summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9499.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc9499.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc9499.txt')
-rw-r--r--doc/rfc/rfc9499.txt2598
1 files changed, 2598 insertions, 0 deletions
diff --git a/doc/rfc/rfc9499.txt b/doc/rfc/rfc9499.txt
new file mode 100644
index 0000000..0f3008b
--- /dev/null
+++ b/doc/rfc/rfc9499.txt
@@ -0,0 +1,2598 @@
+
+
+
+
+Internet Engineering Task Force (IETF) P. Hoffman
+Request for Comments: 9499 ICANN
+BCP: 219 K. Fujiwara
+Obsoletes: 8499 JPRS
+Updates: 2308 March 2024
+Category: Best Current Practice
+ISSN: 2070-1721
+
+
+ DNS Terminology
+
+Abstract
+
+ The Domain Name System (DNS) is defined in literally dozens of
+ different RFCs. The terminology used by implementers and developers
+ of DNS protocols, and by operators of DNS systems, has changed in the
+ decades since the DNS was first defined. This document gives current
+ definitions for many of the terms used in the DNS in a single
+ document.
+
+ This document updates RFC 2308 by clarifying the definitions of
+ "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple
+ terms and clarifications. Comprehensive lists of changed and new
+ definitions can be found in Appendices A and B.
+
+Status of This Memo
+
+ This memo documents an Internet Best Current Practice.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ BCPs is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9499.
+
+Copyright Notice
+
+ Copyright (c) 2024 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Revised BSD License text as described in Section 4.e of the
+ Trust Legal Provisions and are provided without warranty as described
+ in the Revised BSD License.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Names
+ 3. DNS Response Codes
+ 4. DNS Transactions
+ 5. Resource Records
+ 6. DNS Servers and Clients
+ 7. Zones
+ 8. Wildcards
+ 9. Registration Model
+ 10. General DNSSEC
+ 11. DNSSEC States
+ 12. Security Considerations
+ 13. IANA Considerations
+ 14. References
+ 14.1. Normative References
+ 14.2. Informative References
+ Appendix A. Definitions Updated by This Document
+ Appendix B. Definitions First Defined in This Document
+ Acknowledgements
+ Index
+ Authors' Addresses
+
+1. Introduction
+
+ The Domain Name System (DNS) is a simple query-response protocol
+ whose messages in both directions have the same format. (Section 2
+ gives a definition of "global DNS", which is often what people mean
+ when they say "the DNS".) The protocol and message format are
+ defined in [RFC1034] and [RFC1035]. These RFCs defined some terms,
+ and later documents defined others. Some of the terms from [RFC1034]
+ and [RFC1035] have somewhat different meanings now than they did in
+ 1987.
+
+ This document contains a collection of a wide variety of DNS-related
+ terms, organized loosely by topic. Some of them have been precisely
+ defined in earlier RFCs, some have been loosely defined in earlier
+ RFCs, and some are not defined in an earlier RFC at all.
+
+ Other organizations sometimes define DNS-related terms in their own
+ way. For example, the WHATWG defines "domain" at
+ <https://url.spec.whatwg.org/>. The Root Server System Advisory
+ Committee (RSSAC) has a good lexicon [RSSAC026].
+
+ Most of the definitions listed here represent the consensus
+ definition of the DNS community -- both protocol developers and
+ operators. Some of the definitions differ from earlier RFCs, and
+ those differences are noted. In this document, where the consensus
+ definition is the same as the one in an RFC, that RFC is quoted.
+ Where the consensus definition has changed somewhat, the RFC is
+ mentioned but the new stand-alone definition is given. See
+ Appendix A for a list of the definitions that this document updates.
+
+ It is important to note that, during the development of this
+ document, it became clear that some DNS-related terms are interpreted
+ quite differently by different DNS experts. Further, some terms that
+ are defined in early DNS RFCs now have definitions that are generally
+ agreed to, but that are different from the original definitions.
+ This document is a small revision to [RFC8499]; that document was a
+ substantial revision to [RFC7719].
+
+ Note that there is no single consistent definition of "the DNS". It
+ can be considered to be some combination of the following: a commonly
+ used naming scheme for objects on the Internet; a distributed
+ database representing the names and certain properties of these
+ objects; an architecture providing distributed maintenance,
+ resilience, and loose coherency for this database; and a simple
+ query-response protocol (as mentioned below) implementing this
+ architecture. Section 2 defines "global DNS" and "private DNS" as a
+ way to deal with these differing definitions.
+
+ Capitalization in DNS terms is often inconsistent among RFCs and
+ various DNS practitioners. The capitalization used in this document
+ is a best guess at current practices, and is not meant to indicate
+ that other capitalization styles are wrong or archaic. In some
+ cases, multiple styles of capitalization are used for the same term
+ due to quoting from different RFCs.
+
+ In this document, the words "byte" and "octet" are used
+ interchangeably. They appear here because they both appear in the
+ earlier RFCs that defined terms in the DNS.
+
+ Readers should note that the terms in this document are grouped by
+ topic. Someone who is not already familiar with the DNS probably
+ cannot learn about the DNS from scratch by reading this document from
+ front to back. Instead, skipping around may be the only way to get
+ enough context to understand some of the definitions. This document
+ has an index that might be useful for readers who are attempting to
+ learn the DNS by reading this document.
+
+2. Names
+
+ Naming system: A naming system associates names with data. Naming
+ systems have many significant facets that help differentiate them
+ from each other. Some commonly identified facets include:
+
+ * Composition of names
+
+ * Format of names
+
+ * Administration of names
+
+ * Types of data that can be associated with names
+
+ * Types of metadata for names
+
+ * Protocol for getting data from a name
+
+ * Context for resolving a name
+
+ Note that this list is a small subset of facets that people have
+ identified over time for naming systems, and the IETF has yet to
+ agree on a good set of facets that can be used to compare naming
+ systems. For example, other facets might include "protocol to
+ update data in a name", "privacy of names", and "privacy of data
+ associated with names", but those are not as well defined as the
+ ones listed above. The list here is chosen because it helps
+ describe the DNS and naming systems similar to the DNS.
+
+ Domain name: An ordered list of one or more labels.
+
+ Note that this is a definition independent of the DNS RFCs
+ ([RFC1034] and [RFC1035]), and the definition here also applies to
+ systems other than the DNS. [RFC1034] defines the "domain name
+ space" using mathematical trees and their nodes in graph theory,
+ and that definition has the same practical result as the
+ definition here. Any path of a directed acyclic graph can be
+ represented by a domain name consisting of the labels of its
+ nodes, ordered by decreasing distance from the root(s) (which is
+ the normal convention within the DNS, including this document). A
+ domain name whose last label identifies a root of the graph is
+ fully qualified; other domain names whose labels form a strict
+ prefix of a fully qualified domain name are relative to its first
+ omitted node.
+
+ Also note that different IETF and non-IETF documents have used the
+ term "domain name" in many different ways. It is common for
+ earlier documents to use "domain name" to mean "names that match
+ the syntax in [RFC1035]", but possibly with additional rules such
+ as "and are, or will be, resolvable in the global DNS" or "but
+ only using the presentation format".
+
+ Label: An ordered list of zero or more octets that makes up a
+ portion of a domain name. Using graph theory, a label identifies
+ one node in a portion of the graph of all possible domain names.
+
+ Global DNS: Using the short set of facets listed in "Naming system",
+ the global DNS can be defined as follows. Most of the rules here
+ come from [RFC1034] and [RFC1035], although the term "global DNS"
+ has not been defined before now.
+
+ Composition of names: A name in the global DNS has one or more
+ labels. The length of each label is between 0 and 63 octets
+ inclusive. In a fully qualified domain name, the last label in
+ the ordered list is 0 octets long; it is the only label whose
+ length may be 0 octets, and it is called the "root" or "root
+ label". A domain name in the global DNS has a maximum total
+ length of 255 octets in the wire format; the root represents
+ one octet for this calculation. (Multicast DNS [RFC6762]
+ allows names up to 255 bytes plus a terminating zero byte based
+ on a different interpretation of RFC 1035 and what is included
+ in the 255 octets.)
+
+ Format of names: Names in the global DNS are domain names. There
+ are three formats: wire format, presentation format, and common
+ display.
+
+ Wire format: The basic wire format for names in the global DNS
+ is a list of labels ordered by decreasing distance from the
+ root, with the root label last. Each label is preceded by a
+ length octet. [RFC1035] also defines a compression scheme
+ that modifies this format.
+
+ Presentation format: The presentation format for names in the
+ global DNS is a list of labels ordered by decreasing
+ distance from the root, encoded as ASCII, with a "."
+ character between each label. In presentation format, a
+ fully qualified domain name includes the root label and the
+ associated separator dot. For example, in presentation
+ format, a fully qualified domain name with two non-root
+ labels is always shown as "example.tld." instead of
+ "example.tld". [RFC1035] defines a method for showing
+ octets that do not display in ASCII.
+
+ Common display format: The common display format is used in
+ applications and free text. It is the same as the
+ presentation format, but showing the root label and the "."
+ before it is optional and is rarely done. For example, in
+ common display format, a fully qualified domain name with
+ two non-root labels is usually shown as "example.tld"
+ instead of "example.tld.". Names in the common display
+ format are normally written such that the directionality of
+ the writing system presents labels by decreasing distance
+ from the root (so, in both English and the C programming
+ language, the root or Top-Level Domain (TLD) label in the
+ ordered list is rightmost; but in Arabic, it may be
+ leftmost, depending on local conventions).
+
+ Administration of names: Administration is specified by
+ delegation (see the definition of "delegation" in Section 7).
+ Policies for administration of the root zone in the global DNS
+ are determined by the names operational community, which
+ convenes itself in the Internet Corporation for Assigned Names
+ and Numbers (ICANN). The names operational community selects
+ the IANA Functions Operator for the global DNS root zone. The
+ name servers that serve the root zone are provided by
+ independent root operators. Other zones in the global DNS have
+ their own policies for administration.
+
+ Types of data that can be associated with names: A name can have
+ zero or more resource records associated with it. There are
+ numerous types of resource records with unique data structures
+ defined in many different RFCs and in the IANA registry at
+ [IANA_Resource_Registry].
+
+ Types of metadata for names: Any name that is published in the
+ DNS appears as a set of resource records (see the definition of
+ "RRset" in Section 5). Some names do not, themselves, have
+ data associated with them in the DNS, but they "appear" in the
+ DNS anyway because they form part of a longer name that does
+ have data associated with it (see the definition of "empty non-
+ terminals" in Section 7).
+
+ Protocol for getting data from a name: The protocol described in
+ [RFC1035].
+
+ Context for resolving a name: The global DNS root zone
+ distributed by Public Technical Identifiers (PTI).
+
+ Private DNS: Names that use the protocol described in [RFC1035] but
+ do not rely on the global DNS root zone or names that are
+ otherwise not generally available on the Internet but are using
+ the protocol described in [RFC1035]. A system can use both the
+ global DNS and one or more private DNS systems; for example, see
+ "Split DNS" in Section 6.
+
+ Note that domain names that do not appear in the DNS and that are
+ intended never to be looked up using the DNS protocol are not part
+ of the global DNS or a private DNS, even though they are domain
+ names.
+
+ Multicast DNS (mDNS): "Multicast DNS (mDNS) provides the ability to
+ perform DNS-like operations on the local link in the absence of
+ any conventional Unicast DNS server. In addition, Multicast DNS
+ designates a portion of the DNS namespace to be free for local
+ use, without the need to pay any annual fee, and without the need
+ to set up delegations or otherwise configure a conventional DNS
+ server to answer for those names." (Quoted from [RFC6762],
+ Abstract) Although it uses a compatible wire format, mDNS is,
+ strictly speaking, a different protocol than DNS. Also, where the
+ above quote says "a portion of the DNS namespace", it would be
+ clearer to say "a portion of the domain name space". The names in
+ mDNS are not intended to be looked up in the DNS.
+
+ Locally served DNS zone: A locally served DNS zone is a special case
+ of private DNS. Names are resolved using the DNS protocol in a
+ local context. [RFC6303] defines subdomains of IN-ADDR.ARPA that
+ are locally served zones. Resolution of names through locally
+ served zones may result in ambiguous results. For example, the
+ same name may resolve to different results in different locally
+ served DNS zone contexts. The context for a locally served DNS
+ zone may be explicit, such as those that are listed in [RFC6303]
+ and [RFC7793], or implicit, such as those defined by local DNS
+ administration and not known to the resolution client.
+
+ Fully Qualified Domain Name (FQDN): This is often just a clear way
+ of saying the same thing as "domain name of a node", as outlined
+ above. However, the term is ambiguous. Strictly speaking, a
+ fully qualified domain name would include every label, including
+ the zero-length label of the root; such a name would be written
+ "www.example.net." (note the terminating dot). But, because every
+ name eventually shares the common root, names are often written
+ relative to the root (such as "www.example.net") and are still
+ called "fully qualified". This term first appeared in [RFC819].
