1 Internet Engineering Task Force (IETF) P. Hoffman
2 Request for Comments: 9499 ICANN
3 BCP: 219 K. Fujiwara
4 Obsoletes: 8499 JPRS
5 Updates: 2308 March 2024
6 Category: Best Current Practice
7 ISSN: 2070-1721
8
9
10 DNS Terminology
11
12 Abstract
13
14 The Domain Name System (DNS) is defined in literally dozens of
15 different RFCs. The terminology used by implementers and developers
16 of DNS protocols, and by operators of DNS systems, has changed in the
17 decades since the DNS was first defined. This document gives current
18 definitions for many of the terms used in the DNS in a single
19 document.
20
21 This document updates RFC 2308 by clarifying the definitions of
22 "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple
23 terms and clarifications. Comprehensive lists of changed and new
24 definitions can be found in Appendices A and B.
25
26 Status of This Memo
27
28 This memo documents an Internet Best Current Practice.
29
30 This document is a product of the Internet Engineering Task Force
31 (IETF). It represents the consensus of the IETF community. It has
32 received public review and has been approved for publication by the
33 Internet Engineering Steering Group (IESG). Further information on
34 BCPs is available in Section 2 of RFC 7841.
35
36 Information about the current status of this document, any errata,
37 and how to provide feedback on it may be obtained at
38 https://www.rfc-editor.org/info/rfc9499.
39
40 Copyright Notice
41
42 Copyright (c) 2024 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
44
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (https://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Revised BSD License text as described in Section 4.e of the
52 Trust Legal Provisions and are provided without warranty as described
53 in the Revised BSD License.
54
55 Table of Contents
56
57 1. Introduction
58 2. Names
59 3. DNS Response Codes
60 4. DNS Transactions
61 5. Resource Records
62 6. DNS Servers and Clients
63 7. Zones
64 8. Wildcards
65 9. Registration Model
66 10. General DNSSEC
67 11. DNSSEC States
68 12. Security Considerations
69 13. IANA Considerations
70 14. References
71 14.1. Normative References
72 14.2. Informative References
73 Appendix A. Definitions Updated by This Document
74 Appendix B. Definitions First Defined in This Document
75 Acknowledgements
76 Index
77 Authors' Addresses
78
79 1. Introduction
80
81 The Domain Name System (DNS) is a simple query-response protocol
82 whose messages in both directions have the same format. (Section 2
83 gives a definition of "global DNS", which is often what people mean
84 when they say "the DNS".) The protocol and message format are
85 defined in [RFC1034] and [RFC1035]. These RFCs defined some terms,
86 and later documents defined others. Some of the terms from [RFC1034]
87 and [RFC1035] have somewhat different meanings now than they did in
88 1987.
89
90 This document contains a collection of a wide variety of DNS-related
91 terms, organized loosely by topic. Some of them have been precisely
92 defined in earlier RFCs, some have been loosely defined in earlier
93 RFCs, and some are not defined in an earlier RFC at all.
94
95 Other organizations sometimes define DNS-related terms in their own
96 way. For example, the WHATWG defines "domain" at
97 <https://url.spec.whatwg.org/>. The Root Server System Advisory
98 Committee (RSSAC) has a good lexicon [RSSAC026].
99
100 Most of the definitions listed here represent the consensus
101 definition of the DNS community -- both protocol developers and
102 operators. Some of the definitions differ from earlier RFCs, and
103 those differences are noted. In this document, where the consensus
104 definition is the same as the one in an RFC, that RFC is quoted.
105 Where the consensus definition has changed somewhat, the RFC is
106 mentioned but the new stand-alone definition is given. See
107 Appendix A for a list of the definitions that this document updates.
108
109 It is important to note that, during the development of this
110 document, it became clear that some DNS-related terms are interpreted
111 quite differently by different DNS experts. Further, some terms that
112 are defined in early DNS RFCs now have definitions that are generally
113 agreed to, but that are different from the original definitions.
114 This document is a small revision to [RFC8499]; that document was a
115 substantial revision to [RFC7719].
116
117 Note that there is no single consistent definition of "the DNS". It
118 can be considered to be some combination of the following: a commonly
119 used naming scheme for objects on the Internet; a distributed
120 database representing the names and certain properties of these
121 objects; an architecture providing distributed maintenance,
122 resilience, and loose coherency for this database; and a simple
123 query-response protocol (as mentioned below) implementing this
124 architecture. Section 2 defines "global DNS" and "private DNS" as a
125 way to deal with these differing definitions.
126
127 Capitalization in DNS terms is often inconsistent among RFCs and
128 various DNS practitioners. The capitalization used in this document
129 is a best guess at current practices, and is not meant to indicate
130 that other capitalization styles are wrong or archaic. In some
131 cases, multiple styles of capitalization are used for the same term
132 due to quoting from different RFCs.
133
134 In this document, the words "byte" and "octet" are used
135 interchangeably. They appear here because they both appear in the
136 earlier RFCs that defined terms in the DNS.
137
138 Readers should note that the terms in this document are grouped by
139 topic. Someone who is not already familiar with the DNS probably
140 cannot learn about the DNS from scratch by reading this document from
141 front to back. Instead, skipping around may be the only way to get
142 enough context to understand some of the definitions. This document
143 has an index that might be useful for readers who are attempting to
144 learn the DNS by reading this document.
145
146 2. Names
147
148 Naming system: A naming system associates names with data. Naming
149 systems have many significant facets that help differentiate them
150 from each other. Some commonly identified facets include:
151
152 * Composition of names
153
154 * Format of names
155
156 * Administration of names
157
158 * Types of data that can be associated with names
159
160 * Types of metadata for names
161
162 * Protocol for getting data from a name
163
164 * Context for resolving a name
165
166 Note that this list is a small subset of facets that people have
167 identified over time for naming systems, and the IETF has yet to
168 agree on a good set of facets that can be used to compare naming
169 systems. For example, other facets might include "protocol to
170 update data in a name", "privacy of names", and "privacy of data
171 associated with names", but those are not as well defined as the
172 ones listed above. The list here is chosen because it helps
173 describe the DNS and naming systems similar to the DNS.
174
175 Domain name: An ordered list of one or more labels.
176
177 Note that this is a definition independent of the DNS RFCs
178 ([RFC1034] and [RFC1035]), and the definition here also applies to
179 systems other than the DNS. [RFC1034] defines the "domain name
180 space" using mathematical trees and their nodes in graph theory,
181 and that definition has the same practical result as the
182 definition here. Any path of a directed acyclic graph can be
183 represented by a domain name consisting of the labels of its
184 nodes, ordered by decreasing distance from the root(s) (which is
185 the normal convention within the DNS, including this document). A
186 domain name whose last label identifies a root of the graph is
187 fully qualified; other domain names whose labels form a strict
188 prefix of a fully qualified domain name are relative to its first
189 omitted node.
190
191 Also note that different IETF and non-IETF documents have used the
192 term "domain name" in many different ways. It is common for
193 earlier documents to use "domain name" to mean "names that match
194 the syntax in [RFC1035]", but possibly with additional rules such
195 as "and are, or will be, resolvable in the global DNS" or "but
196 only using the presentation format".
197
198 Label: An ordered list of zero or more octets that makes up a
199 portion of a domain name. Using graph theory, a label identifies
200 one node in a portion of the graph of all possible domain names.
201
202 Global DNS: Using the short set of facets listed in "Naming system",
203 the global DNS can be defined as follows. Most of the rules here
204 come from [RFC1034] and [RFC1035], although the term "global DNS"
205 has not been defined before now.
206
207 Composition of names: A name in the global DNS has one or more
208 labels. The length of each label is between 0 and 63 octets
209 inclusive. In a fully qualified domain name, the last label in
210 the ordered list is 0 octets long; it is the only label whose
211 length may be 0 octets, and it is called the "root" or "root
212 label". A domain name in the global DNS has a maximum total
213 length of 255 octets in the wire format; the root represents
214 one octet for this calculation. (Multicast DNS [RFC6762]
215 allows names up to 255 bytes plus a terminating zero byte based
216 on a different interpretation of RFC 1035 and what is included
217 in the 255 octets.)
218
219 Format of names: Names in the global DNS are domain names. There
220 are three formats: wire format, presentation format, and common
221 display.
222
223 Wire format: The basic wire format for names in the global DNS
224 is a list of labels ordered by decreasing distance from the
225 root, with the root label last. Each label is preceded by a
226 length octet. [RFC1035] also defines a compression scheme
227 that modifies this format.
228
229 Presentation format: The presentation format for names in the
230 global DNS is a list of labels ordered by decreasing
231 distance from the root, encoded as ASCII, with a "."
232 character between each label. In presentation format, a
233 fully qualified domain name includes the root label and the
234 associated separator dot. For example, in presentation
235 format, a fully qualified domain name with two non-root
236 labels is always shown as "example.tld." instead of
237 "example.tld". [RFC1035] defines a method for showing
238 octets that do not display in ASCII.
239
240 Common display format: The common display format is used in
241 applications and free text. It is the same as the
242 presentation format, but showing the root label and the "."
243 before it is optional and is rarely done. For example, in
244 common display format, a fully qualified domain name with
245 two non-root labels is usually shown as "example.tld"
246 instead of "example.tld.". Names in the common display
247 format are normally written such that the directionality of
248 the writing system presents labels by decreasing distance
249 from the root (so, in both English and the C programming
250 language, the root or Top-Level Domain (TLD) label in the
251 ordered list is rightmost; but in Arabic, it may be
252 leftmost, depending on local conventions).
253
254 Administration of names: Administration is specified by
255 delegation (see the definition of "delegation" in Section 7).
256 Policies for administration of the root zone in the global DNS
257 are determined by the names operational community, which
258 convenes itself in the Internet Corporation for Assigned Names
259 and Numbers (ICANN). The names operational community selects
260 the IANA Functions Operator for the global DNS root zone. The
261 name servers that serve the root zone are provided by
262 independent root operators. Other zones in the global DNS have
263 their own policies for administration.
264
265 Types of data that can be associated with names: A name can have
266 zero or more resource records associated with it. There are
267 numerous types of resource records with unique data structures
268 defined in many different RFCs and in the IANA registry at
269 [IANA_Resource_Registry].
270
271 Types of metadata for names: Any name that is published in the
272 DNS appears as a set of resource records (see the definition of
273 "RRset" in Section 5). Some names do not, themselves, have
274 data associated with them in the DNS, but they "appear" in the
275 DNS anyway because they form part of a longer name that does
276 have data associated with it (see the definition of "empty non-
277 terminals" in Section 7).
278
279 Protocol for getting data from a name: The protocol described in
280 [RFC1035].
281
282 Context for resolving a name: The global DNS root zone
283 distributed by Public Technical Identifiers (PTI).
284
285 Private DNS: Names that use the protocol described in [RFC1035] but
286 do not rely on the global DNS root zone or names that are
287 otherwise not generally available on the Internet but are using
288 the protocol described in [RFC1035]. A system can use both the
289 global DNS and one or more private DNS systems; for example, see
290 "Split DNS" in Section 6.
291
292 Note that domain names that do not appear in the DNS and that are
293 intended never to be looked up using the DNS protocol are not part
294 of the global DNS or a private DNS, even though they are domain
295 names.
296
297 Multicast DNS (mDNS): "Multicast DNS (mDNS) provides the ability to
298 perform DNS-like operations on the local link in the absence of
299 any conventional Unicast DNS server. In addition, Multicast DNS
300 designates a portion of the DNS namespace to be free for local
301 use, without the need to pay any annual fee, and without the need
302 to set up delegations or otherwise configure a conventional DNS
303 server to answer for those names." (Quoted from [RFC6762],
304 Abstract) Although it uses a compatible wire format, mDNS is,
305 strictly speaking, a different protocol than DNS. Also, where the
306 above quote says "a portion of the DNS namespace", it would be
307 clearer to say "a portion of the domain name space". The names in
308 mDNS are not intended to be looked up in the DNS.
309
310 Locally served DNS zone: A locally served DNS zone is a special case
311 of private DNS. Names are resolved using the DNS protocol in a
312 local context. [RFC6303] defines subdomains of IN-ADDR.ARPA that
313 are locally served zones. Resolution of names through locally
314 served zones may result in ambiguous results. For example, the
315 same name may resolve to different results in different locally
316 served DNS zone contexts. The context for a locally served DNS
317 zone may be explicit, such as those that are listed in [RFC6303]
318 and [RFC7793], or implicit, such as those defined by local DNS
319 administration and not known to the resolution client.
320
321 Fully Qualified Domain Name (FQDN): This is often just a clear way
322 of saying the same thing as "domain name of a node", as outlined
323 above. However, the term is ambiguous. Strictly speaking, a
324 fully qualified domain name would include every label, including
325 the zero-length label of the root; such a name would be written
326 "www.example.net." (note the terminating dot). But, because every
327 name eventually shares the common root, names are often written
328 relative to the root (such as "www.example.net") and are still
329 called "fully qualified". This term first appeared in [RFC819].
330 In this document, names are often written relative to the root.
331
332 The need for the term "fully qualified domain name" comes from the
333 existence of partially qualified domain names, which are names
334 where one or more of the last labels in the ordered list are
335 omitted (for example, a domain name of "www" relative to
336 "example.net" identifies "www.example.net"). Such relative names
337 are understood only by context.
