1 Internet Engineering Task Force (IETF)                       D. Lawrence   
    2 Request for Comments: 8767                                        Oracle   
    3 Updates: 1034, 1035, 2181                                      W. Kumari   
    4 Category: Standards Track                                        P. Sood   
    5 ISSN: 2070-1721                                                   Google   
    6                                                               March 2020   
    9               Serving Stale Data to Improve DNS Resiliency                 
   11 Abstract                                                                   
   13    This document defines a method (serve-stale) for recursive resolvers    
   14    to use stale DNS data to avoid outages when authoritative nameservers   
   15    cannot be reached to refresh expired data.  One of the motivations      
   16    for serve-stale is to make the DNS more resilient to DoS attacks and    
   17    thereby make them less attractive as an attack vector.  This document   
   18    updates the definitions of TTL from RFCs 1034 and 1035 so that data     
   19    can be kept in the cache beyond the TTL expiry; it also updates RFC     
   20    2181 by interpreting values with the high-order bit set as being        
   21    positive, rather than 0, and suggests a cap of 7 days.                  
   23 Status of This Memo                                                        
   25    This is an Internet Standards Track document.                           
   27    This document is a product of the Internet Engineering Task Force       
   28    (IETF).  It represents the consensus of the IETF community.  It has     
   29    received public review and has been approved for publication by the     
   30    Internet Engineering Steering Group (IESG).  Further information on     
   31    Internet Standards is available in Section 2 of RFC 7841.               
   33    Information about the current status of this document, any errata,      
   34    and how to provide feedback on it may be obtained at                    
   35    https://www.rfc-editor.org/info/rfc8767.                                
   37 Copyright Notice                                                           
   39    Copyright (c) 2020 IETF Trust and the persons identified as the         
   40    document authors.  All rights reserved.                                 
   42    This document is subject to BCP 78 and the IETF Trust's Legal           
   43    Provisions Relating to IETF Documents                                   
   44    (https://trustee.ietf.org/license-info) in effect on the date of        
   45    publication of this document.  Please review these documents            
   46    carefully, as they describe your rights and restrictions with respect   
   47    to this document.  Code Components extracted from this document must    
   48    include Simplified BSD License text as described in Section 4.e of      
   49    the Trust Legal Provisions and are provided without warranty as         
   50    described in the Simplified BSD License.                                
   52 Table of Contents                                                          
   54    1.  Introduction                                                        
   55    2.  Terminology                                                         
   56    3.  Background                                                          
   57    4.  Standards Action                                                    
   58    5.  Example Method                                                      
   59    6.  Implementation Considerations                                       
   60    7.  Implementation Caveats                                              
   61    8.  Implementation Status                                               
   62    9.  EDNS Option                                                         
   63    10. Security Considerations                                             
   64    11. Privacy Considerations                                              
   65    12. NAT Considerations                                                  
   66    13. IANA Considerations                                                 
   67    14. References                                                          
   68      14.1.  Normative References                                           
   69      14.2.  Informative References                                         
   70    Acknowledgements                                                        
   71    Authors' Addresses                                                      
   73 1.  Introduction                                                           
   75    Traditionally, the Time To Live (TTL) of a DNS Resource Record (RR)     
   76    has been understood to represent the maximum number of seconds that a   
   77    record can be used before it must be discarded, based on its            
   78    description and usage in [RFC1035] and clarifications in [RFC2181].     
   80    This document expands the definition of the TTL to explicitly allow     
   81    for expired data to be used in the exceptional circumstance that a      
   82    recursive resolver is unable to refresh the information.  It is         
   83    predicated on the observation that authoritative answer                 
   84    unavailability can cause outages even when the underlying data those    
   85    servers would return is typically unchanged.                            
   87    We describe a method below for this use of stale data, balancing the    
   88    competing needs of resiliency and freshness.                            
