summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9156.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc9156.txt')
-rw-r--r--doc/rfc/rfc9156.txt585
1 files changed, 585 insertions, 0 deletions
diff --git a/doc/rfc/rfc9156.txt b/doc/rfc/rfc9156.txt
new file mode 100644
index 0000000..af4f855
--- /dev/null
+++ b/doc/rfc/rfc9156.txt
@@ -0,0 +1,585 @@
+
+
+
+
+Internet Engineering Task Force (IETF) S. Bortzmeyer
+Request for Comments: 9156 AFNIC
+Obsoletes: 7816 R. Dolmans
+Category: Standards Track NLnet Labs
+ISSN: 2070-1721 P. Hoffman
+ ICANN
+ November 2021
+
+
+ DNS Query Name Minimisation to Improve Privacy
+
+Abstract
+
+ This document describes a technique called "QNAME minimisation" to
+ improve DNS privacy, where the DNS resolver no longer always sends
+ the full original QNAME and original QTYPE to the upstream name
+ server. This document obsoletes RFC 7816.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9156.
+
+Copyright Notice
+
+ Copyright (c) 2021 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Revised BSD License text as described in Section 4.e of the
+ Trust Legal Provisions and are provided without warranty as described
+ in the Revised BSD License.
+
+Table of Contents
+
+ 1. Introduction and Background
+ 1.1. Experience from RFC 7816
+ 1.2. Terminology
+ 2. Description of QNAME Minimisation
+ 2.1. QTYPE Selection
+ 2.2. QNAME Selection
+ 2.3. Limitation of the Number of Queries
+ 2.4. Implementation by Stub and Forwarding Resolvers
+ 3. Algorithm to Perform QNAME Minimisation
+ 4. QNAME Minimisation Examples
+ 5. Performance Considerations
+ 6. Security Considerations
+ 7. References
+ 7.1. Normative References
+ 7.2. Informative References
+ Acknowledgments
+ Authors' Addresses
+
+1. Introduction and Background
+
+ The problem statement for this document is described in [RFC9076].
+ This specific solution is not intended to fully solve the DNS privacy
+ problem; instead, it should be viewed as one tool amongst many.
+
+ QNAME minimisation follows the principle explained in Section 6.1 of
+ [RFC6973]: the less data you send out, the fewer privacy problems you
+ have.
+
+ Before QNAME minimisation, when a resolver received the query "What
+ is the AAAA record for www.example.com?", it sent to the root
+ (assuming a resolver, whose cache is empty) the very same question.
+ Sending the full QNAME to the authoritative name server was a
+ tradition, not a protocol requirement. In a conversation with one of
+ the authors in January 2015, Paul Mockapetris explained that this
+ tradition comes from a desire to optimise the number of requests,
+ when the same name server is authoritative for many zones in a given
+ name (something that was more common in the old days, where the same
+ name servers served .com and the root) or when the same name server
+ is both recursive and authoritative (something that is strongly
+ discouraged now). Whatever the merits of this choice at this time,
+ the DNS is quite different now.
+
+ QNAME minimisation is compatible with the current DNS system and
+ therefore can easily be deployed. Because it is only a change to the
+ way that the resolver operates, it does not change the DNS protocol
+ itself. The behaviour suggested here (minimising the amount of data
+ sent in QNAMEs from the resolver) is allowed by Section 5.3.3 of
+ [RFC1034] and Section 7.2 of [RFC1035].
+
+1.1. Experience from RFC 7816
+
+ This document obsoletes [RFC7816]. [RFC7816] was categorised
+ "Experimental", but ideas from it were widely deployed since its
+ publication. Many resolver implementations now support QNAME
+ minimisation. The lessons learned from implementing QNAME
+ minimisation were used to create this new revision.
+
+ Data from DNSThought [dnsthought-qnamemin], Verisign
+ [verisign-qnamemin], and APNIC [apnic-qnamemin] shows that a large
+ percentage of the resolvers deployed on the Internet already support
+ QNAME minimisation in some way.
