined. However, Section 2 of 1053 [RFC4033] defines many types of resolvers and validators, 1054 including "non-validating security-aware stub resolver", "non- 1055 validating stub resolver", "security-aware name server", 1056 "security-aware recursive name server", "security-aware resolver", 1057 "security-aware stub resolver", and "security-oblivious 1058 'anything'". (Note that the term "validating resolver", which is 1059 used in some places in DNSSEC-related documents, is also not 1060 defined in those RFCs, but is defined below.) 1062 Signed zone: "A zone whose RRsets are signed and that contains 1063 properly constructed DNSKEY, Resource Record Signature (RRSIG), 1064 Next Secure (NSEC), and (optionally) DS records." (Quoted from 1065 [RFC4033], Section 2.) It has been noted in other contexts that 1066 the zone itself is not really signed, but all the relevant RRsets 1067 in the zone are signed. Nevertheless, if a zone that should be 1068 signed contains any RRsets that are not signed (or opted out), 1069 those RRsets will be treated as bogus, so the whole zone needs to 1070 be handled in some way. 1072 It should also be noted that, since the publication of [RFC6840], 1073 NSEC records are no longer required for signed zones: a signed 1074 zone might include NSEC3 records instead. [RFC7129] provides 1075 additional background commentary and some context for the NSEC and 1076 NSEC3 mechanisms used by DNSSEC to provide authenticated denial- 1077 of-existence responses. NSEC and NSEC3 are described below. 1079 Unsigned zone: Section 2 of [RFC4033] defines this as "a zone that 1080 is not signed". Section 2 of [RFC4035] defines this as "A zone 1081 that does not include these records [properly constructed DNSKEY, 1082 Resource Record Signature (RRSIG), Next Secure (NSEC), and 1083 (optionally) DS records] according to the rules in this section". 1084 There is an important note at the end of Section 5.2 of [RFC4035] 1085 that defines an additional situation in which a zone is considered 1086 unsigned: "If the resolver does not support any of the algorithms 1087 listed in an authenticated DS RRset, then the resolver will not be 1088 able to verify the authentication path to the child zone. In this 1089 case, the resolver SHOULD treat the child zone as if it were 1090 unsigned." 1092 NSEC: "The NSEC record allows a security-aware resolver to 1093 authenticate a negative reply for either name or type non- 1094 existence with the same mechanisms used to authenticate other DNS 1095 replies." (Quoted from [RFC4033], Section 3.2.) In short, an 1096 NSEC record provides authenticated denial of existence. 1098 "The NSEC resource record lists two separate things: the next 1099 owner name (in the canonical ordering of the zone) that contains 1100 authoritative data or a delegation point NS RRset, and the set of 1101 RR types present at the NSEC RR's owner name." (Quoted from 1102 Section 4 of RFC 4034) 1104 NSEC3: Like the NSEC record, the NSEC3 record also provides 1105 authenticated denial of existence; however, NSEC3 records mitigate 1106 against zone enumeration and support Opt-Out. NSEC resource 1107 records require associated NSEC3PARAM resource records. NSEC3 and 1108 NSEC3PARAM resource records are defined in [RFC5155]. 1110 Note that [RFC6840] says that [RFC5155] "is now considered part of 1111 the DNS Security Document Family as described by Section 10 of 1112 [RFC4033]". This means that some of the definitions from earlier 1113 RFCs that only talk about NSEC records should probably be 1114 considered to be talking about both NSEC and NSEC3. 1116 Opt-out: "The Opt-Out Flag indicates whether this NSEC3 RR may cover 1117 unsigned delegations." (Quoted from [RFC5155], Section 3.1.2.1.) 1118 Opt-out tackles the high costs of securing a delegation to an 1119 insecure zone. When using Opt-Out, names that are an insecure 1120 delegation (and empty non-terminals that are only derived from 1121 insecure delegations) don't require an NSEC3 record or its 1122 corresponding RRSIG records. Opt-Out NSEC3 records are not able 1123 to prove or deny the existence of the insecure delegations. 1124 (Adapted from [RFC7129], Section 5.1) 1126 Zone enumeration: "The practice of discovering the full content of a 1127 zone via successive queries." (Quoted from [RFC5155], 1128 Section 1.3.) This is also sometimes called "zone walking". Zone 1129 enumeration is different from zone content guessing where the 1130 guesser uses a large dictionary of possible labels and sends 1131 successive queries for them, or matches the contents of NSEC3 1132 records against such a dictionary. 