   90    This document updates the definitions of TTL from [RFC1034] and         
   91    [RFC1035] so that data can be kept in the cache beyond the TTL          
   92    expiry; it also updates [RFC2181] by interpreting values with the       
   93    high-order bit set as being positive, rather than 0, and also           
   94    suggests a cap of 7 days.                                               
   96 2.  Terminology                                                            
   98    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",     
  100    "OPTIONAL" in this document are to be interpreted as described in       
  101    BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all      
  102    capitals, as shown here.                                                
  104    For a glossary of DNS terms, please see [RFC8499].                      
  106 3.  Background                                                             
  108    There are a number of reasons why an authoritative server may become    
  109    unreachable, including Denial-of-Service (DoS) attacks, network         
  110    issues, and so on.  If a recursive server is unable to contact the      
  111    authoritative servers for a query but still has relevant data that      
  112    has aged past its TTL, that information can still be useful for         
  113    generating an answer under the metaphorical assumption that "stale      
  114    bread is better than no bread."                                         
  116    [RFC1035], Section 3.2.1 says that the TTL "specifies the time          
  117    interval that the resource record may be cached before the source of    
  118    the information should again be consulted."  [RFC1035], Section 4.1.3   
  119    further says that the TTL "specifies the time interval (in seconds)     
  120    that the resource record may be cached before it should be              
  121    discarded."                                                             
  123    A natural English interpretation of these remarks would seem to be      
  124    clear enough that records past their TTL expiration must not be used.   
  125    However, [RFC1035] predates the more rigorous terminology of            
  126    [RFC2119], which softened the interpretation of "may" and "should".     
  128    [RFC2181] aimed to provide "the precise definition of the Time to       
  129    Live," but Section 8 of [RFC2181] was mostly concerned with the         
  130    numeric range of values rather than data expiration behavior.  It       
  131    does, however, close that section by noting, "The TTL specifies a       
  132    maximum time to live, not a mandatory time to live."  This wording      
  133    again does not contain BCP 14 key words [RFC2119], but it does convey   
  134    the natural language connotation that data becomes unusable past TTL    
  135    expiry.                                                                 
  137    As of the time of this writing, several large-scale operators use       
  138    stale data for answers in some way.  A number of recursive resolver     
  139    packages, including BIND, Knot Resolver, OpenDNS, and Unbound,          
  140    provide options to use stale data.  Apple macOS can also use stale      
  141    data as part of the Happy Eyeballs algorithms in mDNSResponder.  The    
  142    collective operational experience is that using stale data can          
  143    provide significant benefit with minimal downside.                      
  145 4.  Standards Action                                                       
  147    The definition of TTL in Sections 3.2.1 and 4.1.3 of [RFC1035] is       
  148    amended to read:                                                        
  150    TTL  a 32-bit unsigned integer number of seconds that specifies the     
  151         duration that the resource record MAY be cached before the         
  152         source of the information MUST again be consulted.  Zero values    
  153         are interpreted to mean that the RR can only be used for the       
  154         transaction in progress, and should not be cached.  Values         
  155         SHOULD be capped on the order of days to weeks, with a             
  156         recommended cap of 604,800 seconds (7 days).  If the data is       
  157         unable to be authoritatively refreshed when the TTL expires, the   
  158         record MAY be used as though it is unexpired.  See Sections 5      
  159         and 6 of [RFC8767] for details.                                    
  161    Interpreting values that have the high-order bit set as being           
  162    positive, rather than 0, is a change from [RFC2181], the rationale      
  163    for which is explained in Section 6.  Suggesting a cap of 7 days,       
  164    rather than the 68 years allowed by the full 31 bits of Section 8 of    
  165    [RFC2181], reflects the current practice of major modern DNS            
  166    resolvers.                                                              
  168    When returning a response containing stale records, a recursive         
  169    resolver MUST set the TTL of each expired record in the message to a    
  170    value greater than 0, with a RECOMMENDED value of 30 seconds.  See      
  171    Section 6 for explanation.                                              
  173    Answers from authoritative servers that have a DNS response code of     
  174    either 0 (NoError) or 3 (NXDomain) and the Authoritative Answer (AA)    
  175    bit set MUST be considered to have refreshed the data at the            
  176    resolver.  Answers from authoritative servers that have any other       
  177    response code SHOULD be considered a failure to refresh the data and    
  178    therefore leave any previous state intact.  See Section 6 for a         
  179    discussion.                                                             
  181 5.  Example Method                                                         
  183    There is more than one way a recursive resolver could responsibly       
  184    implement this resiliency feature while still respecting the intent     
  185    of the TTL as a signal for when data is to be refreshed.                