+
+ Academic research has been performed on QNAME minimisation
+ [devries-qnamemin]. This work shows that QNAME minimisation in
+ relaxed mode causes almost no problems. The paper recommends using
+ the A QTYPE and limiting the number of queries in some way. Some of
+ the issues that the paper found are covered in Section 5.
+
+1.2. Terminology
+
+ The terminology used in this document is defined in [RFC8499].
+
+ In this document, a "cold" cache is one that is empty, having
+ literally no entries in it. A "warm" cache is one that has some
+ entries in it.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+2. Description of QNAME Minimisation
+
+ The idea behind QNAME minimisation is to minimise the amount of
+ privacy-sensitive data sent from the DNS resolver to the
+ authoritative name server. This section describes how to do QNAME
+ minimisation. The algorithm is summarised in Section 3.
+
+ When a resolver is not able to answer a query from cache, it has to
+ send a query to an authoritative name server. Traditionally, these
+ queries would contain the full QNAME and the original QTYPE as
+ received in the client query.
+
+ The full QNAME and original QTYPE are only needed at the name server
+ that is authoritative for the record requested by the client. All
+ other name servers queried while resolving the query only need to
+ receive enough of the QNAME to be able to answer with a delegation.
+ The QTYPE in these queries is not relevant, as the name server is not
+ able to authoritatively answer the records the client is looking for.
+ Sending the full QNAME and original QTYPE to these name servers
+ therefore exposes more privacy-sensitive data than necessary to
+ resolve the client's request.
+
+ A resolver that implements QNAME minimisation obscures the QNAME and
+ QTYPE in queries directed to an authoritative name server that is not
+ known to be responsible for the original QNAME. These queries
+ contain:
+
+ * a QTYPE selected by the resolver to possibly obscure the original
+ QTYPE
+
+ * the QNAME that is the original QNAME, stripped to just one label
+ more than the longest matching domain name for which the name
+ server is known to be authoritative
+
+2.1. QTYPE Selection
+
+ Note that this document relaxes the recommendation in [RFC7816] to
+ use the NS QTYPE to hide the original QTYPE. Using the NS QTYPE is
+ still allowed. The authority of NS records lies at the child side.
+ The parent side of the delegation will answer using a referral, like
+ it will do for queries with other QTYPEs. Using the NS QTYPE
+ therefore has no added value over other QTYPEs.
+
+ The QTYPE to use while minimising queries can be any possible data
+ type (as defined in Section 3.1 of [RFC6895]) for which the authority
+ always lies below the zone cut (i.e., not DS, NSEC, NSEC3, OPT, TSIG,
+ TKEY, ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no
+ relation between the incoming QTYPE and the selection of the QTYPE to
+ use while minimising. The A or AAAA QTYPEs are always good
+ candidates to use because these are the least likely to raise issues
+ in DNS software and middleboxes that do not properly support all
+ QTYPEs. QTYPE=A or QTYPE=AAAA queries will also blend into traffic
+ from nonminimising resolvers, making it in some cases harder to
+ observe that the resolver is using QNAME minimisation. Using a QTYPE
+ that occurs most in incoming queries will slightly reduce the number
+ of queries, as there is no extra check needed for delegations on non-
+ apex records.
+
+2.2. QNAME Selection
+
+ The minimising resolver works perfectly when it knows the zone cut
+ (zone cuts are described in Section 6 of [RFC2181]). But zone cuts
+ do not necessarily exist at every label boundary. In the name
+ www.foo.bar.example, it is possible that there is a zone cut between
+ "foo" and "bar" but not between "bar" and "example". So, assuming
+ that the resolver already knows the name servers of example, when it
+ receives the query "What is the AAAA record of www.foo.bar.example?",
+ it does not always know where the zone cut will be. To find the zone
+ cut, it will query the example name servers for a record for
+ bar.example. It will get a non-referral answer, so it has to query
+ the example name servers again with one more label, and so on.