1134 Validation: Validation, in the context of DNSSEC, refers to the 1135 following: 1137 * Checking the validity of DNSSEC signatures 1139 * Checking the validity of DNS responses, such as those including 1140 authenticated denial of existence 1142 * Building an authentication chain from a trust anchor to a DNS 1143 response or individual DNS RRsets in a response 1145 The first two definitions above consider only the validity of 1146 individual DNSSEC components such as the RRSIG validity or NSEC 1147 proof validity. The third definition considers the components of 1148 the entire DNSSEC authentication chain, and thus requires 1149 "configured knowledge of at least one authenticated DNSKEY or DS 1150 RR" (as described in [RFC4035], Section 5). 1152 [RFC4033], Section 2, says that a "Validating Security-Aware Stub 1153 Resolver... performs signature validation" and uses a trust anchor 1154 "as a starting point for building the authentication chain to a 1155 signed DNS response", and thus uses the first and third 1156 definitions above. The process of validating an RRSIG resource 1157 record is described in [RFC4035], Section 5.3. 1159 [RFC5155] refers to validating responses throughout the document, 1160 in the context of hashed authenticated denial of existence; this 1161 uses the second definition above. 1163 The term "authentication" is used interchangeably with 1164 "validation", in the sense of the third definition above. 1165 [RFC4033], Section 2, describes the chain linking trust anchor to 1166 DNS data as the "authentication chain". A response is considered 1167 to be authentic if "all RRsets in the Answer and Authority 1168 sections of the response [are considered] to be authentic" 1169 ([RFC4035]). DNS data or responses deemed to be authentic or 1170 validated have a security status of "secure" ([RFC4035], 1171 Section 4.3; [RFC4033], Section 5). "Authenticating both DNS keys 1172 and data is a matter of local policy, which may extend or even 1173 override the [DNSSEC] protocol extensions" ([RFC4033], 1174 Section 3.1). 1176 The term "verification", when used, is usually synonym for 1177 "validation". 1179 Validating resolver: A security-aware recursive name server, 1180 security-aware resolver, or security-aware stub resolver that is 1181 applying at least one of the definitions of validation (above), as 1182 appropriate to the resolution context. For the same reason that 1183 the generic term "resolver" is sometimes ambiguous and needs to be 1184 evaluated in context (see Section 5), "validating resolver" is a 1185 context-sensitive term. 1187 Key signing key (KSK): DNSSEC keys that "only sign the apex DNSKEY 1188 RRset in a zone."(Quoted from [RFC6781], Section 3.1) 1190 Zone signing key (ZSK): "DNSSEC keys that can be used to sign all 1191 the RRsets in a zone that require signatures, other than the apex 1192 DNSKEY RRset." (Quoted from [RFC6781], Section 3.1) Note that the 1193 roles KSK and ZSK are not mutually exclusive: a single key can be 1194 both KSK and ZSK at the same time. Also note that a ZSK is 1195 sometimes used to sign the apex DNSKEY RRset. 1197 Combined signing key (CSK): "In cases where the differentiation 1198 between the KSK and ZSK is not made, i.e., where keys have the 1199 role of both KSK and ZSK, we talk about a Single-Type Signing 1200 Scheme." (Quoted from [RFC6781], Section 3.1) This is sometimes 1201 called a "combined signing key" or CSK. It is operational 1202 practice, not protocol, that determines whether a particular key 1203 is a ZSK, a KSK, or a CSK. 1205 Secure Entry Point (SEP): A flag in the DNSKEY RDATA that "can be 1206 used to distinguish between keys that are intended to be used as 1207 the secure entry point into the zone when building chains of 1208 trust, i.e., they are (to be) pointed to by parental DS RRs or 1209 configured as a trust anchor. Therefore, it is suggested that the 1210 SEP flag be set on keys that are used as KSKs and not on keys that 1211 are used as ZSKs, while in those cases where a distinction between 1212 a KSK and ZSK is not made (i.e., for a Single-Type Signing 1213 Scheme), it is suggested that the SEP flag be set on all keys." 1214 (Quoted from [RFC6781], Section 3.2.3.) Note that the SEP flag is 1215 only a hint, and its presence or absence may not be used to 1216 disqualify a given DNSKEY RR from use as a KSK or ZSK during 1217 validation. 