DNS Extensions (dnsext) Internet Drafts
| DNS Zone Transfer Protocol (AXFR) | |||||||||||||||||
|
The Domain Name System standard facilities for maintaining coherent servers for a zone consist of three elements. The Authoritative Transfer (AXFR) is defined in RFC 1034 and RFC 1035. The Incremental Zone Transfer (IXFR) is defined in RFC 1995. A mechanism for prompt notification of zone changes (NOTIFY) is defined in RFC 1996. The base definition of these facilities, that of the AXFR, has proven insufficient in detail, resulting in no implementation complying with it. Yet today we have a satisfactory set of implementations that do interoperate. This document is a new definition of the AXFR, new in the sense that is it recording an accurate definition of an interoperable AXFR mechanism. | ||||||||||||||||
| Domain Name System (DNS) IANA Considerations | |||||||||||||||||
|
Internet Assigned Number Authority (IANA) parameter assignment considerations are specified for the allocation of Domain Name System (DNS) resource record types, CLASSes, operation codes, error codes, DNS protocol message header bits, and AFSDB resource record subtypes. | ||||||||||||||||
| Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC | |||||||||||||||||
|
This document describes how to produce RSA/SHA-256 and RSA/SHA-512 DNSKEY and RRSIG resource records for use in the Domain Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). | ||||||||||||||||
| Update to DNAME Redirection in the DNS | |||||||||||||||||
|
The DNAME record provides redirection for a sub-tree of the domain name tree in the DNS system. That is, all names that end with a particular suffix are redirected to another part of the DNS. This is an update of the original specification in RFC 2672, also aligning RFC 3363 and RFC 4294 with this revision. | ||||||||||||||||
| Measures for making DNS more resilient against forged answers | |||||||||||||||||
|
The current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder. Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation. By describing certain behaviour that has previously not been standardised, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 1034. | ||||||||||||||||
| Revised extension mechanisms for DNS (EDNS0) | |||||||||||||||||
|
The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow clients to advertise their capabilities to servers. This document describes backward compatible mechanisms for allowing the protocol to grow.1 - Introduction | ||||||||||||||||
| The Modern DNS Implementation Guide | |||||||||||||||||
|
A structured catalogue of relevant DNS RFCs is presented with references to the specific normative sections which should be followed in a modern DNS implementation. This document is to be used as guide for DNS implementors, for testing and compliance of DNS software, and to help guide DNS standards' advancement. | ||||||||||||||||
| Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records | |||||||||||||||||
|
The main goal of this document is to deprecate the use of HMAC-MD5 as an algorithm for the TSIG (secret key transaction authentication) resource record in the DNS (domain name system). | ||||||||||||||||
 |
 |
 |
 |
|
 |
|
 |
|
 |
|
 |
DNS Extensions (dnsext)
Last Modified: 2008-06-16
Additional information is available at tools.ietf.org/wg/dnsext
Chair(s):
Internet Area Director(s):
Internet Area Advisor:
Mailing Lists:
General Discussion: namedroppers@ops.ietf.orgTo Subscribe: namedroppers-request@ops.ietf.org
Archive: http://ops.ietf.org/lists/namedroppers/
Description of Working Group:
The DNS has a large installed base and repertoire of protocolspecifications. The DNSEXT WG group will actively advance DNS
protocol-related RFCs on the standards track while thoroughly
reviewing further proposed extensions. The scope of the DNSEXT WG is
confined to the DNS protocol, particularly changes that affect DNS
protocols "on the wire" or the internal processing of DNS data. DNS
operations are out of scope for the WG.
The WG will limit itself to review of proposals for new extensions,
clarification to the DNS protocol, including DNSSEC, and review of
DNS protocol related work which may originate elsewhere in the IETF,
including AD-sponsored submissions or drafts in other working groups.
Adoption of new DNSEXT standards track working group items will require
changes to this charter. The WG does not intend to hold face to face
meetings, though may do so if deemed necessary for resolution of a
specific issue at hand.
The DNSEXT WG will conduct the specified RFC2929bis review of RR
templates as they are posted and also maintain a living ID of errata
for the DNSSEC document set.