  187    In this example method, four notable timers drive considerations for    
  188    the use of stale data:                                                  
  190    *  A client response timer, which is the maximum amount of time a       
  191       recursive resolver should allow between the receipt of a             
  192       resolution request and sending its response.                         
  194    *  A query resolution timer, which caps the total amount of time a      
  195       recursive resolver spends processing the query.                      
  197    *  A failure recheck timer, which limits the frequency at which a       
  198       failed lookup will be attempted again.                               
  200    *  A maximum stale timer, which caps the amount of time that records    
  201       will be kept past their expiration.                                  
  203    Most recursive resolvers already have the query resolution timer and,   
  204    effectively, some kind of failure recheck timer.  The client response   
  205    timer and maximum stale timer are new concepts for this mechanism.      
  207    When a recursive resolver receives a request, it should start the       
  208    client response timer.  This timer is used to avoid client timeouts.    
  209    It should be configurable, with a recommended value of 1.8 seconds as   
  210    being just under a common timeout value of 2 seconds while still        
  211    giving the resolver a fair shot at resolving the name.                  
  213    The resolver then checks its cache for any unexpired records that       
  214    satisfy the request and returns them if available.  If it finds no      
  215    relevant unexpired data and the Recursion Desired flag is not set in    
  216    the request, it should immediately return the response without          
  217    consulting the cache for expired records.  Typically, this response     
  218    would be a referral to authoritative nameservers covering the zone,     
  219    but the specifics are implementation dependent.                         
  221    If iterative lookups will be done, then the failure recheck timer is    
  222    consulted.  Attempts to refresh from non-responsive or otherwise        
  223    failing authoritative nameservers are recommended to be done no more    
  224    frequently than every 30 seconds.  If this request was received         
  225    within this period, the cache may be immediately consulted for stale    
  226    data to satisfy the request.                                            
  228    Outside the period of the failure recheck timer, the resolver should    
  229    start the query resolution timer and begin the iterative resolution     
  230    process.  This timer bounds the work done by the resolver when          
  231    contacting external authorities and is commonly around 10 to 30         
  232    seconds.  If this timer expires on an attempted lookup that is still    
  233    being processed, the resolution effort is abandoned.                    
  235    If the answer has not been completely determined by the time the        
  236    client response timer has elapsed, the resolver should then check its   
  237    cache to see whether there is expired data that would satisfy the       
  238    request.  If so, it adds that data to the response message with a TTL   
  239    greater than 0 (as specified in Section 4).  The response is then       
  240    sent to the client while the resolver continues its attempt to          
  241    refresh the data.                                                       
  243    When no authorities are able to be reached during a resolution          
  244    attempt, the resolver should attempt to refresh the delegation and      
  245    restart the iterative lookup process with the remaining time on the     
  246    query resolution timer.  This resumption should be done only once per   
  247    resolution effort.                                                      
  249    Outside the resolution process, the maximum stale timer is used for     
  250    cache management and is independent of the query resolution process.    
  251    This timer is conceptually different from the maximum cache TTL that    
  252    exists in many resolvers, the latter being a clamp on the value of      
  253    TTLs as received from authoritative servers and recommended to be       
  254    7 days in the TTL definition in Section 4.  The maximum stale timer     
  255    should be configurable.  It defines the length of time after a record   
  256    expires that it should be retained in the cache.  The suggested value   
  257    is between 1 and 3 days.                                                
  259 6.  Implementation Considerations                                          
  261    This document mainly describes the issues behind serving stale data     
  262    and intentionally does not provide a formal algorithm.  The concept     
  263    is not overly complex, and the details are best left to resolver        
  264    authors to implement in their codebases.  The processing of serve-      
  265    stale is a local operation, and consistent variables between            
  266    deployments are not needed for interoperability.  However, we would     
  267    like to highlight the impact of various implementation choices,         
  268    starting with the timers involved.                                      
