summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8914.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc8914.txt')
-rw-r--r--doc/rfc/rfc8914.txt638
1 files changed, 638 insertions, 0 deletions
diff --git a/doc/rfc/rfc8914.txt b/doc/rfc/rfc8914.txt
new file mode 100644
index 0000000..cc7b7f8
--- /dev/null
+++ b/doc/rfc/rfc8914.txt
@@ -0,0 +1,638 @@
+
+
+
+
+Internet Engineering Task Force (IETF) W. Kumari
+Request for Comments: 8914 Google
+Category: Standards Track E. Hunt
+ISSN: 2070-1721 ISC
+ R. Arends
+ ICANN
+ W. Hardaker
+ USC/ISI
+ D. Lawrence
+ Salesforce
+ October 2020
+
+
+ Extended DNS Errors
+
+Abstract
+
+ This document defines an extensible method to return additional
+ information about the cause of DNS errors. Though created primarily
+ to extend SERVFAIL to provide additional information about the cause
+ of DNS and DNSSEC failures, the Extended DNS Errors option defined in
+ this document allows all response types to contain extended error
+ information. Extended DNS Error information does not change the
+ processing of RCODEs.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc8914.
+
+Copyright Notice
+
+ Copyright (c) 2020 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction and Background
+ 1.1. Requirements Notation
+ 2. Extended DNS Error EDNS0 Option Format
+ 3. Extended DNS Error Processing
+ 4. Defined Extended DNS Errors
+ 4.1. Extended DNS Error Code 0 - Other
+ 4.2. Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm
+ 4.3. Extended DNS Error Code 2 - Unsupported DS Digest Type
+ 4.4. Extended DNS Error Code 3 - Stale Answer
+ 4.5. Extended DNS Error Code 4 - Forged Answer
+ 4.6. Extended DNS Error Code 5 - DNSSEC Indeterminate
+ 4.7. Extended DNS Error Code 6 - DNSSEC Bogus
+ 4.8. Extended DNS Error Code 7 - Signature Expired
+ 4.9. Extended DNS Error Code 8 - Signature Not Yet Valid
+ 4.10. Extended DNS Error Code 9 - DNSKEY Missing
+ 4.11. Extended DNS Error Code 10 - RRSIGs Missing
+ 4.12. Extended DNS Error Code 11 - No Zone Key Bit Set
+ 4.13. Extended DNS Error Code 12 - NSEC Missing
+ 4.14. Extended DNS Error Code 13 - Cached Error
+ 4.15. Extended DNS Error Code 14 - Not Ready
+ 4.16. Extended DNS Error Code 15 - Blocked
+ 4.17. Extended DNS Error Code 16 - Censored
+ 4.18. Extended DNS Error Code 17 - Filtered
+ 4.19. Extended DNS Error Code 18 - Prohibited
+ 4.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer
+ 4.21. Extended DNS Error Code 20 - Not Authoritative
+ 4.22. Extended DNS Error Code 21 - Not Supported
+ 4.23. Extended DNS Error Code 22 - No Reachable Authority
+ 4.24. Extended DNS Error Code 23 - Network Error
+ 4.25. Extended DNS Error Code 24 - Invalid Data
+ 5. IANA Considerations
+ 5.1. A New Extended DNS Error Code EDNS Option
+ 5.2. New Registry for Extended DNS Error Codes
+ 6. Security Considerations
+ 7. References
+ 7.1. Normative References
+ 7.2. Informative References
+ Acknowledgements
+ Authors' Addresses
+
+1. Introduction and Background
+
+ There are many reasons that a DNS query may fail -- some of them
+ transient, some permanent; some can be resolved by querying another
+ server, some are likely best handled by stopping resolution.
+ Unfortunately, the error signals that a DNS server can return are
+ very limited and are not very expressive. This means that
+ applications and resolvers often have to "guess" at what the issue
+ is, e.g., was the answer marked REFUSED because of a lame delegation
+ or because the nameserver is still starting up and loading zones? Is
+ a SERVFAIL a DNSSEC validation issue, or is the nameserver
+ experiencing some other failure? What error messages should be
+ presented to the user or logged under these conditions?