338
339 Host name: This term and its equivalent, "hostname", have been
340 widely used but are not defined in [RFC1034], [RFC1035],
341 [RFC1123], or [RFC2181]. The DNS was originally deployed into the
342 Host Tables environment as outlined in [RFC952], and it is likely
343 that the term followed informally from the definition there. Over
344 time, the definition seems to have shifted. "Host name" is often
345 meant to be a domain name that follows the rules in Section 3.5 of
346 [RFC1034], which is also called the "preferred name syntax". (In
347 that syntax, every character in each label is a letter, a digit,
348 or a hyphen). Note that any label in a domain name can contain
349 any octet value; hostnames are generally considered to be domain
350 names where every label follows the rules in the "preferred name
351 syntax", with the amendment that labels can start with ASCII
352 digits (this amendment comes from Section 2.1 of [RFC1123]).
353
354 People also sometimes use the term "hostname" to refer to just the
355 first label of an FQDN, such as "printer" in
356 "printer.admin.example.com". (Sometimes this is formalized in
357 configuration in operating systems.) In addition, people
358 sometimes use this term to describe any name that refers to a
359 machine, and those might include labels that do not conform to the
360 "preferred name syntax".
361
362 Top-Level Domain (TLD): A Top-Level Domain is a zone that is one
363 layer below the root, such as "com" or "jp". There is nothing
364 special, from the point of view of the DNS, about TLDs. Most of
365 them are also delegation-centric zones (defined in Section 7), and
366 there are significant policy issues around their operation. TLDs
367 are often divided into sub-groups such as Country Code Top-Level
368 Domains (ccTLDs), Generic Top-Level Domains (gTLDs), and others;
369 the division is a matter of policy and beyond the scope of this
370 document.
371
372 Internationalized Domain Name (IDN): The Internationalized Domain
373 Names for Applications (IDNA) protocol is the standard mechanism
374 for handling domain names with non-ASCII characters in
375 applications in the DNS. The current standard at the time of this
376 writing, normally called "IDNA2008", is defined in [RFC5890],
377 [RFC5891], [RFC5892], [RFC5893], and [RFC5894]. These documents
378 define many IDN-specific terms such as "LDH label", "A-label", and
379 "U-label". [RFC6365] defines more terms that relate to
380 internationalization (some of which relate to IDNs); [RFC6055] has
381 a much more extensive discussion of IDNs, including some new
382 terminology.
383
384 Subdomain: "A domain is a subdomain of another domain if it is
385 contained within that domain. This relationship can be tested by
386 seeing if the subdomain's name ends with the containing domain's
387 name." (Quoted from [RFC1034], Section 3.1) For example, in the
388 host name "nnn.mmm.example.com", both "mmm.example.com" and
389 "nnn.mmm.example.com" are subdomains of "example.com". Note that
390 the comparisons here are done on whole labels; that is,
391 "ooo.example.com" is not a subdomain of "oo.example.com".
392
393 Alias: The owner of a CNAME resource record, or a subdomain of the
394 owner of a DNAME resource record (DNAME records are defined in
395 [RFC6672]). See also "canonical name".
396
397 Canonical name: A CNAME resource record "identifies its owner name
398 as an alias, and specifies the corresponding canonical name in the
399 RDATA section of the RR." (Quoted from [RFC1034], Section 3.6.2)
400 This usage of the word "canonical" is related to the mathematical
401 concept of "canonical form".
402
403 CNAME: "It has been traditional to refer to the [owner] of a CNAME
404 record as 'a CNAME'. This is unfortunate, as 'CNAME' is an
405 abbreviation of 'canonical name', and the [owner] of a CNAME
406 record is most certainly not a canonical name." (Quoted from
407 [RFC2181], Section 10.1.1. The quoted text has been changed from
408 "label" to "owner".)
409
410 3. DNS Response Codes
411
412 Some of the response codes (RCODEs) that are defined in [RFC1035]
413 have acquired their own shorthand names. All of the RCODEs are
414 listed at [IANA_Resource_Registry], although that list uses mixed-
415 case capitalization, while most documents use all caps. Some of the
416 common names for values defined in [RFC1035] are described in this
417 section. This section also includes an additional RCODE and a
418 general definition. The official list of all RCODEs is in the IANA
419 registry.
420
421 NOERROR: This RCODE appears as "No error condition" in Section 4.1.1
422 of [RFC1035].
423
424 FORMERR: This RCODE appears as "Format error - The name server was
425 unable to interpret the query" in Section 4.1.1 of [RFC1035].
426
427 SERVFAIL: This RCODE appears as "Server failure - The name server
428 was unable to process this query due to a problem with the name
429 server" in Section 4.1.1 of [RFC1035].
430
431 NXDOMAIN: This RCODE appears as "Name Error [...] this code
432 signifies that the domain name referenced in the query does not
433 exist." in Section 4.1.1 of [RFC1035]. [RFC2308] established
434 NXDOMAIN as a synonym for Name Error.
435
436 NOTIMP: This RCODE appears as "Not Implemented - The name server
437 does not support the requested kind of query" in Section 4.1.1 of
438 [RFC1035].
439
440 REFUSED: This RCODE appears as "Refused - The name server refuses to
441 perform the specified operation for policy reasons. For example,
442 a name server may not wish to provide the information to the
443 particular requester, or a name server may not wish to perform a
444 particular operation (e.g., zone transfer) for particular data."
445 in Section 4.1.1 of [RFC1035].
446
447 NODATA: "A pseudo RCODE which indicates that the name is valid, for
448 the given class, but [there] are no records of the given type. A
449 NODATA response has to be inferred from the answer." (Quoted from
450 [RFC2308], Section 1) "NODATA is indicated by an answer with the
451 RCODE set to NOERROR and no relevant answers in the Answer
452 section. The Authority section will contain an SOA record, or
453 there will be no NS records there." (Quoted from [RFC2308],
454 Section 2.2) Note that referrals have a similar format to NODATA
455 replies; [RFC2308] explains how to distinguish them.
456
457 The term "NXRRSET" is sometimes used as a synonym for NODATA.
458 However, this is a mistake, given that NXRRSET is a specific error
459 code defined in [RFC2136].
460
461 Negative response: A response that indicates that a particular RRset
462 does not exist or whose RCODE indicates that the nameserver cannot
463 answer. Sections 2 and 7 of [RFC2308] describe the types of
464 negative responses in detail.
465
466 4. DNS Transactions
467
468 The header of a DNS message is its first 12 octets. Many of the
469 fields and flags in the diagrams in Sections 4.1.1 through 4.1.3 of
470 [RFC1035] are referred to by their names in each diagram. For
471 example, the response codes are called "RCODEs", the data for a
472 record is called the "RDATA", and the authoritative answer bit is
473 often called "the AA flag" or "the AA bit".
474
475 Class: A class "identifies a protocol family or instance of a
476 protocol". (Quoted from [RFC1034], Section 3.6) "The DNS tags all
477 data with a class as well as the type, so that we can allow
478 parallel use of different formats for data of type address."
479 (Quoted from [RFC1034], Section 2.2) In practice, the class for
480 nearly every query is "IN" (the Internet). There are some queries
481 for "CH" (the Chaos class), but they are usually for the purposes
482 of information about the server itself rather than for a different
483 type of address.
484
485 QNAME: The most commonly used rough definition is that the QNAME is
486 a field in the Question section of a query. "A standard query
487 specifies a target domain name (QNAME), query type (QTYPE), and
488 query class (QCLASS) and asks for RRs which match." (Quoted from
489 [RFC1034], Section 3.7.1) Strictly speaking, the definition comes
490 from [RFC1035], Section 4.1.2, where the QNAME is defined in
491 respect of the Question section. This definition appears to be
492 applied consistently, as the discussion of inverse queries in
493 Section 6.4.1 of [RFC1035] refers to the "owner name of the query
494 RR and its TTL" because inverse queries populate the Answer
495 section and leave the Question section empty. (Inverse queries
496 are deprecated in [RFC3425]; thus, relevant definitions do not
497 appear in this document.)
498
499 However, [RFC2308] has an alternate definition that puts the QNAME
500 in the answer (or series of answers) instead of the query. It
501 defines QNAME as "...the name in the query section of an answer,
502 or where this resolves to a CNAME, or CNAME chain, the data field
503 of the last CNAME. The last CNAME in this sense is that which
504 contains a value which does not resolve to another CNAME." This
505 definition has a certain internal logic, because of the way CNAME
506 substitution works and the definition of CNAME. If a name server
507 does not find an RRset that matches a query, but does find the
508 same name in the same class with a CNAME record, then the name
509 server "includes the CNAME record in the response and restarts the
510 query at the domain name specified in the data field of the CNAME
511 record." (Quoted from [RFC1034], Section 3.6.2) This is made
512 explicit in the resolution algorithm outlined in Section 4.3.2 of
513 [RFC1034], which says to "change QNAME to the canonical name in
514 the CNAME RR, and go back to step 1" in the case of a CNAME RR.
515 Since a CNAME record explicitly declares that the owner name is
516 canonically named what is in the RDATA, then there is a way to
517 view the new name (i.e., the name that was in the RDATA of the
518 CNAME RR) as also being the QNAME.
519
520 However, this creates confusion because the response to a query
521 that results in CNAME processing contains in the echoed Question
522 section one QNAME (the name in the original query) and a second
523 QNAME that is in the data field of the last CNAME. The confusion
524 comes from the iterative/recursive mode of resolution, which
525 finally returns an answer that need not actually have the same
526 owner name as the QNAME contained in the original query.
527
528 To address this potential confusion, it is helpful to distinguish
529 between three meanings:
530
531 QNAME (original): The name actually sent in the Question section
532 in the original query, which is always echoed in the (final)
533 reply in the Question section when the QR bit is set to 1.
534
535 QNAME (effective): A name actually resolved, which is either the
536 name originally queried or a name received in a CNAME chain
537 response.
538
539 QNAME (final): The name actually resolved, which is either the
540 name actually queried or else the last name in a CNAME chain
541 response.
542
543 Note that, because the definition in [RFC2308] is actually for a
544 different concept than what was in [RFC1034], it would have been
545 better if [RFC2308] had used a different name for that concept.
546 In general use today, QNAME almost always means what is defined
547 above as "QNAME (original)".
548
549 Referrals: A type of response in which a server, signaling that it
550 is not (completely) authoritative for an answer, provides the
551 querying resolver with an alternative place to send its query.
552 Referrals can be partial.
553
554 A referral arises when a server is not performing recursive
555 service while answering a query. It appears in step 3(b) of the
556 algorithm in [RFC1034], Section 4.3.2.
557
558 There are two types of referral response. The first is a downward
559 referral (sometimes described as "delegation response"), where the
560 server is authoritative for some portion of the QNAME. The
561 Authority section RRset's RDATA contains the name servers
562 specified at the referred-to zone cut. In normal DNS operation,
563 this kind of response is required in order to find names beneath a
564 delegation. The bare use of "referral" means this kind of
565 referral, and many people believe that this is the only legitimate
566 kind of referral in the DNS.
567
568 The second is an upward referral (sometimes described as "root
569 referral"), where the server is not authoritative for any portion
570 of the QNAME. When this happens, the referred-to zone in the
571 Authority section is usually the root zone ("."). In normal DNS
572 operation, this kind of response is not required for resolution or
573 for correctly answering any query. There is no requirement that
574 any server send upward referrals. Some people regard upward
575 referrals as a sign of a misconfiguration or error. Upward
576 referrals always need some sort of qualifier (such as "upward" or
577 "root") and are never identified simply by the word "referral".
578
579 A response that has only a referral contains an empty Answer
580 section. It contains the NS RRset for the referred-to zone in the
581 Authority section. It may contain RRs that provide addresses in
582 the Additional section. The AA bit is clear.
583
584 In the case where the query matches an alias, and the server is
585 not authoritative for the target of the alias but is authoritative
586 for some name above the target of the alias, the resolution
587 algorithm will produce a response that contains both the
588 authoritative answer for the alias and a referral. Such a partial
589 answer and referral response has data in the Answer section. It
590 has the NS RRset for the referred-to zone in the Authority
591 section. It may contain RRs that provide addresses in the
592 Additional section. The AA bit is set because the first name in
593 the Answer section matches the QNAME and the server is
594 authoritative for that answer (see [RFC1035], Section 4.1.1).
595
596 5. Resource Records
597
598 RR: An acronym for resource record. (See [RFC1034], Section 3.6.)
599
600 RRset: A set of resource records "with the same label, class and
601 type, but with different data" (according to [RFC2181],
602 Section 5). Also written as "RRSet" in some documents. As a
603 clarification, "same label" in this definition means "same owner
604 name". In addition, [RFC2181] states that "the TTLs of all RRs in
605 an RRSet must be the same".
606
607 Note that RRSIG resource records do not match this definition.
608 [RFC4035] says:
609
610 An RRset MAY have multiple RRSIG RRs associated with it. Note
611 that as RRSIG RRs are closely tied to the RRsets whose
612 signatures they contain, RRSIG RRs, unlike all other DNS RR
613 types, do not form RRsets. In particular, the TTL values among
614 RRSIG RRs with a common owner name do not follow the RRset
615 rules described in [RFC2181].
616
617 Master file: "Master files are text files that contain RRs in text
618 form. Since the contents of a zone can be expressed in the form
619 of a list of RRs a master file is most often used to define a
620 zone, though it can be used to list a cache's contents." (Quoted
621 from [RFC1035], Section 5) Master files are sometimes called "zone
622 files".