  270    The most obvious of these is the maximum stale timer.  If this          
  271    variable is too large, it could cause excessive cache memory usage,     
  272    but if it is too small, the serve-stale technique becomes less          
  273    effective, as the record may not be in the cache to be used if          
  274    needed.  Shorter values, even less than a day, can effectively handle   
  275    the vast majority of outages.  Longer values, as much as a week, give   
  276    time for monitoring systems to notice a resolution problem and for      
  277    human intervention to fix it; operational experience has been that      
  278    sometimes the right people can be hard to track down and                
  279    unfortunately slow to remedy the situation.                             
  281    Increased memory consumption could be mitigated by prioritizing         
  282    removal of stale records over non-expired records during cache          
  283    exhaustion.  Eviction strategies could consider additional factors,     
  284    including the last time of use or the popularity of a record, to        
  285    retain active but stale records.  A feature to manually flush only      
  286    stale records could also be useful.                                     
  288    The client response timer is another variable that deserves             
  289    consideration.  If this value is too short, there exists the risk       
  290    that stale answers may be used even when the authoritative server is    
  291    actually reachable but slow; this may result in undesirable answers     
  292    being returned.  Conversely, waiting too long will negatively impact    
  293    user experience.                                                        
  295    The balance for the failure recheck timer is responsiveness in          
  296    detecting the renewed availability of authorities versus the extra      
  297    resource use for resolution.  If this variable is set too large,        
  298    stale answers may continue to be returned even after the                
  299    authoritative server is reachable; per [RFC2308], Section 7, this       
  300    should be no more than 5 minutes.  If this variable is too small,       
  301    authoritative servers may be targeted with a significant amount of      
  302    excess traffic.                                                         
  304    Regarding the TTL to set on stale records in the response,              
  305    historically TTLs of 0 seconds have been problematic for some           
  306    implementations, and negative values can't effectively be               
  307    communicated to existing software.  Other very short TTLs could lead    
  308    to congestive collapse as TTL-respecting clients rapidly try to         
  309    refresh.  The recommended value of 30 seconds not only sidesteps        
  310    those potential problems with no practical negative consequences, it    
  311    also rate-limits further queries from any client that honors the TTL,   
  312    such as a forwarding resolver.                                          
  314    As for the change to treat a TTL with the high-order bit set as         
  315    positive and then clamping it, as opposed to [RFC2181] treating it as   
  316    zero, the rationale here is basically one of engineering simplicity     
  317    versus an inconsequential operational history.  Negative TTLs had no    
  318    rational intentional meaning that wouldn't have been satisfied by       
  319    just sending 0 instead, and similarly there was realistically no        
  320    practical purpose for sending TTLs of 2^25 seconds (1 year) or more.    