+
+ A good example of issues that would benefit from additional error
+ information are errors caused by DNSSEC validation issues. When a
+ stub resolver queries a name that is DNSSEC bogus [RFC8499] (using a
+ validating resolver), the stub resolver receives only a SERVFAIL in
+ response. Unfortunately, the SERVFAIL Response Code (RCODE) is used
+ to signal many sorts of DNS errors, and so the stub resolver's only
+ option is to ask the next configured DNS resolver. The result of
+ trying the next resolver is one of two outcomes: either the next
+ resolver also validates and a SERVFAIL is returned again or the next
+ resolver is not a validating resolver and the user is returned a
+ potentially harmful result. With an Extended DNS Error (EDE) option
+ enclosed in the response message, the resolver is able to return a
+ more descriptive reason as to why any failures happened or add
+ additional context to a message containing a NOERROR RCODE.
+
+ This document specifies a mechanism to extend DNS errors to provide
+ additional information about the cause of an error. The Extended DNS
+ Error codes described in this document can be used by any system that
+ sends DNS queries and receives a response containing an EDE option.
+ Different codes are useful in different circumstances, and thus
+ different systems (stub resolvers, recursive resolvers, and
+ authoritative resolvers) might receive and use them.
+
+1.1. Requirements Notation
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+2. Extended DNS Error EDNS0 Option Format
+
+ This document uses an Extended Mechanism for DNS (EDNS0) [RFC6891]
+ option to include Extended DNS Error (EDE) information in DNS
+ messages. The option is structured as follows:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 0: | OPTION-CODE |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 2: | OPTION-LENGTH |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 4: | INFO-CODE |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 6: / EXTRA-TEXT ... /
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+
+
+ Field definition details:
+
+ OPTION-CODE:
+ 2 octets / 16 bits (defined in [RFC6891]) contains the value 15
+ for EDE.
+
+ OPTION-LENGTH:
+ 2 octets / 16 bits (defined in [RFC6891]) contains the length of
+ the payload (everything after OPTION-LENGTH) in octets and should
+ be 2 plus the length of the EXTRA-TEXT field (which may be a zero-
+ length string).
+
+ INFO-CODE:
+ 16 bits, which is the principal contribution of this document.
+ This 16-bit value, encoded in network most significant bit (MSB)
+ byte order, provides the additional context for the RESPONSE-CODE
+ of the DNS message. The INFO-CODE serves as an index into the
+ "Extended DNS Errors" registry, defined and created in
+ Section 5.2.
+
+ EXTRA-TEXT:
+ a variable-length, UTF-8-encoded [RFC5198] text field that may
+ hold additional textual information. This information is intended
+ for human consumption (not automated parsing). EDE text may be
+ null terminated but MUST NOT be assumed to be; the length MUST be
+ derived from the OPTION-LENGTH field. The EXTRA-TEXT field may be
+ zero octets in length, indicating that there is no EXTRA-TEXT
+ included. Care should be taken not to include private information
+ in the EXTRA-TEXT field that an observer would not otherwise have
+ access to, such as account numbers.
+
+ The Extended DNS Error (EDE) option can be included in any response
+ (SERVFAIL, NXDOMAIN, REFUSED, even NOERROR, etc.) to a query that
+ includes an OPT pseudo-RR [RFC6891]. This document includes a set of
+ initial codepoints but is extensible via the IANA registry defined
+ and created in Section 5.2.
+
+3. Extended DNS Error Processing
+
+ When the response grows beyond the requestor's UDP payload size
+ [RFC6891], servers SHOULD truncate messages by dropping EDE options
+ before dropping other data from packets. Implementations SHOULD set
+ the truncation bit when dropping EDE options. Because long EXTRA-
+ TEXT fields may trigger truncation (which is undesirable given the
+ supplemental nature of EDE), implementers and operators creating EDE
+ options SHOULD avoid lengthy EXTRA-TEXT contents.