1219 The original defintion of SEPs was in [RFC3757]. That definition 1220 clearly indicated that the SEP was a key, not just a bit in the 1221 key. The abstract of [RFC3757] says: "With the Delegation Signer 1222 (DS) resource record (RR), the concept of a public key acting as a 1223 secure entry point (SEP) has been introduced. During exchanges of 1224 public keys with the parent there is a need to differentiate SEP 1225 keys from other public keys in the Domain Name System KEY (DNSKEY) 1226 resource record set. A flag bit in the DNSKEY RR is defined to 1227 indicate that DNSKEY is to be used as a SEP." That definition of 1228 the SEP as a key was made obsolete by [RFC4034], and the 1229 definition from [RFC6781] is consistent with [RFC4034]. 1231 Trust anchor: "A configured DNSKEY RR or DS RR hash of a DNSKEY RR. 1232 A validating security-aware resolver uses this public key or hash 1233 as a starting point for building the authentication chain to a 1234 signed DNS response." (Quoted from [RFC4033], Section 2) 1236 DNSSEC Policy (DP): A statement that "sets forth the security 1237 requirements and standards to be implemented for a DNSSEC-signed 1238 zone." (Quoted from [RFC6841], Section 2) 1240 DNSSEC Practice Statement (DPS): "A practices disclosure document 1241 that may support and be a supplemental document to the DNSSEC 1242 Policy (if such exists), and it states how the management of a 1243 given zone implements procedures and controls at a high level." 1244 (Quoted from [RFC6841], Section 2) 1246 Hardware security module (HSM): A specialized piece of hardware that 1247 is used to create keys for signatures and to sign messages. In 1248 DNSSEC, HSMs are often used to hold the private keys for KSKs and 1249 ZSKs and to create the RRSIG records at periodic intervals. 1251 Signing software: Authoritative DNS servers that supports DNSSEC 1252 often contains software that facilitates the creation and 1253 maintenance of DNSSEC signatures in zones. There is also stand- 1254 alone software that can be used to sign a zone regardless of 1255 whether the authoritative server itself supports signing. 1256 Sometimes signing software can support particular HSMs as part of 1257 the signing process. 1259 9. DNSSEC States 1261 A validating resolver can determine that a response is in one of four 1262 states: secure, insecure, bogus, or indeterminate. These states are 1263 defined in [RFC4033] and [RFC4035], although the two definitions 1264 differ a bit. This document makes no effort to reconcile the two 1265 definitions, and takes no position as to whether they need to be 1266 reconciled. 1268 Section 5 of [RFC4033] says: 1270 A validating resolver can determine the following 4 states: 1272 Secure: The validating resolver has a trust anchor, has a chain 1273 of trust, and is able to verify all the signatures in the 1274 response. 1276 Insecure: The validating resolver has a trust anchor, a chain 1277 of trust, and, at some delegation point, signed proof of the 1278 non-existence of a DS record. This indicates that subsequent 1279 branches in the tree are provably insecure. A validating 1280 resolver may have a local policy to mark parts of the domain 1281 space as insecure. 1283 Bogus: The validating resolver has a trust anchor and a secure 1284 delegation indicating that subsidiary data is signed, but 1285 the response fails to validate for some reason: missing 1286 signatures, expired signatures, signatures with unsupported 1287 algorithms, data missing that the relevant NSEC RR says 1288 should be present, and so forth. 1290 Indeterminate: There is no trust anchor that would indicate that a 1291 specific portion of the tree is secure. This is the default 1292 operation mode. 1294 Section 4.3 of [RFC4035] says: 1296 A security-aware resolver must be able to distinguish between four 1297 cases: 1299 Secure: An RRset for which the resolver is able to build a chain 1300 of signed DNSKEY and DS RRs from a trusted security anchor to 1301 the RRset. In this case, the RRset should be signed and is 1302 subject to signature validation, as described above. 