+ (Section 3 describes this algorithm in deeper detail.)
+
+2.3. Limitation of the Number of Queries
+
+ When using QNAME minimisation, the number of labels in the received
+ QNAME can influence the number of queries sent from the resolver.
+ This opens an attack vector and can decrease performance. Resolvers
+ supporting QNAME minimisation MUST implement a mechanism to limit the
+ number of outgoing queries per user request.
+
+ Take for example an incoming QNAME with many labels, like
+ www.host.group.department.example.com, where
+ host.group.department.example.com is hosted on example.com's name
+ servers. (Such deep domains are especially common under ip6.arpa.)
+ Assume a resolver that knows only the name servers of example.com.
+ Without QNAME minimisation, it would send these example.com name
+ servers a query for www.host.group.department.example.com and
+ immediately get a specific referral or an answer, without the need
+ for more queries to probe for the zone cut. For such a name, a cold
+ resolver with QNAME minimisation will send more queries, one per
+ label. Once the cache is warm, there will be less difference with a
+ traditional resolver. Testing of this is described in
+ [Huque-QNAME-Min].
+
+ The behaviour of sending multiple queries can be exploited by sending
+ queries with a large number of labels in the QNAME that will be
+ answered using a wildcard record. Take for example a record for
+ *.example.com, hosted on example.com's name servers. An incoming
+ query containing a QNAME with more than 100 labels, ending in
+ example.com, will result in a query per label. By using random
+ labels, the attacker can bypass the cache and always require the
+ resolver to send many queries upstream. Note that [RFC8198] can
+ limit this attack in some cases.
+
+ One mechanism that MAY be used to reduce this attack vector is by
+ appending more than one label per iteration for QNAMEs with a large
+ number of labels. To do this, a maximum number of QNAME minimisation
+ iterations MUST be selected (MAX_MINIMISE_COUNT); a RECOMMENDED value
+ is 10. Optionally, a value for the number of queries that should
+ only have one label appended MAY be selected (MINIMISE_ONE_LAB); a
+ good value is 4. The assumption here is that the number of labels on
+ delegations higher in the hierarchy are rather small; therefore, not
+ exposing too many labels early on has the most privacy benefit.
+
+ Another potential, optional mechanism for limiting the number of
+ queries is to assume that labels that begin with an underscore (_)
+ character do not represent privacy-relevant administrative
+ boundaries. For example, if the QNAME is "_25._tcp.mail.example.org"
+ and the algorithm has already searched for "mail.example.org", the
+ next query can be for all the underscore-prefixed names together,
+ namely "_25._tcp.mail.example.org".
+
+ When a resolver needs to send out a query, it will look for the
+ closest-known delegation point in its cache. The number of not-yet-
+ exposed labels is the difference between this closest name server and
+ the incoming QNAME. The first MINIMISE_ONE_LAB labels will be
+ handled as described in Section 2. The number of labels that are
+ still not exposed now need to be divided proportionally over the
+ remaining iterations (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). If the
+ not-yet-exposed labels cannot be equally divided over the remaining
+ iterations, the remainder of the division should be added to the last
+ iterations. For example, when resolving a QNAME with 18 labels with
+ MAX_MINIMISE_COUNT set to 10 and MINIMISE_ONE_LAB set to 4, the
+ number of labels added per iteration are: 1,1,1,1,2,2,2,2,3,3.
+
+2.4. Implementation by Stub and Forwarding Resolvers
+
+ Stub and forwarding resolvers MAY implement QNAME minimisation.
+ Minimising queries that will be sent to an upstream resolver does not
+ help in hiding data from the upstream resolver because all
+ information will end up there anyway. It might however limit the
+ data exposure between the upstream resolver and the authoritative
+ name server in the situation where the upstream resolver does not
+ support QNAME minimisation. Using QNAME minimisation in a stub or
+ forwarding resolver that does not have a mechanism to find and cache
+ zone cuts will drastically increase the number of outgoing queries.