623
624 Presentation format: The text format used in master files. This
625 format is shown but not formally defined in [RFC1034] or
626 [RFC1035]. The term "presentation format" first appears in
627 [RFC4034].
628
629 EDNS: The extension mechanisms for DNS, defined in [RFC6891].
630 Sometimes called "EDNS0" or "EDNS(0)" to indicate the version
631 number. EDNS allows DNS clients and servers to specify message
632 sizes larger than the original 512-octet limit, to expand the
633 response code space, and to carry additional options that affect
634 the handling of a DNS query.
635
636 OPT: A pseudo-RR (sometimes called a "meta-RR") that is used only to
637 contain control information pertaining to the question-and-answer
638 sequence of a specific transaction. (Definition paraphrased from
639 [RFC6891], Section 6.1.1.) It is used by EDNS.
640
641 Owner: "The domain name where the RR is found." (Quoted from
642 [RFC1034], Section 3.6) Often appears in the term "owner name".
643
644 SOA field names: DNS documents, including the definitions here,
645 often refer to the fields in the RDATA of an SOA resource record
646 by field name. "SOA" stands for "start of a zone of authority".
647 Those fields are defined in Section 3.3.13 of [RFC1035]. The
648 names (in the order they appear in the SOA RDATA) are MNAME,
649 RNAME, SERIAL, REFRESH, RETRY, EXPIRE, and MINIMUM. Note that the
650 meaning of the MINIMUM field is updated in Section 4 of [RFC2308];
651 the new definition is that the MINIMUM field is only "the TTL to
652 be used for negative responses". This document tends to use field
653 names instead of terms that describe the fields.
654
655 TTL: The maximum "time to live" of a resource record. "A TTL value
656 is an unsigned number, with a minimum value of 0, and a maximum
657 value of 2147483647. That is, a maximum of 2^31 - 1. When
658 transmitted, this value shall be encoded in the less significant
659 31 bits of the 32 bit TTL field, with the most significant, or
660 sign, bit set to zero." (Quoted from [RFC2181], Section 8) Note
661 that [RFC1035] erroneously stated that this is a signed integer;
662 that was fixed by [RFC2181].
663
664 The TTL "specifies the time interval that the resource record may
665 be cached before the source of the information should again be
666 consulted." (Quoted from [RFC1035], Section 3.2.1) Section 4.1.3
667 of [RFC1035] states "the time interval (in seconds) that the
668 resource record may be cached before it should be discarded".
669 Despite being defined for a resource record, the TTL of every
670 resource record in an RRset is required to be the same ([RFC2181],
671 Section 5.2).
672
673 The reason that the TTL is the maximum time to live is that a
674 cache operator might decide to shorten the time to live for
675 operational purposes, for example, if there is a policy to
676 disallow TTL values over a certain number. Some servers are known
677 to ignore the TTL on some RRsets (such as when the authoritative
678 data has a very short TTL) even though this is against the advice
679 in [RFC1035]. An RRset can be flushed from the cache before the
680 end of the TTL interval, at which point, the value of the TTL
681 becomes unknown because the RRset with which it was associated no
682 longer exists.
683
684 There is also the concept of a "default TTL" for a zone, which can
685 be a configuration parameter in the server software. This is
686 often expressed by a default for the entire server, and a default
687 for a zone using the $TTL directive in a zone file. The $TTL
688 directive was added to the master file format by [RFC2308].
689
690 Class independent: A resource record type whose syntax and semantics
691 are the same for every DNS class. A resource record type that is
692 not class independent has different meanings, depending on the DNS
693 class of the record or if the meaning is undefined for some
694 classes. Most resource record types are defined for class 1 (IN,
695 the Internet), but many are undefined for other classes.
696
697 Address records: Records whose type is either A or AAAA. [RFC2181]
698 informally defines these as "(A, AAAA, etc)". Note that new types
699 of address records could be defined in the future.
700
701 6. DNS Servers and Clients
702
703 This section defines the terms used for the systems that act as DNS
704 clients, DNS servers, or both. In past RFCs, DNS servers are
705 sometimes called "name servers", "nameservers", or just "servers".
706 There is no formal definition of "DNS server", but RFCs generally
707 assume that it is an Internet server that listens for queries and
708 sends responses using the DNS protocol defined in [RFC1035] and its
709 successors.
710
711 It is important to note that the terms "DNS server" and "name server"
712 require context in order to understand the services being provided.
713 Both authoritative servers and recursive resolvers are often called
714 "DNS servers" and "name servers" even though they serve different
715 roles (but may be part of the same software package).
716
717 For terminology specific to the global DNS root server system, see
718 [RSSAC026]. That document defines terms such as "root server", "root
719 server operator", and terms that are specific to the way that the
720 root zone of the global DNS is served.
721
722 Resolver: A program "that extract[s] information from name servers
723 in response to client requests." (Quoted from [RFC1034],
724 Section 2.4) A resolver performs queries for a name, type, and
725 class, and receives responses. The logical function is called
726 "resolution". In practice, the term is usually referring to some
727 specific type of resolver (some of which are defined below), and
728 understanding the use of the term depends on understanding the
729 context.
730
731 A related term is "resolve", which is not formally defined in
732 [RFC1034] or [RFC1035]. An imputed definition might be "asking a
733 question that consists of a domain name, class, and type, and
734 receiving some sort of response". Similarly, an imputed
735 definition of "resolution" might be "the response received from
736 resolving".
737
738 Stub resolver: A resolver that cannot perform all resolution itself.
739 Stub resolvers generally depend on a recursive resolver to
740 undertake the actual resolution function. Stub resolvers are
741 discussed but never fully defined in Section 5.3.1 of [RFC1034].
742 They are fully defined in Section 6.1.3.1 of [RFC1123].
743
744 Iterative mode: A resolution mode of a server that receives DNS
745 queries and responds with a referral to another server.
746 Section 2.3 of [RFC1034] describes this as "The server refers the
747 client to another server and lets the client pursue the query." A
748 resolver that works in iterative mode is sometimes called an
749 "iterative resolver". See also "iterative resolution" later in
750 this section.
751
752 Recursive mode: A resolution mode of a server that receives DNS
753 queries and either responds to those queries from a local cache or
754 sends queries to other servers in order to get the final answers
755 to the original queries. Section 2.3 of [RFC1034] describes this
756 as "the first server pursues the query for the client at another
757 server". Section 4.3.1 of [RFC1034] says: "in [recursive] mode
758 the name server acts in the role of a resolver and returns either
759 an error or the answer, but never referrals." That same section
760 also says:
761
762 The recursive mode occurs when a query with RD set arrives at a
763 server which is willing to provide recursive service; the
764 client can verify that recursive mode was used by checking that
765 both RA and RD are set in the reply.
766
767 A server operating in recursive mode may be thought of as having a
768 name server side (which is what answers the query) and a resolver
769 side (which performs the resolution function). Systems operating
770 in this mode are commonly called "recursive servers". Sometimes
771 they are called "recursive resolvers". In practice, it is not
772 possible to know in advance whether the server that one is
773 querying will also perform recursion; both terms can be observed
774 in use interchangeably.
775
776 Recursive resolver: A resolver that acts in recursive mode. In
777 general, a recursive resolver is expected to cache the answers it
778 receives (which would make it a full-service resolver), but some
779 recursive resolvers might not cache.
780
781 [RFC4697] tried to differentiate between a recursive resolver and
782 an iterative resolver.
783
784 Recursive query: A query with the Recursion Desired (RD) bit set to
785 1 in the header. (See Section 4.1.1 of [RFC1035].) If recursive
786 service is available and is requested by the RD bit in the query,
787 the server uses its resolver to answer the query. (See
788 Section 4.3.2 of [RFC1034].)
789
790 Non-recursive query: A query with the Recursion Desired (RD) bit set
791 to 0 in the header. A server can answer non-recursive queries
792 using only local information: the response contains either an
793 error, the answer, or a referral to some other server "closer" to
794 the answer. (See Section 4.3.1 of [RFC1034].)
795
796 Iterative resolution: A name server may be presented with a query
797 that can only be answered by some other server. The two general
798 approaches to dealing with this problem are "recursive", in which
799 the first server pursues the query on behalf of the client at
800 another server, and "iterative", in which the server refers the
801 client to another server and lets the client pursue the query
802 there. (See Section 2.3 of [RFC1034].)
803
804 In iterative resolution, the client repeatedly makes non-recursive
805 queries and follows referrals and/or aliases. The iterative
806 resolution algorithm is described in Section 5.3.3 of [RFC1034].
807
808 Full resolver: This term is used in [RFC1035], but it is not defined
809 there. RFC 1123 defines a "full-service resolver" that may or may
810 not be what was intended by "full resolver" in [RFC1035]. This
811 term is not properly defined in any RFC, and there is no consensus
812 on what the term means. The use of this term without proper
813 context is discouraged.
814
815 Full-service resolver: Section 6.1.3.1 of [RFC1123] defines this
816 term as a resolver that acts in recursive mode with a cache (and
817 meets other requirements).
818
819 Priming: "The act of finding the list of root servers from a
820 configuration that lists some or all of the purported IP addresses
821 of some or all of those root servers." (Quoted from [RFC8109],
822 Section 2) In order to operate in recursive mode, a resolver needs
823 to know the address of at least one root server. Priming is most
824 often done from a configuration setting that contains a list of
825 authoritative servers for the root zone.
826
827 Root hints: "Operators who manage a DNS recursive resolver typically
828 need to configure a 'root hints file'. This file contains the
829 names and IP addresses of the authoritative name servers for the
830 root zone, so the software can bootstrap the DNS resolution
831 process. For many pieces of software, this list comes built into
832 the software." (Quoted from [IANA_RootFiles]) This file is often
833 used in priming.
834
835 Negative caching: "The storage of knowledge that something does not
836 exist, cannot or does not give an answer." (Quoted from
837 [RFC2308], Section 1)
838
839 Authoritative server: "A server that knows the content of a DNS zone
840 from local knowledge, and thus can answer queries about that zone
841 without needing to query other servers." (Quoted from [RFC2182],
842 Section 2) An authoritative server is named in the NS ("name
843 server") record in a zone. It is a system that responds to DNS
844 queries with information about zones for which it has been
845 configured to answer with the AA flag in the response header set
846 to 1. It is a server that has authority over one or more DNS
847 zones. Note that it is possible for an authoritative server to
848 respond to a query without the parent zone delegating authority to
849 that server. Authoritative servers also provide "referrals",
850 usually to child zones delegated from them; these referrals have
851 the AA bit set to 0 and come with referral data in the Authority
852 and (if needed) the Additional sections.
853
854 Authoritative-only server: A name server that only serves
855 authoritative data and ignores requests for recursion. It will
856 "not normally generate any queries of its own. Instead it answers
857 non-recursive queries from iterative resolvers looking for
858 information in zones it serves." (Quoted from [RFC4697],
859 Section 2.4) In this case, "ignores requests for recursion" means
860 "responds to requests for recursion with responses indicating that
861 recursion was not performed".
862
863 Zone transfer: The act of a client requesting a copy of a zone and
864 an authoritative server sending the needed information. (See
865 Section 7 for a description of zones.) There are two common
866 standard ways to do zone transfers: the AXFR ("Authoritative
867 Transfer") mechanism to copy the full zone (described in
868 [RFC5936], and the IXFR ("Incremental Transfer") mechanism to copy
869 only parts of the zone that have changed (described in [RFC1995]).
870 Many systems use non-standard methods for zone transfers outside
871 the DNS protocol.
872
873 Slave server: See "Secondary server".
874
875 Secondary server: "An authoritative server which uses zone transfer
876 to retrieve the zone." (Quoted from [RFC1996], Section 2.1)
877 Secondary servers are also discussed in [RFC1034]. [RFC2182]
878 describes secondary servers in more detail. Although early DNS
879 RFCs such as [RFC1996] referred to this as a "slave", the current
880 common usage has shifted to calling it a "secondary".
881
882 Master server: See "Primary server".
883
884 Primary server: "Any authoritative server configured to be the
885 source of zone transfer for one or more [secondary] servers."
886 (Quoted from [RFC1996], Section 2.1) Or, more specifically,
887 [RFC2136] calls it "an authoritative server configured to be the
888 source of AXFR or IXFR data for one or more [secondary] servers".
889 Primary servers are also discussed in [RFC1034]. Although early
890 DNS RFCs such as [RFC1996] referred to this as a "master", the
891 current common usage has shifted to "primary".
892
893 Primary master: "The primary master is named in the zone's SOA MNAME
894 field and optionally by an NS RR." (Quoted from [RFC1996],
895 Section 2.1) [RFC2136] defines "primary master" as "Master server
896 at the root of the AXFR/IXFR dependency graph. The primary master
897 is named in the zone's SOA MNAME field and optionally by an NS RR.
898 There is by definition only one primary master server per zone."
899
900 The idea of a primary master is only used in [RFC1996] and
901 [RFC2136]. A modern interpretation of the term "primary master"
902 is a server that is both authoritative for a zone and that gets
903 its updates to the zone from configuration (such as a master file)
904 or from UPDATE transactions.
905
906 Stealth server: This is "like a slave server except not listed in an
907 NS RR for the zone." (Quoted from [RFC1996], Section 2.1)
908
909 Hidden master: A stealth server that is a primary server for zone
910 transfers. "In this arrangement, the master name server that
911 processes the updates is unavailable to general hosts on the
912 Internet; it is not listed in the NS RRset." (Quoted from
913 [RFC6781], Section 3.4.3) [RFC4641] said that the hidden master's
914 name "appears in the SOA RRs MNAME field"; however, the name does
915 not appear at all in the global DNS in some setups. A hidden
916 master can also be a secondary server for the zone itself.