Goals and Milestones:
| Done | Forward NSEC rdata to IESG for Proposed Standard | |
| Done | Forward RFC2535-bis to IESG for proposed standard | |
| Done | Forward Case Insensitive to IESG for Proposed Standard | |
| Done | Forward LLMNR to IESG for Proposed Standard | |
| Done | Update boilerplate text on OPT-IN | |
| Done | Forward Wildcard clarification to IESG for proposed standard | |
| Feb 2007 | Submit KEY algorithm documents RFC253[69]bis and RFC3110 to IESG for proposed standard | |
| Done | Finalize Zone Enumeration Requirements | |
| Jun 2007 | Start of process of reviewing the following RFCs and to move them to Draft Standard status | |
| Jul 2007 | RFC2930 (TKEY) to Draft standard | |
| Jul 2007 | RFC2181 (Clarify) to Draft Standard | |
| Jul 2007 | RFC2136 (Dynamic Update) to Draft Standard | |
| Jul 2007 | RFC2308 (Neg Caching) to Draft Standard | |
| Jul 2007 | RFC3007 (Secure Update) to Draft Standard | |
| Jul 2007 | RFC2782 (SRV RR) to Draft Standard | |
| Jul 2007 | RFC2671 (EDNS0) to Draft Standard | |
| Jul 2007 | RFC1995 (IXFR) to Draft standard | |
| Jul 2007 | RFC2672 (DNAME) to Draft Standard or revision | |
| Jul 2007 | RFC1996 (Notify) to Draft Standard | |
| Jul 2007 | Submit to IESG RFC2845 (TSIG)to Draft standard | |
| Jul 2007 | RFC1982 (Serial Number Arithmetic) | |
| Jul 2007 | RFC2538 (CERT RR) to Draft Standard | |
| Jul 2007 | FRC2539 (DH Key RR) to Draft Standard | |
| Jul 2007 | RFC3226 (Message Size) to Draft Standard | |
| Feb 2008 | RFC2536bis and RFC2539bis advanced to IESG. | |
| Mar 2008 | DNAMEbis advanced to IESG | |
| Apr 2008 | ENDS0bis advanced to IESG | |
| Jun 2008 | Forgery Resilience advanced to IESG | |
| Jul 2008 | AXFR-clarify advanced to IESG | |
| Dec 2008 | DNS-profile advanced to IESG |
Internet-Drafts:
DNS Zone Transfer Protocol (AXFR) (43665 bytes)Domain Name System (DNS) IANA Considerations (35303 bytes)
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC (16798 bytes)
Update to DNAME Redirection in the DNS (36763 bytes)
Measures for making DNS more resilient against forged answers (37975 bytes)
Revised extension mechanisms for DNS (EDNS0) (19053 bytes)
The Modern DNS Implementation Guide (52420 bytes)
Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records (11006 bytes)
Request For Comments:
A DNS RR for specifying the location of services (DNS SRV) (RFC 2782) (24013 bytes) obsoletes RFC 2052Secret Key Transaction Authentication for DNS (TSIG) (RFC 2845) (32272 bytes) updates RFC 1035/ updated by RFC 3645
Domain Name System (DNS) IANA Considerations (RFC 2929) (22454 bytes)
Secret Key Establishment for DNS (TKEY RR) (RFC 2930) (34894 bytes)
DNS Request and Transaction Signatures ( SIG(0)s ) (RFC 2931) (19073 bytes) updates RFC 2535
Domain Name System Security (DNSSEC) Signing Authority (RFC 3008) (13484 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 2535/ updated by RFC 3658
Secure Domain Name System (DNS) Dynamic Update (RFC 3007) (18056 bytes) obsoletes RFC 2535,RFC 2136/ updates RFC 2137/ updated by RFC 4033,RFC 4034,RFC 4035
DNS Security Extension Clarification on Zone Status (RFC 3090) (24166 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updated by RFC 3658
RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS) (RFC 3110) (14587 bytes)
A DNS RR Type for Lists of Address Prefixes (APL RR) (RFC 3123) (14648 bytes)
Applicability Statement for DNS MIB Extensions (RFC 3197) (8610 bytes)
DNSSEC and IPv6 A6 aware server/resolver message size requirements (RFC 3226) (12078 bytes) updates RFC 2874,RFC 2535/ updated by RFC 4033,RFC 4034,RFC 4035