+ In this document, names are often written relative to the root.
+
+ The need for the term "fully qualified domain name" comes from the
+ existence of partially qualified domain names, which are names
+ where one or more of the last labels in the ordered list are
+ omitted (for example, a domain name of "www" relative to
+ "example.net" identifies "www.example.net"). Such relative names
+ are understood only by context.
+
+ Host name: This term and its equivalent, "hostname", have been
+ widely used but are not defined in [RFC1034], [RFC1035],
+ [RFC1123], or [RFC2181]. The DNS was originally deployed into the
+ Host Tables environment as outlined in [RFC952], and it is likely
+ that the term followed informally from the definition there. Over
+ time, the definition seems to have shifted. "Host name" is often
+ meant to be a domain name that follows the rules in Section 3.5 of
+ [RFC1034], which is also called the "preferred name syntax". (In
+ that syntax, every character in each label is a letter, a digit,
+ or a hyphen). Note that any label in a domain name can contain
+ any octet value; hostnames are generally considered to be domain
+ names where every label follows the rules in the "preferred name
+ syntax", with the amendment that labels can start with ASCII
+ digits (this amendment comes from Section 2.1 of [RFC1123]).
+
+ People also sometimes use the term "hostname" to refer to just the
+ first label of an FQDN, such as "printer" in
+ "printer.admin.example.com". (Sometimes this is formalized in
+ configuration in operating systems.) In addition, people
+ sometimes use this term to describe any name that refers to a
+ machine, and those might include labels that do not conform to the
+ "preferred name syntax".
+
+ Top-Level Domain (TLD): A Top-Level Domain is a zone that is one
+ layer below the root, such as "com" or "jp". There is nothing
+ special, from the point of view of the DNS, about TLDs. Most of
+ them are also delegation-centric zones (defined in Section 7), and
+ there are significant policy issues around their operation. TLDs
+ are often divided into sub-groups such as Country Code Top-Level
+ Domains (ccTLDs), Generic Top-Level Domains (gTLDs), and others;
+ the division is a matter of policy and beyond the scope of this
+ document.
+
+ Internationalized Domain Name (IDN): The Internationalized Domain
+ Names for Applications (IDNA) protocol is the standard mechanism
+ for handling domain names with non-ASCII characters in
+ applications in the DNS. The current standard at the time of this
+ writing, normally called "IDNA2008", is defined in [RFC5890],
+ [RFC5891], [RFC5892], [RFC5893], and [RFC5894]. These documents
+ define many IDN-specific terms such as "LDH label", "A-label", and
+ "U-label". [RFC6365] defines more terms that relate to
+ internationalization (some of which relate to IDNs); [RFC6055] has
+ a much more extensive discussion of IDNs, including some new
+ terminology.
+
+ Subdomain: "A domain is a subdomain of another domain if it is
+ contained within that domain. This relationship can be tested by
+ seeing if the subdomain's name ends with the containing domain's
+ name." (Quoted from [RFC1034], Section 3.1) For example, in the
+ host name "nnn.mmm.example.com", both "mmm.example.com" and
+ "nnn.mmm.example.com" are subdomains of "example.com". Note that
+ the comparisons here are done on whole labels; that is,
+ "ooo.example.com" is not a subdomain of "oo.example.com".
+
+ Alias: The owner of a CNAME resource record, or a subdomain of the
+ owner of a DNAME resource record (DNAME records are defined in
+ [RFC6672]). See also "canonical name".
+
+ Canonical name: A CNAME resource record "identifies its owner name
+ as an alias, and specifies the corresponding canonical name in the
+ RDATA section of the RR." (Quoted from [RFC1034], Section 3.6.2)
+ This usage of the word "canonical" is related to the mathematical
+ concept of "canonical form".
+
+ CNAME: "It has been traditional to refer to the [owner] of a CNAME
+ record as 'a CNAME'. This is unfortunate, as 'CNAME' is an
+ abbreviation of 'canonical name', and the [owner] of a CNAME
+ record is most certainly not a canonical name." (Quoted from
+ [RFC2181], Section 10.1.1. The quoted text has been changed from
+ "label" to "owner".)
+
+3. DNS Response Codes
+
+ Some of the response codes (RCODEs) that are defined in [RFC1035]
+ have acquired their own shorthand names. All of the RCODEs are
+ listed at [IANA_Resource_Registry], although that list uses mixed-
+ case capitalization, while most documents use all caps. Some of the
+ common names for values defined in [RFC1035] are described in this
+ section. This section also includes an additional RCODE and a
+ general definition. The official list of all RCODEs is in the IANA
+ registry.
+
+ NOERROR: This RCODE appears as "No error condition" in Section 4.1.1
+ of [RFC1035].
+
+ FORMERR: This RCODE appears as "Format error - The name server was
+ unable to interpret the query" in Section 4.1.1 of [RFC1035].
+
+ SERVFAIL: This RCODE appears as "Server failure - The name server
+ was unable to process this query due to a problem with the name
+ server" in Section 4.1.1 of [RFC1035].
+
+ NXDOMAIN: This RCODE appears as "Name Error [...] this code
+ signifies that the domain name referenced in the query does not
+ exist." in Section 4.1.1 of [RFC1035]. [RFC2308] established
+ NXDOMAIN as a synonym for Name Error.
+
+ NOTIMP: This RCODE appears as "Not Implemented - The name server
+ does not support the requested kind of query" in Section 4.1.1 of
+ [RFC1035].
+
+ REFUSED: This RCODE appears as "Refused - The name server refuses to
+ perform the specified operation for policy reasons. For example,
+ a name server may not wish to provide the information to the
+ particular requester, or a name server may not wish to perform a
+ particular operation (e.g., zone transfer) for particular data."
+ in Section 4.1.1 of [RFC1035].
+
+ NODATA: "A pseudo RCODE which indicates that the name is valid, for
+ the given class, but [there] are no records of the given type. A
+ NODATA response has to be inferred from the answer." (Quoted from
+ [RFC2308], Section 1) "NODATA is indicated by an answer with the
+ RCODE set to NOERROR and no relevant answers in the Answer
+ section. The Authority section will contain an SOA record, or
+ there will be no NS records there." (Quoted from [RFC2308],
+ Section 2.2) Note that referrals have a similar format to NODATA
+ replies; [RFC2308] explains how to distinguish them.
+
+ The term "NXRRSET" is sometimes used as a synonym for NODATA.
+ However, this is a mistake, given that NXRRSET is a specific error
+ code defined in [RFC2136].
+
+ Negative response: A response that indicates that a particular RRset
+ does not exist or whose RCODE indicates that the nameserver cannot
+ answer. Sections 2 and 7 of [RFC2308] describe the types of
+ negative responses in detail.
+
+4. DNS Transactions
+
+ The header of a DNS message is its first 12 octets. Many of the
+ fields and flags in the diagrams in Sections 4.1.1 through 4.1.3 of
+ [RFC1035] are referred to by their names in each diagram. For
+ example, the response codes are called "RCODEs", the data for a
+ record is called the "RDATA", and the authoritative answer bit is
+ often called "the AA flag" or "the AA bit".
+
+ Class: A class "identifies a protocol family or instance of a
+ protocol". (Quoted from [RFC1034], Section 3.6) "The DNS tags all
+ data with a class as well as the type, so that we can allow
+ parallel use of different formats for data of type address."
+ (Quoted from [RFC1034], Section 2.2) In practice, the class for
+ nearly every query is "IN" (the Internet). There are some queries
+ for "CH" (the Chaos class), but they are usually for the purposes
+ of information about the server itself rather than for a different
+ type of address.
+
+ QNAME: The most commonly used rough definition is that the QNAME is
+ a field in the Question section of a query. "A standard query
+ specifies a target domain name (QNAME), query type (QTYPE), and
+ query class (QCLASS) and asks for RRs which match." (Quoted from
+ [RFC1034], Section 3.7.1) Strictly speaking, the definition comes
+ from [RFC1035], Section 4.1.2, where the QNAME is defined in
+ respect of the Question section. This definition appears to be
+ applied consistently, as the discussion of inverse queries in
+ Section 6.4.1 of [RFC1035] refers to the "owner name of the query
+ RR and its TTL" because inverse queries populate the Answer
+ section and leave the Question section empty. (Inverse queries
+ are deprecated in [RFC3425]; thus, relevant definitions do not
+ appear in this document.)
+
+ However, [RFC2308] has an alternate definition that puts the QNAME
+ in the answer (or series of answers) instead of the query. It
+ defines QNAME as "...the name in the query section of an answer,
+ or where this resolves to a CNAME, or CNAME chain, the data field
+ of the last CNAME. The last CNAME in this sense is that which
+ contains a value which does not resolve to another CNAME." This
+ definition has a certain internal logic, because of the way CNAME
+ substitution works and the definition of CNAME. If a name server
+ does not find an RRset that matches a query, but does find the
+ same name in the same class with a CNAME record, then the name
+ server "includes the CNAME record in the response and restarts the
+ query at the domain name specified in the data field of the CNAME
+ record." (Quoted from [RFC1034], Section 3.6.2) This is made
+ explicit in the resolution algorithm outlined in Section 4.3.2 of
+ [RFC1034], which says to "change QNAME to the canonical name in
+ the CNAME RR, and go back to step 1" in the case of a CNAME RR.
+ Since a CNAME record explicitly declares that the owner name is
+ canonically named what is in the RDATA, then there is a way to
+ view the new name (i.e., the name that was in the RDATA of the
+ CNAME RR) as also being the QNAME.
+
+ However, this creates confusion because the response to a query
+ that results in CNAME processing contains in the echoed Question
+ section one QNAME (the name in the original query) and a second
+ QNAME that is in the data field of the last CNAME. The confusion
+ comes from the iterative/recursive mode of resolution, which
+ finally returns an answer that need not actually have the same
+ owner name as the QNAME contained in the original query.
+
+ To address this potential confusion, it is helpful to distinguish
+ between three meanings:
+
+ QNAME (original): The name actually sent in the Question section
+ in the original query, which is always echoed in the (final)
+ reply in the Question section when the QR bit is set to 1.
+
+ QNAME (effective): A name actually resolved, which is either the
+ name originally queried or a name received in a CNAME chain
+ response.
+
+ QNAME (final): The name actually resolved, which is either the
+ name actually queried or else the last name in a CNAME chain
+ response.
+
+ Note that, because the definition in [RFC2308] is actually for a
+ different concept than what was in [RFC1034], it would have been
+ better if [RFC2308] had used a different name for that concept.
+ In general use today, QNAME almost always means what is defined
+ above as "QNAME (original)".
+
+ Referrals: A type of response in which a server, signaling that it
+ is not (completely) authoritative for an answer, provides the
+ querying resolver with an alternative place to send its query.
+ Referrals can be partial.
+
+ A referral arises when a server is not performing recursive
+ service while answering a query. It appears in step 3(b) of the
+ algorithm in [RFC1034], Section 4.3.2.
+
+ There are two types of referral response. The first is a downward
+ referral (sometimes described as "delegation response"), where the
+ server is authoritative for some portion of the QNAME. The
+ Authority section RRset's RDATA contains the name servers
+ specified at the referred-to zone cut. In normal DNS operation,
+ this kind of response is required in order to find names beneath a
+ delegation. The bare use of "referral" means this kind of
+ referral, and many people believe that this is the only legitimate
+ kind of referral in the DNS.
+
+ The second is an upward referral (sometimes described as "root
+ referral"), where the server is not authoritative for any portion
+ of the QNAME. When this happens, the referred-to zone in the
+ Authority section is usually the root zone ("."). In normal DNS
+ operation, this kind of response is not required for resolution or
+ for correctly answering any query. There is no requirement that
+ any server send upward referrals. Some people regard upward
+ referrals as a sign of a misconfiguration or error. Upward
+ referrals always need some sort of qualifier (such as "upward" or
+ "root") and are never identified simply by the word "referral".
+
+ A response that has only a referral contains an empty Answer
+ section. It contains the NS RRset for the referred-to zone in the
+ Authority section. It may contain RRs that provide addresses in
+ the Additional section. The AA bit is clear.
+
+ In the case where the query matches an alias, and the server is
+ not authoritative for the target of the alias but is authoritative
+ for some name above the target of the alias, the resolution
+ algorithm will produce a response that contains both the
+ authoritative answer for the alias and a referral. Such a partial
+ answer and referral response has data in the Answer section. It
+ has the NS RRset for the referred-to zone in the Authority
+ section. It may contain RRs that provide addresses in the
+ Additional section. The AA bit is set because the first name in
+ the Answer section matches the QNAME and the server is
+ authoritative for that answer (see [RFC1035], Section 4.1.1).
+
+5. Resource Records
+
+ RR: An acronym for resource record. (See [RFC1034], Section 3.6.)
