Delegation Revalidation by DNS Resolvers
draft-ietf-dnsop-ns-revalidation-00
Internet Engineering Task Force
Internet-Draft
Intended status: Standards Track
Expires: March 11, 2021

S. Huque, Salesforce
P. Vixie, Farsight Security
R. Dolmans, NLnet Labs
September 7, 2020
Abstract
This document recommends improved DNS [RFC1034] [RFC1035] resolver
behavior with respect to the processing of Name Server (NS) resource
record sets (RRset) during iterative resolution. When following a
referral response from an authoritative server to a child zone, DNS
resolvers should explicitly query the authoritative NS RRset at the
apex of the child zone and cache this in preference to the NS RRset
on the parent side of the zone cut. Resolvers should also
periodically revalidate the child delegation by re-querying the parent
zone at the expiration of the TTL of the parent side NS RRset.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 11, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
Huque, et al. Expires March 11, 2021 [Page 1]
Internet-Draft DNS Delegation Revalidation September 2020
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info)
in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Upgrading NS RRset Credibility . . . . . . . . . . . . . . . 4
4. Delegation Revalidation . . . . . . . . . . . . . . . . . . . 5
4.1. Using the DS Record TTL . . . . . . . . . . . . . . . . . 6
5. Optimizations . . . . . . . . . . . . . . . . . . . . . . . . 7
6. Re-delegations and Delegation Removals . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . 8
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH BEFORE PUBLISHING: The
source for this draft is maintained in GitHub at:
https://github.com/shuque/ns-revalidation
This document recommends improved DNS resolver behavior with respect
to the processing of NS record sets during iterative resolution. The
first recommendation is that resolvers, when following a referral
response from an authoritative server to a child zone, should
explicitly query the authoritative NS RRset at the apex of the child
zone and cache this in preference to the NS RRset on the parent side
of the zone cut. The second recommendation is to revalidate the
delegation by re-querying the parent zone at the expiration of the TTL
of the parent side NS RRset.
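The two recommendations above, modelled as a small per-zone NS cache. This is an added example, not code from the draft or from any resolver; the zone names and TTLs are constructed, and the policy of discarding the child's cached NS set when the parent's re-queried delegation differs is an assumption for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NSRRset:
    """A cached NS RRset for one zone, tagged with where it came from."""
    names: frozenset      # name server owner names
    ttl: int              # TTL in seconds
    fetched_at: int       # cache time, seconds since an arbitrary epoch
    from_child: bool      # True: child apex (authoritative); False: parent-side referral

    def expired(self, now):
        return now >= self.fetched_at + self.ttl


class DelegationCache:
    """Per-zone NS cache applying the draft's two recommendations."""

    def __init__(self):
        self.parent = {}   # zone -> parent-side NS RRset learned from a referral
        self.child = {}    # zone -> NS RRset queried explicitly at the child apex

    def on_referral(self, zone, names, ttl, now):
        """Recommendation 1, step 1: record the referral's parent-side NS RRset."""
        self.parent[zone] = NSRRset(frozenset(names), ttl, now, False)

    def on_child_apex_ns(self, zone, names, ttl, now):
        """Recommendation 1, step 2: the apex NS answer is cached as preferred data."""
        self.child[zone] = NSRRset(frozenset(names), ttl, now, True)

    def nameservers(self, zone, now):
        """Return the NS names to use: child apex set first, parent set as fallback."""
        for store in (self.child, self.parent):
            rrset = store.get(zone)
            if rrset is not None and not rrset.expired(now):
                return rrset.names
        return None

    def needs_revalidation(self, zone, now):
        """Recommendation 2: once the parent-side NS TTL has run out, re-query the parent."""
        rrset = self.parent.get(zone)
        return rrset is None or rrset.expired(now)

    def revalidate(self, zone, names, ttl, now):
        """Apply the parent's fresh answer; a changed delegation drops the child's set (assumption)."""
        old = self.parent.get(zone)
        self.on_referral(zone, names, ttl, now)
        changed = old is None or old.names != frozenset(names)
        if changed:
            self.child.pop(zone, None)
        return changed
```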
2. Motivation
There is wide variability in the behavior of deployed DNS resolvers
today with respect to how they process delegation records. Some of
them prefer the parent NS set, some prefer the child, and for others,