Internet Engineering Task Force (IETF) D. Lawrence
Request for Comments: 8767 Oracle
Updates: 1034, 1035, 2181 W. Kumari
Category: Standards Track P. Sood
ISSN: 2070-1721 Google
March 2020


Serving Stale Data to Improve DNS Resiliency

Abstract

This document defines a method (serve-stale) for recursive resolvers
to use stale DNS data to avoid outages when authoritative nameservers
cannot be reached to refresh expired data. One of the motivations
for serve-stale is to make the DNS more resilient to DoS attacks and
thereby make them less attractive as an attack vector. This document
updates the definitions of TTL from RFCs 1034 and 1035 so that data
can be kept in the cache beyond the TTL expiry; it also updates RFC
2181 by interpreting values with the high-order bit set as being
positive, rather than 0, and suggests a cap of 7 days.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8767.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Terminology
3. Background
4. Standards Action
5. Example Method
6. Implementation Considerations
7. Implementation Caveats
8. Implementation Status
9. EDNS Option
10. Security Considerations
11. Privacy Considerations
12. NAT Considerations
13. IANA Considerations
14. References
14.1. Normative References
14.2. Informative References
Acknowledgements
Authors' Addresses

1. Introduction

Traditionally, the Time To Live (TTL) of a DNS Resource Record (RR)
has been understood to represent the maximum number of seconds that a
record can be used before it must be discarded, based on its
description and usage in [RFC1035] and clarifications in [RFC2181].

This document expands the definition of the TTL to explicitly allow
for expired data to be used in the exceptional circumstance that a
recursive resolver is unable to refresh the information. It is
predicated on the observation that authoritative answer
unavailability can cause outages even when the underlying data those
servers would return is typically unchanged.

We describe a method below for this use of stale data, balancing the
competing needs of resiliency and freshness.

This document updates the definitions of TTL from [RFC1034] and
[RFC1035] so that data can be kept in the cache beyond the TTL
expiry; it also updates [RFC2181] by interpreting values with the
high-order bit set as being positive, rather than 0, and also
suggests a cap of 7 days.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.

For a glossary of DNS terms, please see [RFC8499].

3. Background

There are a number of reasons why an authoritative server may become
unreachable, including Denial-of-Service (DoS) attacks, network
issues, and so on. If a recursive server is unable to contact the
authoritative servers for a query but still has relevant data that
has aged past its TTL, that information can still be useful for
generating an answer under the metaphorical assumption that "stale
bread is better than no bread."

[RFC1035], Section 3.2.1 says that the TTL "specifies the time
interval that the resource record may be cached before the source of
the information should again be consulted." [RFC1035], Section 4.1.3
further says that the TTL "specifies the time interval (in seconds)
that the resource record may be cached before it should be
discarded."

A natural English interpretation of these remarks would seem to be
clear enough that records past their TTL expiration must not be used.
However, [RFC1035] predates the more rigorous terminology of
[RFC2119], which softened the interpretation of "may" and "should".

[RFC2181] aimed to provide "the precise definition of the Time to
Live," but Section 8 of [RFC2181] was mostly concerned with the
numeric range of values rather than data expiration behavior. It
does, however, close that section by noting, "The TTL specifies a
maximum time to live, not a mandatory time to live." This wording
again does not contain BCP 14 key words [RFC2119], but it does convey
the natural language connotation that data becomes unusable past TTL
expiry.

As of the time of this writing, several large-scale operators use
stale data for answers in some way. A number of recursive resolver
packages, including BIND, Knot Resolver, OpenDNS, and Unbound,
provide options to use stale data. Apple macOS can also use stale
data as part of the Happy Eyeballs algorithms in mDNSResponder. The
collective operational experience is that using stale data can
provide significant benefit with minimal downside.

4. Standards Action

The definition of TTL in Sections 3.2.1 and 4.1.3 of [RFC1035] is
amended to read:

TTL a 32-bit unsigned integer number of seconds that specifies the
duration that the resource record MAY be cached before the
source of the information MUST again be consulted. Zero values
are interpreted to mean that the RR can only be used for the
transaction in progress, and should not be cached. Values
SHOULD be capped on the order of days to weeks, with a
recommended cap of 604,800 seconds (7 days). If the data is
unable to be authoritatively refreshed when the TTL expires, the
record MAY be used as though it is unexpired. See Sections 5
and 6 of [RFC8767] for details.

Interpreting values that have the high-order bit set as being
positive, rather than 0, is a change from [RFC2181], the rationale
for which is explained in Section 6. Suggesting a cap of 7 days,
rather than the 68 years allowed by the full 31 bits of Section 8 of
[RFC2181], reflects the current practice of major modern DNS
resolvers.

When returning a response containing stale records, a recursive
resolver MUST set the TTL of each expired record in the message to a
value greater than 0, with a RECOMMENDED value of 30 seconds. See
Section 6 for explanation.

Answers from authoritative servers that have a DNS response code of
either 0 (NoError) or 3 (NXDomain) and the Authoritative Answer (AA)
bit set MUST be considered to have refreshed the data at the
resolver. Answers from authoritative servers that have any other
response code SHOULD be considered a failure to refresh the data and
therefore leave any previous state intact. See Section 6 for a
discussion.
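
The rules of this section, written out as an added Python example (this is not code from the RFC or from any resolver it names; the function names and constants are this example's own): the 32-bit TTL is treated as unsigned and capped, a zero TTL is never cached, only NoError/NXDomain with AA set counts as a refresh, and an expired record goes out with a TTL of 30 rather than 0.

```python
# Added example, not part of RFC 8767. Function and constant names are assumed.

TTL_CAP = 604_800          # recommended cap from Section 4: 7 days, in seconds
STALE_RESPONSE_TTL = 30    # RECOMMENDED TTL on expired records sent to clients

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def normalize_ttl(raw: int) -> int:
    """Interpret a 32-bit TTL field as Section 4 directs.

    The field is an unsigned integer, so a value with the high-order bit set
    is positive rather than 0 (the change from RFC 2181); anything above the
    cap is clamped to it. A result of 0 means "this transaction only".
    """
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("TTL must be a 32-bit field")
    return min(raw, TTL_CAP)


def cacheable(raw: int) -> bool:
    """A 0-TTL record must not be cached, so it can never serve as stale data."""
    return normalize_ttl(raw) > 0


def refreshes_cache(rcode: int, aa: bool) -> bool:
    """Does an authoritative answer count as a refresh of the cached data?

    Only NoError or NXDomain with the AA bit set do; any other RCODE (ServFail,
    Refused, ...) leaves the previous cache state, stale or not, intact.
    """
    return aa and rcode in (RCODE_NOERROR, RCODE_NXDOMAIN)


def response_ttl(cached_ttl: int, age: int) -> int:
    """TTL to put in a response: the remaining lifetime, or STALE_RESPONSE_TTL
    (never 0) once the record has passed its TTL."""
    remaining = cached_ttl - age
    return remaining if remaining > 0 else STALE_RESPONSE_TTL
```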

5. Example Method

There is more than one way a recursive resolver could responsibly
implement this resiliency feature while still respecting the intent
of the TTL as a signal for when data is to be refreshed.

In this example method, four notable timers drive considerations for
the use of stale data:

* A client response timer, which is the maximum amount of time a
recursive resolver should allow between the receipt of a
resolution request and sending its response.

* A query resolution timer, which caps the total amount of time a
recursive resolver spends processing the query.

* A failure recheck timer, which limits the frequency at which a
failed lookup will be attempted again.

* A maximum stale timer, which caps the amount of time that records
will be kept past their expiration.

Most recursive resolvers already have the query resolution timer and,
effectively, some kind of failure recheck timer. The client response
timer and maximum stale timer are new concepts for this mechanism.

When a recursive resolver receives a request, it should start the
client response timer. This timer is used to avoid client timeouts.
It should be configurable, with a recommended value of 1.8 seconds as
being just under a common timeout value of 2 seconds while still
giving the resolver a fair shot at resolving the name.

The resolver then checks its cache for any unexpired records that
satisfy the request and returns them if available. If it finds no
relevant unexpired data and the Recursion Desired flag is not set in
the request, it should immediately return the response without
consulting the cache for expired records. Typically, this response
would be a referral to authoritative nameservers covering the zone,
but the specifics are implementation dependent.

If iterative lookups will be done, then the failure recheck timer is
consulted. Attempts to refresh from non-responsive or otherwise
failing authoritative nameservers are recommended to be done no more
frequently than every 30 seconds. If this request was received
within this period, the cache may be immediately consulted for stale
data to satisfy the request.

Outside the period of the failure recheck timer, the resolver should
start the query resolution timer and begin the iterative resolution
process. This timer bounds the work done by the resolver when
contacting external authorities and is commonly around 10 to 30
seconds. If this timer expires on an attempted lookup that is still
being processed, the resolution effort is abandoned.

If the answer has not been completely determined by the time the
client response timer has elapsed, the resolver should then check its
cache to see whether there is expired data that would satisfy the
request. If so, it adds that data to the response message with a TTL
greater than 0 (as specified in Section 4). The response is then
sent to the client while the resolver continues its attempt to
refresh the data.

When no authorities are able to be reached during a resolution
attempt, the resolver should attempt to refresh the delegation and
restart the iterative lookup process with the remaining time on the
query resolution timer. This resumption should be done only once per
resolution effort.

Outside the resolution process, the maximum stale timer is used for
cache management and is independent of the query resolution process.
This timer is conceptually different from the maximum cache TTL that
exists in many resolvers, the latter being a clamp on the value of
TTLs as received from authoritative servers and recommended to be
7 days in the TTL definition in Section 4. The maximum stale timer
should be configurable. It defines the length of time after a record
expires that it should be retained in the cache. The suggested value
is between 1 and 3 days.
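
The example method above as an added Python simulation (not the RFC's own code, nor BIND's or Unbound's): a resolver driven by the four timers, a virtual clock in place of real time, and a constructed stand-in for iterative resolution that advances that clock by however long the lookup is assumed to take. Class and function names are this example's assumptions, and the refresh that continues after a stale response is modelled sequentially rather than concurrently.

```python
from dataclasses import dataclass
from typing import Optional
# Section 5 timers (seconds). Names and values here are this example's own.
CLIENT_RESPONSE_TIMER = 1.8     # just under a common 2 s client timeout
QUERY_RESOLUTION_TIMER = 10.0   # bound on the iterative resolution effort
FAILURE_RECHECK_TIMER = 30.0    # retry failing authorities at most every 30 s
MAX_STALE_TIMER = 86_400.0      # serve expired records for at most 1 day
STALE_RESPONSE_TTL = 30         # Section 4: stale records go out with TTL > 0

class Clock:
    now = 0.0                   # virtual time, so the simulation never sleeps

@dataclass
class Answer:
    rdata: str
    ttl: int                    # TTL as it would appear in the response
    stale: bool

class FakeAuthority:
    """Constructed stand-in for iterative resolution: slow or unreachable."""
    def __init__(self, clock: Clock, zone: dict) -> None:
        self.clock, self.zone, self.reachable, self.latency = clock, zone, True, 0.25

    def __call__(self, name: str, deadline: float) -> Optional[tuple]:
        if not self.reachable:
            self.clock.now = deadline   # kept trying until the query timer expired
            return None
        self.clock.now += self.latency
        return self.zone[name]          # (rdata, ttl) as an authority would return

class ServeStaleResolver:
    def __init__(self, clock: Clock, upstream) -> None:
        self.clock, self.upstream = clock, upstream
        self.cache: dict = {}           # name -> (rdata, ttl, stored_at)
        self.last_failure: dict = {}    # name -> time of last failed refresh

    def _from_cache(self, name: str, allow_stale: bool) -> Optional[Answer]:
        if name not in self.cache:
            return None
        rdata, ttl, stored_at = self.cache[name]
        age = self.clock.now - stored_at
        if age < ttl:
            return Answer(rdata, int(ttl - age), False)
        # Expired: usable only as stale data, and only within the maximum stale timer.
        if allow_stale and age - ttl < MAX_STALE_TIMER:
            return Answer(rdata, STALE_RESPONSE_TTL, True)
        return None

    def resolve(self, name: str, rd: bool = True) -> Optional[Answer]:
        start = self.clock.now                     # client response timer starts
        fresh = self._from_cache(name, allow_stale=False)
        if fresh is not None:
            return fresh
        if not rd:
            return None           # RD=0: answer with a referral, never expired data
        last = self.last_failure.get(name)
        if last is not None and start - last < FAILURE_RECHECK_TIMER:
            return self._from_cache(name, allow_stale=True)   # stale immediately
        stale = self._from_cache(name, allow_stale=True)      # client's fallback
        result = self.upstream(name, start + QUERY_RESOLUTION_TIMER)
        elapsed = self.clock.now - start
        if result is None:                         # every authority unreachable
            self.last_failure[name] = self.clock.now
            return stale                           # None here means SERVFAIL
        self.cache[name] = (*result, self.clock.now)   # the refresh always lands
        self.last_failure.pop(name, None)
        if elapsed <= CLIENT_RESPONSE_TIMER:
            return Answer(*result, False)
        # The client got stale data when its timer fired; the refresh serves the next one.
        return stale

def scenario() -> list:
    """Constructed timeline; returns (ttl, stale) for each query."""
    clock, name = Clock(), "www.example.com."
    auth = FakeAuthority(clock, {name: ("192.0.2.1", 300)})
    r = ServeStaleResolver(clock, auth)
    out = [r.resolve(name)]               # fetched from the authority
    clock.now += 100
    out.append(r.resolve(name))           # unexpired, straight from cache
    clock.now += 300                      # now past the 300 s TTL
    auth.reachable = False
    out.append(r.resolve(name))           # outage: stale answer with TTL 30
    clock.now += 5
    out.append(r.resolve(name))           # inside recheck window: stale at once
    auth.reachable, clock.now = True, clock.now + 60
    out.append(r.resolve(name))           # outside the window: refreshed normally
    clock.now, auth.latency = clock.now + 400, 5.0   # expired again; authority slow
    out.append(r.resolve(name))           # stale at 1.8 s while the refresh continues
    out.append(r.resolve(name))           # the next client gets the refreshed record
    return [(a.ttl, a.stale) for a in out]
```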

6. Implementation Considerations

This document mainly describes the issues behind serving stale data
and intentionally does not provide a formal algorithm. The concept
is not overly complex, and the details are best left to resolver
authors to implement in their codebases. The processing of serve-
stale is a local operation, and consistent variables between
deployments are not needed for interoperability. However, we would
like to highlight the impact of various implementation choices,
starting with the timers involved.

The most obvious of these is the maximum stale timer. If this
variable is too large, it could cause excessive cache memory usage,
but if it is too small, the serve-stale technique becomes less
effective, as the record may not be in the cache to be used if
needed. Shorter values, even less than a day, can effectively handle
the vast majority of outages. Longer values, as much as a week, give
time for monitoring systems to notice a resolution problem and for
human intervention to fix it; operational experience has been that
sometimes the right people can be hard to track down and
unfortunately slow to remedy the situation.

Increased memory consumption could be mitigated by prioritizing
removal of stale records over non-expired records during cache
exhaustion. Eviction strategies could consider additional factors,
including the last time of use or the popularity of a record, to
retain active but stale records. A feature to manually flush only
stale records could also be useful.

The client response timer is another variable that deserves
consideration. If this value is too short, there exists the risk
that stale answers may be used even when the authoritative server is
actually reachable but slow; this may result in undesirable answers
being returned. Conversely, waiting too long will negatively impact
user experience.

The balance for the failure recheck timer is responsiveness in
detecting the renewed availability of authorities versus the extra
resource use for resolution. If this variable is set too large,
stale answers may continue to be returned even after the
authoritative server is reachable; per [RFC2308], Section 7, this
should be no more than 5 minutes. If this variable is too small,
authoritative servers may be targeted with a significant amount of
excess traffic.

Regarding the TTL to set on stale records in the response,
historically TTLs of 0 seconds have been problematic for some
implementations, and negative values can't effectively be
communicated to existing software. Other very short TTLs could lead
to congestive collapse as TTL-respecting clients rapidly try to
refresh. The recommended value of 30 seconds not only sidesteps
those potential problems with no practical negative consequences, it
also rate-limits further queries from any client that honors the TTL,
such as a forwarding resolver.

As for the change to treat a TTL with the high-order bit set as
positive and then clamping it, as opposed to [RFC2181] treating it as
zero, the rationale here is basically one of engineering simplicity
versus an inconsequential operational history. Negative TTLs had no
rational intentional meaning that wouldn't have been satisfied by
just sending 0 instead, and similarly there was realistically no
practical purpose for sending TTLs of 2^25 seconds (1 year) or more.
There's also no record of TTLs in the wild having the most
significant bit set in the DNS Operations, Analysis, and Research
Center's (DNS-OARC's) "Day in the Life" samples [DITL]. With no
apparent reason for operators to use them intentionally, that leaves
either errors or non-standard experiments as explanations as to why
such TTLs might be encountered, with neither providing an obviously
compelling reason as to why having the leading bit set should be
treated differently from having any of the next eleven bits set and
then capped per Section 4.

Another implementation consideration is the use of stale nameserver
addresses for lookups. This is mentioned explicitly because, in some
resolvers, getting the addresses for nameservers is a separate path
from a normal cache lookup. If authoritative server addresses are
not able to be refreshed, resolution can possibly still be successful
if the authoritative servers themselves are up. For instance,
consider an attack on a top-level domain that takes its nameservers
offline; serve-stale resolvers that had expired glue addresses for
subdomains within that top-level domain would still be able to
resolve names within those subdomains, even those it had not
previously looked up.

The directive in Section 4 that only NoError and NXDomain responses
should invalidate any previously associated answer stems from the
fact that no other RCODEs that a resolver normally encounters make
any assertions regarding the name in the question or any data
associated with it. This comports with existing resolver behavior
where a failed lookup (say, during prefetching) doesn't impact the
existing cache state. Some authoritative server operators have said
that they would prefer stale answers to be used in the event that
their servers are responding with errors like ServFail instead of
giving true authoritative answers. Implementers MAY decide to return
stale answers in this situation.

Since the goal of serve-stale is to provide resiliency for all
obvious errors to refresh data, these other RCODEs are treated as
though they are equivalent to not getting an authoritative response.
Although NXDomain for a previously existing name might well be an
error, it is not handled that way because there is no effective way
to distinguish operator intent for legitimate cases versus error
cases.

During discussion in the IETF, it was suggested that, if all
authorities return responses with an RCODE of Refused, it may be an
explicit signal to take down the zone from servers that still have
the zone's delegation pointed to them. Refused, however, is also
overloaded to mean multiple possible failures that could represent
transient configuration failures. Operational experience has shown
that purposely returning Refused is a poor way to achieve an explicit
takedown of a zone compared to either updating the delegation or
returning NXDomain with a suitable SOA for extended negative caching.
Implementers MAY nonetheless consider whether to treat all
authorities returning Refused as preempting the use of stale data.
7. Implementation Caveats

Stale data is used only when refreshing has failed in order to adhere
to the original intent of the design of the DNS and the behavior
expected by operators. If stale data were to always be used
immediately and then a cache refresh attempted after the client
response has been sent, the resolver would frequently be sending data
that it would have had no trouble refreshing. Because modern
resolvers use techniques like prefetching and request coalescing for
efficiency, it is not necessary that every client request needs to
trigger a new lookup flow in the presence of stale data, but rather
that a good-faith effort has been recently made to refresh the stale
data before it is delivered to any client.

It is important to continue the resolution attempt after the stale
response has been sent, until the query resolution timeout, because
some pathological resolutions can take many seconds to succeed as
they cope with unavailable servers, bad networks, and other problems.
Stopping the resolution attempt when the response with expired data
has been sent would mean that answers in these pathological cases
would never be refreshed.

The continuing prohibition against using data with a 0-second TTL
beyond the current transaction explicitly extends to it being
unusable even for stale fallback, as it is not to be cached at all.

Be aware that Canonical Name (CNAME) and DNAME records [RFC6672]
mingled in the expired cache with other records at the same owner
name can cause surprising results. This was observed with an initial
implementation in BIND when a hostname changed from having an IPv4
Address (A) record to a CNAME. The version of BIND being used did
not evict other types in the cache when a CNAME was received, which
in normal operations is not a significant issue. However, after both
records expired and the authorities became unavailable, the fallback
to stale answers returned the older A instead of the newer CNAME.
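
The CNAME caveat reproduced as an added Python example (not BIND's code): a cache keyed by owner name and type, run once without and once with eviction of the other types at an owner when a CNAME arrives. The hostnames, TTLs and timeline are constructed, and the class and function names are this example's own.

```python
# Added example, not part of RFC 8767 or of BIND. Names below are assumed.
from dataclasses import dataclass
from typing import Optional

MAX_STALE = 86_400      # seconds past expiry a record may still be served


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    expires: float


class TypeKeyedCache:
    """Cache keyed by (owner name, type), the layout the text describes."""
    def __init__(self, evict_on_cname: bool) -> None:
        self.evict_on_cname = evict_on_cname
        self.entries: dict = {}

    def store(self, name: str, rtype: str, rdata: str, ttl: int, now: float) -> None:
        if rtype == "CNAME" and self.evict_on_cname:
            # An owner name with a CNAME carries no other data (DNSSEC types
            # aside), so drop whatever other types are cached there, expired or not.
            for key in [k for k in self.entries if k[0] == name and k[1] != "CNAME"]:
                del self.entries[key]
        self.entries[(name, rtype)] = Record(name, rtype, rdata, now + ttl)

    def lookup(self, name: str, rtype: str, now: float, allow_stale: bool) -> Optional[Record]:
        # Exact type first, then a CNAME at the same owner, which answers any type.
        for key in ((name, rtype), (name, "CNAME")):
            rec = self.entries.get(key)
            if rec is None:
                continue
            if now < rec.expires or (allow_stale and now - rec.expires < MAX_STALE):
                return rec
        return None


def run(evict_on_cname: bool) -> tuple:
    """Constructed timeline from the caveat: the host changes from an A record
    to a CNAME, both expire, then the authorities become unreachable. Returns
    the type answered while the CNAME was fresh and the type answered stale."""
    cache = TypeKeyedCache(evict_on_cname)
    host = "host.example.com."
    cache.store(host, "A", "192.0.2.10", 300, now=0)              # old address
    cache.store(host, "CNAME", "web.example.net.", 300, now=400)  # the change
    fresh = cache.lookup(host, "A", now=500, allow_stale=False)   # normal operation
    stale = cache.lookup(host, "A", now=1000, allow_stale=True)   # outage fallback
    return (fresh.rtype, stale.rtype)
```

Without eviction the normal-operation lookup is already correct, which is why the problem only surfaced once both records had expired and stale fallback found the older A first.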

8. Implementation Status

The algorithm described in Section 5 was originally implemented as a
patch to BIND 9.7.0. It has been in use on Akamai's production
network since 2011; it effectively smoothed over transient failures
and longer outages that would have resulted in major incidents. The
patch was contributed to the Internet Systems Consortium, and the
functionality is now available in BIND 9.12 and later via the options
stale-answer-enable, stale-answer-ttl, and max-stale-ttl.

Unbound has a similar feature for serving stale answers and will
respond with stale data immediately if it has recently tried and
failed to refresh the answer by prefetching. Starting from version
1.10.0, Unbound can also be configured to follow the algorithm
described in Section 5. Both behaviors can be configured and fine-
tuned with the available serve-expired-* options.

Knot Resolver has a demo module here:
<https://knot-resolver.readthedocs.io/en/stable/modules-serve_stale.html>.

Apple's system resolvers are also known to use stale answers, but the
details are not readily available.

In the research paper "When the Dike Breaks: Dissecting DNS Defenses
During DDoS" [DikeBreaks], the authors detected some use of stale
answers by resolvers when authorities came under attack. Their
research results suggest that more widespread adoption of the
technique would significantly improve resiliency for the large number
of requests that fail or experience abnormally long resolution times
during an attack.

9. EDNS Option

During the discussion of serve-stale in the IETF, it was suggested
that an EDNS option [RFC6891] should be available. One proposal was
to use it to opt in to getting data that is possibly stale, and
another was to signal when stale data has been used for a response.

The opt-in use case was rejected, as the technique was meant to be
immediately useful in improving DNS resiliency for all clients.

The reporting case was ultimately also rejected because even the
simpler version of a proposed option was still too much bother to
implement for too little perceived value.

10. Security Considerations

The most obvious security issue is the increased likelihood of DNSSEC
validation failures when using stale data because signatures could be
returned outside their validity period. Stale negative records can
increase the time window where newly published TLSA or DS RRs may not
be used due to cached NSEC or NSEC3 records. These scenarios would
only be an issue if the authoritative servers are unreachable (the
only time the techniques in this document are used), and thus serve-
stale does not introduce a new failure in place of what would have
otherwise been success.

Additionally, bad actors have been known to use DNS caches to keep
records alive even after their authorities have gone away. The
serve-stale feature potentially makes the attack easier, although
without introducing a new risk. In addition, attackers could combine
this with a DDoS attack on authoritative servers with the explicit
intent of having stale information cached for a longer period of
time. But if attackers have this capacity, they probably could do
much worse than prolonging the life of old data.

In [CloudStrife], it was demonstrated how stale DNS data, namely
hostnames pointing to addresses that are no longer in use by the
owner of the name, can be used to co-opt security -- for example, to
get domain-validated certificates fraudulently issued to an attacker.
While this document does not create a new vulnerability in this area,
it does potentially enlarge the window in which such an attack could
be made. A proposed mitigation is that certificate authorities
should fully look up each name starting at the DNS root for every
name lookup. Alternatively, certificate authorities should use a
resolver that is not serving stale data.

11. Privacy Considerations

This document does not add any practical new privacy issues.

12. NAT Considerations

The method described here is not affected by the use of NAT devices.

13. IANA Considerations

This document has no IANA actions.

14. References

14.1. Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.

[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
<https://www.rfc-editor.org/info/rfc2181>.

[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
<https://www.rfc-editor.org/info/rfc2308>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.

14.2. Informative References

[CloudStrife]
Borgolte, K., Fiebig, T., Hao, S., Kruegel, C., and G.
Vigna, "Cloud Strife: Mitigating the Security Risks of
Domain-Validated Certificates",
DOI 10.1145/3232755.3232859, ACM 2018 Applied Networking
Research Workshop, July 2018,
<https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_06A-4_Borgolte_paper.pdf>.

[DikeBreaks]
Moura, G.C.M., Heidemann, J., Müller, M., Schmidt, R. de
O., and M. Davids, "When the Dike Breaks: Dissecting DNS
Defenses During DDoS", DOI 10.1145/3278532.3278534,
ACM 2018 Internet Measurement Conference, October 2018,
<https://www.isi.edu/~johnh/PAPERS/Moura18b.pdf>.

[DITL] DNS-OARC, "DITL Traces and Analysis", January 2018,
<https://www.dns-oarc.net/oarc/data/ditl>.

[RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012,
<https://www.rfc-editor.org/info/rfc6672>.

[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013,
<https://www.rfc-editor.org/info/rfc6891>.

[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>.

Acknowledgements

The authors wish to thank Brian Carpenter, Vladimir Cunat, Robert
Edmonds, Tony Finch, Bob Harold, Tatuya Jinmei, Matti Klock, Jason
Moreau, Giovane Moura, Jean Roy, Mukund Sivaraman, Davey Song, Paul
Vixie, Ralf Weber, and Paul Wouters for their review and feedback.
Paul Hoffman deserves special thanks for submitting a number of Pull
Requests.

Thank you also to the following members of the IESG for their final
review: Roman Danyliw, Benjamin Kaduk, Suresh Krishnan, Mirja
Kühlewind, and Adam Roach.

Authors' Addresses

David C Lawrence
Oracle

Email: tale@dd.org


Warren "Ace" Kumari
Google
1600 Amphitheatre Parkway
Mountain View, CA 94043
United States of America

Email: warren@kumari.net


Puneet Sood
Google

Email: puneets@google.com