+
+3. Algorithm to Perform QNAME Minimisation
+
+ This algorithm performs name resolution with QNAME minimisation in
+ the presence of zone cuts that are not yet known.
+
+ Although a validating resolver already has the logic to find the zone
+ cuts, implementers of resolvers may want to use this algorithm to
+ locate the zone cuts.
+
+ (0) If the query can be answered from the cache, do so; otherwise,
+ iterate as follows:
+
+ (1) Get the closest delegation point that can be used for the
+ original QNAME from the cache.
+
+ (1a) For queries with a QTYPE for which the authority only lies
+ at the parent side (like QTYPE=DS), this is the NS RRset
+ with the owner matching the most labels with QNAME
+ stripped by one label. QNAME will be a subdomain of (but
+ not equal to) this NS RRset. Call this ANCESTOR.
+
+ (1b) For queries with other original QTYPEs, this is the NS
+ RRset with the owner matching the most labels with QNAME.
+ QNAME will be equal to or a subdomain of this NS RRset.
+ Call this ANCESTOR.
+
+ (2) Initialise CHILD to the same as ANCESTOR.
+
+ (3) If CHILD is the same as QNAME, or if CHILD is one label shorter
+ than QNAME and the original QTYPE can only be at the parent side
+ (like QTYPE=DS), resolve the original query as normal, starting
+ from ANCESTOR's name servers. Start over from step 0 if new
+ names need to be resolved as a result of this answer, for
+ example, when the answer contains a CNAME or DNAME [RFC6672]
+ record.
+
+ (4) Otherwise, update the value of CHILD by adding the next relevant
+ label or labels from QNAME to the start of CHILD. The number of
+ labels to add is discussed in Section 2.3.
+
+ (5) Look for a cache entry for the RRset at CHILD with the original
+ QTYPE. If the cached response code is NXDOMAIN and the resolver
+ has support for [RFC8020], the NXDOMAIN can be used in response
+ to the original query, and stop. If the cached response code is
+ NOERROR (including NODATA), go back to step 3. If the cached
+ response code is NXDOMAIN and the resolver does not support
+ [RFC8020], go back to step 3.
+
+ (6) Query for CHILD with the selected QTYPE using one of ANCESTOR's
+ name servers. The response can be:
+
+ (6a) A referral. Cache the NS RRset from the authority
+ section, and go back to step 1.
+
+ (6b) A DNAME response. Proceed as if a DNAME is received for
+ the original query. Start over from step 0 to resolve the
+ new name based on the DNAME target.
+
+ (6c) All other NOERROR answers (including NODATA). Cache this
+ answer. Regardless of the answered RRset type, including
+ CNAMEs, continue with the algorithm from step 3 by
+ building the original QNAME.
+
+ (6d) An NXDOMAIN response. If the resolver supports [RFC8020],
+ return an NXDOMAIN response to the original query, and
+ stop. If the resolver does not support [RFC8020], go to
+ step 3.
+
+ (6e) A timeout or response with another RCODE. The
+ implementation may choose to retry step 6 with a different
+ ANCESTOR name server.
+
+4. QNAME Minimisation Examples
+
+ As a first example, assume that a resolver receives a request to
+ resolve foo.bar.baz.example. Assume that the resolver already knows
+ that ns1.nic.example is authoritative for .example and that the
+ resolver does not know a more specific authoritative name server. It
+ will send the query with QNAME=baz.example and the QTYPE selected to
+ hide the original QTYPE to ns1.nic.example.