1304 Insecure: An RRset for which the resolver knows that it has no 1305 chain of signed DNSKEY and DS RRs from any trusted starting 1306 point to the RRset. This can occur when the target RRset lies 1307 in an unsigned zone or in a descendent [sic] of an unsigned 1308 zone. In this case, the RRset may or may not be signed, but 1309 the resolver will not be able to verify the signature. 1311 Bogus: An RRset for which the resolver believes that it ought to 1312 be able to establish a chain of trust but for which it is 1313 unable to do so, either due to signatures that for some reason 1314 fail to validate or due to missing data that the relevant 1315 DNSSEC RRs indicate should be present. This case may indicate 1316 an attack but may also indicate a configuration error or some 1317 form of data corruption. 1319 Indeterminate: An RRset for which the resolver is not able to 1320 determine whether the RRset should be signed, as the resolver 1321 is not able to obtain the necessary DNSSEC RRs. This can occur 1322 when the security-aware resolver is not able to contact 1323 security-aware name servers for the relevant zones. 1325 10. Security Considerations 1327 These definitions do not change any security considerations for the 1328 DNS. 1330 11. IANA Considerations 1332 None. 1334 12. References 1336 12.1. Normative References 1338 [IANA_RootFiles] 1339 Internet Assigned Numbers Authority, "IANA Root Files", 1340 2016, . 1342 [RFC0882] Mockapetris, P., "Domain names: Concepts and facilities", 1343 RFC 882, DOI 10.17487/RFC0882, November 1983, 1344 . 1346 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 1347 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 1348 . 1350 [RFC1035] Mockapetris, P., "Domain names - implementation and 1351 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 1352 November 1987, . 1354 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - 1355 Application and Support", STD 3, RFC 1123, 1356 DOI 10.17487/RFC1123, October 1989, 1357 . 1359 [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone 1360 Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996, 1361 August 1996, . 1363 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 1364 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 1365 RFC 2136, DOI 10.17487/RFC2136, April 1997, 1366 . 1368 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 1369 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 1370 . 1372 [RFC2182] Elz, R., Bush, R., Bradner, S., and M. Patton, "Selection 1373 and Operation of Secondary DNS Servers", BCP 16, RFC 2182, 1374 DOI 10.17487/RFC2182, July 1997, 1375 . 1377 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS 1378 NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, 1379 . 1381 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1382 Rose, "DNS Security Introduction and Requirements", 1383 RFC 4033, DOI 10.17487/RFC4033, March 2005, 1384 . 1386 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1387 Rose, "Resource Records for the DNS Security Extensions", 1388 RFC 4034, DOI 10.17487/RFC4034, March 2005, 1389 . 1391 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1392 Rose, "Protocol Modifications for the DNS Security 1393 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 1394 . 1396 [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name 1397 System", RFC 4592, DOI 10.17487/RFC4592, July 2006, 1398 . 1400 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 1401 Security (DNSSEC) Hashed Authenticated Denial of 1402 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 1403 . 1405 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 1406 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, 1407 . 1409 [RFC5855] Abley, J. and T. Manderson, "Nameservers for IPv4 and IPv6 1410 Reverse Zones", BCP 155, RFC 5855, DOI 10.17487/RFC5855, 1411 May 2010, . 1413 [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol 1414 (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010, 1415 . 1417 [RFC6561] Livingood, J., Mody, N., and M. O'Reirdan, 1418 "Recommendations for the Remediation of Bots in ISP 1419 Networks", RFC 6561, DOI 10.17487/RFC6561, March 2012, 1420 . 1422 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 1423 Operational Practices, Version 2", RFC 6781, 1424 DOI 10.17487/RFC6781, December 2012, 1425 . 1427 [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and 1428 Implementation Notes for DNS Security (DNSSEC)", RFC 6840, 1429 DOI 10.17487/RFC6840, February 2013, 1430 . 1432 [RFC6841] Ljunggren, F., Eklund Lowinder, AM., and T. Okubo, "A 1433 Framework for DNSSEC Policies and DNSSEC Practice 1434 Statements", RFC 6841, DOI 10.17487/RFC6841, January 2013, 1435 . 