+
+ When a resolver or forwarder receives an EDE option, whether or not
+ (and how) to pass along EDE information on to their original client
+ is implementation dependent. Implementations MAY choose to not
+ forward information, or they MAY choose to create a new EDE option(s)
+ that conveys the information encoded in the received EDE. When doing
+ so, the source of the error SHOULD be attributed in the EXTRA-TEXT
+ field, since an EDNS0 option received by the original client will
+ appear to have come from the resolver or forwarder sending it.
+
+ This document does not allow or prohibit any particular extended
+ error codes and information to be matched with any particular RCODEs.
+ Some combinations of extended error codes and RCODEs may seem
+ nonsensical (such as resolver-specific extended error codes received
+ in responses from authoritative servers), so systems interpreting the
+ extended error codes MUST NOT assume that a combination will make
+ sense. Receivers MUST be able to accept EDE codes and EXTRA-TEXT in
+ all messages, including those with a NOERROR RCODE but need not act
+ on them. Applications MUST continue to follow requirements from
+ applicable specifications on how to process RCODEs no matter what EDE
+ values are also received. Senders MAY include more than one EDE
+ option and receivers MUST be able to accept (but not necessarily
+ process or act on) multiple EDE options in a DNS message.
+
+4. Defined Extended DNS Errors
+
+ This document defines some initial EDE codes. The mechanism is
+ intended to be extensible, and additional codepoints can be
+ registered in the "Extended DNS Errors" registry (Section 5.2). The
+ INFO-CODE from the EDE EDNS option is used to serve as an index into
+ the "Extended DNS Error" IANA registry, the initial values for which
+ are defined in the following subsections.
+
+4.1. Extended DNS Error Code 0 - Other
+
+ The error in question falls into a category that does not match known
+ extended error codes. Implementations SHOULD include an EXTRA-TEXT
+ value to augment this error code with additional information.
+
+4.2. Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm
+
+ The resolver attempted to perform DNSSEC validation, but a DNSKEY
+ RRset contained only unsupported DNSSEC algorithms.
+
+4.3. Extended DNS Error Code 2 - Unsupported DS Digest Type
+
+ The resolver attempted to perform DNSSEC validation, but a DS RRset
+ contained only unsupported Digest Types.
+
+4.4. Extended DNS Error Code 3 - Stale Answer
+
+ The resolver was unable to resolve the answer within its time limits
+ and decided to answer with previously cached data instead of
+ answering with an error. This is typically caused by problems
+ communicating with an authoritative server, possibly as result of a
+ denial of service (DoS) attack against another network. (See also
+ Code 19.)
+
+4.5. Extended DNS Error Code 4 - Forged Answer
+
+ For policy reasons (legal obligation or malware filtering, for
+ instance), an answer was forged. Note that this should be used when
+ an answer is still provided, not when failure codes are returned
+ instead. See Blocked (15), Censored (16), and Filtered (17) for use
+ when returning other response codes.
+
+4.6. Extended DNS Error Code 5 - DNSSEC Indeterminate
+
+ The resolver attempted to perform DNSSEC validation, but validation
+ ended in the Indeterminate state [RFC4035].
+
+4.7. Extended DNS Error Code 6 - DNSSEC Bogus
+
+ The resolver attempted to perform DNSSEC validation, but validation
+ ended in the Bogus state.
+
+4.8. Extended DNS Error Code 7 - Signature Expired
+
+ The resolver attempted to perform DNSSEC validation, but no
+ signatures are presently valid and some (often all) are expired.
+
+4.9. Extended DNS Error Code 8 - Signature Not Yet Valid
+
+ The resolver attempted to perform DNSSEC validation, but no
+ signatures are presently valid and at least some are not yet valid.
+
+4.10. Extended DNS Error Code 9 - DNSKEY Missing
+
+ A DS record existed at a parent, but no supported matching DNSKEY
+ record could be found for the child.
+
+4.11. Extended DNS Error Code 10 - RRSIGs Missing
+
+ The resolver attempted to perform DNSSEC validation, but no RRSIGs
+ could be found for at least one RRset where RRSIGs were expected.
+
+4.12. Extended DNS Error Code 11 - No Zone Key Bit Set
+
+ The resolver attempted to perform DNSSEC validation, but no Zone Key
+ Bit was set in a DNSKEY.
+
+4.13. Extended DNS Error Code 12 - NSEC Missing
+
+ The resolver attempted to perform DNSSEC validation, but the
+ requested data was missing and a covering NSEC or NSEC3 was not
+ provided.
+
+4.14. Extended DNS Error Code 13 - Cached Error
+
+ The resolver is returning the SERVFAIL RCODE from its cache.
+
+4.15. Extended DNS Error Code 14 - Not Ready
+
+ The server is unable to answer the query, as it was not fully
+ functional when the query was received.
+
+4.16. Extended DNS Error Code 15 - Blocked
+
+ The server is unable to respond to the request because the domain is
+ on a blocklist due to an internal security policy imposed by the
+ operator of the server resolving or forwarding the query.
+
+4.17. Extended DNS Error Code 16 - Censored
+
+ The server is unable to respond to the request because the domain is
+ on a blocklist due to an external requirement imposed by an entity
+ other than the operator of the server resolving or forwarding the
+ query. Note that how the imposed policy is applied is irrelevant
+ (in-band DNS filtering, court order, etc.).
+
+4.18. Extended DNS Error Code 17 - Filtered
+
+ The server is unable to respond to the request because the domain is
+ on a blocklist as requested by the client. Functionally, this
+ amounts to "you requested that we filter domains like this one."
+
+4.19. Extended DNS Error Code 18 - Prohibited
+
+ An authoritative server or recursive resolver that receives a query
+ from an "unauthorized" client can annotate its REFUSED message with
+ this code. Examples of "unauthorized" clients are recursive queries
+ from IP addresses outside the network, blocklisted IP addresses,
+ local policy, etc.
+
+4.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer
+
+ The resolver was unable to resolve an answer within its configured
+ time limits and decided to answer with a previously cached NXDOMAIN
+ answer instead of answering with an error. This may be caused, for
+ example, by problems communicating with an authoritative server,
+ possibly as result of a denial of service (DoS) attack against
+ another network. (See also Code 3.)
+
+4.21. Extended DNS Error Code 20 - Not Authoritative
+
+ An authoritative server that receives a query with the Recursion
+ Desired (RD) bit clear, or when it is not configured for recursion
+ for a domain for which it is not authoritative, SHOULD include this
+ EDE code in the REFUSED response. A resolver that receives a query
+ with the RD bit clear SHOULD include this EDE code in the REFUSED
+ response.
+
+4.22. Extended DNS Error Code 21 - Not Supported
+
+ The requested operation or query is not supported.
+
+4.23. Extended DNS Error Code 22 - No Reachable Authority
+
+ The resolver could not reach any of the authoritative name servers
+ (or they potentially refused to reply).
+
+4.24. Extended DNS Error Code 23 - Network Error
+
+ An unrecoverable error occurred while communicating with another
+ server.
+
+4.25. Extended DNS Error Code 24 - Invalid Data
+
+ The authoritative server cannot answer with data for a zone it is
+ otherwise configured to support. Examples of this include its most
+ recent zone being too old or having expired.
+
+5. IANA Considerations
+
+5.1. A New Extended DNS Error Code EDNS Option
+
+ This document defines a new EDNS(0) option, entitled "Extended DNS
+ Error", with the assigned value of 15 from the "DNS EDNS0 Option
+ Codes (OPT)" registry:
+
+ +=======+====================+==========+===========+
+ | Value | Name | Status | Reference |
+ +=======+====================+==========+===========+
+ | 15 | Extended DNS Error | Standard | RFC 8914 |
+ +-------+--------------------+----------+-----------+
+
+ Table 1
+
+5.2. New Registry for Extended DNS Error Codes
+
+ IANA has created and will maintain a new registry called "Extended
+ DNS Error Codes" on the "Domain Name System (DNS) Parameters" web
+ page as follows:
+
+ +===============+=========================+
+ | Range | Registration Procedures |
+ +===============+=========================+
+ | 0 - 49151 | First Come First Served |
+ +---------------+-------------------------+
+ | 49152 - 65535 | Private Use |
+ +---------------+-------------------------+
+
+ Table 2
+
+ The "Extended DNS Error Codes" registry is a table with three
+ columns: INFO-CODE, Purpose, and Reference. The initial content is
+ as below.