Indicating Resolver Support of DNSSEC (RFC 3225) (11548 bytes) updated by RFC 4033,RFC 4034,RFC 4035
Representing IPv6 addresses in DNS (RFC 3363) (11055 bytes) updates RFC 2673,RFC 2874
Tradeoffs in DNS support for IPv6 (RFC 3364) (26544 bytes) updates RFC 2874
Obsoleting IQUERY (RFC 3425) (8615 bytes) updates RFC 1035
Limiting the Scope of the KEY Resource Record out (RFC 3445) (20947 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 2535
Handling of Unknown DNS Resource Record (RR) Types (RFC 3597) (17559 bytes) updated by RFC 4033,RFC 4034,RFC 4035
DNS Extensions to support IP version 6 (RFC 3596) (14093 bytes)
GSS Algorithm for TSIG (GSS-TSIG) (RFC 3645) (56162 bytes) updates RFC 2845
Redefinition of DNS AD bit (RFC 3655) (15646 bytes) obsoletes RFC 2535/ obsoleted by RFC 4033,RFC 4034,RFC 4035
Delegation Signer Resource Record (RFC 3658) (42120 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 3090,RFC 3008,RFC 2535,RFC 1035/ updated by RFC 3755
KEY RR Secure Entry Point Flag (RFC 3757) (16868 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 3755,RFC 2535
Legacy Resolver Compatibility for Delegation Signer (RFC 3755) (19812 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 3658,RFC 2535/ updated by RFC 3757,RFC 3845
DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format (RFC 3845) (14793 bytes) obsoleted by RFC 4033,RFC 4034,RFC 4035/ updates RFC 3755,RFC 2535
Threat Analysis Of The Domain Name System (RFC 3833) (39303 bytes)
Protocol Modifications for the DNS Security Extensions (RFC 4035) (130589 bytes) obsoletes RFC 3845,RFC 2535,RFC 3008,RFC 3090,RFC 3445,RFC 3655,RFC 3658,RFC 3755,RFC 3757/ updates RFC 1034,RFC 1035,RFC 2136,RFC 2181,RFC 2308,RFC 3225,RFC 3007,RFC 3597,RFC 3226/ updated by RFC 4470
Resource Records for the DNS Security Extensions (RFC 4034) (63879 bytes) obsoletes RFC 3845,RFC 2535,RFC 3008,RFC 3090,RFC 3445,RFC 3655,RFC 3658,RFC 3755,RFC 3757/ updates RFC 1034,RFC 1035,RFC 2136,RFC 2181,RFC 2308,RFC 3225,RFC 3007,RFC 3597,RFC 3226/ updated by RFC 4470
DNS Security Introduction and Requirements (RFC 4033) (52445 bytes) obsoletes RFC 2535,RFC 3008,RFC 3090,RFC 3445,RFC 3655,RFC 3658,RFC 3755,RFC 3757,RFC 3845/ updates RFC 1034,RFC 1035,RFC 2136,RFC 2181,RFC 2308,RFC 3225,RFC 3007,RFC 3597,RFC 3226
Domain Name System (DNS) Case Insensitivity Clarification (RFC 4343) (22899 bytes) updates RFC 1034,RFC 1035,RFC 2181
Storing Certificates in the Domain Name System (DNS) (RFC 4398) (35652 bytes) obsoletes RFC 2538
Minimally Covering NSEC Records and DNSSEC On-line Signing (RFC 4470) (17471 bytes) updates RFC 4035,RFC 4034
Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) (RFC 4509) (14155 bytes)
The Role of Wildcards in the Domain Name System (RFC 4592) (43991 bytes) updates RFC 1034,RFC 2672
HMAC SHA (Hashed Message Authentication Code, Secure Hash Algorithm) TSIG Algorithm Identifiers (RFC 4635) (16533 bytes)
Derivation of DNS Name Predecessor and Successor (RFC 4471) (42430 bytes)
A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR) (RFC 4701) (24570 bytes)
Link-local Multicast Name Resolution (LLMNR) (RFC 4795) (71969 bytes)
DNS Security (DNSSEC) Opt-In (RFC 4956) (32033 bytes)
DNS Security (DNSSEC) Experiments (RFC 4955) (15417 bytes)
DNS Name Server Identifier Option (NSID) (RFC 5001) (23754 bytes)
Requirements Related to DNS Security (DNSSEC) Trust Anchor Rollover (RFC 4986) (22647 bytes)
Automated Updates of DNS Security (DNSSEC) Trust Anchors (RFC 5011) (30138 bytes)
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155) (112140 bytes)
IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.
Return to working group directory. 