917
918 Forwarding: The process of one server sending a DNS query with the
919 RD bit set to 1 to another server to resolve that query.
920 Forwarding is a function of a DNS resolver; it is different than
921 simply blindly relaying queries.
922
923 [RFC5625] does not give a specific definition for forwarding, but
924 describes in detail what features a system that forwards needs to
925 support. Systems that forward are sometimes called "DNS proxies",
926 but that term has not yet been defined (even in [RFC5625]).
927
928 Forwarder: Section 1 of [RFC2308] describes a forwarder as "a
929 nameserver used to resolve queries instead of directly using the
930 authoritative nameserver chain". [RFC2308] further says "The
931 forwarder typically either has better access to the internet, or
932 maintains a bigger cache which may be shared amongst many
933 resolvers." That definition appears to suggest that forwarders
934 normally only query authoritative servers. In current use,
935 however, forwarders often stand between stub resolvers and
936 recursive servers. [RFC2308] is silent on whether a forwarder is
937 iterative-only or can be a full-service resolver.
938
939 Policy-implementing resolver: A resolver acting in recursive mode
940 that changes some of the answers that it returns based on policy
941 criteria, such as to prevent access to malware sites or
942 objectionable content. In general, a stub resolver has no idea
943 whether upstream resolvers implement such policy or, if they do,
944 the exact policy about what changes will be made. In some cases,
945 the user of the stub resolver has selected the policy-implementing
946 resolver with the explicit intention of using it to implement the
947 policies. In other cases, policies are imposed without the user
948 of the stub resolver being informed.
949
950 Open resolver: A full-service resolver that accepts and processes
951 queries from any (or nearly any) client. This is sometimes also
952 called a "public resolver", although the term "public resolver" is
953 used more with open resolvers that are meant to be open, as
954 compared to the vast majority of open resolvers that are probably
955 misconfigured to be open. Open resolvers are discussed in
956 [RFC5358].
957
958 Split DNS: The terms "split DNS" and "split-horizon DNS" have long
959 been used in the DNS community without formal definition. In
960 general, they refer to situations in which DNS servers that are
961 authoritative for a particular set of domains provide partly or
962 completely different answers in those domains depending on the
963 source of the query. Nevertheless, the effect of this is that a
964 domain name that is notionally globally unique has different
965 meanings for different network users. This can sometimes be the
966 result of a "view" configuration, as described below.
967
968 Section 3.8 of [RFC2775] gives a related definition that is too
969 specific to be generally useful.
970
971 View: A configuration for a DNS server that allows it to provide
972 different responses depending on attributes of the query, such as
973 for "split DNS". Typically, views differ by the source IP address
974 of a query, but can also be based on the destination IP address,
975 the type of query (such as AXFR), whether it is recursive, and so
976 on. Views are often used to provide more names or different
977 addresses to queries from "inside" a protected network than to
978 those "outside" that network. Views are not a standardized part
979 of the DNS, but they are widely implemented in server software.
980
981 Passive DNS: A mechanism to collect DNS data by storing DNS
982 responses from name servers. Some of these systems also collect
983 the DNS queries associated with the responses, although doing so
984 raises some privacy concerns. Passive DNS databases can be used
985 to answer historical questions about DNS zones, such as which
986 values were present at a given time in the past, or when a name
987 was spotted first. Passive DNS databases allow searching of the
988 stored records on keys other than just the name and type, such as
989 "find all names which have A records of a particular value".
990
991 Anycast: "The practice of making a particular service address
992 available in multiple, discrete, autonomous locations, such that
993 datagrams sent are routed to one of several available locations."
994 (Quoted from [RFC4786], Section 2) See [RFC4786] for more detail
995 on Anycast and other terms that are specific to its use.
996
997 Instance: "When anycast routing is used to allow more than one
998 server to have the same IP address, each one of those servers is
999 commonly referred to as an 'instance'." It goes on to say: "An
1000 instance of a server, such as a root server, is often referred to
1001 as an 'Anycast instance'." (Quoted from [RSSAC026])
1002
1003 Privacy-enabling DNS server: "A DNS server that implements DNS over
1004 TLS [RFC7858] and may optionally implement DNS over DTLS
1005 [RFC8094]." (Quoted from [RFC8310], Section 2) Other types of DNS
1006 servers might also be considered privacy-enabling, such as those
1007 running DNS-over-HTTPS [RFC8484] or DNS-over-QUIC [RFC9250].
1008
1009 DNS-over-TLS (DoT): DNS over TLS as defined in [RFC7858] and its
1010 successors.
1011
1012 DNS-over-HTTPS (DoH): DNS over HTTPS as defined in [RFC8484] and its
1013 successors.
1014
1015 DNS-over-QUIC (DoQ): DNS over QUIC as defined in [RFC9250] and its
1016 successors. [RFC9250] specifically defines DoQ as general-purpose
1017 transport for DNS that can be used in stub to recursive, recursive
1018 to authoritative, and zone transfer scenarios.
1019
1020 Classic DNS: DNS over UDP or DNS over TCP as defined in [RFC1035]
1021 and its successors. Classic DNS applies to DNS communication
1022 between stub resolvers and recursive resolvers, and between
1023 recursive resolvers and authoritative servers. This has sometimes
1024 been called "Do53". Classic DNS is not encrypted.
1025
1026 Recursive DoT (RDoT): RDoT specifically means DNS-over-TLS for
1027 transport between a stub resolver and a recursive resolver, or
1028 between a recursive resolver and another recursive resolver. This
1029 term is necessary because it is expected that DNS-over-TLS will
1030 later be defined as a transport between recursive resolvers and
1031 authoritative servers.
1032
1033 Authoritative DoT (ADoT): If DNS-over-TLS is later defined as a
1034 transport between recursive resolvers and authoritative servers,
1035 ADoT specifically means DNS-over-TLS for transport between
1036 recursive resolvers and authoritative servers.
1037
1038 XFR-over-TLS (XoT): DNS zone transfer over TLS, as specified in
1039 [RFC9103]. This term applies to both AXFR over TLS (AXoT) and
1040 IXFR over TLS (IXoT).
1041
1042 7. Zones
1043
1044 This section defines terms that are used when discussing zones that
1045 are being served or retrieved.
1046
1047 Zone: "Authoritative information is organized into units called
1048 ZONEs, and these zones can be automatically distributed to the
1049 name servers which provide redundant service for the data in a
1050 zone." (Quoted from [RFC1034], Section 2.4)
1051
1052 Child: "The entity on record that has the delegation of the domain
1053 from the Parent." (Quoted from [RFC7344], Section 1.1)
1054
1055 Parent: "The domain in which the Child is registered." (Quoted from
1056 [RFC7344], Section 1.1) Earlier, "parent name server" was defined
1057 in [RFC0882] as "the name server that has authority over the place
1058 in the domain name space that will hold the new domain". (Note
1059 that [RFC0882] was obsoleted by [RFC1034] and [RFC1035].)
1060 [RFC819] also has some description of the relationship between
1061 parents and children.
1062
1063 Origin:
1064
1065 There are two different uses for this term:
1066
1067 (a) "The domain name that appears at the top of a zone (just
1068 below the cut that separates the zone from its parent)... The
1069 name of the zone is the same as the name of the domain at the
1070 zone's origin." (Quoted from [RFC2181], Section 6) These
1071 days, this sense of "origin" and "apex" (defined below) are
1072 often used interchangeably.
1073
1074 (b) The domain name within which a given relative domain name
1075 appears in zone files. Generally seen in the context of
1076 "$ORIGIN", which is a control entry defined in [RFC1035],
1077 Section 5.1, as part of the master file format. For example,
1078 if the $ORIGIN is set to "example.org.", then a master file
1079 line for "www" is in fact an entry for "www.example.org.".
1080
1081 Apex: The point in the tree at an owner of an SOA and corresponding
1082 authoritative NS RRset. This is also called the "zone apex".
1083 [RFC4033] defines it as "the name at the child's side of a zone
1084 cut". The "apex" can usefully be thought of as a data-theoretic
1085 description of a tree structure, and "origin" is the name of the
1086 same concept when it is implemented in zone files. The
1087 distinction is not always maintained in use, however, and one can
1088 find uses that conflict subtly with this definition. [RFC1034]
1089 uses the term "top node of the zone" as a synonym of "apex", but
1090 that term is not widely used. These days, the first sense of
1091 "origin" (above) and "apex" are often used interchangeably.
1092
1093 Zone cut: The delimitation point between two zones where the origin
1094 of one of the zones is the child of the other zone.
1095
1096 "Zones are delimited by 'zone cuts'. Each zone cut separates a
1097 'child' zone (below the cut) from a 'parent' zone (above the
1098 cut)." (Quoted from [RFC2181], Section 6; note that this is
1099 barely an ostensive definition.) Section 4.2 of [RFC1034] uses
1100 "cuts" instead of "zone cut".
1101
1102 Delegation: The process by which a separate zone is created in the
1103 name space beneath the apex of a given domain. Delegation happens
1104 when an NS RRset is added in the parent zone for the child origin.
1105 Delegation inherently happens at a zone cut. The term is also
1106 commonly a noun: the new zone that is created by the act of
1107 delegating.
1108
1109 Authoritative data: "All of the RRs attached to all of the nodes
1110 from the top node of the zone down to leaf nodes or nodes above
1111 cuts around the bottom edge of the zone." (Quoted from [RFC1034],
1112 Section 4.2.1) Note that this definition might inadvertently also
1113 cause any NS records that appear in the zone to be included, even
1114 those that might not truly be authoritative, because there are
1115 identical NS RRs below the zone cut. This reveals the ambiguity
1116 in the notion of authoritative data, because the parent-side NS
1117 records authoritatively indicate the delegation, even though they
1118 are not themselves authoritative data.
1119
1120 [RFC4033], Section 2, defines "Authoritative RRset", which is
1121 related to authoritative data but has a more precise definition.
1122
1123 Lame delegation: "A lame delegations exists [sic] when a nameserver
1124 is delegated responsibility for providing nameservice for a zone
1125 (via NS records) but is not performing nameservice for that zone
1126 (usually because it is not set up as a primary or secondary for
1127 the zone)." (Quoted from [RFC1912], Section 2.8) Another
1128 definition is that a lame delegation "...happens when a name
1129 server is listed in the NS records for some domain and in fact it
1130 is not a server for that domain. Queries are thus sent to the
1131 wrong servers, who don't know nothing [sic] (at least not as
1132 expected) about the queried domain. Furthermore, sometimes these
1133 hosts (if they exist!) don't even run name servers." (Quoted from
1134 [RFC1713], Section 2.3)
1135
1136 These early definitions do not match the current use of the term
1137 "lame delegation", but there is no consensus on what a lame
1138 delegation is. The term is used not only for the specific case
1139 described above, but for a variety of other flaws in delegations
1140 that lead to non-authoritative answers or no answers at all, such
1141 as:
1142
1143 * a nameserver with an NS record for a zone that does not answer
1144 DNS queries;
1145
1146 * a nameserver with an IP address that is not reachable by the
1147 resolver; and
1148
1149 * a nameserver that responds to a query for a specific name with
1150 an error or without the authoritative bit set.
1151
1152 Because the term in current usage has drifted from the original
1153 definition, and now is not specific or clear as to the intended
1154 meaning, it should be considered historic and avoided in favor of
1155 terms that are specific and clear.
1156
1157 Glue records: "...[Resource records] which are not part of the
1158 authoritative data [of the zone], and are address RRs for the
1159 [name] servers [in subzones]. These RRs are only necessary if the
1160 name server's name is 'below' the cut, and are only used as part
1161 of a referral response." Without glue "we could be faced with the
1162 situation where the NS RRs tell us that in order to learn a name
1163 server's address, we should contact the server using the address
1164 we wish to learn." (Quoted from [RFC1034], Section 4.2.1)
1165
1166 A later definition is that glue "includes any record in a zone
1167 file that is not properly part of that zone, including nameserver
1168 records of delegated sub-zones (NS records), address records that
1169 accompany those NS records (A, AAAA, etc), and any other stray
1170 data that might appear." (Quoted from [RFC2181], Section 5.4.1)
1171 Although glue is sometimes used today with this wider definition
1172 in mind, the context surrounding the definition in [RFC2181]
1173 suggests it is intended to apply to the use of glue within the
1174 document itself and not necessarily beyond.
1175
1176 In an NS record, there are three types of relationships between
1177 the owner name of the record, the name in the NS RDATA, and the
1178 zone origin: unrelated, in-domain, and sibling domain. The
1179 application of these three types of relationships to glue records
1180 is defined in [RFC9471].
1181
1182 An unrelated relationship is one where the NS RDATA contains a
1183 name server that is not subordinate to the zone origin and
1184 therefore is not part of the same zone.
1185
1186 An in-domain relationship is one where the NS RDATA contains a
1187 name server whose name is either subordinate to or (rarely) the
1188 same as the owner name of the NS resource records. For example, a
1189 delegation for "child.example.com" might have an in-domain name
1190 server called "ns.child.example.com".
1191
1192 A sibling domain relationship is one where the NS RDATA contains a
1193 name server whose name is either subordinate to or (rarely) the
1194 same as the zone origin of the parent and not subordinate to or
1195 the same as the owner name of the NS resource records. For
1196 example, a delegation for "child.example.com" in "example.com"
1197 zone might have a sibling domain name server called
1198 "ns.another.example.com".
