Delegation Revalidation by DNS Resolvers
draft-ietf-dnsop-ns-revalidation-00
Document Type Active Internet-Draft (dnsop WG)
Authors Shumon Huque  , Paul Vixie  , Ralph Dolmans 
Last updated 2020-09-08
Replaces draft-huque-dnsop-ns-revalidation
Stream Internent Engineering Task Force (IETF)
Intended RFC status (None)
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Internet Engineering Task Force                                 S. Huque
Internet-Draft                                                Salesforce
Intended status: Standards Track                                P. Vixie
Expires: March 11, 2021                                Farsight Security
                                                              R. Dolmans
                                                              NLnet Labs
                                                       September 7, 2020

                Delegation Revalidation by DNS Resolvers
                  draft-ietf-dnsop-ns-revalidation-00

Abstract

   This document recommends improved DNS [RFC1034] [RFC1035] resolver
   behavior with respect to the processing of Name Server (NS) resource
   record sets (RRset) during iterative resolution.  When following a
   referral response from an authoritative server to a child zone, DNS
   resolvers should explicitly query the authoritative NS RRset at the
   apex of the child zone and cache this in preference to the NS RRset
   on the parent side of the zone cut.  Resolvers should also
   periodically revalidate the child delegation by re-quering the parent
   zone at the expiration of the TTL of the parent side NS RRset.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 11, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Huque, et al.            Expires March 11, 2021                 [Page 1]
Internet-Draft         DNS Delegation Revalidation        September 2020

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Motivation  . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Upgrading NS RRset Credibility  . . . . . . . . . . . . . . .   4
   4.  Delegation Revalidation . . . . . . . . . . . . . . . . . . .   5
     4.1.  Using the DS Record TTL . . . . . . . . . . . . . . . . .   6
   5.  Optimizations . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Re-delegations and Delegation Removals  . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH BEFORE PUBLISHING: The
   source for this draft is maintained in GitHub at:
   https://github.com/shuque/ns-revalidation

   This document recommends improved DNS resolver behavior with respect
   to the processing of NS record sets during iterative resolution.  The
   first recommendation is that resolvers, when following a referral
   response from an authoritative server to a child zone, should
   explicitly query the authoritative NS RRset at the apex of the child
   zone and cache this in preference to the NS RRset on the parent side
   of the zone cut.  The second recommendation is to revalidate the
   delegation by re-quering the parent zone at the expiration of the TTL
   of the parent side NS RRset.

Huque, et al.            Expires March 11, 2021                 [Page 2]
Internet-Draft         DNS Delegation Revalidation        September 2020

2.  Motivation

   There is wide variability in the behavior of deployed DNS resolvers
   today with respect to how they process delegation records.  Some of
   them prefer the parent NS set, some prefer the child, and for others,
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools