Dear all,

This latest version 07 of draft-ietf-dnsop-ns-revalidation has processed all feedback from the DNS Directorate early review, the mailing list, the room and the hallways since it was presented at the last IETF (119, in Brisbane). The authors believe the draft is ready for working group last call.

Changes in response to DNS Directorate review:

 * Section 3 is now formatted as paragraphs.
 * RFC 2119 keywords are used throughout the document.
 * Explained what to do with an authoritative answer that has an NS RRset in the authority section.

From feedback from the list:

 * Corrected error in security section

From feedback from the room and hallways:

 * Send a DNS Error report when an NS set mismatch is detected.
 * ZONEMD also adds DNSSEC protection to infrastructure data.
 * A paragraph on parent-only resolvers: how they are less vulnerable
   to some cache poisoning attacks, but also do not benefit from DNSSEC
   protection against query redirection.
 * A paragraph on implementations wishing to limit revalidation to
   the parts of the domain name space where it counts the most.
 * Added an Implementation Status section.


-------- Forwarded Message --------
Subject: New Version Notification for draft-ietf-dnsop-ns-revalidation-07.txt
Date:    Mon, 08 Jul 2024 01:45:12 -0700
From:    internet-dra...@ietf.org
To:      Paul Vixie <p...@redbarn.org>, Shumon Huque <shu...@gmail.com>, Willem Toorop <wil...@nlnetlabs.nl>
A new version of Internet-Draft draft-ietf-dnsop-ns-revalidation-07.txt has
been successfully submitted by Willem Toorop and posted to the
IETF repository.

Name: draft-ietf-dnsop-ns-revalidation
Revision: 07
Title: Delegation Revalidation by DNS Resolvers
Date: 2024-07-08
Group: dnsop
Pages: 13
URL: https://www.ietf.org/archive/id/draft-ietf-dnsop-ns-revalidation-07.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation
Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-07

Abstract:

This document recommends improved DNS [RFC1034] [RFC1035] resolver
behavior with respect to the processing of Name Server (NS) resource
record (RR) sets (RRsets) during iterative resolution. When
following a referral response from an authoritative server to a child
zone, DNS resolvers should explicitly query the authoritative NS
RRset at the apex of the child zone and cache this in preference to
the NS RRset on the parent side of the zone cut. The (A and AAAA)
address RRsets in the additional section from referral responses and
authoritative NS answers for the names of the NS RRset, should
similarly be re-queried and used to replace the entries with the
lower trustworthiness ranking in cache. Resolvers should also
periodically revalidate the child delegation by re-querying the
parent zone at the expiration of the TTL of the parent side NS RRset.
The IETF Secretariat
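As an added example (not part of this message, the draft, or any code by its authors), the following Python sketch simulates the resolver cache behaviour the abstract describes: parent-side NS and glue from a referral are cached at a low trustworthiness rank, the child apex NS RRset and the NS hosts' address records are re-queried and, being authoritative, replace the lower-ranked entries, and the child delegation is scheduled for revalidation at the parent when the parent-side NS TTL expires. The zone name, server names, addresses and TTLs are constructed; the ranks are loosely modelled on RFC 2181 section 5.4.1; and the NS set mismatch check only flags the condition that the draft has a resolver report, it does not send a DNS Error report.

```python
"""Simulated resolver cache performing delegation revalidation.

Added example, not from draft-ietf-dnsop-ns-revalidation or its authors.
All names, addresses and TTLs below are constructed; no network is used.
"""
from dataclasses import dataclass

# Trustworthiness ranking, loosely following RFC 2181 section 5.4.1:
# a higher number means more trustworthy data.
RANK_REFERRAL = 1     # NS RRset in the authority section of a referral, and its glue
RANK_AUTH_ANSWER = 3  # answer section of an authoritative (AA) response


@dataclass
class CacheEntry:
    rrset: tuple
    rank: int
    expires_at: int


class RevalidatingCache:
    """Cache keyed by (owner name, RR type) with rank-aware replacement."""

    def __init__(self):
        self.entries = {}           # (name, rtype) -> CacheEntry
        self.parent_ns_expiry = {}  # child zone -> time the parent-side NS TTL expires

    def store(self, name, rtype, rrset, rank, ttl, now):
        """Insert rrset unless a better-ranked, unexpired copy is already cached."""
        key = (name, rtype)
        cur = self.entries.get(key)
        if cur is None or cur.expires_at <= now or rank >= cur.rank:
            self.entries[key] = CacheEntry(tuple(sorted(rrset)), rank, now + ttl)
            return True
        return False

    def get(self, name, rtype):
        entry = self.entries.get((name, rtype))
        return entry.rrset if entry else None

    def process_referral(self, zone, ns_names, glue, ttl, now):
        """Cache parent-side data at low rank and return the follow-up queries the
        draft asks for: the child apex NS RRset and each NS host's addresses."""
        self.store(zone, "NS", ns_names, RANK_REFERRAL, ttl, now)
        for host, addrs in glue.items():
            self.store(host, "A", addrs, RANK_REFERRAL, ttl, now)
        self.parent_ns_expiry[zone] = now + ttl
        return [(zone, "NS")] + [(host, "A") for host in ns_names]

    def process_auth_answer(self, name, rtype, rrset, ttl, now):
        """Authoritative answers outrank referral data and replace it in cache."""
        return self.store(name, rtype, rrset, RANK_AUTH_ANSWER, ttl, now)

    def ns_mismatch(self, zone, parent_ns):
        """True when the cached (child apex) NS RRset differs from the parent-side one."""
        return self.get(zone, "NS") != tuple(sorted(parent_ns))

    def zones_to_revalidate(self, now):
        """Zones whose parent-side NS TTL has expired and must be re-queried at the parent."""
        return sorted(z for z, exp in self.parent_ns_expiry.items() if exp <= now)


def simulate():
    """Run one constructed delegation through the cache and return what happened."""
    cache = RevalidatingCache()
    zone = "example.test."
    parent_ns = ["ns1.example.test.", "ns2.example.test."]
    glue = {"ns1.example.test.": ["192.0.2.1"], "ns2.example.test.": ["192.0.2.2"]}

    # t=0: referral from the parent zone (constructed), parent-side NS TTL 3600.
    followups = cache.process_referral(zone, parent_ns, glue, ttl=3600, now=0)

    # t=1: the child apex NS answer (constructed) lists a different server set,
    # and the authoritative A record for ns1 differs from the parent's glue.
    child_ns = ["ns1.example.test.", "ns3.example.test."]
    cache.process_auth_answer(zone, "NS", child_ns, ttl=86400, now=1)
    cache.process_auth_answer("ns1.example.test.", "A", ["198.51.100.1"], ttl=86400, now=1)

    # t=2: a later referral repeats the old glue; it must not displace the auth A record.
    glue_rejected = not cache.store("ns1.example.test.", "A", ["192.0.2.1"],
                                    RANK_REFERRAL, 3600, 2)

    return {
        "followups": followups,
        "cached_ns": cache.get(zone, "NS"),
        "cached_ns1_a": cache.get("ns1.example.test.", "A"),
        "glue_rejected": glue_rejected,
        "mismatch": cache.ns_mismatch(zone, parent_ns),
        "revalidate_at_3599": cache.zones_to_revalidate(3599),
        "revalidate_at_3600": cache.zones_to_revalidate(3600),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The rank check in `store` is what makes the abstract's "replace the entries with the lower trustworthiness ranking" concrete: referral glue can seed the cache, but once an authoritative answer is in, a repeated referral cannot push it out until it expires. The revalidation timer is keyed on the parent-side TTL alone, even though the child's NS RRset may carry a much longer TTL, so the parent's view of the delegation is rechecked on the parent's schedule.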