+
+ RRset: A set of resource records "with the same label, class and
+ type, but with different data" (according to [RFC2181],
+ Section 5). Also written as "RRSet" in some documents. As a
+ clarification, "same label" in this definition means "same owner
+ name". In addition, [RFC2181] states that "the TTLs of all RRs in
+ an RRSet must be the same".
+
+ Note that RRSIG resource records do not match this definition.
+ [RFC4035] says:
+
+ An RRset MAY have multiple RRSIG RRs associated with it. Note
+ that as RRSIG RRs are closely tied to the RRsets whose
+ signatures they contain, RRSIG RRs, unlike all other DNS RR
+ types, do not form RRsets. In particular, the TTL values among
+ RRSIG RRs with a common owner name do not follow the RRset
+ rules described in [RFC2181].
+
+ Master file: "Master files are text files that contain RRs in text
+ form. Since the contents of a zone can be expressed in the form
+ of a list of RRs a master file is most often used to define a
+ zone, though it can be used to list a cache's contents." (Quoted
+ from [RFC1035], Section 5) Master files are sometimes called "zone
+ files".
+
+ Presentation format: The text format used in master files. This
+ format is shown but not formally defined in [RFC1034] or
+ [RFC1035]. The term "presentation format" first appears in
+ [RFC4034].
+
+ EDNS: The extension mechanisms for DNS, defined in [RFC6891].
+ Sometimes called "EDNS0" or "EDNS(0)" to indicate the version
+ number. EDNS allows DNS clients and servers to specify message
+ sizes larger than the original 512-octet limit, to expand the
+ response code space, and to carry additional options that affect
+ the handling of a DNS query.
+
+ OPT: A pseudo-RR (sometimes called a "meta-RR") that is used only to
+ contain control information pertaining to the question-and-answer
+ sequence of a specific transaction. (Definition paraphrased from
+ [RFC6891], Section 6.1.1.) It is used by EDNS.
+
+ Owner: "The domain name where the RR is found." (Quoted from
+ [RFC1034], Section 3.6) Often appears in the term "owner name".
+
+ SOA field names: DNS documents, including the definitions here,
+ often refer to the fields in the RDATA of an SOA resource record
+ by field name. "SOA" stands for "start of a zone of authority".
+ Those fields are defined in Section 3.3.13 of [RFC1035]. The
+ names (in the order they appear in the SOA RDATA) are MNAME,
+ RNAME, SERIAL, REFRESH, RETRY, EXPIRE, and MINIMUM. Note that the
+ meaning of the MINIMUM field is updated in Section 4 of [RFC2308];
+ the new definition is that the MINIMUM field is only "the TTL to
+ be used for negative responses". This document tends to use field
+ names instead of terms that describe the fields.
+
+ TTL: The maximum "time to live" of a resource record. "A TTL value
+ is an unsigned number, with a minimum value of 0, and a maximum
+ value of 2147483647. That is, a maximum of 2^31 - 1. When
+ transmitted, this value shall be encoded in the less significant
+ 31 bits of the 32 bit TTL field, with the most significant, or
+ sign, bit set to zero." (Quoted from [RFC2181], Section 8) Note
+ that [RFC1035] erroneously stated that this is a signed integer;
+ that was fixed by [RFC2181].
+
+ The TTL "specifies the time interval that the resource record may
+ be cached before the source of the information should again be
+ consulted." (Quoted from [RFC1035], Section 3.2.1) Section 4.1.3
+ of [RFC1035] states "the time interval (in seconds) that the
+ resource record may be cached before it should be discarded".
+ Despite being defined for a resource record, the TTL of every
+ resource record in an RRset is required to be the same ([RFC2181],
+ Section 5.2).
+
+ The reason that the TTL is the maximum time to live is that a
+ cache operator might decide to shorten the time to live for
+ operational purposes, for example, if there is a policy to
+ disallow TTL values over a certain number. Some servers are known
+ to ignore the TTL on some RRsets (such as when the authoritative
+ data has a very short TTL) even though this is against the advice
+ in [RFC1035]. An RRset can be flushed from the cache before the
+ end of the TTL interval, at which point, the value of the TTL
+ becomes unknown because the RRset with which it was associated no
+ longer exists.
+
+ There is also the concept of a "default TTL" for a zone, which can
+ be a configuration parameter in the server software. This is
+ often expressed by a default for the entire server, and a default
+ for a zone using the $TTL directive in a zone file. The $TTL
+ directive was added to the master file format by [RFC2308].
+
+ Class independent: A resource record type whose syntax and semantics
+ are the same for every DNS class. A resource record type that is
+ not class independent has different meanings, depending on the DNS
+ class of the record or if the meaning is undefined for some
+ classes. Most resource record types are defined for class 1 (IN,
+ the Internet), but many are undefined for other classes.
+
+ Address records: Records whose type is either A or AAAA. [RFC2181]
+ informally defines these as "(A, AAAA, etc)". Note that new types
+ of address records could be defined in the future.
+
+6. DNS Servers and Clients
+
+ This section defines the terms used for the systems that act as DNS
+ clients, DNS servers, or both. In past RFCs, DNS servers are
+ sometimes called "name servers", "nameservers", or just "servers".
+ There is no formal definition of "DNS server", but RFCs generally
+ assume that it is an Internet server that listens for queries and
+ sends responses using the DNS protocol defined in [RFC1035] and its
+ successors.
+
+ It is important to note that the terms "DNS server" and "name server"
+ require context in order to understand the services being provided.
+ Both authoritative servers and recursive resolvers are often called
+ "DNS servers" and "name servers" even though they serve different
+ roles (but may be part of the same software package).
+
+ For terminology specific to the global DNS root server system, see
+ [RSSAC026]. That document defines terms such as "root server", "root
+ server operator", and terms that are specific to the way that the
+ root zone of the global DNS is served.
+
+ Resolver: A program "that extract[s] information from name servers
+ in response to client requests." (Quoted from [RFC1034],
+ Section 2.4) A resolver performs queries for a name, type, and
+ class, and receives responses. The logical function is called
+ "resolution". In practice, the term is usually referring to some
+ specific type of resolver (some of which are defined below), and
+ understanding the use of the term depends on understanding the
+ context.
+
+ A related term is "resolve", which is not formally defined in
+ [RFC1034] or [RFC1035]. An imputed definition might be "asking a
+ question that consists of a domain name, class, and type, and
+ receiving some sort of response". Similarly, an imputed
+ definition of "resolution" might be "the response received from
+ resolving".
+
+ Stub resolver: A resolver that cannot perform all resolution itself.
+ Stub resolvers generally depend on a recursive resolver to
+ undertake the actual resolution function. Stub resolvers are
+ discussed but never fully defined in Section 5.3.1 of [RFC1034].
+ They are fully defined in Section 6.1.3.1 of [RFC1123].
+
+ Iterative mode: A resolution mode of a server that receives DNS
+ queries and responds with a referral to another server.
+ Section 2.3 of [RFC1034] describes this as "The server refers the
+ client to another server and lets the client pursue the query." A
+ resolver that works in iterative mode is sometimes called an
+ "iterative resolver". See also "iterative resolution" later in
+ this section.
+
+ Recursive mode: A resolution mode of a server that receives DNS
+ queries and either responds to those queries from a local cache or
+ sends queries to other servers in order to get the final answers
+ to the original queries. Section 2.3 of [RFC1034] describes this
+ as "the first server pursues the query for the client at another
+ server". Section 4.3.1 of [RFC1034] says: "in [recursive] mode
+ the name server acts in the role of a resolver and returns either
+ an error or the answer, but never referrals." That same section
+ also says:
+
+ The recursive mode occurs when a query with RD set arrives at a
+ server which is willing to provide recursive service; the
+ client can verify that recursive mode was used by checking that
+ both RA and RD are set in the reply.
+
+ A server operating in recursive mode may be thought of as having a
+ name server side (which is what answers the query) and a resolver
+ side (which performs the resolution function). Systems operating
+ in this mode are commonly called "recursive servers". Sometimes
+ they are called "recursive resolvers". In practice, it is not
+ possible to know in advance whether the server that one is
+ querying will also perform recursion; both terms can be observed
+ in use interchangeably.
+
+ Recursive resolver: A resolver that acts in recursive mode. In
+ general, a recursive resolver is expected to cache the answers it
+ receives (which would make it a full-service resolver), but some
+ recursive resolvers might not cache.
+
+ [RFC4697] tried to differentiate between a recursive resolver and
+ an iterative resolver.
+
+ Recursive query: A query with the Recursion Desired (RD) bit set to
+ 1 in the header. (See Section 4.1.1 of [RFC1035].) If recursive
+ service is available and is requested by the RD bit in the query,
+ the server uses its resolver to answer the query. (See
+ Section 4.3.2 of [RFC1034].)
+
+ Non-recursive query: A query with the Recursion Desired (RD) bit set
+ to 0 in the header. A server can answer non-recursive queries
+ using only local information: the response contains either an
+ error, the answer, or a referral to some other server "closer" to
+ the answer. (See Section 4.3.1 of [RFC1034].)
+
+ Iterative resolution: A name server may be presented with a query
+ that can only be answered by some other server. The two general
+ approaches to dealing with this problem are "recursive", in which
+ the first server pursues the query on behalf of the client at
+ another server, and "iterative", in which the server refers the
+ client to another server and lets the client pursue the query
+ there. (See Section 2.3 of [RFC1034].)
+
+ In iterative resolution, the client repeatedly makes non-recursive
+ queries and follows referrals and/or aliases. The iterative
+ resolution algorithm is described in Section 5.3.3 of [RFC1034].
+
+ Full resolver: This term is used in [RFC1035], but it is not defined
+ there. RFC 1123 defines a "full-service resolver" that may or may
+ not be what was intended by "full resolver" in [RFC1035]. This
+ term is not properly defined in any RFC, and there is no consensus
+ on what the term means. The use of this term without proper
+ context is discouraged.
+
+ Full-service resolver: Section 6.1.3.1 of [RFC1123] defines this
+ term as a resolver that acts in recursive mode with a cache (and
+ meets other requirements).
+
+ Priming: "The act of finding the list of root servers from a
+ configuration that lists some or all of the purported IP addresses
+ of some or all of those root servers." (Quoted from [RFC8109],
+ Section 2) In order to operate in recursive mode, a resolver needs
+ to know the address of at least one root server. Priming is most
+ often done from a configuration setting that contains a list of
+ authoritative servers for the root zone.
+
+ Root hints: "Operators who manage a DNS recursive resolver typically
+ need to configure a 'root hints file'. This file contains the
+ names and IP addresses of the authoritative name servers for the
+ root zone, so the software can bootstrap the DNS resolution
+ process. For many pieces of software, this list comes built into
+ the software." (Quoted from [IANA_RootFiles]) This file is often
+ used in priming.
+
+ Negative caching: "The storage of knowledge that something does not
+ exist, cannot or does not give an answer." (Quoted from
+ [RFC2308], Section 1)
+
+ Authoritative server: "A server that knows the content of a DNS zone
+ from local knowledge, and thus can answer queries about that zone
+ without needing to query other servers." (Quoted from [RFC2182],
+ Section 2) An authoritative server is named in the NS ("name
+ server") record in a zone. It is a system that responds to DNS
+ queries with information about zones for which it has been
+ configured to answer with the AA flag in the response header set
+ to 1. It is a server that has authority over one or more DNS
+ zones. Note that it is possible for an authoritative server to
+ respond to a query without the parent zone delegating authority to
+ that server. Authoritative servers also provide "referrals",
+ usually to child zones delegated from them; these referrals have
+ the AA bit set to 0 and come with referral data in the Authority
+ and (if needed) the Additional sections.
+
+ Authoritative-only server: A name server that only serves
+ authoritative data and ignores requests for recursion. It will
+ "not normally generate any queries of its own. Instead it answers
+ non-recursive queries from iterative resolvers looking for
+ information in zones it serves." (Quoted from [RFC4697],
+ Section 2.4) In this case, "ignores requests for recursion" means
+ "responds to requests for recursion with responses indicating that
+ recursion was not performed".
+
+ Zone transfer: The act of a client requesting a copy of a zone and
+ an authoritative server sending the needed information. (See
+ Section 7 for a description of zones.) There are two common
+ standard ways to do zone transfers: the AXFR ("Authoritative
+ Transfer") mechanism to copy the full zone (described in
+ [RFC5936], and the IXFR ("Incremental Transfer") mechanism to copy
+ only parts of the zone that have changed (described in [RFC1995]).
+ Many systems use non-standard methods for zone transfers outside
+ the DNS protocol.
+
+ Slave server: See "Secondary server".
+
+ Secondary server: "An authoritative server which uses zone transfer
+ to retrieve the zone." (Quoted from [RFC1996], Section 2.1)
+ Secondary servers are also discussed in [RFC1034]. [RFC2182]
+ describes secondary servers in more detail. Although early DNS
+ RFCs such as [RFC1996] referred to this as a "slave", the current
+ common usage has shifted to calling it a "secondary".
+
+ Master server: See "Primary server".
+
+ Primary server: "Any authoritative server configured to be the
+ source of zone transfer for one or more [secondary] servers."
+ (Quoted from [RFC1996], Section 2.1) Or, more specifically,
+ [RFC2136] calls it "an authoritative server configured to be the
+ source of AXFR or IXFR data for one or more [secondary] servers".
+ Primary servers are also discussed in [RFC1034]. Although early
+ DNS RFCs such as [RFC1996] referred to this as a "master", the
+ current common usage has shifted to "primary".
+
+ Primary master: "The primary master is named in the zone's SOA MNAME
+ field and optionally by an NS RR." (Quoted from [RFC1996],
+ Section 2.1) [RFC2136] defines "primary master" as "Master server
+ at the root of the AXFR/IXFR dependency graph. The primary master
+ is named in the zone's SOA MNAME field and optionally by an NS RR.
+ There is by definition only one primary master server per zone."
+
+ The idea of a primary master is only used in [RFC1996] and
+ [RFC2136]. A modern interpretation of the term "primary master"
+ is a server that is both authoritative for a zone and that gets
+ its updates to the zone from configuration (such as a master file)
+ or from UPDATE transactions.
+
+ Stealth server: This is "like a slave server except not listed in an
+ NS RR for the zone." (Quoted from [RFC1996], Section 2.1)
+
+ Hidden master: A stealth server that is a primary server for zone
+ transfers. "In this arrangement, the master name server that
+ processes the updates is unavailable to general hosts on the
+ Internet; it is not listed in the NS RRset." (Quoted from
+ [RFC6781], Section 3.4.3) [RFC4641] said that the hidden master's
+ name "appears in the SOA RRs MNAME field"; however, the name does
+ not appear at all in the global DNS in some setups. A hidden
+ master can also be a secondary server for the zone itself.
+
+ Forwarding: The process of one server sending a DNS query with the
+ RD bit set to 1 to another server to resolve that query.
+ Forwarding is a function of a DNS resolver; it is different than
+ simply blindly relaying queries.
+
+ [RFC5625] does not give a specific definition for forwarding, but
+ describes in detail what features a system that forwards needs to
+ support. Systems that forward are sometimes called "DNS proxies",
+ but that term has not yet been defined (even in [RFC5625]).
+
+ Forwarder: Section 1 of [RFC2308] describes a forwarder as "a
+ nameserver used to resolve queries instead of directly using the
+ authoritative nameserver chain". [RFC2308] further says "The
+ forwarder typically either has better access to the internet, or
+ maintains a bigger cache which may be shared amongst many
+ resolvers." That definition appears to suggest that forwarders
+ normally only query authoritative servers. In current use,
+ however, forwarders often stand between stub resolvers and
+ recursive servers. [RFC2308] is silent on whether a forwarder is
+ iterative-only or can be a full-service resolver.
+
+ Policy-implementing resolver: A resolver acting in recursive mode
+ that changes some of the answers that it returns based on policy
+ criteria, such as to prevent access to malware sites or
+ objectionable content. In general, a stub resolver has no idea
+ whether upstream resolvers implement such policy or, if they do,
+ the exact policy about what changes will be made. In some cases,
+ the user of the stub resolver has selected the policy-implementing
+ resolver with the explicit intention of using it to implement the
+ policies. In other cases, policies are imposed without the user
+ of the stub resolver being informed.
+
+ Open resolver: A full-service resolver that accepts and processes
+ queries from any (or nearly any) client. This is sometimes also
+ called a "public resolver", although the term "public resolver" is
+ used more with open resolvers that are meant to be open, as
+ compared to the vast majority of open resolvers that are probably
+ misconfigured to be open. Open resolvers are discussed in
+ [RFC5358].
+
+ Split DNS: The terms "split DNS" and "split-horizon DNS" have long
+ been used in the DNS community without formal definition. In
+ general, they refer to situations in which DNS servers that are
+ authoritative for a particular set of domains provide partly or
+ completely different answers in those domains depending on the
+ source of the query. Nevertheless, the effect of this is that a
+ domain name that is notionally globally unique has different
+ meanings for different network users. This can sometimes be the
+ result of a "view" configuration, as described below.
+
+ Section 3.8 of [RFC2775] gives a related definition that is too
+ specific to be generally useful.
+
+ View: A configuration for a DNS server that allows it to provide
+ different responses depending on attributes of the query, such as
+ for "split DNS". Typically, views differ by the source IP address
+ of a query, but can also be based on the destination IP address,
+ the type of query (such as AXFR), whether it is recursive, and so
+ on. Views are often used to provide more names or different
+ addresses to queries from "inside" a protected network than to
+ those "outside" that network. Views are not a standardized part
+ of the DNS, but they are widely implemented in server software.
+
+ Passive DNS: A mechanism to collect DNS data by storing DNS
+ responses from name servers. Some of these systems also collect
+ the DNS queries associated with the responses, although doing so
+ raises some privacy concerns. Passive DNS databases can be used
+ to answer historical questions about DNS zones, such as which
+ values were present at a given time in the past, or when a name
+ was spotted first. Passive DNS databases allow searching of the
+ stored records on keys other than just the name and type, such as
+ "find all names which have A records of a particular value".
+
+ Anycast: "The practice of making a particular service address
+ available in multiple, discrete, autonomous locations, such that
+ datagrams sent are routed to one of several available locations."
+ (Quoted from [RFC4786], Section 2) See [RFC4786] for more detail
+ on Anycast and other terms that are specific to its use.
+
+ Instance: "When anycast routing is used to allow more than one
+ server to have the same IP address, each one of those servers is
+ commonly referred to as an 'instance'." It goes on to say: "An
+ instance of a server, such as a root server, is often referred to
+ as an 'Anycast instance'." (Quoted from [RSSAC026])
+
+ Privacy-enabling DNS server: "A DNS server that implements DNS over
+ TLS [RFC7858] and may optionally implement DNS over DTLS
+ [RFC8094]." (Quoted from [RFC8310], Section 2) Other types of DNS
+ servers might also be considered privacy-enabling, such as those
+ running DNS-over-HTTPS [RFC8484] or DNS-over-QUIC [RFC9250].
+
+ DNS-over-TLS (DoT): DNS over TLS as defined in [RFC7858] and its
+ successors.
+
+ DNS-over-HTTPS (DoH): DNS over HTTPS as defined in [RFC8484] and its
+ successors.
+
+ DNS-over-QUIC (DoQ): DNS over QUIC as defined in [RFC9250] and its
+ successors. [RFC9250] specifically defines DoQ as general-purpose
+ transport for DNS that can be used in stub to recursive, recursive
+ to authoritative, and zone transfer scenarios.
+
+ Classic DNS: DNS over UDP or DNS over TCP as defined in [RFC1035]
+ and its successors. Classic DNS applies to DNS communication
+ between stub resolvers and recursive resolvers, and between
+ recursive resolvers and authoritative servers. This has sometimes
+ been called "Do53". Classic DNS is not encrypted.
+
+ Recursive DoT (RDoT): RDoT specifically means DNS-over-TLS for
+ transport between a stub resolver and a recursive resolver, or
+ between a recursive resolver and another recursive resolver. This
+ term is necessary because it is expected that DNS-over-TLS will
+ later be defined as a transport between recursive resolvers and
+ authoritative servers.
+
+ Authoritative DoT (ADoT): If DNS-over-TLS is later defined as a
+ transport between recursive resolvers and authoritative servers,
+ ADoT specifically means DNS-over-TLS for transport between
+ recursive resolvers and authoritative servers.
+
+ XFR-over-TLS (XoT): DNS zone transfer over TLS, as specified in
+ [RFC9103]. This term applies to both AXFR over TLS (AXoT) and
+ IXFR over TLS (IXoT).
+
+7. Zones
+
+ This section defines terms that are used when discussing zones that
+ are being served or retrieved.
+
+ Zone: "Authoritative information is organized into units called
+ ZONEs, and these zones can be automatically distributed to the
+ name servers which provide redundant service for the data in a
+ zone." (Quoted from [RFC1034], Section 2.4)
+
+ Child: "The entity on record that has the delegation of the domain
+ from the Parent." (Quoted from [RFC7344], Section 1.1)
+
+ Parent: "The domain in which the Child is registered." (Quoted from
+ [RFC7344], Section 1.1) Earlier, "parent name server" was defined
+ in [RFC0882] as "the name server that has authority over the place
+ in the domain name space that will hold the new domain". (Note
+ that [RFC0882] was obsoleted by [RFC1034] and [RFC1035].)
+ [RFC819] also has some description of the relationship between
+ parents and children.
+
+ Origin:
+
+ There are two different uses for this term:
+
+ (a) "The domain name that appears at the top of a zone (just
+ below the cut that separates the zone from its parent)... The
+ name of the zone is the same as the name of the domain at the
+ zone's origin." (Quoted from [RFC2181], Section 6) These
+ days, this sense of "origin" and "apex" (defined below) are
+ often used interchangeably.
+
+ (b) The domain name within which a given relative domain name
+ appears in zone files. Generally seen in the context of
+ "$ORIGIN", which is a control entry defined in [RFC1035],
+ Section 5.1, as part of the master file format. For example,
+ if the $ORIGIN is set to "example.org.", then a master file
+ line for "www" is in fact an entry for "www.example.org.".
+
+ Apex: The point in the tree at an owner of an SOA and corresponding
+ authoritative NS RRset. This is also called the "zone apex".
+ [RFC4033] defines it as "the name at the child's side of a zone
+ cut". The "apex" can usefully be thought of as a data-theoretic
+ description of a tree structure, and "origin" is the name of the
+ same concept when it is implemented in zone files. The
+ distinction is not always maintained in use, however, and one can
+ find uses that conflict subtly with this definition. [RFC1034]
+ uses the term "top node of the zone" as a synonym of "apex", but
+ that term is not widely used. These days, the first sense of
+ "origin" (above) and "apex" are often used interchangeably.
+
+ Zone cut: The delimitation point between two zones where the origin
+ of one of the zones is the child of the other zone.
+
+ "Zones are delimited by 'zone cuts'. Each zone cut separates a
+ 'child' zone (below the cut) from a 'parent' zone (above the
+ cut)." (Quoted from [RFC2181], Section 6; note that this is
+ barely an ostensive definition.) Section 4.2 of [RFC1034] uses
+ "cuts" instead of "zone cut".
+
+ Delegation: The process by which a separate zone is created in the
+ name space beneath the apex of a given domain. Delegation happens
+ when an NS RRset is added in the parent zone for the child origin.
+ Delegation inherently happens at a zone cut. The term is also
+ commonly a noun: the new zone that is created by the act of
+ delegating.
+
+ Authoritative data: "All of the RRs attached to all of the nodes
+ from the top node of the zone down to leaf nodes or nodes above
+ cuts around the bottom edge of the zone." (Quoted from [RFC1034],
+ Section 4.2.1) Note that this definition might inadvertently also
+ cause any NS records that appear in the zone to be included, even
+ those that might not truly be authoritative, because there are
+ identical NS RRs below the zone cut. This reveals the ambiguity
+ in the notion of authoritative data, because the parent-side NS
+ records authoritatively indicate the delegation, even though they
+ are not themselves authoritative data.
+
+ [RFC4033], Section 2, defines "Authoritative RRset", which is
+ related to authoritative data but has a more precise definition.
+
+ Lame delegation: "A lame delegations exists [sic] when a nameserver
+ is delegated responsibility for providing nameservice for a zone
+ (via NS records) but is not performing nameservice for that zone
+ (usually because it is not set up as a primary or secondary for
+ the zone)." (Quoted from [RFC1912], Section 2.8) Another
+ definition is that a lame delegation "...happens when a name
+ server is listed in the NS records for some domain and in fact it
+ is not a server for that domain. Queries are thus sent to the
+ wrong servers, who don't know nothing [sic] (at least not as
+ expected) about the queried domain. Furthermore, sometimes these
+ hosts (if they exist!) don't even run name servers." (Quoted from
+ [RFC1713], Section 2.3)
+
+ These early definitions do not match the current use of the term
+ "lame delegation", but there is no consensus on what a lame
+ delegation is. The term is used not only for the specific case
+ described above, but for a variety of other flaws in delegations
+ that lead to non-authoritative answers or no answers at all, such
+ as:
+
+ * a nameserver with an NS record for a zone that does not answer
+ DNS queries;
+
+ * a nameserver with an IP address that is not reachable by the
+ resolver; and
+
+ * a nameserver that responds to a query for a specific name with
+ an error or without the authoritative bit set.
+
+ Because the term in current usage has drifted from the original
+ definition, and now is not specific or clear as to the intended
+ meaning, it should be considered historic and avoided in favor of
+ terms that are specific and clear.
+
+ Glue records: "...[Resource records] which are not part of the
+ authoritative data [of the zone], and are address RRs for the
+ [name] servers [in subzones]. These RRs are only necessary if the
+ name server's name is 'below' the cut, and are only used as part
+ of a referral response." Without glue "we could be faced with the
+ situation where the NS RRs tell us that in order to learn a name
+ server's address, we should contact the server using the address
+ we wish to learn." (Quoted from [RFC1034], Section 4.2.1)
+
+ A later definition is that glue "includes any record in a zone
+ file that is not properly part of that zone, including nameserver
+ records of delegated sub-zones (NS records), address records that
+ accompany those NS records (A, AAAA, etc), and any other stray
+ data that might appear." (Quoted from [RFC2181], Section 5.4.1)
+ Although glue is sometimes used today with this wider definition
+ in mind, the context surrounding the definition in [RFC2181]
+ suggests it is intended to apply to the use of glue within the
+ document itself and not necessarily beyond.
+
+ In an NS record, there are three types of relationships between
+ the owner name of the record, the name in the NS RDATA, and the
+ zone origin: unrelated, in-domain, and sibling domain. The
+ application of these three types of relationships to glue records
+ is defined in [RFC9471].
+
+ An unrelated relationship is one where the NS RDATA contains a
+ name server that is not subordinate to the zone origin and
+ therefore is not part of the same zone.
+
+ An in-domain relationship is one where the NS RDATA contains a
+ name server whose name is either subordinate to or (rarely) the
+ same as the owner name of the NS resource records. For example, a
+ delegation for "child.example.com" might have an in-domain name
+ server called "ns.child.example.com".
+
+ A sibling domain relationship is one where the NS RDATA contains a
+ name server whose name is either subordinate to or (rarely) the
+ same as the zone origin of the parent and not subordinate to or
+ the same as the owner name of the NS resource records. For
+ example, a delegation for "child.example.com" in "example.com"
+ zone might have a sibling domain name server called
+ "ns.another.example.com".
+
+ The following table shows examples of delegation types:
+
+
+ +=============+========+====================+================+
+ | Delegation | Parent | Name Server Name | Type |
+ +=============+========+====================+================+
+ | com | . | a.gtld-servers.net | sibling domain |
+ +-------------+--------+--------------------+----------------+
+ | net | . | a.gtld-servers.net | in-domain |
+ +-------------+--------+--------------------+----------------+
+ | example.org | org | ns.example.org | in-domain |
+ +-------------+--------+--------------------+----------------+
+ | example.org | org | ns.ietf.org | sibling domain |
+ +-------------+--------+--------------------+----------------+
+ | example.org | org | ns.example.com | unrelated |
+ +-------------+--------+--------------------+----------------+
+ | example.jp | jp | ns.example.jp | in-domain |
+ +-------------+--------+--------------------+----------------+
+ | example.jp | jp | ns.example.ne.jp | sibling domain |
+ +-------------+--------+--------------------+----------------+
+ | example.jp | jp | ns.example.com | unrelated |
+ +-------------+--------+--------------------+----------------+
+
+ Table 1
+
+ Bailiwick: "In-bailiwick" and "Out-of-bailiwick" are modifiers used
+ to describe the relationship between a zone and the name servers
+ for that zone. The dictionary definition of bailiwick has been
+ observed to cause more confusion than meaning for this use. These
+ terms should be considered historic in nature.
+
+ Root zone: The zone of a DNS-based tree whose apex is the zero-
+ length label. Also sometimes called "the DNS root".
+
+ Empty non-terminals (ENTs): "Domain names that own no resource
+ records but have subdomains that do." (Quoted from [RFC4592],
+ Section 2.2.2) A typical example is in SRV records: in the name
+ "_sip._tcp.example.com", it is likely that "_tcp.example.com" has
+ no RRsets, but that "_sip._tcp.example.com" has (at least) an SRV
+ RRset.
+
+ Delegation-centric zone: A zone that consists mostly of delegations
+ to child zones. This term is used in contrast to a zone that
+ might have some delegations to child zones but also has many data
+ resource records for the zone itself and/or for child zones. The
+ term is used in [RFC4956] and [RFC5155], but it is not defined in
+ either document.
+
+ Occluded name: "The addition of a delegation point via dynamic
+ update will render all subordinate domain names to be in a limbo,
+ still part of the zone but not available to the lookup process.
+ The addition of a DNAME resource record has the same impact. The
+ subordinate names are said to be 'occluded'." (Quoted from
+ [RFC5936], Section 3.5)
+
+ Fast flux DNS: This "occurs when a domain is [found] in DNS using A
+ records to multiple IP addresses, each of which has a very short
+ Time-to-Live (TTL) value associated with it. This means that the
+ domain resolves to varying IP addresses over a short period of
+ time." (Quoted from [RFC6561], Section 1.1.5, with a typo
+ corrected) In addition to having legitimate uses, fast flux DNS
+ can be used to deliver malware. Because the addresses change so
+ rapidly, it is difficult to ascertain all the hosts. It should be
+ noted that the technique also works with AAAA records, but such
+ use is not frequently observed on the Internet as of this writing.
+
+ Reverse DNS, reverse lookup: "The process of mapping an address to a
+ name is generally known as a 'reverse lookup', and the IN-
+ ADDR.ARPA and IP6.ARPA zones are said to support the 'reverse
+ DNS'." (Quoted from [RFC5855], Section 1)
+
+ Forward lookup: "Hostname-to-address translation". (Quoted from
+ [RFC3493], Section 6)
+
+ arpa (Address and Routing Parameter Area Domain): "The 'arpa' domain
+ was originally established as part of the initial deployment of
+ the DNS to provide a transition mechanism from the Host Tables
+ that were common in the ARPANET, as well as a home for the IPv4
+ reverse mapping domain. During 2000, the abbreviation was
+ redesignated to 'Address and Routing Parameter Area' in the hope
+ of reducing confusion with the earlier network name." (Quoted
+ from [RFC3172], Section 2) .arpa is an "infrastructure domain", a
+ domain whose "role is to support the operating infrastructure of
+ the Internet". (Quoted from [RFC3172], Section 2) See [RFC3172]
+ for more history of this name.
+
+ Service name: "Service names are the unique key in the Service Name
+ and Transport Protocol Port Number registry. This unique symbolic
+ name for a service may also be used for other purposes, such as in
+ DNS SRV records." (Quoted from [RFC6335], Section 5)
+
+8. Wildcards
+
+ Wildcard: [RFC1034] defined "wildcard", but in a way that turned out
+ to be confusing to implementers. For an extended discussion of
+ wildcards, including clearer definitions, see [RFC4592]. Special
+ treatment is given to RRs with owner names starting with the label
+ "*". "Such RRs are called 'wildcards'. Wildcard RRs can be
+ thought of as instructions for synthesizing RRs." (Quoted from
+ [RFC1034], Section 4.3.3)
+
+ Asterisk label: "The first octet is the normal label type and length
+ for a 1-octet-long label, and the second octet is the ASCII
+ representation [RFC20] for the '*' character. A descriptive name
+ of a label equaling that value is an 'asterisk label'." (Quoted
+ from [RFC4592], Section 2.1.1)
+
+ Wildcard domain name: "A 'wildcard domain name' is defined by having
+ its initial (i.e., leftmost or least significant) label, in binary
+ format: 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)".
+ (Quoted from [RFC4592], Section 2.1.1) The second octet in this
+ label is the ASCII representation for the "*" character.
+
+ Closest encloser: "The longest existing ancestor of a name."
+ (Quoted from [RFC5155], Section 1.3) An earlier definition is "The
+ node in the zone's tree of existing domain names that has the most
+ labels matching the query name (consecutively, counting from the
+ root label downward). Each match is a 'label match' and the order
+ of the labels is the same." (Quoted from [RFC4592],
+ Section 3.3.1)
+
+ Closest provable encloser: "The longest ancestor of a name that can
+ be proven to exist. Note that this is only different from the
+ closest encloser in an Opt-Out zone." (Quoted from [RFC5155],
+ Section 1.3) See Section 10 for more on "opt-out".
+
+ Next closer name: "The name one label longer than the closest
+ provable encloser of a name." (Quoted from [RFC5155],
+ Section 1.3)
+
+ Source of Synthesis: "The source of synthesis is defined in the
+ context of a query process as that wildcard domain name
+ immediately descending from the closest encloser, provided that
+ this wildcard domain name exists. 'Immediately descending' means
+ that the source of synthesis has a name of the form:
+
+ <asterisk label>.<closest encloser>."
+
+ (Quoted from [RFC4592], Section 3.3.1)
+
+9. Registration Model
+
+ Registry: The administrative operation of a zone that allows
+ registration of names within that zone. People often use this
+ term to refer only to those organizations that perform
+ registration in large delegation-centric zones (such as TLDs); but
+ formally, whoever decides what data goes into a zone is the
+ registry for that zone. This definition of "registry" is from a
+ DNS point of view; for some zones, the policies that determine
+ what can go in the zone are decided by zones that are
+ superordinate and not the registry operator.
+
+ Registrant: An individual or organization on whose behalf a name in
+ a zone is registered by the registry. In many zones, the registry
+ and the registrant may be the same entity, but in TLDs they often
+ are not.
+
+ Registrar: A service provider that acts as a go-between for
+ registrants and registries. Not all registrations require a
+ registrar, though it is common to have registrars involved in
+ registrations in TLDs.
+
+ EPP: The Extensible Provisioning Protocol (EPP), which is commonly
+ used for communication of registration information between
+ registries and registrars. EPP is defined in [RFC5730].
+
+ WHOIS: A protocol specified in [RFC3912], often used for querying
+ registry databases. WHOIS data is frequently used to associate
+ registration data (such as zone management contacts) with domain
+ names. The term "WHOIS data" is often used as a synonym for the
+ registry database, even though that database may be served by
+ different protocols, particularly RDAP. The WHOIS protocol is
+ also used with IP address registry data.
+
+ RDAP: The Registration Data Access Protocol, defined in [RFC7480],
+ [RFC7481], [RFC7485], [RFC9082], [RFC9083], and [RFC9224]. The
+ RDAP protocol and data format are meant as a replacement for
+ WHOIS.
+
+ DNS operator: An entity responsible for running DNS servers. For a
+ zone's authoritative servers, the registrant may act as their own
+ DNS operator, their registrar may do it on their behalf, or they
+ may use a third-party operator. For some zones, the registry
+ function is performed by the DNS operator plus other entities who
+ decide about the allowed contents of the zone.
+
+ Public suffix: "A domain that is controlled by a public registry."
+ (Quoted from [RFC6265], Section 5.3) A common definition for this
+ term is a domain under which subdomains can be registered by third
+ parties and on which HTTP cookies (which are described in detail
+ in [RFC6265]) should not be set. There is no indication in a
+ domain name whether it is a public suffix; that can only be
+ determined by outside means. In fact, both a domain and a
+ subdomain of that domain can be public suffixes.
+
+ There is nothing inherent in a domain name to indicate whether it
+ is a public suffix. One resource for identifying public suffixes
+ is the Public Suffix List (PSL) maintained by Mozilla
+ <https://publicsuffix.org/>.
+
+ For example, at the time this document is published, the "com.au"
+ domain is listed as a public suffix in the PSL. (Note that this
+ example might change in the future.)
+
+ Note that the term "public suffix" is controversial in the DNS
+ community for many reasons, and it may be significantly changed in
+ the future. One example of the difficulty of calling a domain a
+ public suffix is that designation can change over time as the
+ registration policy for the zone changes, such as was the case
+ with the "uk" TLD in 2014.
+
+ Subordinate and Superordinate: These terms are introduced in
+ [RFC5731] for use in the registration model, but not defined
+ there. Instead, they are given in examples. "For example, domain
+ name 'example.com' has a superordinate relationship to host name
+ ns1.example.com'... For example, host ns1.example1.com is a
+ subordinate host of domain example1.com, but it is a not a
+ subordinate host of domain example2.com." (Quoted from [RFC5731],
+ Section 1.1) These terms are strictly ways of referring to the
+ relationship standing of two domains where one is a subdomain of
+ the other.
+
+10. General DNSSEC
+
+ Most DNSSEC terms are defined in [RFC4033], [RFC4034], [RFC4035], and
+ [RFC5155]. The terms that have caused confusion in the DNS community
+ are highlighted here.
+
+ DNSSEC-aware and DNSSEC-unaware: These two terms, which are used in
+ some RFCs, have not been formally defined. However, Section 2 of
+ [RFC4033] defines many types of resolvers and validators,
+ including "non-validating security-aware stub resolver", "non-
+ validating stub resolver", "security-aware name server",
+ "security-aware recursive name server", "security-aware resolver",
+ "security-aware stub resolver", and "security-oblivious
+ 'anything'". (Note that the term "validating resolver", which is
+ used in some places in DNSSEC-related documents, is also not
+ defined in those RFCs, but is defined below.)