+
+ +=============+==============================+===============+
+ | INFO-CODE | Purpose | Reference |
+ +=============+==============================+===============+
+ | 0 | Other Error | Section 4.1 |
+ +-------------+------------------------------+---------------+
+ | 1 | Unsupported DNSKEY Algorithm | Section 4.2 |
+ +-------------+------------------------------+---------------+
+ | 2 | Unsupported DS Digest Type | Section 4.3 |
+ +-------------+------------------------------+---------------+
+ | 3 | Stale Answer | Section 4.4 |
+ | | | and [RFC8767] |
+ +-------------+------------------------------+---------------+
+ | 4 | Forged Answer | Section 4.5 |
+ +-------------+------------------------------+---------------+
+ | 5 | DNSSEC Indeterminate | Section 4.6 |
+ +-------------+------------------------------+---------------+
+ | 6 | DNSSEC Bogus | Section 4.7 |
+ +-------------+------------------------------+---------------+
+ | 7 | Signature Expired | Section 4.8 |
+ +-------------+------------------------------+---------------+
+ | 8 | Signature Not Yet Valid | Section 4.9 |
+ +-------------+------------------------------+---------------+
+ | 9 | DNSKEY Missing | Section 4.10 |
+ +-------------+------------------------------+---------------+
+ | 10 | RRSIGs Missing | Section 4.11 |
+ +-------------+------------------------------+---------------+
+ | 11 | No Zone Key Bit Set | Section 4.12 |
+ +-------------+------------------------------+---------------+
+ | 12 | NSEC Missing | Section 4.13 |
+ +-------------+------------------------------+---------------+
+ | 13 | Cached Error | Section 4.14 |
+ +-------------+------------------------------+---------------+
+ | 14 | Not Ready | Section 4.15 |
+ +-------------+------------------------------+---------------+
+ | 15 | Blocked | Section 4.16 |
+ +-------------+------------------------------+---------------+
+ | 16 | Censored | Section 4.17 |
+ +-------------+------------------------------+---------------+
+ | 17 | Filtered | Section 4.18 |
+ +-------------+------------------------------+---------------+
+ | 18 | Prohibited | Section 4.19 |
+ +-------------+------------------------------+---------------+
+ | 19 | Stale NXDomain Answer | Section 4.20 |
+ +-------------+------------------------------+---------------+
+ | 20 | Not Authoritative | Section 4.21 |
+ +-------------+------------------------------+---------------+
+ | 21 | Not Supported | Section 4.22 |
+ +-------------+------------------------------+---------------+
+ | 22 | No Reachable Authority | Section 4.23 |
+ +-------------+------------------------------+---------------+
+ | 23 | Network Error | Section 4.24 |
+ +-------------+------------------------------+---------------+
+ | 24 | Invalid Data | Section 4.25 |
+ +-------------+------------------------------+---------------+
+ | 25-49151 | Unassigned | |
+ +-------------+------------------------------+---------------+
+ | 49152-65535 | Reserved for Private Use | Section 5.2 |
+ +-------------+------------------------------+---------------+
+
+ Table 3
+
+6. Security Considerations
+
+ Though DNSSEC continues to be deployed, unfortunately a significant
+ number of clients (~11% according to [GeoffValidation]) that receive
+ a SERVFAIL from a validating resolver because of a DNSSEC validation
+ issue will simply ask the next (potentially non-validating) resolver
+ in their list and thus don't get the protections that DNSSEC should
+ provide.
