rfc9471.original   rfc9471.txt 
DNSOP M. Andrews Internet Engineering Task Force (IETF) M. Andrews
Internet-Draft ISC Request for Comments: 9471 ISC
Updates: 1034 (if approved) S. Huque Updates: 1034 S. Huque
Intended status: Standards Track Salesforce Category: Standards Track Salesforce
Expires: 16 December 2023 P. Wouters ISSN: 2070-1721 P. Wouters
Aiven Aiven
D. Wessels D. Wessels
Verisign Verisign
14 June 2023 September 2023
DNS Glue Requirements in Referral Responses DNS Glue Requirements in Referral Responses
draft-ietf-dnsop-glue-is-not-optional-09
Abstract Abstract
The DNS uses glue records to allow iterative clients to find the The DNS uses glue records to allow iterative clients to find the
addresses of name servers that are contained within a delegated zone. addresses of name servers that are contained within a delegated zone.
Authoritative Servers are expected to return all available glue Authoritative servers are expected to return all available glue
records for in-domain name servers in a referral response. If records for in-domain name servers in a referral response. If
message size constraints prevent the inclusion of all glue records message size constraints prevent the inclusion of all glue records
for in-domain name servers, the server must set the TC flag to inform for in-domain name servers, the server must set the TC (Truncated)
the client that the response is incomplete, and that the client flag to inform the client that the response is incomplete and that
should use another transport to retrieve the full response. This the client should use another transport to retrieve the full
document updates RFC 1034 to clarify correct server behavior. response. This document updates RFC 1034 to clarify correct server
behavior.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 16 December 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9471.
Copyright Notice Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language
2. Types of Glue in Referral Responses . . . . . . . . . . . . . 3 2. Types of Glue in Referral Responses
2.1. Glue for In-Domain Name Servers . . . . . . . . . . . . . 3 2.1. Glue for In-Domain Name Servers
2.2. Glue for Sibling Domain Name Servers . . . . . . . . . . 4 2.2. Glue for Sibling Domain Name Servers
2.3. Glue for Cyclic Sibling Domain Name Servers . . . . . . . 5 2.3. Glue for Cyclic Sibling Domain Name Servers
2.4. Missing Glue . . . . . . . . . . . . . . . . . . . . . . 6 2.4. Missing Glue
3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Requirements
3.1. Glue for In-Domain Name Servers . . . . . . . . . . . . . 7 3.1. Glue for In-Domain Name Servers
3.2. Glue for Sibling Domain Name Servers . . . . . . . . . . 8 3.2. Glue for Sibling Domain Name Servers
3.3. Updates to RFC 1034 . . . . . . . . . . . . . . . . . . . 8 3.3. Update to RFC 1034
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 4. Security Considerations
5. Operational Considerations . . . . . . . . . . . . . . . . . 8 5. Operational Considerations
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 7. References
8. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1. Normative References
9. Normative References . . . . . . . . . . . . . . . . . . . . 10 7.2. Informative References
10. Informative References . . . . . . . . . . . . . . . . . . . 11 Acknowledgements
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses
1. Introduction 1. Introduction
The Domain Name System (DNS) [RFC1034], [RFC1035] uses glue records The Domain Name System (DNS) [RFC1034] [RFC1035] uses glue records to
to allow iterative clients to find the addresses of name servers that allow iterative clients to find the addresses of name servers that
are contained within a delegated zone. Glue records are added to the are contained within a delegated zone. Glue records are added to the
parent zone as part of the delegation process and returned in parent zone as part of the delegation process and returned in
referral responses, otherwise a resolver following the referral has referral responses; otherwise, a resolver following the referral has
no way of finding these addresses. Authoritative servers are no way of finding these addresses. Authoritative servers are
expected to return all available glue records for in-domain name expected to return all available glue records for in-domain name
servers in a referral response. If message size constraints prevent servers in a referral response. If message size constraints prevent
the inclusion of all glue records for in-domain name servers over the the inclusion of all glue records for in-domain name servers over the
chosen transport, the server MUST set the TC (Truncated) flag to chosen transport, the server MUST set the TC (Truncated) flag to
inform the client that the response is incomplete, and that the inform the client that the response is incomplete and that the client
client SHOULD use another transport to retrieve the full response. SHOULD use another transport to retrieve the full response. This
This document clarifies that expectation. document clarifies that expectation.
DNS responses sometimes contain optional data in the additional DNS responses sometimes contain optional data in the additional
section. In-domain glue records, however, are not optional. Several section. In-domain glue records, however, are not optional. Several
other protocol extensions, when used, are also not optional. This other protocol extensions, when used, are also not optional. This
includes TSIG [RFC8945], OPT [RFC6891], and SIG(0) [RFC2931]. includes TSIG [RFC8945], OPT [RFC6891], and SIG(0) [RFC2931].
At the time of this writing, addresses (A or AAAA records) for a At the time of this writing, addresses (A or AAAA records) for a
delegation's authoritative name servers are the only type of glue delegation's authoritative name servers are the only type of glue
defined for the DNS. defined for the DNS.