+
+ Signed zone: "A zone whose RRsets are signed and that contains
+ properly constructed DNSKEY, Resource Record Signature (RRSIG),
+ Next Secure (NSEC), and (optionally) DS records." (Quoted from
+ [RFC4033], Section 2) It has been noted in other contexts that the
+ zone itself is not really signed, but all the relevant RRsets in
+ the zone are signed. Nevertheless, if a zone that should be
+ signed contains any RRsets that are not signed (or opted out),
+ those RRsets will be treated as bogus, so the whole zone needs to
+ be handled in some way.
+
+ It should also be noted that, since the publication of [RFC6840],
+ NSEC records are no longer required for signed zones: a signed
+ zone might include NSEC3 records instead. [RFC7129] provides
+ additional background commentary and some context for the NSEC and
+ NSEC3 mechanisms used by DNSSEC to provide authenticated denial-
+ of-existence responses. NSEC and NSEC3 are described below.
+
+ Online signing: [RFC4470] defines "on-line signing" (note the
+ hyphen) as "generating and signing these records on demand", where
+ "these" was defined as NSEC records. The current definition
+ expands that to generating and signing RRSIG, NSEC, and NSEC3
+ records on demand.
+
+ Unsigned zone: Section 2 of [RFC4033] defines this as "a zone that
+ is not signed". Section 2 of [RFC4035] defines this as a "zone
+ that does not include these records [properly constructed DNSKEY,
+ Resource Record Signature (RRSIG), Next Secure (NSEC), and
+ (optionally) DS records] according to the rules in this
+ section..." There is an important note at the end of Section 5.2
+ of [RFC4035] that defines an additional situation in which a zone
+ is considered unsigned: "If the resolver does not support any of
+ the algorithms listed in an authenticated DS RRset, then the
+ resolver will not be able to verify the authentication path to the
+ child zone. In this case, the resolver SHOULD treat the child
+ zone as if it were unsigned."
+
+ NSEC: "The NSEC record allows a security-aware resolver to
+ authenticate a negative reply for either name or type non-
+ existence with the same mechanisms used to authenticate other DNS
+ replies." (Quoted from [RFC4033], Section 3.2) In short, an NSEC
+ record provides authenticated denial of existence.
+
+ "The NSEC resource record lists two separate things: the next
+ owner name (in the canonical ordering of the zone) that contains
+ authoritative data or a delegation point NS RRset, and the set of
+ RR types present at the NSEC RR's owner name." (Quoted from
+ [RFC4034], Section 4)
+
+ NSEC3: Like the NSEC record, the NSEC3 record also provides
+ authenticated denial of existence; however, NSEC3 records mitigate
+ zone enumeration and support Opt-Out. NSEC3 resource records
+ require associated NSEC3PARAM resource records. NSEC3 and
+ NSEC3PARAM resource records are defined in [RFC5155].
+
+ Note that [RFC6840] says that [RFC5155] "is now considered part of
+ the DNS Security Document Family as described by Section 10 of
+ [RFC4033]". This means that some of the definitions from earlier
+ RFCs that only talk about NSEC records should probably be
+ considered to be talking about both NSEC and NSEC3.
+
+ Opt-out: "The Opt-Out Flag indicates whether this NSEC3 RR may cover
+ unsigned delegations." (Quoted from [RFC5155], Section 3.1.2.1)
+ Opt-out tackles the high costs of securing a delegation to an
+ insecure zone. When using Opt-Out, names that are an insecure
+ delegation (and empty non-terminals that are only derived from
+ insecure delegations) don't require an NSEC3 record or its
+ corresponding RRSIG records. Opt-Out NSEC3 records are not able
+ to prove or deny the existence of the insecure delegations.
+ (Adapted from [RFC7129], Section 5.1)
+
+ Insecure delegation: "A signed name containing a delegation (NS
+ RRset), but lacking a DS RRset, signifying a delegation to an
+ unsigned subzone." (Quoted from [RFC4956], Section 2)
+
+ Zone enumeration: "The practice of discovering the full content of a
+ zone via successive queries." (Quoted from [RFC5155],
+ Section 1.3) This is also sometimes called "zone walking". Zone
+ enumeration is different from zone content guessing where the
+ guesser uses a large dictionary of possible labels and sends
+ successive queries for them, or matches the contents of NSEC3
+ records against such a dictionary.
+
+ Validation: Validation, in the context of DNSSEC, refers to one of
+ the following:
+
+ * Checking the validity of DNSSEC signatures,
+
+ * Checking the validity of DNS responses, such as those including
+ authenticated denial of existence, or
+
+ * Building an authentication chain from a trust anchor to a DNS
+ response or individual DNS RRsets in a response.
+
+ The first two definitions above consider only the validity of
+ individual DNSSEC components, such as the RRSIG validity or NSEC
+ proof validity. The third definition considers the components of
+ the entire DNSSEC authentication chain; thus, it requires
+ "configured knowledge of at least one authenticated DNSKEY or DS
+ RR" (as described in [RFC4035], Section 5).
+
+ [RFC4033], Section 2, says that a "Validating Security-Aware Stub
+ Resolver... performs signature validation" and uses a trust anchor
+ "as a starting point for building the authentication chain to a
+ signed DNS response"; thus, it uses the first and third
+ definitions above. The process of validating an RRSIG resource
+ record is described in [RFC4035], Section 5.3.
+
+ [RFC5155] refers to validating responses throughout the document
+ in the context of hashed authenticated denial of existence; this
+ uses the second definition above.
+
+ The term "authentication" is used interchangeably with
+ "validation", in the sense of the third definition above.
+ [RFC4033], Section 2, describes the chain linking trust anchor to
+ DNS data as the "authentication chain". A response is considered
+ to be authentic if "all RRsets in the Answer and Authority
+ sections of the response [are considered] to be authentic" (Quoted
+ from [RFC4035]) DNS data or responses deemed to be authentic or
+ validated have a security status of "secure" ([RFC4035],
+ Section 4.3; [RFC4033], Section 5). "Authenticating both DNS keys
+ and data is a matter of local policy, which may extend or even
+ override the [DNSSEC] protocol extensions..." (Quoted from
+ [RFC4033], Section 3.1)
+
+ The term "verification", when used, is usually a synonym for
+ "validation".
+
+ Validating resolver: A security-aware recursive name server,
+ security-aware resolver, or security-aware stub resolver that is
+ applying at least one of the definitions of validation (above) as
+ appropriate to the resolution context. For the same reason that
+ the generic term "resolver" is sometimes ambiguous and needs to be
+ evaluated in context (see Section 6), "validating resolver" is a
+ context-sensitive term.
+
+ Key signing key (KSK): DNSSEC keys that "only sign the apex DNSKEY
+ RRset in a zone." (Quoted from [RFC6781], Section 3.1)
+
+ Zone signing key (ZSK): "DNSSEC keys that can be used to sign all
+ the RRsets in a zone that require signatures, other than the apex
+ DNSKEY RRset." (Quoted from [RFC6781], Section 3.1) Also note
+ that a ZSK is sometimes used to sign the apex DNSKEY RRset.
+
+ Combined signing key (CSK): "In cases where the differentiation
+ between the KSK and ZSK is not made, i.e., where keys have the
+ role of both KSK and ZSK, we talk about a Single-Type Signing
+ Scheme." (Quoted from [RFC6781], Section 3.1) This is sometimes
+ called a "combined signing key" or "CSK". It is operational
+ practice, not protocol, that determines whether a particular key
+ is a ZSK, a KSK, or a CSK.
+
+ Secure Entry Point (SEP): A flag in the DNSKEY RDATA that "can be
+ used to distinguish between keys that are intended to be used as
+ the secure entry point into the zone when building chains of
+ trust, i.e., they are (to be) pointed to by parental DS RRs or
+ configured as a trust anchor.... Therefore, it is suggested that
+ the SEP flag be set on keys that are used as KSKs and not on keys
+ that are used as ZSKs, while in those cases where a distinction
+ between a KSK and ZSK is not made (i.e., for a Single-Type Signing
+ Scheme), it is suggested that the SEP flag be set on all keys."
+ (Quoted from [RFC6781], Section 3.2.3) Note that the SEP flag is
+ only a hint, and its presence or absence may not be used to
+ disqualify a given DNSKEY RR from use as a KSK or ZSK during
+ validation.
+
+ The original definition of SEPs was in [RFC3757]. That definition
+ clearly indicated that the SEP was a key, not just a bit in the
+ key. The abstract of [RFC3757] says: "With the Delegation Signer
+ (DS) resource record (RR), the concept of a public key acting as a
+ secure entry point (SEP) has been introduced. During exchanges of
+ public keys with the parent there is a need to differentiate SEP
+ keys from other public keys in the Domain Name System KEY (DNSKEY)
+ resource record set. A flag bit in the DNSKEY RR is defined to
+ indicate that DNSKEY is to be used as a SEP." That definition of
+ the SEP as a key was made obsolete by [RFC4034], and the
+ definition from [RFC6781] is consistent with [RFC4034].
+
+ Trust anchor: "A configured DNSKEY RR or DS RR hash of a DNSKEY RR.
+ A validating security-aware resolver uses this public key or hash
+ as a starting point for building the authentication chain to a
+ signed DNS response. In general, a validating resolver will have
+ to obtain the initial values of its trust anchors via some secure
+ or trusted means outside the DNS protocol." (Quoted from
+ [RFC4033], Section 2)
+
+ DNSSEC Policy (DP): A statement that "sets forth the security
+ requirements and standards to be implemented for a DNSSEC-signed
+ zone." (Quoted from [RFC6841], Section 2)
+
+ DNSSEC Practice Statement (DPS): "A practices disclosure document
+ that may support and be a supplemental document to the DNSSEC
+ Policy (if such exists), and it states how the management of a
+ given zone implements procedures and controls at a high level."
+ (Quoted from [RFC6841], Section 2)
+
+ Hardware security module (HSM): A specialized piece of hardware that
+ is used to create keys for signatures and to sign messages without
+ ever disclosing the private key. In DNSSEC, HSMs are often used
+ to hold the private keys for KSKs and ZSKs and to create the
+ signatures used in RRSIG records at periodic intervals.
+
+ Signing software: Authoritative DNS servers that support DNSSEC
+ often contain software that facilitates the creation and
+ maintenance of DNSSEC signatures in zones. There is also stand-
+ alone software that can be used to sign a zone regardless of
+ whether the authoritative server itself supports signing.
+ Sometimes signing software can support particular HSMs as part of
+ the signing process.
+
+11. DNSSEC States
+
+ A validating resolver can determine that a response is in one of four
+ states: secure, insecure, bogus, or indeterminate. These states are
+ defined in [RFC4033] and [RFC4035], although the definitions in the
+ two documents differ a bit. This document makes no effort to
+ reconcile the definitions in the two documents and takes no position
+ as to whether they need to be reconciled.
+
+ Section 5 of [RFC4033] says:
+
+ | A validating resolver can determine the following 4 states:
+ | Secure: The validating resolver has a trust anchor, has a chain
+ | of trust, and is able to verify all the signatures in the
+ | response.
+ |
+ | Insecure: The validating resolver has a trust anchor, a chain of
+ | trust, and, at some delegation point, signed proof of the non-
+ | existence of a DS record. This indicates that subsequent
+ | branches in the tree are provably insecure. A validating
+ | resolver may have a local policy to mark parts of the domain
+ | space as insecure.
+ |
+ | Bogus: The validating resolver has a trust anchor and a secure
+ | delegation indicating that subsidiary data is signed, but the
+ | response fails to validate for some reason: missing signatures,
+ | expired signatures, signatures with unsupported algorithms,
+ | data missing that the relevant NSEC RR says should be present,
+ | and so forth.
+ |
+ | Indeterminate: There is no trust anchor that would indicate that
+ | a specific portion of the tree is secure. This is the default
+ | operation mode.
+
+ Section 4.3 of [RFC4035] says:
+
+ | A security-aware resolver must be able to distinguish between four
+ | cases:
+ | Secure: An RRset for which the resolver is able to build a chain
+ | of signed DNSKEY and DS RRs from a trusted security anchor to
+ | the RRset. In this case, the RRset should be signed and is
+ | subject to signature validation, as described above.
+ |
+ | Insecure: An RRset for which the resolver knows that it has no
+ | chain of signed DNSKEY and DS RRs from any trusted starting
+ | point to the RRset. This can occur when the target RRset lies
+ | in an unsigned zone or in a descendent [sic] of an unsigned
+ | zone. In this case, the RRset may or may not be signed, but
+ | the resolver will not be able to verify the signature.
+ |
+ | Bogus: An RRset for which the resolver believes that it ought to
+ | be able to establish a chain of trust but for which it is
+ | unable to do so, either due to signatures that for some reason
+ | fail to validate or due to missing data that the relevant
+ | DNSSEC RRs indicate should be present. This case may indicate
+ | an attack but may also indicate a configuration error or some
+ | form of data corruption.