1437 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 1438 for DNS (EDNS(0))", STD 75, RFC 6891, 1439 DOI 10.17487/RFC6891, April 2013, 1440 . 1442 [RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating 1443 DNSSEC Delegation Trust Maintenance", RFC 7344, 1444 DOI 10.17487/RFC7344, September 2014, 1445 . 1447 [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 1448 Terminology", RFC 7719, DOI 10.17487/RFC7719, December 1449 2015, . 1451 12.2. Informative References 1453 [IANA_Resource_Registry] 1454 Internet Assigned Numbers Authority, "Resource Record (RR) 1455 TYPEs", 2017, 1456 . 1458 [RFC0819] Su, Z. and J. Postel, "The Domain Naming Convention for 1459 Internet User Applications", RFC 819, 1460 DOI 10.17487/RFC0819, August 1982, 1461 . 1463 [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet 1464 host table specification", RFC 952, DOI 10.17487/RFC0952, 1465 October 1985, . 1467 [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, 1468 DOI 10.17487/RFC1995, August 1996, 1469 . 1471 [RFC2133] Gilligan, R., Thomson, S., Bound, J., and W. Stevens, 1472 "Basic Socket Interface Extensions for IPv6", RFC 2133, 1473 DOI 10.17487/RFC2133, April 1997, 1474 . 1476 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 1477 DOI 10.17487/RFC2775, February 2000, 1478 . 1480 [RFC3172] Huston, G., Ed., "Management Guidelines & Operational 1481 Requirements for the Address and Routing Parameter Area 1482 Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172, 1483 September 2001, . 1485 [RFC3757] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name 1486 System KEY (DNSKEY) Resource Record (RR) Secure Entry 1487 Point (SEP) Flag", RFC 3757, DOI 10.17487/RFC3757, April 1488 2004, . 1490 [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, 1491 DOI 10.17487/RFC3912, September 2004, 1492 . 1494 [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices", 1495 RFC 4641, DOI 10.17487/RFC4641, September 2006, 1496 . 1498 [RFC4697] Larson, M. and P. Barber, "Observed DNS Resolution 1499 Misbehavior", BCP 123, RFC 4697, DOI 10.17487/RFC4697, 1500 October 2006, . 1502 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 1503 Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786, 1504 December 2006, . 1506 [RFC4956] Arends, R., Kosters, M., and D. Blacka, "DNS Security 1507 (DNSSEC) Opt-In", RFC 4956, DOI 10.17487/RFC4956, July 1508 2007, . 1510 [RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines", 1511 BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009, 1512 . 1514 [RFC5890] Klensin, J., "Internationalized Domain Names for 1515 Applications (IDNA): Definitions and Document Framework", 1516 RFC 5890, DOI 10.17487/RFC5890, August 2010, 1517 . 1519 [RFC5891] Klensin, J., "Internationalized Domain Names in 1520 Applications (IDNA): Protocol", RFC 5891, 1521 DOI 10.17487/RFC5891, August 2010, 1522 . 1524 [RFC5892] Faltstrom, P., Ed., "The Unicode Code Points and 1525 Internationalized Domain Names for Applications (IDNA)", 1526 RFC 5892, DOI 10.17487/RFC5892, August 2010, 1527 . 1529 [RFC5893] Alvestrand, H., Ed. and C. Karp, "Right-to-Left Scripts 1530 for Internationalized Domain Names for Applications 1531 (IDNA)", RFC 5893, DOI 10.17487/RFC5893, August 2010, 1532 . 1534 [RFC5894] Klensin, J., "Internationalized Domain Names for 1535 Applications (IDNA): Background, Explanation, and 1536 Rationale", RFC 5894, DOI 10.17487/RFC5894, August 2010, 1537 . 1539 [RFC6055] Thaler, D., Klensin, J., and S. Cheshire, "IAB Thoughts on 1540 Encodings for Internationalized Domain Names", RFC 6055, 1541 DOI 10.17487/RFC6055, February 2011, 1542 . 1544 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 1545 DOI 10.17487/RFC6265, April 2011, 1546 . 1548 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, 1549 RFC 6303, DOI 10.17487/RFC6303, July 2011, 1550 . 1552 [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. 1553 Cheshire, "Internet Assigned Numbers Authority (IANA) 1554 Procedures for the Management of the Service Name and 1555 Transport Protocol Port Number Registry", BCP 165, 1556 RFC 6335, DOI 10.17487/RFC6335, August 2011, 1557 . 1559 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 1560 Internationalization in the IETF", BCP 166, RFC 6365, 1561 DOI 10.17487/RFC6365, September 2011, 1562 . 