1199
1200 The following table shows examples of delegation types:
1201
1202
1203 +=============+========+====================+================+
1204 | Delegation | Parent | Name Server Name | Type |
1205 +=============+========+====================+================+
1206 | com | . | a.gtld-servers.net | sibling domain |
1207 +-------------+--------+--------------------+----------------+
1208 | net | . | a.gtld-servers.net | in-domain |
1209 +-------------+--------+--------------------+----------------+
1210 | example.org | org | ns.example.org | in-domain |
1211 +-------------+--------+--------------------+----------------+
1212 | example.org | org | ns.ietf.org | sibling domain |
1213 +-------------+--------+--------------------+----------------+
1214 | example.org | org | ns.example.com | unrelated |
1215 +-------------+--------+--------------------+----------------+
1216 | example.jp | jp | ns.example.jp | in-domain |
1217 +-------------+--------+--------------------+----------------+
1218 | example.jp | jp | ns.example.ne.jp | sibling domain |
1219 +-------------+--------+--------------------+----------------+
1220 | example.jp | jp | ns.example.com | unrelated |
1221 +-------------+--------+--------------------+----------------+
1222
1223 Table 1
1224
1225 Bailiwick: "In-bailiwick" and "Out-of-bailiwick" are modifiers used
1226 to describe the relationship between a zone and the name servers
1227 for that zone. The dictionary definition of bailiwick has been
1228 observed to cause more confusion than meaning for this use. These
1229 terms should be considered historic in nature.
1230
1231 Root zone: The zone of a DNS-based tree whose apex is the zero-
1232 length label. Also sometimes called "the DNS root".
1233
1234 Empty non-terminals (ENTs): "Domain names that own no resource
1235 records but have subdomains that do." (Quoted from [RFC4592],
1236 Section 2.2.2) A typical example is in SRV records: in the name
1237 "_sip._tcp.example.com", it is likely that "_tcp.example.com" has
1238 no RRsets, but that "_sip._tcp.example.com" has (at least) an SRV
1239 RRset.
1240
1241 Delegation-centric zone: A zone that consists mostly of delegations
1242 to child zones. This term is used in contrast to a zone that
1243 might have some delegations to child zones but also has many data
1244 resource records for the zone itself and/or for child zones. The
1245 term is used in [RFC4956] and [RFC5155], but it is not defined in
1246 either document.
1247
1248 Occluded name: "The addition of a delegation point via dynamic
1249 update will render all subordinate domain names to be in a limbo,
1250 still part of the zone but not available to the lookup process.
1251 The addition of a DNAME resource record has the same impact. The
1252 subordinate names are said to be 'occluded'." (Quoted from
1253 [RFC5936], Section 3.5)
1254
1255 Fast flux DNS: This "occurs when a domain is [found] in DNS using A
1256 records to multiple IP addresses, each of which has a very short
1257 Time-to-Live (TTL) value associated with it. This means that the
1258 domain resolves to varying IP addresses over a short period of
1259 time." (Quoted from [RFC6561], Section 1.1.5, with a typo
1260 corrected) In addition to having legitimate uses, fast flux DNS
1261 can be used to deliver malware. Because the addresses change so
1262 rapidly, it is difficult to ascertain all the hosts. It should be
1263 noted that the technique also works with AAAA records, but such
1264 use is not frequently observed on the Internet as of this writing.
1265
1266 Reverse DNS, reverse lookup: "The process of mapping an address to a
1267 name is generally known as a 'reverse lookup', and the IN-
1268 ADDR.ARPA and IP6.ARPA zones are said to support the 'reverse
1269 DNS'." (Quoted from [RFC5855], Section 1)
1270
1271 Forward lookup: "Hostname-to-address translation". (Quoted from
1272 [RFC3493], Section 6)
1273
1274 arpa (Address and Routing Parameter Area Domain): "The 'arpa' domain
1275 was originally established as part of the initial deployment of
1276 the DNS to provide a transition mechanism from the Host Tables
1277 that were common in the ARPANET, as well as a home for the IPv4
1278 reverse mapping domain. During 2000, the abbreviation was
1279 redesignated to 'Address and Routing Parameter Area' in the hope
1280 of reducing confusion with the earlier network name." (Quoted
1281 from [RFC3172], Section 2) .arpa is an "infrastructure domain", a
1282 domain whose "role is to support the operating infrastructure of
1283 the Internet". (Quoted from [RFC3172], Section 2) See [RFC3172]
1284 for more history of this name.
1285
1286 Service name: "Service names are the unique key in the Service Name
1287 and Transport Protocol Port Number registry. This unique symbolic
1288 name for a service may also be used for other purposes, such as in
1289 DNS SRV records." (Quoted from [RFC6335], Section 5)
1290
1291 8. Wildcards
1292
1293 Wildcard: [RFC1034] defined "wildcard", but in a way that turned out
1294 to be confusing to implementers. For an extended discussion of
1295 wildcards, including clearer definitions, see [RFC4592]. Special
1296 treatment is given to RRs with owner names starting with the label
1297 "*". "Such RRs are called 'wildcards'. Wildcard RRs can be
1298 thought of as instructions for synthesizing RRs." (Quoted from
1299 [RFC1034], Section 4.3.3)
1300
1301 Asterisk label: "The first octet is the normal label type and length
1302 for a 1-octet-long label, and the second octet is the ASCII
1303 representation [RFC20] for the '*' character. A descriptive name
1304 of a label equaling that value is an 'asterisk label'." (Quoted
1305 from [RFC4592], Section 2.1.1)
1306
1307 Wildcard domain name: "A 'wildcard domain name' is defined by having
1308 its initial (i.e., leftmost or least significant) label, in binary
1309 format: 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)".
1310 (Quoted from [RFC4592], Section 2.1.1) The second octet in this
1311 label is the ASCII representation for the "*" character.
1312
1313 Closest encloser: "The longest existing ancestor of a name."
1314 (Quoted from [RFC5155], Section 1.3) An earlier definition is "The
1315 node in the zone's tree of existing domain names that has the most
1316 labels matching the query name (consecutively, counting from the
1317 root label downward). Each match is a 'label match' and the order
1318 of the labels is the same." (Quoted from [RFC4592],
1319 Section 3.3.1)
1320
1321 Closest provable encloser: "The longest ancestor of a name that can
1322 be proven to exist. Note that this is only different from the
1323 closest encloser in an Opt-Out zone." (Quoted from [RFC5155],
1324 Section 1.3) See Section 10 for more on "opt-out".
1325
1326 Next closer name: "The name one label longer than the closest
1327 provable encloser of a name." (Quoted from [RFC5155],
1328 Section 1.3)
1329
1330 Source of Synthesis: "The source of synthesis is defined in the
1331 context of a query process as that wildcard domain name
1332 immediately descending from the closest encloser, provided that
1333 this wildcard domain name exists. 'Immediately descending' means
1334 that the source of synthesis has a name of the form:
1335
1336 <asterisk label>.<closest encloser>."
1337
1338 (Quoted from [RFC4592], Section 3.3.1)
1339
1340 9. Registration Model
1341
1342 Registry: The administrative operation of a zone that allows
1343 registration of names within that zone. People often use this
1344 term to refer only to those organizations that perform
1345 registration in large delegation-centric zones (such as TLDs); but
1346 formally, whoever decides what data goes into a zone is the
1347 registry for that zone. This definition of "registry" is from a
1348 DNS point of view; for some zones, the policies that determine
1349 what can go in the zone are decided by zones that are
1350 superordinate and not the registry operator.
1351
1352 Registrant: An individual or organization on whose behalf a name in
1353 a zone is registered by the registry. In many zones, the registry
1354 and the registrant may be the same entity, but in TLDs they often
1355 are not.
1356
1357 Registrar: A service provider that acts as a go-between for
1358 registrants and registries. Not all registrations require a
1359 registrar, though it is common to have registrars involved in
1360 registrations in TLDs.
1361
1362 EPP: The Extensible Provisioning Protocol (EPP), which is commonly
1363 used for communication of registration information between
1364 registries and registrars. EPP is defined in [RFC5730].
1365
1366 WHOIS: A protocol specified in [RFC3912], often used for querying
1367 registry databases. WHOIS data is frequently used to associate
1368 registration data (such as zone management contacts) with domain
1369 names. The term "WHOIS data" is often used as a synonym for the
1370 registry database, even though that database may be served by
1371 different protocols, particularly RDAP. The WHOIS protocol is
1372 also used with IP address registry data.
1373
1374 RDAP: The Registration Data Access Protocol, defined in [RFC7480],
1375 [RFC7481], [RFC7485], [RFC9082], [RFC9083], and [RFC9224]. The
1376 RDAP protocol and data format are meant as a replacement for
1377 WHOIS.
1378
1379 DNS operator: An entity responsible for running DNS servers. For a
1380 zone's authoritative servers, the registrant may act as their own
1381 DNS operator, their registrar may do it on their behalf, or they
1382 may use a third-party operator. For some zones, the registry
1383 function is performed by the DNS operator plus other entities who
1384 decide about the allowed contents of the zone.
1385
1386 Public suffix: "A domain that is controlled by a public registry."
1387 (Quoted from [RFC6265], Section 5.3) A common definition for this
1388 term is a domain under which subdomains can be registered by third
1389 parties and on which HTTP cookies (which are described in detail
1390 in [RFC6265]) should not be set. There is no indication in a
1391 domain name whether it is a public suffix; that can only be
1392 determined by outside means. In fact, both a domain and a
1393 subdomain of that domain can be public suffixes.
1394
1395 There is nothing inherent in a domain name to indicate whether it
1396 is a public suffix. One resource for identifying public suffixes
1397 is the Public Suffix List (PSL) maintained by Mozilla
1398 <https://publicsuffix.org/>.
1399
1400 For example, at the time this document is published, the "com.au"
1401 domain is listed as a public suffix in the PSL. (Note that this
1402 example might change in the future.)
1403
1404 Note that the term "public suffix" is controversial in the DNS
1405 community for many reasons, and it may be significantly changed in
1406 the future. One example of the difficulty of calling a domain a
1407 public suffix is that designation can change over time as the
1408 registration policy for the zone changes, such as was the case
1409 with the "uk" TLD in 2014.
1410
1411 Subordinate and Superordinate: These terms are introduced in
1412 [RFC5731] for use in the registration model, but not defined
1413 there. Instead, they are given in examples. "For example, domain
1414 name 'example.com' has a superordinate relationship to host name
1415 ns1.example.com'... For example, host ns1.example1.com is a
1416 subordinate host of domain example1.com, but it is a not a
1417 subordinate host of domain example2.com." (Quoted from [RFC5731],
1418 Section 1.1) These terms are strictly ways of referring to the
1419 relationship standing of two domains where one is a subdomain of
1420 the other.
1421
1422 10. General DNSSEC
1423
1424 Most DNSSEC terms are defined in [RFC4033], [RFC4034], [RFC4035], and
1425 [RFC5155]. The terms that have caused confusion in the DNS community
1426 are highlighted here.
1427
1428 DNSSEC-aware and DNSSEC-unaware: These two terms, which are used in
1429 some RFCs, have not been formally defined. However, Section 2 of
1430 [RFC4033] defines many types of resolvers and validators,
1431 including "non-validating security-aware stub resolver", "non-
1432 validating stub resolver", "security-aware name server",
1433 "security-aware recursive name server", "security-aware resolver",
1434 "security-aware stub resolver", and "security-oblivious
1435 'anything'". (Note that the term "validating resolver", which is
1436 used in some places in DNSSEC-related documents, is also not
1437 defined in those RFCs, but is defined below.)
1438
1439 Signed zone: "A zone whose RRsets are signed and that contains
1440 properly constructed DNSKEY, Resource Record Signature (RRSIG),
1441 Next Secure (NSEC), and (optionally) DS records." (Quoted from
1442 [RFC4033], Section 2) It has been noted in other contexts that the
1443 zone itself is not really signed, but all the relevant RRsets in
1444 the zone are signed. Nevertheless, if a zone that should be
1445 signed contains any RRsets that are not signed (or opted out),
1446 those RRsets will be treated as bogus, so the whole zone needs to
1447 be handled in some way.
1448
1449 It should also be noted that, since the publication of [RFC6840],
1450 NSEC records are no longer required for signed zones: a signed
1451 zone might include NSEC3 records instead. [RFC7129] provides
1452 additional background commentary and some context for the NSEC and
1453 NSEC3 mechanisms used by DNSSEC to provide authenticated denial-
1454 of-existence responses. NSEC and NSEC3 are described below.
1455
1456 Online signing: [RFC4470] defines "on-line signing" (note the
1457 hyphen) as "generating and signing these records on demand", where
1458 "these" was defined as NSEC records. The current definition
1459 expands that to generating and signing RRSIG, NSEC, and NSEC3
1460 records on demand.
1461
1462 Unsigned zone: Section 2 of [RFC4033] defines this as "a zone that
1463 is not signed". Section 2 of [RFC4035] defines this as a "zone
1464 that does not include these records [properly constructed DNSKEY,
1465 Resource Record Signature (RRSIG), Next Secure (NSEC), and
1466 (optionally) DS records] according to the rules in this
1467 section..." There is an important note at the end of Section 5.2
1468 of [RFC4035] that defines an additional situation in which a zone
1469 is considered unsigned: "If the resolver does not support any of
1470 the algorithms listed in an authenticated DS RRset, then the
1471 resolver will not be able to verify the authentication path to the
1472 child zone. In this case, the resolver SHOULD treat the child
1473 zone as if it were unsigned."