  321    There's also no record of TTLs in the wild having the most              
  322    significant bit set in the DNS Operations, Analysis, and Research       
  323    Center's (DNS-OARC's) "Day in the Life" samples [DITL].  With no        
  324    apparent reason for operators to use them intentionally, that leaves    
  325    either errors or non-standard experiments as explanations as to why     
  326    such TTLs might be encountered, with neither providing an obviously     
  327    compelling reason as to why having the leading bit set should be        
  328    treated differently from having any of the next eleven bits set and     
  329    then capped per Section 4.                                              
  331    Another implementation consideration is the use of stale nameserver     
  332    addresses for lookups.  This is mentioned explicitly because, in some   
  333    resolvers, getting the addresses for nameservers is a separate path     
  334    from a normal cache lookup.  If authoritative server addresses are      
  335    not able to be refreshed, resolution can possibly still be successful   
  336    if the authoritative servers themselves are up.  For instance,          
  337    consider an attack on a top-level domain that takes its nameservers     
  338    offline; serve-stale resolvers that had expired glue addresses for      
  339    subdomains within that top-level domain would still be able to          
  340    resolve names within those subdomains, even those it had not            
  341    previously looked up.                                                   
  343    The directive in Section 4 that only NoError and NXDomain responses     
  344    should invalidate any previously associated answer stems from the       
  345    fact that no other RCODEs that a resolver normally encounters make      
  346    any assertions regarding the name in the question or any data           
  347    associated with it.  This comports with existing resolver behavior      
  348    where a failed lookup (say, during prefetching) doesn't impact the      
  349    existing cache state.  Some authoritative server operators have said    
  350    that they would prefer stale answers to be used in the event that       
  351    their servers are responding with errors like ServFail instead of       
  352    giving true authoritative answers.  Implementers MAY decide to return   
  353    stale answers in this situation.                                        
  355    Since the goal of serve-stale is to provide resiliency for all          
  356    obvious errors to refresh data, these other RCODEs are treated as       
  357    though they are equivalent to not getting an authoritative response.    
  358    Although NXDomain for a previously existing name might well be an       
  359    error, it is not handled that way because there is no effective way     
  360    to distinguish operator intent for legitimate cases versus error        
  361    cases.                                                                  
  363    During discussion in the IETF, it was suggested that, if all            
  364    authorities return responses with an RCODE of Refused, it may be an     
  365    explicit signal to take down the zone from servers that still have      
  366    the zone's delegation pointed to them.  Refused, however, is also       
  367    overloaded to mean multiple possible failures that could represent      
  368    transient configuration failures.  Operational experience has shown     
  369    that purposely returning Refused is a poor way to achieve an explicit   
  370    takedown of a zone compared to either updating the delegation or        
  371    returning NXDomain with a suitable SOA for extended negative caching.   
  372    Implementers MAY nonetheless consider whether to treat all              
  373    authorities returning Refused as preempting the use of stale data.      
  375 7.  Implementation Caveats                                                 
  377    Stale data is used only when refreshing has failed in order to adhere   
  378    to the original intent of the design of the DNS and the behavior        
  379    expected by operators.  If stale data were to always be used            
  380    immediately and then a cache refresh attempted after the client         
  381    response has been sent, the resolver would frequently be sending data   
  382    that it would have had no trouble refreshing.  Because modern           
  383    resolvers use techniques like prefetching and request coalescing for    
  384    efficiency, it is not necessary that every client request needs to      
  385    trigger a new lookup flow in the presence of stale data, but rather     
  386    that a good-faith effort has been recently made to refresh the stale    
  387    data before it is delivered to any client.                              
  389    It is important to continue the resolution attempt after the stale      
  390    response has been sent, until the query resolution timeout, because     
  391    some pathological resolutions can take many seconds to succeed as       
  392    they cope with unavailable servers, bad networks, and other problems.   
  393    Stopping the resolution attempt when the response with expired data     
  394    has been sent would mean that answers in these pathological cases       
  395    would never be refreshed.                                               
  397    The continuing prohibition against using data with a 0-second TTL       
  398    beyond the current transaction explicitly extends to it being           
  399    unusable even for stale fallback, as it is not to be cached at all.     
  401    Be aware that Canonical Name (CNAME) and DNAME records [RFC6672]        
  402    mingled in the expired cache with other records at the same owner       
  403    name can cause surprising results.  This was observed with an initial   
  404    implementation in BIND when a hostname changed from having an IPv4      
  405    Address (A) record to a CNAME.  The version of BIND being used did      
  406    not evict other types in the cache when a CNAME was received, which     
  407    in normal operations is not a significant issue.  However, after both   
  408    records expired and the authorities became unavailable, the fallback    
  409    to stale answers returned the older A instead of the newer CNAME.       