1564 [RFC7129] Gieben, R. and W. Mekking, "Authenticated Denial of 1565 Existence in the DNS", RFC 7129, DOI 10.17487/RFC7129, 1566 February 2014, . 1568 [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the 1569 Registration Data Access Protocol (RDAP)", RFC 7480, 1570 DOI 10.17487/RFC7480, March 2015, 1571 . 1573 [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the 1574 Registration Data Access Protocol (RDAP)", RFC 7481, 1575 DOI 10.17487/RFC7481, March 2015, 1576 . 1578 [RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access 1579 Protocol (RDAP) Query Format", RFC 7482, 1580 DOI 10.17487/RFC7482, March 2015, 1581 . 1583 [RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the 1584 Registration Data Access Protocol (RDAP)", RFC 7483, 1585 DOI 10.17487/RFC7483, March 2015, 1586 . 1588 [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data 1589 (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March 1590 2015, . 1592 [RFC7485] Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin, 1593 "Inventory and Analysis of WHOIS Registration Objects", 1594 RFC 7485, DOI 10.17487/RFC7485, March 2015, 1595 . 1597 [RFC8109] Koch, P., Larson, M., and P. Hoffman, "Initializing a DNS 1598 Resolver with Priming Queries", BCP 209, RFC 8109, 1599 DOI 10.17487/RFC8109, March 2017, 1600 . 1602 [RSSAC026] 1603 Root Server System Advisory Committee (RSSAC), "RSSAC 1604 Lexicon", 2017, 1605 . 1608 Appendix A. Definitions Updated by this Document 1610 The following definitions from RFCs are updated by this document: 1612 o Forwarder in [RFC2308] 1614 o Secure Entry Point (SEP) in [RFC3757] 1616 Appendix B. Definitions First Defined in this Document 1618 The following definitions are first defined in this document: 1620 o "Alias" in Section 2 1622 o "Apex" in Section 6 1624 o "arpa" in Section 6 1626 o "Class independent" in Section 4 1628 o "Delegation-centric zone" in Section 6 1630 o "Delegation" in Section 6 1631 o "DNS operator" in Section 7 1633 o "DNSSEC-aware" in Section 8 1635 o "DNSSEC-unaware" in Section 8 1637 o "Forwarding" in Section 5 1639 o "Full resolver" in Section 5 1641 o "Fully qualified domain name" in Section 2 1643 o "Global DNS" in Section 2 1645 o "Hardware Security Module (HSM)" in Section 8 1647 o "Host name" in Section 2 1649 o "IDN" in Section 2 1651 o "In-bailiwick" in Section 6 1653 o "Label" in Section 2 1655 o "Locally served DNS zone" in Section 2 1657 o "Naming system" in Section 2 1659 o "Negative response" in Section 3 1661 o "Open resolver" in Section 5 1663 o "Out-of-bailiwick" in Section 6 1665 o "Passive DNS" in Section 5 1667 o "Policy-implementing resolver" in Section 5 1669 o "Presentation format" in Section 4 1671 o "Priming" in Section 5 1673 o "Private DNS" in Section 2 1675 o "Recursive resolver" in Section 5 1677 o "Referrals" in Section 3 1678 o "Registrant" in Section 7 1680 o "Registrar" in Section 7 1682 o "Registry" in Section 7 1684 o "Root zone" in Section 6 1686 o "Secure Entry Point (SEP)" in Section 8 1688 o "Signing software" in Section 8 1690 o "Stub resolver" in Section 5 1692 o "TLD" in Section 2 1694 o "Validating resolver" in Section 8 1696 o "Validation" in Section 8 1698 o "View" in Section 5 1700 o "Zone transfer" in Section 5 1702 Acknowledgements 1704 The following is the Acknowledgements for RFC 7719. Additional 1705 acknowledgements may be added as this draft is worked on. 1707 The authors gratefully acknowledge all of the authors of DNS-related 1708 RFCs that proceed this one. Comments from Tony Finch, Stephane 1709 Bortzmeyer, Niall O'Reilly, Colm MacCarthaigh, Ray Bellis, John 1710 Kristoff, Robert Edmonds, Paul Wouters, Shumon Huque, Paul Ebersman, 1711 David Lawrence, Matthijs Mekking, Casey Deccio, Bob Harold, Ed Lewis, 1712 John Klensin, David Black, and many others in the DNSOP Working Group 1713 helped shape RFC 7719. 1715 Additional people contributed to this document, including: John 1716 Dickinson, Bob Harold, Peter Koch, [[ MORE NAMES WILL APPEAR HERE AS 1717 FOLKS CONTRIBUTE]]. 1719 Authors' Addresses 1721 Paul Hoffman 1722 ICANN 1724 Email: paul.hoffman@icann.org 1725 Andrew Sullivan 1726 Oracle 1727 100 Milverton Drive 1728 Mississauga, ON L5R 4H1 1729 Canada 1731 Email: andrew.s.sullivan@oracle.com 1733 Kazunori Fujiwara 1734 Japan Registry Services Co., Ltd. 1735 Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda 1736 Chiyoda-ku, Tokyo 101-0065 1737 Japan 1739 Phone: +81 3 5215 8451 1740 Email: fujiwara@jprs.co.jp