1474
1475 NSEC: "The NSEC record allows a security-aware resolver to
1476 authenticate a negative reply for either name or type non-
1477 existence with the same mechanisms used to authenticate other DNS
1478 replies." (Quoted from [RFC4033], Section 3.2) In short, an NSEC
1479 record provides authenticated denial of existence.
1480
1481 "The NSEC resource record lists two separate things: the next
1482 owner name (in the canonical ordering of the zone) that contains
1483 authoritative data or a delegation point NS RRset, and the set of
1484 RR types present at the NSEC RR's owner name." (Quoted from
1485 [RFC4034], Section 4)
1486
1487 NSEC3: Like the NSEC record, the NSEC3 record also provides
1488 authenticated denial of existence; however, NSEC3 records mitigate
1489 zone enumeration and support Opt-Out. NSEC3 resource records
1490 require associated NSEC3PARAM resource records. NSEC3 and
1491 NSEC3PARAM resource records are defined in [RFC5155].
1492
1493 Note that [RFC6840] says that [RFC5155] "is now considered part of
1494 the DNS Security Document Family as described by Section 10 of
1495 [RFC4033]". This means that some of the definitions from earlier
1496 RFCs that only talk about NSEC records should probably be
1497 considered to be talking about both NSEC and NSEC3.
1498
1499 Opt-out: "The Opt-Out Flag indicates whether this NSEC3 RR may cover
1500 unsigned delegations." (Quoted from [RFC5155], Section 3.1.2.1)
1501 Opt-out tackles the high costs of securing a delegation to an
1502 insecure zone. When using Opt-Out, names that are an insecure
1503 delegation (and empty non-terminals that are only derived from
1504 insecure delegations) don't require an NSEC3 record or its
1505 corresponding RRSIG records. Opt-Out NSEC3 records are not able
1506 to prove or deny the existence of the insecure delegations.
1507 (Adapted from [RFC7129], Section 5.1)
1508
1509 Insecure delegation: "A signed name containing a delegation (NS
1510 RRset), but lacking a DS RRset, signifying a delegation to an
1511 unsigned subzone." (Quoted from [RFC4956], Section 2)
1512
1513 Zone enumeration: "The practice of discovering the full content of a
1514 zone via successive queries." (Quoted from [RFC5155],
1515 Section 1.3) This is also sometimes called "zone walking". Zone
1516 enumeration is different from zone content guessing where the
1517 guesser uses a large dictionary of possible labels and sends
1518 successive queries for them, or matches the contents of NSEC3
1519 records against such a dictionary.
1520
1521 Validation: Validation, in the context of DNSSEC, refers to one of
1522 the following:
1523
1524 * Checking the validity of DNSSEC signatures,
1525
1526 * Checking the validity of DNS responses, such as those including
1527 authenticated denial of existence, or
1528
1529 * Building an authentication chain from a trust anchor to a DNS
1530 response or individual DNS RRsets in a response.
1531
1532 The first two definitions above consider only the validity of
1533 individual DNSSEC components, such as the RRSIG validity or NSEC
1534 proof validity. The third definition considers the components of
1535 the entire DNSSEC authentication chain; thus, it requires
1536 "configured knowledge of at least one authenticated DNSKEY or DS
1537 RR" (as described in [RFC4035], Section 5).
1538
1539 [RFC4033], Section 2, says that a "Validating Security-Aware Stub
1540 Resolver... performs signature validation" and uses a trust anchor
1541 "as a starting point for building the authentication chain to a
1542 signed DNS response"; thus, it uses the first and third
1543 definitions above. The process of validating an RRSIG resource
1544 record is described in [RFC4035], Section 5.3.
1545
1546 [RFC5155] refers to validating responses throughout the document
1547 in the context of hashed authenticated denial of existence; this
1548 uses the second definition above.
1549
1550 The term "authentication" is used interchangeably with
1551 "validation", in the sense of the third definition above.
1552 [RFC4033], Section 2, describes the chain linking trust anchor to
1553 DNS data as the "authentication chain". A response is considered
1554 to be authentic if "all RRsets in the Answer and Authority
1555 sections of the response [are considered] to be authentic" (Quoted
1556 from [RFC4035]) DNS data or responses deemed to be authentic or
1557 validated have a security status of "secure" ([RFC4035],
1558 Section 4.3; [RFC4033], Section 5). "Authenticating both DNS keys
1559 and data is a matter of local policy, which may extend or even
1560 override the [DNSSEC] protocol extensions..." (Quoted from
1561 [RFC4033], Section 3.1)
1562
1563 The term "verification", when used, is usually a synonym for
1564 "validation".
1565
1566 Validating resolver: A security-aware recursive name server,
1567 security-aware resolver, or security-aware stub resolver that is
1568 applying at least one of the definitions of validation (above) as
1569 appropriate to the resolution context. For the same reason that
1570 the generic term "resolver" is sometimes ambiguous and needs to be
1571 evaluated in context (see Section 6), "validating resolver" is a
1572 context-sensitive term.
1573
1574 Key signing key (KSK): DNSSEC keys that "only sign the apex DNSKEY
1575 RRset in a zone." (Quoted from [RFC6781], Section 3.1)
1576
1577 Zone signing key (ZSK): "DNSSEC keys that can be used to sign all
1578 the RRsets in a zone that require signatures, other than the apex
1579 DNSKEY RRset." (Quoted from [RFC6781], Section 3.1) Also note
1580 that a ZSK is sometimes used to sign the apex DNSKEY RRset.
1581
1582 Combined signing key (CSK): "In cases where the differentiation
1583 between the KSK and ZSK is not made, i.e., where keys have the
1584 role of both KSK and ZSK, we talk about a Single-Type Signing
1585 Scheme." (Quoted from [RFC6781], Section 3.1) This is sometimes
1586 called a "combined signing key" or "CSK". It is operational
1587 practice, not protocol, that determines whether a particular key
1588 is a ZSK, a KSK, or a CSK.
1589
1590 Secure Entry Point (SEP): A flag in the DNSKEY RDATA that "can be
1591 used to distinguish between keys that are intended to be used as
1592 the secure entry point into the zone when building chains of
1593 trust, i.e., they are (to be) pointed to by parental DS RRs or
1594 configured as a trust anchor.... Therefore, it is suggested that
1595 the SEP flag be set on keys that are used as KSKs and not on keys
1596 that are used as ZSKs, while in those cases where a distinction
1597 between a KSK and ZSK is not made (i.e., for a Single-Type Signing
1598 Scheme), it is suggested that the SEP flag be set on all keys."
1599 (Quoted from [RFC6781], Section 3.2.3) Note that the SEP flag is
1600 only a hint, and its presence or absence may not be used to
1601 disqualify a given DNSKEY RR from use as a KSK or ZSK during
1602 validation.
1603
1604 The original definition of SEPs was in [RFC3757]. That definition
1605 clearly indicated that the SEP was a key, not just a bit in the
1606 key. The abstract of [RFC3757] says: "With the Delegation Signer
1607 (DS) resource record (RR), the concept of a public key acting as a
1608 secure entry point (SEP) has been introduced. During exchanges of
1609 public keys with the parent there is a need to differentiate SEP
1610 keys from other public keys in the Domain Name System KEY (DNSKEY)
1611 resource record set. A flag bit in the DNSKEY RR is defined to
1612 indicate that DNSKEY is to be used as a SEP." That definition of
1613 the SEP as a key was made obsolete by [RFC4034], and the
1614 definition from [RFC6781] is consistent with [RFC4034].
1615
1616 Trust anchor: "A configured DNSKEY RR or DS RR hash of a DNSKEY RR.
1617 A validating security-aware resolver uses this public key or hash
1618 as a starting point for building the authentication chain to a
1619 signed DNS response. In general, a validating resolver will have
1620 to obtain the initial values of its trust anchors via some secure
1621 or trusted means outside the DNS protocol." (Quoted from
1622 [RFC4033], Section 2)
1623
1624 DNSSEC Policy (DP): A statement that "sets forth the security
1625 requirements and standards to be implemented for a DNSSEC-signed
1626 zone." (Quoted from [RFC6841], Section 2)
1627
1628 DNSSEC Practice Statement (DPS): "A practices disclosure document
1629 that may support and be a supplemental document to the DNSSEC
1630 Policy (if such exists), and it states how the management of a
1631 given zone implements procedures and controls at a high level."
1632 (Quoted from [RFC6841], Section 2)
1633
1634 Hardware security module (HSM): A specialized piece of hardware that
1635 is used to create keys for signatures and to sign messages without
1636 ever disclosing the private key. In DNSSEC, HSMs are often used
1637 to hold the private keys for KSKs and ZSKs and to create the
1638 signatures used in RRSIG records at periodic intervals.
1639
1640 Signing software: Authoritative DNS servers that support DNSSEC
1641 often contain software that facilitates the creation and
1642 maintenance of DNSSEC signatures in zones. There is also stand-
1643 alone software that can be used to sign a zone regardless of
1644 whether the authoritative server itself supports signing.
1645 Sometimes signing software can support particular HSMs as part of
1646 the signing process.
1647
1648 11. DNSSEC States
1649
1650 A validating resolver can determine that a response is in one of four
1651 states: secure, insecure, bogus, or indeterminate. These states are
1652 defined in [RFC4033] and [RFC4035], although the definitions in the
1653 two documents differ a bit. This document makes no effort to
1654 reconcile the definitions in the two documents and takes no position
1655 as to whether they need to be reconciled.
1656
1657 Section 5 of [RFC4033] says:
1658
1659 | A validating resolver can determine the following 4 states:
1660 | Secure: The validating resolver has a trust anchor, has a chain
1661 | of trust, and is able to verify all the signatures in the
1662 | response.
1663 |
1664 | Insecure: The validating resolver has a trust anchor, a chain of
1665 | trust, and, at some delegation point, signed proof of the non-
1666 | existence of a DS record. This indicates that subsequent
1667 | branches in the tree are provably insecure. A validating
1668 | resolver may have a local policy to mark parts of the domain
1669 | space as insecure.
1670 |
1671 | Bogus: The validating resolver has a trust anchor and a secure
1672 | delegation indicating that subsidiary data is signed, but the
1673 | response fails to validate for some reason: missing signatures,
1674 | expired signatures, signatures with unsupported algorithms,
1675 | data missing that the relevant NSEC RR says should be present,
1676 | and so forth.
1677 |
1678 | Indeterminate: There is no trust anchor that would indicate that
1679 | a specific portion of the tree is secure. This is the default
1680 | operation mode.
1681
1682 Section 4.3 of [RFC4035] says:
1683
1684 | A security-aware resolver must be able to distinguish between four
1685 | cases:
1686 | Secure: An RRset for which the resolver is able to build a chain
1687 | of signed DNSKEY and DS RRs from a trusted security anchor to
1688 | the RRset. In this case, the RRset should be signed and is
1689 | subject to signature validation, as described above.
1690 |
1691 | Insecure: An RRset for which the resolver knows that it has no
1692 | chain of signed DNSKEY and DS RRs from any trusted starting
1693 | point to the RRset. This can occur when the target RRset lies
1694 | in an unsigned zone or in a descendent [sic] of an unsigned
1695 | zone. In this case, the RRset may or may not be signed, but
1696 | the resolver will not be able to verify the signature.
1697 |
1698 | Bogus: An RRset for which the resolver believes that it ought to
1699 | be able to establish a chain of trust but for which it is
1700 | unable to do so, either due to signatures that for some reason
1701 | fail to validate or due to missing data that the relevant
1702 | DNSSEC RRs indicate should be present. This case may indicate
1703 | an attack but may also indicate a configuration error or some
1704 | form of data corruption.
1705 |
1706 | Indeterminate: An RRset for which the resolver is not able to
1707 | determine whether the RRset should be signed, as the resolver
1708 | is not able to obtain the necessary DNSSEC RRs. This can occur
1709 | when the security-aware resolver is not able to contact
1710 | security-aware name servers for the relevant zones.
1711
1712 12. Security Considerations
1713
1714 These definitions do not change any security considerations for
1715 either the global DNS or private DNS.
1716
1717 13. IANA Considerations
1718
1719 References to RFC 8499 in the IANA registries have been replaced with
1720 references to this document.
1721
1722 14. References
1723
1724 14.1. Normative References
1725
1726 [IANA_RootFiles]
1727 IANA, "Root Files",
1728 <https://www.iana.org/domains/root/files>.
1729
1730 [RFC0882] Mockapetris, P., "Domain names: Concepts and facilities",
1731 RFC 882, DOI 10.17487/RFC0882, November 1983,
1732 <https://www.rfc-editor.org/info/rfc882>.
1733
1734 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
1735 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
1736 <https://www.rfc-editor.org/info/rfc1034>.
1737
1738 [RFC1035] Mockapetris, P., "Domain names - implementation and
1739 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
1740 November 1987, <https://www.rfc-editor.org/info/rfc1035>.
1741
1742 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
1743 Application and Support", STD 3, RFC 1123,
1744 DOI 10.17487/RFC1123, October 1989,
1745 <https://www.rfc-editor.org/info/rfc1123>.
1746
1747 [RFC1912] Barr, D., "Common DNS Operational and Configuration
1748 Errors", RFC 1912, DOI 10.17487/RFC1912, February 1996,
1749 <https://www.rfc-editor.org/info/rfc1912>.