  411 8.  Implementation Status                                                  
  413    The algorithm described in Section 5 was originally implemented as a    
  414    patch to BIND 9.7.0.  It has been in use on Akamai's production         
  415    network since 2011; it effectively smoothed over transient failures     
  416    and longer outages that would have resulted in major incidents.  The    
  417    patch was contributed to the Internet Systems Consortium, and the       
  418    functionality is now available in BIND 9.12 and later via the options   
  419    stale-answer-enable, stale-answer-ttl, and max-stale-ttl.               
  421    Unbound has a similar feature for serving stale answers and will        
  422    respond with stale data immediately if it has recently tried and        
  423    failed to refresh the answer by prefetching.  Starting from version     
  424    1.10.0, Unbound can also be configured to follow the algorithm          
  425    described in Section 5.  Both behaviors can be configured and fine-     
  426    tuned with the available serve-expired-* options.                       
  428    Knot Resolver has a demo module here: <https://knot-                    
  429    resolver.readthedocs.io/en/stable/modules-serve_stale.html>.            
  431    Apple's system resolvers are also known to use stale answers, but the   
  432    details are not readily available.                                      
  434    In the research paper "When the Dike Breaks: Dissecting DNS Defenses    
  435    During DDoS" [DikeBreaks], the authors detected some use of stale       
  436    answers by resolvers when authorities came under attack.  Their         
  437    research results suggest that more widespread adoption of the           
  438    technique would significantly improve resiliency for the large number   
  439    of requests that fail or experience abnormally long resolution times    
  440    during an attack.                                                       
  442 9.  EDNS Option                                                            
  444    During the discussion of serve-stale in the IETF, it was suggested      
  445    that an EDNS option [RFC6891] should be available.  One proposal was    
  446    to use it to opt in to getting data that is possibly stale, and         
  447    another was to signal when stale data has been used for a response.     
  449    The opt-in use case was rejected, as the technique was meant to be      
  450    immediately useful in improving DNS resiliency for all clients.         
  452    The reporting case was ultimately also rejected because even the        
  453    simpler version of a proposed option was still too much bother to       
  454    implement for too little perceived value.                               
  456 10.  Security Considerations                                               
  458    The most obvious security issue is the increased likelihood of DNSSEC   
  459    validation failures when using stale data because signatures could be   
  460    returned outside their validity period.  Stale negative records can     
  461    increase the time window where newly published TLSA or DS RRs may not   
  462    be used due to cached NSEC or NSEC3 records.  These scenarios would     
  463    only be an issue if the authoritative servers are unreachable (the      
  464    only time the techniques in this document are used), and thus serve-    
  465    stale does not introduce a new failure in place of what would have      
  466    otherwise been success.                                                 
  468    Additionally, bad actors have been known to use DNS caches to keep      
  469    records alive even after their authorities have gone away.  The         
  470    serve-stale feature potentially makes the attack easier, although       
  471    without introducing a new risk.  In addition, attackers could combine   
  472    this with a DDoS attack on authoritative servers with the explicit      
  473    intent of having stale information cached for a longer period of        
  474    time.  But if attackers have this capacity, they probably could do      
  475    much worse than prolonging the life of old data.                        
  477    In [CloudStrife], it was demonstrated how stale DNS data, namely        
  478    hostnames pointing to addresses that are no longer in use by the        
  479    owner of the name, can be used to co-opt security -- for example, to    
  480    get domain-validated certificates fraudulently issued to an attacker.   
  481    While this document does not create a new vulnerability in this area,   
  482    it does potentially enlarge the window in which such an attack could    
  483    be made.  A proposed mitigation is that certificate authorities         
  484    should fully look up each name starting at the DNS root for every       
  485    name lookup.  Alternatively, certificate authorities should use a       
  486    resolver that is not serving stale data.                                
  488 11.  Privacy Considerations                                                
  490    This document does not add any practical new privacy issues.            
  492 12.  NAT Considerations                                                    
  494    The method described here is not affected by the use of NAT devices.    
  496 13.  IANA Considerations                                                   
  498    This document has no IANA actions.                                      
  500 14.  References                                                            
  502 14.1.  Normative References                                                
  504    [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",   
  505               STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,       
  506               <https://www.rfc-editor.org/info/rfc1034>.                   