+ |
+ | Indeterminate: An RRset for which the resolver is not able to
+ | determine whether the RRset should be signed, as the resolver
+ | is not able to obtain the necessary DNSSEC RRs. This can occur
+ | when the security-aware resolver is not able to contact
+ | security-aware name servers for the relevant zones.
+
+12. Security Considerations
+
+ These definitions do not change any security considerations for
+ either the global DNS or private DNS.
+
+13. IANA Considerations
+
+ References to RFC 8499 in the IANA registries have been replaced with
+ references to this document.
+
+14. References
+
+14.1. Normative References
+
+ [IANA_RootFiles]
+ IANA, "Root Files",
+ <https://www.iana.org/domains/root/files>.
+
+ [RFC0882] Mockapetris, P., "Domain names: Concepts and facilities",
+ RFC 882, DOI 10.17487/RFC0882, November 1983,
+ <https://www.rfc-editor.org/info/rfc882>.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
+ <https://www.rfc-editor.org/info/rfc1034>.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
+ November 1987, <https://www.rfc-editor.org/info/rfc1035>.
+
+ [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
+ Application and Support", STD 3, RFC 1123,
+ DOI 10.17487/RFC1123, October 1989,
+ <https://www.rfc-editor.org/info/rfc1123>.
+
+ [RFC1912] Barr, D., "Common DNS Operational and Configuration
+ Errors", RFC 1912, DOI 10.17487/RFC1912, February 1996,
+ <https://www.rfc-editor.org/info/rfc1912>.
+
+ [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
+ Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
+ August 1996, <https://www.rfc-editor.org/info/rfc1996>.
+
+ [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, DOI 10.17487/RFC2136, April 1997,
+ <https://www.rfc-editor.org/info/rfc2136>.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
+ <https://www.rfc-editor.org/info/rfc2181>.
+
+ [RFC2182] Elz, R., Bush, R., Bradner, S., and M. Patton, "Selection
+ and Operation of Secondary DNS Servers", BCP 16, RFC 2182,
+ DOI 10.17487/RFC2182, July 1997,
+ <https://www.rfc-editor.org/info/rfc2182>.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
+ <https://www.rfc-editor.org/info/rfc2308>.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, DOI 10.17487/RFC4033, March 2005,
+ <https://www.rfc-editor.org/info/rfc4033>.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, DOI 10.17487/RFC4034, March 2005,
+ <https://www.rfc-editor.org/info/rfc4034>.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
+ <https://www.rfc-editor.org/info/rfc4035>.
+
+ [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
+ System", RFC 4592, DOI 10.17487/RFC4592, July 2006,
+ <https://www.rfc-editor.org/info/rfc4592>.
+
+ [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+ Security (DNSSEC) Hashed Authenticated Denial of
+ Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
+ <https://www.rfc-editor.org/info/rfc5155>.
+
+ [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive
+ Nameservers in Reflector Attacks", BCP 140, RFC 5358,
+ DOI 10.17487/RFC5358, October 2008,
+ <https://www.rfc-editor.org/info/rfc5358>.
+
+ [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
+ STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
+ <https://www.rfc-editor.org/info/rfc5730>.
+
+ [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
+ Domain Name Mapping", STD 69, RFC 5731,
+ DOI 10.17487/RFC5731, August 2009,
+ <https://www.rfc-editor.org/info/rfc5731>.
+
+ [RFC5855] Abley, J. and T. Manderson, "Nameservers for IPv4 and IPv6
+ Reverse Zones", BCP 155, RFC 5855, DOI 10.17487/RFC5855,
+ May 2010, <https://www.rfc-editor.org/info/rfc5855>.
+
+ [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol
+ (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010,
+ <https://www.rfc-editor.org/info/rfc5936>.
+
+ [RFC6561] Livingood, J., Mody, N., and M. O'Reirdan,
+ "Recommendations for the Remediation of Bots in ISP
+ Networks", RFC 6561, DOI 10.17487/RFC6561, March 2012,
+ <https://www.rfc-editor.org/info/rfc6561>.
+
+ [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
+ Operational Practices, Version 2", RFC 6781,
+ DOI 10.17487/RFC6781, December 2012,
+ <https://www.rfc-editor.org/info/rfc6781>.
+
+ [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and
+ Implementation Notes for DNS Security (DNSSEC)", RFC 6840,
+ DOI 10.17487/RFC6840, February 2013,
+ <https://www.rfc-editor.org/info/rfc6840>.
+
+ [RFC6841] Ljunggren, F., Eklund Lowinder, AM., and T. Okubo, "A
+ Framework for DNSSEC Policies and DNSSEC Practice
+ Statements", RFC 6841, DOI 10.17487/RFC6841, January 2013,
+ <https://www.rfc-editor.org/info/rfc6841>.
+
+ [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
+ for DNS (EDNS(0))", STD 75, RFC 6891,
+ DOI 10.17487/RFC6891, April 2013,
+ <https://www.rfc-editor.org/info/rfc6891>.
+
+ [RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
+ DNSSEC Delegation Trust Maintenance", RFC 7344,
+ DOI 10.17487/RFC7344, September 2014,
+ <https://www.rfc-editor.org/info/rfc7344>.
+
+ [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
+ Terminology", RFC 7719, DOI 10.17487/RFC7719, December
+ 2015, <https://www.rfc-editor.org/info/rfc7719>.
+
+ [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles
+ for DNS over TLS and DNS over DTLS", RFC 8310,
+ DOI 10.17487/RFC8310, March 2018,
+ <https://www.rfc-editor.org/info/rfc8310>.
+
+ [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
+ Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
+ January 2019, <https://www.rfc-editor.org/info/rfc8499>.
+
+ [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over
+ Dedicated QUIC Connections", RFC 9250,
+ DOI 10.17487/RFC9250, May 2022,
+ <https://www.rfc-editor.org/info/rfc9250>.
+
+ [RFC9471] Andrews, M., Huque, S., Wouters, P., and D. Wessels, "DNS
+ Glue Requirements in Referral Responses", RFC 9471,
+ DOI 10.17487/RFC9471, September 2023,
+ <https://www.rfc-editor.org/info/rfc9471>.
+
+14.2. Informative References
+
+ [IANA_Resource_Registry]
+ IANA, "Resource Record (RR) TYPEs",
+ <https://www.iana.org/assignments/dns-parameters/>.
+
+ [RFC20] Cerf, V., "ASCII format for network interchange", STD 80,
+ RFC 20, DOI 10.17487/RFC0020, October 1969,
+ <https://www.rfc-editor.org/info/rfc20>.
+
+ [RFC819] Su, Z. and J. Postel, "The Domain Naming Convention for
+ Internet User Applications", RFC 819,
+ DOI 10.17487/RFC0819, August 1982,
+ <https://www.rfc-editor.org/info/rfc819>.
+
+ [RFC952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
+ host table specification", RFC 952, DOI 10.17487/RFC0952,
+ October 1985, <https://www.rfc-editor.org/info/rfc952>.
+
+ [RFC1713] Romao, A., "Tools for DNS debugging", FYI 27, RFC 1713,
+ DOI 10.17487/RFC1713, November 1994,
+ <https://www.rfc-editor.org/info/rfc1713>.
+
+ [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ DOI 10.17487/RFC1995, August 1996,
+ <https://www.rfc-editor.org/info/rfc1995>.
+
+ [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775,
+ DOI 10.17487/RFC2775, February 2000,
+ <https://www.rfc-editor.org/info/rfc2775>.
+
+ [RFC3172] Huston, G., Ed., "Management Guidelines & Operational
+ Requirements for the Address and Routing Parameter Area
+ Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172,
+ September 2001, <https://www.rfc-editor.org/info/rfc3172>.
+
+ [RFC3425] Lawrence, D., "Obsoleting IQUERY", RFC 3425,
+ DOI 10.17487/RFC3425, November 2002,
+ <https://www.rfc-editor.org/info/rfc3425>.
+
+ [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W.
+ Stevens, "Basic Socket Interface Extensions for IPv6",
+ RFC 3493, DOI 10.17487/RFC3493, February 2003,
+ <https://www.rfc-editor.org/info/rfc3493>.
+
+ [RFC3757] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
+ System KEY (DNSKEY) Resource Record (RR) Secure Entry
+ Point (SEP) Flag", RFC 3757, DOI 10.17487/RFC3757, April
+ 2004, <https://www.rfc-editor.org/info/rfc3757>.
+
+ [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
+ DOI 10.17487/RFC3912, September 2004,
+ <https://www.rfc-editor.org/info/rfc3912>.
+
+ [RFC4470] Weiler, S. and J. Ihren, "Minimally Covering NSEC Records
+ and DNSSEC On-line Signing", RFC 4470,
+ DOI 10.17487/RFC4470, April 2006,
+ <https://www.rfc-editor.org/info/rfc4470>.
+
+ [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+ RFC 4641, DOI 10.17487/RFC4641, September 2006,
+ <https://www.rfc-editor.org/info/rfc4641>.
+
+ [RFC4697] Larson, M. and P. Barber, "Observed DNS Resolution
+ Misbehavior", BCP 123, RFC 4697, DOI 10.17487/RFC4697,
+ October 2006, <https://www.rfc-editor.org/info/rfc4697>.
+
+ [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast
+ Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786,
+ December 2006, <https://www.rfc-editor.org/info/rfc4786>.
+
+ [RFC4956] Arends, R., Kosters, M., and D. Blacka, "DNS Security
+ (DNSSEC) Opt-In", RFC 4956, DOI 10.17487/RFC4956, July
+ 2007, <https://www.rfc-editor.org/info/rfc4956>.
+
+ [RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines",
+ BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009,
+ <https://www.rfc-editor.org/info/rfc5625>.
+
+ [RFC5890] Klensin, J., "Internationalized Domain Names for
+ Applications (IDNA): Definitions and Document Framework",
+ RFC 5890, DOI 10.17487/RFC5890, August 2010,
+ <https://www.rfc-editor.org/info/rfc5890>.
+
+ [RFC5891] Klensin, J., "Internationalized Domain Names in
+ Applications (IDNA): Protocol", RFC 5891,
+ DOI 10.17487/RFC5891, August 2010,
+ <https://www.rfc-editor.org/info/rfc5891>.
+
+ [RFC5892] Faltstrom, P., Ed., "The Unicode Code Points and
+ Internationalized Domain Names for Applications (IDNA)",
+ RFC 5892, DOI 10.17487/RFC5892, August 2010,
+ <https://www.rfc-editor.org/info/rfc5892>.
+
+ [RFC5893] Alvestrand, H., Ed. and C. Karp, "Right-to-Left Scripts
+ for Internationalized Domain Names for Applications
+ (IDNA)", RFC 5893, DOI 10.17487/RFC5893, August 2010,
+ <https://www.rfc-editor.org/info/rfc5893>.
+
+ [RFC5894] Klensin, J., "Internationalized Domain Names for
+ Applications (IDNA): Background, Explanation, and
+ Rationale", RFC 5894, DOI 10.17487/RFC5894, August 2010,
+ <https://www.rfc-editor.org/info/rfc5894>.
+
+ [RFC6055] Thaler, D., Klensin, J., and S. Cheshire, "IAB Thoughts on
+ Encodings for Internationalized Domain Names", RFC 6055,
+ DOI 10.17487/RFC6055, February 2011,
+ <https://www.rfc-editor.org/info/rfc6055>.
+
+ [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
+ DOI 10.17487/RFC6265, April 2011,
+ <https://www.rfc-editor.org/info/rfc6265>.
+
+ [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163,
+ RFC 6303, DOI 10.17487/RFC6303, July 2011,
+ <https://www.rfc-editor.org/info/rfc6303>.
+
+ [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
+ Cheshire, "Internet Assigned Numbers Authority (IANA)
+ Procedures for the Management of the Service Name and
+ Transport Protocol Port Number Registry", BCP 165,
+ RFC 6335, DOI 10.17487/RFC6335, August 2011,
+ <https://www.rfc-editor.org/info/rfc6335>.
+
+ [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in
+ Internationalization in the IETF", BCP 166, RFC 6365,
+ DOI 10.17487/RFC6365, September 2011,
+ <https://www.rfc-editor.org/info/rfc6365>.
+
+ [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
+ DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012,
+ <https://www.rfc-editor.org/info/rfc6672>.
+
+ [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
+ DOI 10.17487/RFC6762, February 2013,
+ <https://www.rfc-editor.org/info/rfc6762>.
+
+ [RFC7129] Gieben, R. and W. Mekking, "Authenticated Denial of
+ Existence in the DNS", RFC 7129, DOI 10.17487/RFC7129,
+ February 2014, <https://www.rfc-editor.org/info/rfc7129>.