1750
1751 [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
1752 Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
1753 August 1996, <https://www.rfc-editor.org/info/rfc1996>.
1754
1755 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
1756 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
1757 RFC 2136, DOI 10.17487/RFC2136, April 1997,
1758 <https://www.rfc-editor.org/info/rfc2136>.
1759
1760 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
1761 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
1762 <https://www.rfc-editor.org/info/rfc2181>.
1763
1764 [RFC2182] Elz, R., Bush, R., Bradner, S., and M. Patton, "Selection
1765 and Operation of Secondary DNS Servers", BCP 16, RFC 2182,
1766 DOI 10.17487/RFC2182, July 1997,
1767 <https://www.rfc-editor.org/info/rfc2182>.
1768
1769 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
1770 NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
1771 <https://www.rfc-editor.org/info/rfc2308>.
1772
1773 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1774 Rose, "DNS Security Introduction and Requirements",
1775 RFC 4033, DOI 10.17487/RFC4033, March 2005,
1776 <https://www.rfc-editor.org/info/rfc4033>.
1777
1778 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1779 Rose, "Resource Records for the DNS Security Extensions",
1780 RFC 4034, DOI 10.17487/RFC4034, March 2005,
1781 <https://www.rfc-editor.org/info/rfc4034>.
1782
1783 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1784 Rose, "Protocol Modifications for the DNS Security
1785 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
1786 <https://www.rfc-editor.org/info/rfc4035>.
1787
1788 [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
1789 System", RFC 4592, DOI 10.17487/RFC4592, July 2006,
1790 <https://www.rfc-editor.org/info/rfc4592>.
1791
1792 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
1793 Security (DNSSEC) Hashed Authenticated Denial of
1794 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
1795 <https://www.rfc-editor.org/info/rfc5155>.
1796
1797 [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive
1798 Nameservers in Reflector Attacks", BCP 140, RFC 5358,
1799 DOI 10.17487/RFC5358, October 2008,
1800 <https://www.rfc-editor.org/info/rfc5358>.
1801
1802 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
1803 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
1804 <https://www.rfc-editor.org/info/rfc5730>.
1805
1806 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
1807 Domain Name Mapping", STD 69, RFC 5731,
1808 DOI 10.17487/RFC5731, August 2009,
1809 <https://www.rfc-editor.org/info/rfc5731>.
1810
1811 [RFC5855] Abley, J. and T. Manderson, "Nameservers for IPv4 and IPv6
1812 Reverse Zones", BCP 155, RFC 5855, DOI 10.17487/RFC5855,
1813 May 2010, <https://www.rfc-editor.org/info/rfc5855>.
1814
1815 [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol
1816 (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010,
1817 <https://www.rfc-editor.org/info/rfc5936>.
1818
1819 [RFC6561] Livingood, J., Mody, N., and M. O'Reirdan,
1820 "Recommendations for the Remediation of Bots in ISP
1821 Networks", RFC 6561, DOI 10.17487/RFC6561, March 2012,
1822 <https://www.rfc-editor.org/info/rfc6561>.
1823
1824 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
1825 Operational Practices, Version 2", RFC 6781,
1826 DOI 10.17487/RFC6781, December 2012,
1827 <https://www.rfc-editor.org/info/rfc6781>.
1828
1829 [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and
1830 Implementation Notes for DNS Security (DNSSEC)", RFC 6840,
1831 DOI 10.17487/RFC6840, February 2013,
1832 <https://www.rfc-editor.org/info/rfc6840>.
1833
1834 [RFC6841] Ljunggren, F., Eklund Lowinder, AM., and T. Okubo, "A
1835 Framework for DNSSEC Policies and DNSSEC Practice
1836 Statements", RFC 6841, DOI 10.17487/RFC6841, January 2013,
1837 <https://www.rfc-editor.org/info/rfc6841>.
1838
1839 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
1840 for DNS (EDNS(0))", STD 75, RFC 6891,
1841 DOI 10.17487/RFC6891, April 2013,
1842 <https://www.rfc-editor.org/info/rfc6891>.
1843
1844 [RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
1845 DNSSEC Delegation Trust Maintenance", RFC 7344,
1846 DOI 10.17487/RFC7344, September 2014,
1847 <https://www.rfc-editor.org/info/rfc7344>.
1848
1849 [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
1850 Terminology", RFC 7719, DOI 10.17487/RFC7719, December
1851 2015, <https://www.rfc-editor.org/info/rfc7719>.
1852
1853 [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles
1854 for DNS over TLS and DNS over DTLS", RFC 8310,
1855 DOI 10.17487/RFC8310, March 2018,
1856 <https://www.rfc-editor.org/info/rfc8310>.
1857
1858 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
1859 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
1860 January 2019, <https://www.rfc-editor.org/info/rfc8499>.
1861
1862 [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over
1863 Dedicated QUIC Connections", RFC 9250,
1864 DOI 10.17487/RFC9250, May 2022,
1865 <https://www.rfc-editor.org/info/rfc9250>.
1866
1867 [RFC9471] Andrews, M., Huque, S., Wouters, P., and D. Wessels, "DNS
1868 Glue Requirements in Referral Responses", RFC 9471,
1869 DOI 10.17487/RFC9471, September 2023,
1870 <https://www.rfc-editor.org/info/rfc9471>.
1871
1872 14.2. Informative References
1873
1874 [IANA_Resource_Registry]
1875 IANA, "Resource Record (RR) TYPEs",
1876 <https://www.iana.org/assignments/dns-parameters/>.
1877
1878 [RFC20] Cerf, V., "ASCII format for network interchange", STD 80,
1879 RFC 20, DOI 10.17487/RFC0020, October 1969,
1880 <https://www.rfc-editor.org/info/rfc20>.
1881
1882 [RFC819] Su, Z. and J. Postel, "The Domain Naming Convention for
1883 Internet User Applications", RFC 819,
1884 DOI 10.17487/RFC0819, August 1982,
1885 <https://www.rfc-editor.org/info/rfc819>.
1886
1887 [RFC952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
1888 host table specification", RFC 952, DOI 10.17487/RFC0952,
1889 October 1985, <https://www.rfc-editor.org/info/rfc952>.
1890
1891 [RFC1713] Romao, A., "Tools for DNS debugging", FYI 27, RFC 1713,
1892 DOI 10.17487/RFC1713, November 1994,
1893 <https://www.rfc-editor.org/info/rfc1713>.
1894
1895 [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
1896 DOI 10.17487/RFC1995, August 1996,
1897 <https://www.rfc-editor.org/info/rfc1995>.
1898
1899 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775,
1900 DOI 10.17487/RFC2775, February 2000,
1901 <https://www.rfc-editor.org/info/rfc2775>.
1902
1903 [RFC3172] Huston, G., Ed., "Management Guidelines & Operational
1904 Requirements for the Address and Routing Parameter Area
1905 Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172,
1906 September 2001, <https://www.rfc-editor.org/info/rfc3172>.
1907
1908 [RFC3425] Lawrence, D., "Obsoleting IQUERY", RFC 3425,
1909 DOI 10.17487/RFC3425, November 2002,
1910 <https://www.rfc-editor.org/info/rfc3425>.
1911
1912 [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W.
1913 Stevens, "Basic Socket Interface Extensions for IPv6",
1914 RFC 3493, DOI 10.17487/RFC3493, February 2003,
1915 <https://www.rfc-editor.org/info/rfc3493>.
1916
1917 [RFC3757] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
1918 System KEY (DNSKEY) Resource Record (RR) Secure Entry
1919 Point (SEP) Flag", RFC 3757, DOI 10.17487/RFC3757, April
1920 2004, <https://www.rfc-editor.org/info/rfc3757>.
1921
1922 [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
1923 DOI 10.17487/RFC3912, September 2004,
1924 <https://www.rfc-editor.org/info/rfc3912>.
1925
1926 [RFC4470] Weiler, S. and J. Ihren, "Minimally Covering NSEC Records
1927 and DNSSEC On-line Signing", RFC 4470,
1928 DOI 10.17487/RFC4470, April 2006,
1929 <https://www.rfc-editor.org/info/rfc4470>.
1930
1931 [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
1932 RFC 4641, DOI 10.17487/RFC4641, September 2006,
1933 <https://www.rfc-editor.org/info/rfc4641>.
1934
1935 [RFC4697] Larson, M. and P. Barber, "Observed DNS Resolution
1936 Misbehavior", BCP 123, RFC 4697, DOI 10.17487/RFC4697,
1937 October 2006, <https://www.rfc-editor.org/info/rfc4697>.
1938
1939 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast
1940 Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786,
1941 December 2006, <https://www.rfc-editor.org/info/rfc4786>.
1942
1943 [RFC4956] Arends, R., Kosters, M., and D. Blacka, "DNS Security
1944 (DNSSEC) Opt-In", RFC 4956, DOI 10.17487/RFC4956, July
1945 2007, <https://www.rfc-editor.org/info/rfc4956>.
1946
1947 [RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines",
1948 BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009,
1949 <https://www.rfc-editor.org/info/rfc5625>.
1950
1951 [RFC5890] Klensin, J., "Internationalized Domain Names for
1952 Applications (IDNA): Definitions and Document Framework",
1953 RFC 5890, DOI 10.17487/RFC5890, August 2010,
1954 <https://www.rfc-editor.org/info/rfc5890>.
1955
1956 [RFC5891] Klensin, J., "Internationalized Domain Names in
1957 Applications (IDNA): Protocol", RFC 5891,
1958 DOI 10.17487/RFC5891, August 2010,
1959 <https://www.rfc-editor.org/info/rfc5891>.
1960
1961 [RFC5892] Faltstrom, P., Ed., "The Unicode Code Points and
1962 Internationalized Domain Names for Applications (IDNA)",
1963 RFC 5892, DOI 10.17487/RFC5892, August 2010,
1964 <https://www.rfc-editor.org/info/rfc5892>.
1965
1966 [RFC5893] Alvestrand, H., Ed. and C. Karp, "Right-to-Left Scripts
1967 for Internationalized Domain Names for Applications
1968 (IDNA)", RFC 5893, DOI 10.17487/RFC5893, August 2010,
1969 <https://www.rfc-editor.org/info/rfc5893>.
1970
1971 [RFC5894] Klensin, J., "Internationalized Domain Names for
1972 Applications (IDNA): Background, Explanation, and
1973 Rationale", RFC 5894, DOI 10.17487/RFC5894, August 2010,
1974 <https://www.rfc-editor.org/info/rfc5894>.
1975
1976 [RFC6055] Thaler, D., Klensin, J., and S. Cheshire, "IAB Thoughts on
1977 Encodings for Internationalized Domain Names", RFC 6055,
1978 DOI 10.17487/RFC6055, February 2011,
1979 <https://www.rfc-editor.org/info/rfc6055>.
1980
1981 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
1982 DOI 10.17487/RFC6265, April 2011,
1983 <https://www.rfc-editor.org/info/rfc6265>.
1984
1985 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163,
1986 RFC 6303, DOI 10.17487/RFC6303, July 2011,
1987 <https://www.rfc-editor.org/info/rfc6303>.
1988
1989 [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
1990 Cheshire, "Internet Assigned Numbers Authority (IANA)
1991 Procedures for the Management of the Service Name and
1992 Transport Protocol Port Number Registry", BCP 165,
1993 RFC 6335, DOI 10.17487/RFC6335, August 2011,
1994 <https://www.rfc-editor.org/info/rfc6335>.
1995
1996 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in
1997 Internationalization in the IETF", BCP 166, RFC 6365,
1998 DOI 10.17487/RFC6365, September 2011,
1999 <https://www.rfc-editor.org/info/rfc6365>.
2000
2001 [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
2002 DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012,
2003 <https://www.rfc-editor.org/info/rfc6672>.
2004
2005 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
2006 DOI 10.17487/RFC6762, February 2013,
2007 <https://www.rfc-editor.org/info/rfc6762>.
2008
2009 [RFC7129] Gieben, R. and W. Mekking, "Authenticated Denial of
2010 Existence in the DNS", RFC 7129, DOI 10.17487/RFC7129,
2011 February 2014, <https://www.rfc-editor.org/info/rfc7129>.
2012
2013 [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
2014 Registration Data Access Protocol (RDAP)", STD 95,
2015 RFC 7480, DOI 10.17487/RFC7480, March 2015,
2016 <https://www.rfc-editor.org/info/rfc7480>.
2017
2018 [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
2019 Registration Data Access Protocol (RDAP)", STD 95,
2020 RFC 7481, DOI 10.17487/RFC7481, March 2015,
2021 <https://www.rfc-editor.org/info/rfc7481>.
2022
2023 [RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access
2024 Protocol (RDAP) Query Format", STD 95, RFC 9082,
2025 DOI 10.17487/RFC9082, June 2021,
2026 <https://www.rfc-editor.org/info/rfc9082>.
2027
2028 [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
2029 Registration Data Access Protocol (RDAP)", STD 95,
2030 RFC 9083, DOI 10.17487/RFC9083, June 2021,
2031 <https://www.rfc-editor.org/info/rfc9083>.
2032
2033 [RFC9224] Blanchet, M., "Finding the Authoritative Registration Data
2034 Access Protocol (RDAP) Service", STD 95, RFC 9224,
2035 DOI 10.17487/RFC9224, March 2022,
2036 <https://www.rfc-editor.org/info/rfc9224>.