+
+ +=======+=================+=========================+======+
+ | QTYPE | QNAME | TARGET | NOTE |
+ +=======+=================+=========================+======+
+ | MX | a.b.example.org | root name server | |
+ +-------+-----------------+-------------------------+------+
+ | MX | a.b.example.org | org name server | |
+ +-------+-----------------+-------------------------+------+
+ | MX | a.b.example.org | example.org name server | |
+ +-------+-----------------+-------------------------+------+
+
+ Table 1: Cold Cache, Traditional Resolution Algorithm
+ without QNAME Minimisation, Request for MX Record of
+ a.b.example.org
+
+ The following are more detailed examples of requests for an MX record
+ of a.b.example.org with QNAME minimisation, using A QTYPE to hide the
+ original QTYPE and using other names and authoritative servers:
+
+ +=======+=================+=========================+============+
+ | QTYPE | QNAME | TARGET | NOTE |
+ +=======+=================+=========================+============+
+ | A | org | root name server | |
+ +-------+-----------------+-------------------------+------------+
+ | A | example.org | org name server | |
+ +-------+-----------------+-------------------------+------------+
+ | A | b.example.org | example.org name server | |
+ +-------+-----------------+-------------------------+------------+
+ | A | a.b.example.org | example.org name server | "a" may be |
+ | | | | delegated |
+ +-------+-----------------+-------------------------+------------+
+ | MX | a.b.example.org | example.org name server | |
+ +-------+-----------------+-------------------------+------------+
+
+ Table 2: Cold Cache with QNAME Minimisation
+
+ Note that, in the above example, one query would have been saved if
+ the incoming QTYPE was the same as the QTYPE selected by the resolver
+ to hide the original QTYPE. Only one query for a.b.example.org would
+ have been needed if the original QTYPE would have been A. Using the
+ most-used QTYPE to hide the original QTYPE therefore slightly reduces
+ the number of outgoing queries compared to using any other QTYPE to
+ hide the original QTYPE.
+
+ +=======+=================+=========================+============+
+ | QTYPE | QNAME | TARGET | NOTE |
+ +=======+=================+=========================+============+
+ | A | example.org | org name server | |
+ +-------+-----------------+-------------------------+------------+
+ | A | b.example.org | example.org name server | |
+ +-------+-----------------+-------------------------+------------+
+ | A | a.b.example.org | example.org name server | "a" may be |
+ | | | | delegated |
+ +-------+-----------------+-------------------------+------------+
+ | MX | a.b.example.org | example.org name server | |
+ +-------+-----------------+-------------------------+------------+
+
+ Table 3: Warm Cache with QNAME Minimisation
+
+5. Performance Considerations
+
+ The main goal of QNAME minimisation is to improve privacy by sending
+ less data. However, it may have other advantages. For instance, if
+ a resolver sends a root name server queries for A.example followed by
+ B.example followed by C.example, the result will be three NXDOMAINs,
+ since .example does not exist in the root zone. When using QNAME
+ minimisation, the resolver would send only one question (for .example
+ itself) to which they could answer NXDOMAIN. The resolver can cache
+ this answer and use it to prove that nothing below .example exists
+ [RFC8020]. A resolver now knows a priori that neither B.example nor
+ C.example exist. Thus, in this common case, the total number of
+ upstream queries under QNAME minimisation could be counterintuitively
+ less than the number of queries under the traditional iteration (as
+ described in the DNS standard).
+
+ QNAME minimisation can increase the number of queries based on the
+ incoming QNAME. This is described in Section 2.3. As described in
+ [devries-qnamemin], QNAME minimisation both increases the number of
+ DNS lookups by up to 26% and leads to up to 5% more failed lookups.
+ Filling the cache in a production resolver will soften that overhead.
+
+6. Security Considerations
+
+ QNAME minimisation's benefits are clear in the case where you want to
+ decrease exposure of the queried name to the authoritative name
+ server. But minimising the amount of data sent also, in part,
+ addresses the case of a wire sniffer as well as the case of privacy
+ invasion by the authoritative name servers. Encryption is of course
+ a better defense against wire sniffers, but, unlike QNAME
+ minimisation, it changes the protocol and cannot be deployed
+ unilaterally. Also, the effect of QNAME minimisation on wire
+ sniffers depends on whether the sniffer is on the DNS path.
+
+ QNAME minimisation offers no protection against the recursive
+ resolver, which still sees the full request coming from the stub
+ resolver.