+
+ [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 7480, DOI 10.17487/RFC7480, March 2015,
+ <https://www.rfc-editor.org/info/rfc7480>.
+
+ [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 7481, DOI 10.17487/RFC7481, March 2015,
+ <https://www.rfc-editor.org/info/rfc7481>.
+
+ [RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access
+ Protocol (RDAP) Query Format", STD 95, RFC 9082,
+ DOI 10.17487/RFC9082, June 2021,
+ <https://www.rfc-editor.org/info/rfc9082>.
+
+ [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 9083, DOI 10.17487/RFC9083, June 2021,
+ <https://www.rfc-editor.org/info/rfc9083>.
+
+ [RFC9224] Blanchet, M., "Finding the Authoritative Registration Data
+ Access Protocol (RDAP) Service", STD 95, RFC 9224,
+ DOI 10.17487/RFC9224, March 2022,
+ <https://www.rfc-editor.org/info/rfc9224>.
+
+ [RFC7485] Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin,
+ "Inventory and Analysis of WHOIS Registration Objects",
+ RFC 7485, DOI 10.17487/RFC7485, March 2015,
+ <https://www.rfc-editor.org/info/rfc7485>.
+
+ [RFC7793] Andrews, M., "Adding 100.64.0.0/10 Prefixes to the IPv4
+ Locally-Served DNS Zones Registry", BCP 163, RFC 7793,
+ DOI 10.17487/RFC7793, May 2016,
+ <https://www.rfc-editor.org/info/rfc7793>.
+
+ [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
+ and P. Hoffman, "Specification for DNS over Transport
+ Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
+ 2016, <https://www.rfc-editor.org/info/rfc7858>.
+
+ [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
+ Transport Layer Security (DTLS)", RFC 8094,
+ DOI 10.17487/RFC8094, February 2017,
+ <https://www.rfc-editor.org/info/rfc8094>.
+
+ [RFC8109] Koch, P., Larson, M., and P. Hoffman, "Initializing a DNS
+ Resolver with Priming Queries", BCP 209, RFC 8109,
+ DOI 10.17487/RFC8109, March 2017,
+ <https://www.rfc-editor.org/info/rfc8109>.
+
+ [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
+ (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
+ <https://www.rfc-editor.org/info/rfc8484>.
+
+ [RFC9103] Toorop, W., Dickinson, S., Sahib, S., Aras, P., and A.
+ Mankin, "DNS Zone Transfer over TLS", RFC 9103,
+ DOI 10.17487/RFC9103, August 2021,
+ <https://www.rfc-editor.org/info/rfc9103>.
+
+ [RSSAC026] Root Server System Advisory Committee (RSSAC), "RSSAC0226
+ RSSAC Lexicon", 2017,
+ <https://www.icann.org/en/system/files/files/rssac-
+ 026-14mar17-en.pdf>.
+
+Appendix A. Definitions Updated by This Document
+
+ The following definitions from RFCs are updated by this document:
+
+ * Forwarder in [RFC2308]
+
+ * QNAME in [RFC2308]
+
+ * Secure Entry Point (SEP) in [RFC3757]; note, however, that this
+ RFC is already obsolete (see [RFC4033], [RFC4034], [RFC4035]).
+
+Appendix B. Definitions First Defined in This Document
+
+ The following definitions are first defined in this document:
+
+ * "Alias" in Section 2
+
+ * "Apex" in Section 7
+
+ * "arpa" in Section 7
+
+ * "Authoritative DoT (ADot)" in Section 6
+
+ * "Bailiwick" in Section 7
+
+ * "Class independent" in Section 5
+
+ * "Classic DNS" in Section 6
+
+ * "Delegation-centric zone" in Section 7
+
+ * "Delegation" in Section 7
+
+ * "DNS operator" in Section 9
+
+ * "DNSSEC-aware" in Section 10
+
+ * "DNSSEC-unaware" in Section 10
+
+ * "Forwarding" in Section 6
+
+ * "Full resolver" in Section 6
+
+ * "Fully Qualified Domain Name" in Section 2
+
+ * "Global DNS" in Section 2
+
+ * "Hardware Security Module (HSM)" in Section 10
+
+ * "Host name" in Section 2
+
+ * "IDN" in Section 2
+
+ * "In-domain" in Section 7
+
+ * "Iterative resolution" in Section 6
+
+ * "Label" in Section 2
+
+ * "Locally served DNS zone" in Section 2
+
+ * "Naming system" in Section 2
+
+ * "Negative response" in Section 3
+
+ * "Non-recursive query" in Section 6
+
+ * "Open resolver" in Section 6
+
+ * "Passive DNS" in Section 6
+
+ * "Policy-implementing resolver" in Section 6
+
+ * "Presentation format" in Section 5
+
+ * "Priming" in Section 6
+
+ * "Private DNS" in Section 2
+
+ * "Recursive DoT (RDot)" in Section 6
+
+ * "Recursive resolver" in Section 6
+
+ * "Referrals" in Section 4
+
+ * "Registrant" in Section 9
+
+ * "Registrar" in Section 9
+
+ * "Registry" in Section 9
+
+ * "Root zone" in Section 7
+
+ * "Secure Entry Point (SEP)" in Section 10
+
+ * "Sibling domain" in Section 7
+
+ * "Signing software" in Section 10
+
+ * "Split DNS" in Section 6
+
+ * "Stub resolver" in Section 6
+
+ * "Subordinate" in Section 8
+
+ * "Superordinate" in Section 8
+
+ * "TLD" in Section 2
+
+ * "Validating resolver" in Section 10
+
+ * "Validation" in Section 10
+
+ * "View" in Section 6
+
+ * "Zone transfer" in Section 6
+
+Acknowledgements
+
+ [RFC8499] and its predecessor, [RFC7719], were co-authored by Andrew
+ Sullivan. The current document, which is a small update to
+ [RFC8499], has just two authors. Andrew's work on the earlier
+ documents is greatly appreciated.
+
+ Numerous people made significant contributions to [RFC8499] and
+ [RFC7719]. Please see the acknowledgements sections in those two
+ documents for the extensive list of contributors.
+
+ Even though the current document is a small revision, many people in
+ the DNSOP Working Group have contributed to it, and their work is
+ greatly appreciated.
+
+Index
+
+ A B C D E F G H I K L M N O P Q R S T U V W X Z
+
+ A
+
+ Address and Routing Parameter Area Domain (arpa)
+ Section 7
+ Address records
+ Section 5
+ ADoT
+ Section 6
+ Alias
+ Section 2
+ Anycast
+ Section 6
+ Apex
+ Section 7
+ Asterisk label
+ Section 8
+ Authoritative data
+ Section 7
+ Authoritative server
+ Section 6
+ Authoritative-only server
+ Section 6
+ AXoT
+ Section 6
+
+ B
+
+ Bailiwick
+ Section 7
+
+ C
+
+ Canonical name
+ Section 2
+ Child
+ Section 7
+ Class
+ Section 4
+ Class independent
+ Section 5
+ Classic DNS
+ Section 6
+ Closest encloser
+ Section 8
+ Closest provable encloser
+ Section 8
+ CNAME
+ Section 2
+ Combined signing key (CSK)
+ Section 10
+
+ D
+
+ Delegation
+ Section 7
+ Delegation-centric zone
+ Section 7
+ DNS operator
+ Section 9
+ DNS-over-HTTPS
+ Section 6
+ DNS-over-QUIC
+ Section 6
+ DNS-over-TLS
+ Section 6
+ DNSSEC Policy (DP)
+ Section 10
+ DNSSEC Practice Statement (DPS)
+ Section 10
+ DNSSEC-aware and DNSSEC-unaware
+ Section 10
+ DoH
+ Section 6
+ Domain name
+ Section 2
+ DoQ
+ Section 6
+ DoT
+ Section 6
+
+ E
+
+ EDNS
+ Section 5
+ Empty non-terminals (ENTs)
+ Section 7
+ EPP
+ Section 9
+
+ F
+
+ Fast flux DNS
+ Section 7
+ FORMERR
+ Section 3
+ Forward lookup
+ Section 7
+ Forwarder
+ Section 6
+ Forwarding
+ Section 6
+ Full resolver
+ Section 6
+ Full-service resolver
+ Section 6
+ Fully Qualified Domain Name (FQDN)
+ Section 2
+
+ G
+
+ Global DNS
+ Section 2
+ Glue records
+ Section 7
+
+ H
+
+ Hardware security module (HSM)
+ Section 10
+ Hidden master
+ Section 6
+ Host name
+ Section 2
+
+ I
+
+ IDN
+ Section 2
+ In-bailiwick
+ Section 7
+ In-domain
+ Section 7
+ Insecure delegation
+ Section 10
+ Instance
+ Section 6
+ Internationalized Domain Name
+ Section 2
+ Iterative mode
+ Section 6
+ Iterative resolution
+ Section 6
+ IXoT
+ Section 6
+
+ K
+
+ Key signing key (KSK)
+ Section 10
+
+ L
+
+ Label
+ Section 2
+ Lame delegation
+ Section 7
+ Locally served DNS zone
+ Section 2
+
+ M
+
+ Master file
+ Section 5
+ Master server
+ Section 6
+ mDNS
+ Section 2
+ Multicast DNS
+ Section 2
+
+ N
+
+ Naming system
+ Section 2, Paragraph 1.2.1
+ Negative caching
+ Section 6
+ Negative response
+ Section 3
+ Next closer name
+ Section 8
+ NODATA
+ Section 3
+ NOERROR
+ Section 3
+ Non-recursive query
+ Section 6
+ NOTIMP
+ Section 3
+ NS
+ Section 6
+ NSEC
+ Section 10
+ NSEC3
+ Section 10
+ NXDOMAIN
+ Section 3
+
+ O
+
+ Occluded name
+ Section 7
+ on-line signing
+ Section 10
+ online signing
+ Section 10
+ Open resolver
+ Section 6
+ OPT
+ Section 5
+ Opt-out
+ Section 10
+ Origin
+ Section 7
+ Out-of-bailiwick
+ Section 7
+ Owner
+ Section 5
+
+ P
+
+ Parent
+ Section 7
+ Passive DNS
+ Section 6
+ Policy-implementing resolver
+ Section 6
+ Presentation format
+ Section 5
+ Primary master
+ Section 6
+ Primary server
+ Section 6
+ Priming
+ Section 6
+ Privacy-enabling DNS server
+ Section 6
+ Private DNS
+ Section 2
+ Public suffix
+ Section 9
+
+ Q
+
+ QNAME
+ Section 4
+
+ R
+
+ RDAP
+ Section 9
+ RDoT
+ Section 6
+ Recursive DoT
+ Section 6
+ Recursive mode
+ Section 6, Paragraph 4.10.1
+ Recursive query
+ Section 6
+ Recursive resolver
+ Section 6
+ Referrals
+ Section 4
+ REFUSED
+ Section 3
+ Registrant
+ Section 9
+ Registrar
+ Section 9
+ Registry
+ Section 9
+ Resolver
+ Section 6
+ Reverse DNS, reverse lookup
+ Section 7
+ Root hints
+ Section 6
+ Root zone
+ Section 7
+ RR
+ Section 5
+ RRset
+ Section 5
+
+ S
+
+ Secondary server
+ Section 6
+ Secure Entry Point (SEP)
+ Section 10
+ SERVFAIL
+ Section 3
+ Service name
+ Section 7
+ Sibling domain
+ Section 7
+ Signed zone
+ Section 10
+ Signing software
+ Section 10
+ Slave server
+ Section 6
+ SOA
+ Section 5
+ SOA field names
+ Section 5
+ Source of Synthesis
+ Section 8, Paragraph 1.14.1
+ Split DNS
+ Section 6
+ Split-horizon DNS
+ Section 6
+ Stealth server
+ Section 6
+ Stub resolver
+ Section 6
+ Subdomain
+ Section 2
+ Subordinate
+ Section 9
+ Superordinate
+ Section 9
+
+ T
+
+ TLD
+ Section 2
+ Trust anchor
+ Section 10
+ TTL
+ Section 5
+
+ U
+
+ Unsigned zone
+ Section 10
+
+ V
+
+ Validating resolver
+ Section 10
+ Validation
+ Section 10, Paragraph 2.26.1
+ View
+ Section 6
+
+ W
+
+ WHOIS
+ Section 9
+ Wildcard
+ Section 8
+ Wildcard domain name
+ Section 8
+
+ X
+
+ XoT
+ Section 6
+
+ Z
+
+ Zone
+ Section 7
+ Zone cut
+ Section 7
+ Zone enumeration
+ Section 10
+ Zone signing key (ZSK)
+ Section 10
+ Zone transfer
+ Section 6
+
+Authors' Addresses
+
+ Paul Hoffman
+ ICANN
+ Email: paul.hoffman@icann.org
+
+
+ Kazunori Fujiwara
+ Japan Registry Services Co., Ltd.
+ Email: fujiwara@jprs.co.jp