2037
2038 [RFC7485] Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin,
2039 "Inventory and Analysis of WHOIS Registration Objects",
2040 RFC 7485, DOI 10.17487/RFC7485, March 2015,
2041 <https://www.rfc-editor.org/info/rfc7485>.
2042
2043 [RFC7793] Andrews, M., "Adding 100.64.0.0/10 Prefixes to the IPv4
2044 Locally-Served DNS Zones Registry", BCP 163, RFC 7793,
2045 DOI 10.17487/RFC7793, May 2016,
2046 <https://www.rfc-editor.org/info/rfc7793>.
2047
2048 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
2049 and P. Hoffman, "Specification for DNS over Transport
2050 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2051 2016, <https://www.rfc-editor.org/info/rfc7858>.
2052
2053 [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
2054 Transport Layer Security (DTLS)", RFC 8094,
2055 DOI 10.17487/RFC8094, February 2017,
2056 <https://www.rfc-editor.org/info/rfc8094>.
2057
2058 [RFC8109] Koch, P., Larson, M., and P. Hoffman, "Initializing a DNS
2059 Resolver with Priming Queries", BCP 209, RFC 8109,
2060 DOI 10.17487/RFC8109, March 2017,
2061 <https://www.rfc-editor.org/info/rfc8109>.
2062
2063 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
2064 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
2065 <https://www.rfc-editor.org/info/rfc8484>.
2066
2067 [RFC9103] Toorop, W., Dickinson, S., Sahib, S., Aras, P., and A.
2068 Mankin, "DNS Zone Transfer over TLS", RFC 9103,
2069 DOI 10.17487/RFC9103, August 2021,
2070 <https://www.rfc-editor.org/info/rfc9103>.
2071
2072 [RSSAC026] Root Server System Advisory Committee (RSSAC), "RSSAC0226
2073 RSSAC Lexicon", 2017,
2074 <https://www.icann.org/en/system/files/files/rssac-
2075 026-14mar17-en.pdf>.
2076
2077 Appendix A. Definitions Updated by This Document
2078
2079 The following definitions from RFCs are updated by this document:
2080
2081 * Forwarder in [RFC2308]
2082
2083 * QNAME in [RFC2308]
2084
2085 * Secure Entry Point (SEP) in [RFC3757]; note, however, that this
2086 RFC is already obsolete (see [RFC4033], [RFC4034], [RFC4035]).
2087
2088 Appendix B. Definitions First Defined in This Document
2089
2090 The following definitions are first defined in this document:
2091
2092 * "Alias" in Section 2
2093
2094 * "Apex" in Section 7
2095
2096 * "arpa" in Section 7
2097
2098 * "Authoritative DoT (ADot)" in Section 6
2099
2100 * "Bailiwick" in Section 7
2101
2102 * "Class independent" in Section 5
2103
2104 * "Classic DNS" in Section 6
2105
2106 * "Delegation-centric zone" in Section 7
2107
2108 * "Delegation" in Section 7
2109
2110 * "DNS operator" in Section 9
2111
2112 * "DNSSEC-aware" in Section 10
2113
2114 * "DNSSEC-unaware" in Section 10
2115
2116 * "Forwarding" in Section 6
2117
2118 * "Full resolver" in Section 6
2119
2120 * "Fully Qualified Domain Name" in Section 2
2121
2122 * "Global DNS" in Section 2
2123
2124 * "Hardware Security Module (HSM)" in Section 10
2125
2126 * "Host name" in Section 2
2127
2128 * "IDN" in Section 2
2129
2130 * "In-domain" in Section 7
2131
2132 * "Iterative resolution" in Section 6
2133
2134 * "Label" in Section 2
2135
2136 * "Locally served DNS zone" in Section 2
2137
2138 * "Naming system" in Section 2
2139
2140 * "Negative response" in Section 3
2141
2142 * "Non-recursive query" in Section 6
2143
2144 * "Open resolver" in Section 6
2145
2146 * "Passive DNS" in Section 6
2147
2148 * "Policy-implementing resolver" in Section 6
2149
2150 * "Presentation format" in Section 5
2151
2152 * "Priming" in Section 6
2153
2154 * "Private DNS" in Section 2
2155
2156 * "Recursive DoT (RDot)" in Section 6
2157
2158 * "Recursive resolver" in Section 6
2159
2160 * "Referrals" in Section 4
2161
2162 * "Registrant" in Section 9
2163
2164 * "Registrar" in Section 9
2165
2166 * "Registry" in Section 9
2167
2168 * "Root zone" in Section 7
2169
2170 * "Secure Entry Point (SEP)" in Section 10
2171
2172 * "Sibling domain" in Section 7
2173
2174 * "Signing software" in Section 10
2175
2176 * "Split DNS" in Section 6
2177
2178 * "Stub resolver" in Section 6
2179
2180 * "Subordinate" in Section 8
2181
2182 * "Superordinate" in Section 8
2183
2184 * "TLD" in Section 2
2185
2186 * "Validating resolver" in Section 10
2187
2188 * "Validation" in Section 10
2189
2190 * "View" in Section 6
2191
2192 * "Zone transfer" in Section 6
2193
2194 Acknowledgements
2195
2196 [RFC8499] and its predecessor, [RFC7719], were co-authored by Andrew
2197 Sullivan. The current document, which is a small update to
2198 [RFC8499], has just two authors. Andrew's work on the earlier
2199 documents is greatly appreciated.
2200
2201 Numerous people made significant contributions to [RFC8499] and
2202 [RFC7719]. Please see the acknowledgements sections in those two
2203 documents for the extensive list of contributors.
2204
2205 Even though the current document is a small revision, many people in
2206 the DNSOP Working Group have contributed to it, and their work is
2207 greatly appreciated.
2208
2209 Index
2210
2211 A B C D E F G H I K L M N O P Q R S T U V W X Z
2212
2213 A
2214
2215 Address and Routing Parameter Area Domain (arpa)
2216 Section 7
2217 Address records
2218 Section 5
2219 ADoT
2220 Section 6
2221 Alias
2222 Section 2
2223 Anycast
2224 Section 6
2225 Apex
2226 Section 7
2227 Asterisk label
2228 Section 8
2229 Authoritative data
2230 Section 7
2231 Authoritative server
2232 Section 6
2233 Authoritative-only server
2234 Section 6
2235 AXoT
2236 Section 6
2237
2238 B
2239
2240 Bailiwick
2241 Section 7
2242
2243 C
2244
2245 Canonical name
2246 Section 2
2247 Child
2248 Section 7
2249 Class
2250 Section 4
2251 Class independent
2252 Section 5
2253 Classic DNS
2254 Section 6
2255 Closest encloser
2256 Section 8
2257 Closest provable encloser
2258 Section 8
2259 CNAME
2260 Section 2
2261 Combined signing key (CSK)
2262 Section 10
2263
2264 D
2265
2266 Delegation
2267 Section 7
2268 Delegation-centric zone
2269 Section 7
2270 DNS operator
2271 Section 9
2272 DNS-over-HTTPS
2273 Section 6
2274 DNS-over-QUIC
2275 Section 6
2276 DNS-over-TLS
2277 Section 6
2278 DNSSEC Policy (DP)
2279 Section 10
2280 DNSSEC Practice Statement (DPS)
2281 Section 10
2282 DNSSEC-aware and DNSSEC-unaware
2283 Section 10
2284 DoH
2285 Section 6
2286 Domain name
2287 Section 2
2288 DoQ
2289 Section 6
2290 DoT
2291 Section 6
2292
2293 E
2294
2295 EDNS
2296 Section 5
2297 Empty non-terminals (ENTs)
2298 Section 7
2299 EPP
2300 Section 9
2301
2302 F
2303
2304 Fast flux DNS
2305 Section 7
2306 FORMERR
2307 Section 3
2308 Forward lookup
2309 Section 7
2310 Forwarder
2311 Section 6
2312 Forwarding
2313 Section 6
2314 Full resolver
2315 Section 6
2316 Full-service resolver
2317 Section 6
2318 Fully Qualified Domain Name (FQDN)
2319 Section 2
2320
2321 G
2322
2323 Global DNS
2324 Section 2
2325 Glue records
2326 Section 7
2327
2328 H
2329
2330 Hardware security module (HSM)
2331 Section 10
2332 Hidden master
2333 Section 6
2334 Host name
2335 Section 2
2336
2337 I
2338
2339 IDN
2340 Section 2
2341 In-bailiwick
2342 Section 7
2343 In-domain
2344 Section 7
2345 Insecure delegation
2346 Section 10
2347 Instance
2348 Section 6
2349 Internationalized Domain Name
2350 Section 2
2351 Iterative mode
2352 Section 6
2353 Iterative resolution
2354 Section 6
2355 IXoT
2356 Section 6
2357
2358 K
2359
2360 Key signing key (KSK)
2361 Section 10
2362
2363 L
2364
2365 Label
2366 Section 2
2367 Lame delegation
2368 Section 7
2369 Locally served DNS zone
2370 Section 2
2371
2372 M
2373
2374 Master file
2375 Section 5
2376 Master server
2377 Section 6
2378 mDNS
2379 Section 2
2380 Multicast DNS
2381 Section 2
2382
2383 N
2384
2385 Naming system
2386 Section 2, Paragraph 1.2.1
2387 Negative caching
2388 Section 6
2389 Negative response
2390 Section 3
2391 Next closer name
2392 Section 8
2393 NODATA
2394 Section 3
2395 NOERROR
2396 Section 3
2397 Non-recursive query
2398 Section 6
2399 NOTIMP
2400 Section 3
2401 NS
2402 Section 6
2403 NSEC
2404 Section 10
2405 NSEC3
2406 Section 10
2407 NXDOMAIN
2408 Section 3
2409
2410 O
2411
2412 Occluded name
2413 Section 7
2414 on-line signing
2415 Section 10
2416 online signing
2417 Section 10
2418 Open resolver
2419 Section 6
2420 OPT
2421 Section 5
2422 Opt-out
2423 Section 10
2424 Origin
2425 Section 7
2426 Out-of-bailiwick
2427 Section 7
2428 Owner
2429 Section 5
2430
2431 P
2432
2433 Parent
2434 Section 7
2435 Passive DNS
2436 Section 6
2437 Policy-implementing resolver
2438 Section 6
2439 Presentation format
2440 Section 5
2441 Primary master
2442 Section 6
2443 Primary server
2444 Section 6
2445 Priming
2446 Section 6
2447 Privacy-enabling DNS server
2448 Section 6
2449 Private DNS
2450 Section 2
2451 Public suffix
2452 Section 9
2453
2454 Q
2455
2456 QNAME
2457 Section 4
2458
2459 R
2460
2461 RDAP
2462 Section 9
2463 RDoT
2464 Section 6
2465 Recursive DoT
2466 Section 6
2467 Recursive mode
2468 Section 6, Paragraph 4.10.1
2469 Recursive query
2470 Section 6
2471 Recursive resolver
2472 Section 6
2473 Referrals
2474 Section 4
2475 REFUSED
2476 Section 3
2477 Registrant
2478 Section 9
2479 Registrar
2480 Section 9
2481 Registry
2482 Section 9
2483 Resolver
2484 Section 6
2485 Reverse DNS, reverse lookup
2486 Section 7
2487 Root hints
2488 Section 6
2489 Root zone
2490 Section 7
2491 RR
2492 Section 5
2493 RRset
2494 Section 5
2495
2496 S
2497
2498 Secondary server
2499 Section 6
2500 Secure Entry Point (SEP)
2501 Section 10
2502 SERVFAIL
2503 Section 3
2504 Service name
2505 Section 7
2506 Sibling domain
2507 Section 7
2508 Signed zone
2509 Section 10
2510 Signing software
2511 Section 10
2512 Slave server
2513 Section 6
2514 SOA
2515 Section 5
2516 SOA field names
2517 Section 5
2518 Source of Synthesis
2519 Section 8, Paragraph 1.14.1
2520 Split DNS
2521 Section 6
2522 Split-horizon DNS
2523 Section 6
2524 Stealth server
2525 Section 6
2526 Stub resolver
2527 Section 6
2528 Subdomain
2529 Section 2
2530 Subordinate
2531 Section 9
2532 Superordinate
2533 Section 9
2534
2535 T
2536
2537 TLD
2538 Section 2
2539 Trust anchor
2540 Section 10
2541 TTL
2542 Section 5
2543
2544 U
2545
2546 Unsigned zone
2547 Section 10
2548
2549 V
2550
2551 Validating resolver
2552 Section 10
2553 Validation
2554 Section 10, Paragraph 2.26.1
2555 View
2556 Section 6
2557
2558 W
2559
2560 WHOIS
2561 Section 9
2562 Wildcard
2563 Section 8
2564 Wildcard domain name
2565 Section 8
2566
2567 X
2568
2569 XoT
2570 Section 6
2571
2572 Z
2573
2574 Zone
2575 Section 7
2576 Zone cut
2577 Section 7
2578 Zone enumeration
2579 Section 10
2580 Zone signing key (ZSK)
2581 Section 10
2582 Zone transfer
2583 Section 6
2584
2585 Authors' Addresses
2586
2587 Paul Hoffman
2588 ICANN
2589 Email: paul.hoffman@icann.org
2590
2591
2592 Kazunori Fujiwara
2593 Japan Registry Services Co., Ltd.
2594 Email: fujiwara@jprs.co.jp
2595
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.
This RFC is included in the DNS RFCs annotation project whose home page is here.