+
+ EDE information is unauthenticated information, unless secured by a
+ form of secured DNS transaction, such as [RFC2845], [RFC2931],
+ [RFC8094], or [RFC8484]. An attacker (e.g., a man in the middle
+ (MITM) or malicious recursive server) could insert an extended error
+ response into untrusted data -- although, ideally, clients and
+ resolvers would not trust any unauthenticated information. As such,
+ EDE content should be treated only as diagnostic information and MUST
+ NOT alter DNS protocol processing. Until all DNS answers are
+ authenticated via DNSSEC or the other mechanisms mentioned above,
+ there are some trade-offs. As an example, an attacker who is able to
+ insert the DNSSEC Bogus Extended Error into a DNS message could
+ instead simply reply with a fictitious address (A or AAAA) record.
+ Note that DNS RCODEs also contain no authentication and can be just
+ as easily manipulated.
+
+ By design, EDE potentially exposes additional information via DNS
+ resolution processes that may leak information. An example of this
+ is the Prohibited EDE code (18), which may leak the fact that the
+ name is on a blocklist.
+
+7. References
+
+7.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
+ <https://www.rfc-editor.org/info/rfc4035>.
+
+ [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
+ Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008,
+ <https://www.rfc-editor.org/info/rfc5198>.
+
+ [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
+ for DNS (EDNS(0))", STD 75, RFC 6891,
+ DOI 10.17487/RFC6891, April 2013,
+ <https://www.rfc-editor.org/info/rfc6891>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
+ Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
+ January 2019, <https://www.rfc-editor.org/info/rfc8499>.
+
+ [RFC8767] Lawrence, D., Kumari, W., and P. Sood, "Serving Stale Data
+ to Improve DNS Resiliency", RFC 8767,
+ DOI 10.17487/RFC8767, March 2020,
+ <https://www.rfc-editor.org/info/rfc8767>.
+
+7.2. Informative References
+
+ [GeoffValidation]
+ Huston, G., "A quick review of DNSSEC Validation in
+ today's Internet", June 2016, <http://www.potaroo.net/
+ presentations/2016-06-27-dnssec.pdf>.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000,
+ <https://www.rfc-editor.org/info/rfc2845>.
+
+ [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
+ ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
+ 2000, <https://www.rfc-editor.org/info/rfc2931>.
+
+ [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
+ Transport Layer Security (DTLS)", RFC 8094,
+ DOI 10.17487/RFC8094, February 2017,
+ <https://www.rfc-editor.org/info/rfc8094>.
+
+ [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
+ (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
+ <https://www.rfc-editor.org/info/rfc8484>.
+
+Acknowledgements
+
+ The authors wish to thank Joe Abley, Mark Andrews, Tim April,
+ Vittorio Bertola, Stephane Bortzmeyer, Vladimir Cunat, Ralph Dolmans,
+ Peter DeVries, Peter van Dijk, Mats Dufberg, Donald Eastlake, Bob
+ Harold, Paul Hoffman, Geoff Huston, Shane Kerr, Edward Lewis, Carlos
+ M. Martinez, George Michelson, Eric Orth, Michael Sheldon, Puneet
+ Sood, Petr Spacek, Ondrej Sury, John Todd, Loganaden Velvindron, and
+ Paul Vixie. They also vaguely remember discussing this with a number
+ of people over the years but have forgotten who all of them were.
+ Apologies if we forgot to acknowledge your contributions.
+
+ One author also wants to thank the band Infected Mushroom for
+ providing a good background soundtrack. Another author would like to
+ thank the band Mushroom Infectors. This was funny at the time we
+ wrote it, but we cannot remember why...
+
+Authors' Addresses
+
+ Warren Kumari
+ Google
+ 1600 Amphitheatre Parkway
+ Mountain View, CA 94043
+ United States of America
+
+ Email: warren@kumari.net
+
+
+ Evan Hunt
+ ISC
+ 950 Charter St
+ Redwood City, CA 94063
+ United States of America
+
+ Email: each@isc.org
+
+
+ Roy Arends
+ ICANN
+
+ Email: roy.arends@icann.org
+
+
+ Wes Hardaker
+ USC/ISI
+ P.O. Box 382
+ Davis, CA 95617
+ United States of America
+
+ Email: ietf@hardakers.net
+
+
+ David C Lawrence
+ Salesforce
+ 415 Mission St
+ San Francisco, CA 94105
+ United States of America
+
+ Email: tale@dd.org