  508    [RFC1035]  Mockapetris, P., "Domain names - implementation and          
  509               specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,      
  510               November 1987, <https://www.rfc-editor.org/info/rfc1035>.    
  512    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate          
  513               Requirement Levels", BCP 14, RFC 2119,                       
  514               DOI 10.17487/RFC2119, March 1997,                            
  515               <https://www.rfc-editor.org/info/rfc2119>.                   
  517    [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS              
  518               Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,   
  519               <https://www.rfc-editor.org/info/rfc2181>.                   
  521    [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS           
  522               NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,        
  523               <https://www.rfc-editor.org/info/rfc2308>.                   
  525    [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC       
  526               2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,     
  527               May 2017, <https://www.rfc-editor.org/info/rfc8174>.         
  529 14.2.  Informative References                                              
  531    [CloudStrife]                                                           
  532               Borgolte, K., Fiebig, T., Hao, S., Kruegel, C., and G.       
  533               Vigna, "Cloud Strife: Mitigating the Security Risks of       
  534               Domain-Validated Certificates",                              
  535               DOI 10.1145/3232755.3232859, ACM 2018 Applied Networking     
  536               Research Workshop, July 2018, <https://www.ndss-             
  537               symposium.org/wp-content/uploads/2018/02/ndss2018_06A-       
  538               4_Borgolte_paper.pdf>.                                       
  540    [DikeBreaks]                                                            
  541               Moura, G.C.M., Heidemann, J., Müller, M., Schmidt, R. de     
  542               O., and M. Davids, "When the Dike Breaks: Dissecting DNS     
  543               Defenses During DDoS", DOI 10.1145/3278532.3278534,          
  544               ACM 2018 Internet Measurement Conference, October 2018,      
  545               <https://www.isi.edu/~johnh/PAPERS/Moura18b.pdf>.            
  547    [DITL]     DNS-OARC, "DITL Traces and Analysis", January 2018,          
  548               <https://www.dns-oarc.net/oarc/data/ditl>.                   
  550    [RFC6672]  Rose, S. and W. Wijngaards, "DNAME Redirection in the        
  551               DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012,             
  552               <https://www.rfc-editor.org/info/rfc6672>.                   
  554    [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms    
  555               for DNS (EDNS(0))", STD 75, RFC 6891,                        
  556               DOI 10.17487/RFC6891, April 2013,                            
  557               <https://www.rfc-editor.org/info/rfc6891>.                   
  559    [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS             
  560               Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,       
  561               January 2019, <https://www.rfc-editor.org/info/rfc8499>.     
  563 Acknowledgements                                                           
  565    The authors wish to thank Brian Carpenter, Vladimir Cunat, Robert       
  566    Edmonds, Tony Finch, Bob Harold, Tatuya Jinmei, Matti Klock, Jason      
  567    Moreau, Giovane Moura, Jean Roy, Mukund Sivaraman, Davey Song, Paul     
  568    Vixie, Ralf Weber, and Paul Wouters for their review and feedback.      
  569    Paul Hoffman deserves special thanks for submitting a number of Pull    
  570    Requests.                                                               
  572    Thank you also to the following members of the IESG for their final     
  573    review: Roman Danyliw, Benjamin Kaduk, Suresh Krishnan, Mirja           
  574    Kühlewind, and Adam Roach.                                              
  576 Authors' Addresses                                                         
  578    David C Lawrence                                                        
  579    Oracle                                                                  
  581    Email: tale@dd.org                                                      
  584    Warren "Ace" Kumari                                                     
  585    Google                                                                  
  586    1600 Amphitheatre Parkway                                               
  587    Mountain View, CA 94043                                                 
  588    United States of America                                                
  590    Email: warren@kumari.net                                                
  593    Puneet Sood                                                             
  594    Google                                                                  
  596    Email: puneets@google.com                                               

The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.

This RFC is included in the DNS RFCs annotation project whose home page is here.