+
+ A resolver using QNAME minimisation can possibly be used to cause a
+ query storm to be sent to servers when resolving queries containing a
+ QNAME with a large number of labels, as described in Section 2.3.
+ That section proposes methods to significantly dampen the effects of
+ such attacks.
+
+7. References
+
+7.1. Normative References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
+ <https://www.rfc-editor.org/info/rfc1034>.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
+ November 1987, <https://www.rfc-editor.org/info/rfc1035>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
+ Morris, J., Hansen, M., and R. Smith, "Privacy
+ Considerations for Internet Protocols", RFC 6973,
+ DOI 10.17487/RFC6973, July 2013,
+ <https://www.rfc-editor.org/info/rfc6973>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
+ Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
+ January 2019, <https://www.rfc-editor.org/info/rfc8499>.
+
+7.2. Informative References
+
+ [apnic-qnamemin]
+ Huston, G. and J. Damas, "Measuring Query Name
+ Minimization", September 2020, <https://indico.dns-
+ oarc.net/event/34/contributions/787/
+ attachments/777/1326/2020-09-28-oarc33-qname-
+ minimisation.pdf>.
+
+ [devries-qnamemin]
+ de Vries, W., Scheitle, Q., Müller, M., Toorop, W.,
+ Dolmans, R., and R. van Rijswijk-Deij, "A First Look at
+ QNAME Minimization in the Domain Name System", March 2019,
+ <https://nlnetlabs.nl/downloads/publications/
+ devries2019.pdf>.
+
+ [dnsthought-qnamemin]
+ "Qname Minimisation", October 2021,
+ <https://dnsthought.nlnetlabs.nl/#qnamemin>.
+
+ [Huque-QNAME-Min]
+ Huque, S., "Query name minimization and authoritative
+ server behavior", May 2015,
+ <https://indico.dns-oarc.net/event/21/contribution/9>.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
+ <https://www.rfc-editor.org/info/rfc2181>.
+
+ [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
+ DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012,
+ <https://www.rfc-editor.org/info/rfc6672>.
+
+ [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
+ Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
+ April 2013, <https://www.rfc-editor.org/info/rfc6895>.
+
+ [RFC7816] Bortzmeyer, S., "DNS Query Name Minimisation to Improve
+ Privacy", RFC 7816, DOI 10.17487/RFC7816, March 2016,
+ <https://www.rfc-editor.org/info/rfc7816>.
+
+ [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is
+ Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020,
+ November 2016, <https://www.rfc-editor.org/info/rfc8020>.
+
+ [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of
+ DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198,
+ July 2017, <https://www.rfc-editor.org/info/rfc8198>.
+
+ [RFC9076] Wicinski, T., Ed., "DNS Privacy Considerations", RFC 9076,
+ DOI 10.17487/RFC9076, July 2021,
+ <https://www.rfc-editor.org/info/rfc9076>.
+
+ [verisign-qnamemin]
+ Thomas, M., "Maximizing Qname Minimization: A New Chapter
+ in DNS Protocol Evolution", September 2020,
+ <https://blog.verisign.com/security/maximizing-qname-
+ minimization-a-new-chapter-in-dns-protocol-evolution/>.
+
+Acknowledgments
+
+ The acknowledgments from RFC 7816 apply here. In addition, many
+ participants from the DNSOP Working Group helped with proposals for
+ simplification, clarification, and general editorial help.
+
+Authors' Addresses
+
+ Stephane Bortzmeyer
+ AFNIC
+ 1, rue Stephenson
+ 78180 Montigny-le-Bretonneux
+ France
+
+ Phone: +33 1 39 30 83 46
+ Email: bortzmeyer+ietf@nic.fr
+ URI: https://www.afnic.fr/
+
+
+ Ralph Dolmans
+ NLnet Labs
+
+ Email: ralph@nlnetlabs.nl
+
+
+ Paul Hoffman
+ ICANN
+
+ Email: paul.hoffman@icann.org