Dear all,This latest version 07 of draft-ietf-dnsop-ns-revalidation has all feedback from DNS Directorate early review, the mailing list, the room and hallways, since it was presented at the last IETF119 in Brisbane, processed. The authors believe the draft is ready for working group last call.
Changes in response to DNS Directorate review: * Section 3 is now formatted as paragraphs. * RFC 2119 keywords are used throughout the document * Explain what to do with auth answer with NS in authority section From feedback from the list: * Corrected error in security section From feedback from the room and hallways: * Send DNS Error report on NS set mismatch is detected * ZONEMD also adds DNSSEC protection to infrastructure data * A paragraph on parent only resolvers, how they are less vulnerable to some cache poisoning attacks, but also do not benefit from DNSSEC protection against query redirection * A paragraph on implementations wishing to consider to limited revalidation to the parts of the domain name space where it counts the most. * Added an Implementation status section -------- Doorgestuurd bericht --------Onderwerp: New Version Notification for draft-ietf-dnsop-ns-revalidation-07.txt
Datum: Mon, 08 Jul 2024 01:45:12 -0700 Van: internet-dra...@ietf.orgAan: Paul Vixie <p...@redbarn.org>, Shumon Huque <shu...@gmail.com>, Willem Toorop <wil...@nlnetlabs.nl>
A new version of Internet-Draft draft-ietf-dnsop-ns-revalidation-07.txt has been successfully submitted by Willem Toorop and posted to the IETF repository. Name: draft-ietf-dnsop-ns-revalidation Revision: 07 Title: Delegation Revalidation by DNS Resolvers Date: 2024-07-08 Group: dnsop Pages: 13 URL: https://www.ietf.org/archive/id/draft-ietf-dnsop-ns-revalidation-07.txt Status: https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-07
Abstract: This document recommends improved DNS [RFC1034] [RFC1035] resolver behavior with respect to the processing of Name Server (NS) resource record (RR) sets (RRsets) during iterative resolution. When following a referral response from an authoritative server to a child zone, DNS resolvers should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut. The (A and AAAA) address RRsets in the additional section from referral responses and authoritative NS answers for the names of the NS RRset, should similarly be re-queried and used to replace the entries with the lower trustworthiness ranking in cache. Resolvers should also periodically revalidate the child delegation by re-querying the parent zone at the expiration of the TTL of the parent side NS RRset. The IETF Secretariat
OpenPGP_0xE5F8F8212F77A498_and_old_rev.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org