Note that this document only clarifies requirements of name server Note that this document only clarifies requirements for name server
software implementations. It does not introduce or change any software implementations. It does not introduce or change any
requirements on data placed in DNS zones or registries. In other requirements regarding data placed in DNS zones or registries. In
words, this document only makes requirements on "available glue other words, this document only makes requirements regarding
records" (i.e., those given in a zone), but does not make "available glue records" (i.e., those given in a zone) but does not
requirements regarding their presence in a zone. If some glue make requirements regarding their presence in a zone. If some glue
records are absent from a given zone, an authoritative name server records are absent from a given zone, an authoritative name server
may be unable to return a useful referral response for the may be unable to return a useful referral response for the
corresponding domain. The IETF may want to consider a separate corresponding domain. The IETF may want to consider a separate
update to the requirements for including glue in zone data, beyond update to the requirements for including glue in zone data, beyond
those given in [RFC1034] and [RFC1035]. those given in [RFC1034] and [RFC1035].
This document assumes a reasonable level of familiarity with DNS This document assumes a reasonable level of familiarity with DNS
operations and protocol terms. Much of the terminology is explained operations and protocol terms. Much of the terminology is explained
in further detail in "DNS Terminology" [RFC8499]. in further detail in "DNS Terminology" [RFC8499].
1.1. Reserved Words 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Types of Glue in Referral Responses 2. Types of Glue in Referral Responses
This section describes different types of glue that may be found in This section describes different types of glue that may be found in
DNS referral responses. Note that the type of glue depends on the DNS referral responses. Note that the type of glue depends on the
QNAME. A particular name server (and its corresponding glue record) QNAME. A particular name server (and its corresponding glue record)
can be in-domain for one response and in a sibling domain for can be in-domain for one response and in a sibling domain for
another. another.
skipping to change at page 4, line 27 skipping to change at line 165
foo.test. 86400 IN NS ns1.foo.test. foo.test. 86400 IN NS ns1.foo.test.
foo.test. 86400 IN NS ns2.foo.test. foo.test. 86400 IN NS ns2.foo.test.
;; ADDITIONAL SECTION: ;; ADDITIONAL SECTION:
ns1.foo.test. 86400 IN A 192.0.2.1 ns1.foo.test. 86400 IN A 192.0.2.1
ns2.foo.test. 86400 IN AAAA 2001:db8::2:2 ns2.foo.test. 86400 IN AAAA 2001:db8::2:2
2.2. Glue for Sibling Domain Name Servers 2.2. Glue for Sibling Domain Name Servers
Sibling domain name servers are NS records that are not contained in Sibling domain name servers are NS records that are not contained in
the delegated zone itself, but in another zone delegated from the the delegated zone itself but rather are contained in another zone
same parent. In many cases, glue for sibling domain name servers are delegated from the same parent. In many cases, glue for sibling
not strictly required for resolution, since the resolver can make domain name servers is not strictly required for resolution, since
follow-on queries to the sibling zone to resolve the name server the resolver can make follow-on queries to the sibling zone to
addresses (after following the referral to the sibling zone). resolve the name server addresses (after following the referral to
However, most name server implementations today provide them as an the sibling zone). However, most name server implementations today
optimization to obviate the need for extra traffic from iterative provide them as an optimization to obviate the need for extra traffic
resolvers. from iterative resolvers.
Here the delegating zone "test" contains two delegations for the Here, the delegating zone "test" contains two delegations for the
child zones "bar.test" and "foo.test": child zones "bar.test" and "foo.test":
bar.test. 86400 IN NS ns1.bar.test. bar.test. 86400 IN NS ns1.bar.test.
bar.test. 86400 IN NS ns2.bar.test. bar.test. 86400 IN NS ns2.bar.test.
ns1.bar.test. 86400 IN A 192.0.2.1 ns1.bar.test. 86400 IN A 192.0.2.1
ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns1.bar.test.
foo.test. 86400 IN NS ns2.bar.test. foo.test. 86400 IN NS ns2.bar.test.
skipping to change at page 5, line 24 skipping to change at line 207
ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
2.3. Glue for Cyclic Sibling Domain Name Servers 2.3. Glue for Cyclic Sibling Domain Name Servers
The use of sibling domain name servers can introduce cyclic The use of sibling domain name servers can introduce cyclic
dependencies. This happens when one domain specifies name servers dependencies. This happens when one domain specifies name servers
from a sibling domain, and vice versa. This type of cyclic from a sibling domain, and vice versa. This type of cyclic
dependency can only be broken when the delegating name server dependency can only be broken when the delegating name server
includes glue for the sibling domain in a referral response. includes glue for the sibling domain in a referral response.
Here the delegating zone "test" contains two delegations for the Here, the delegating zone "test" contains two delegations for the
child zones "bar.test" and "foo.test", and each use name servers child zones "bar.test" and "foo.test", and each uses name servers
under the other: under the other:
bar.test. 86400 IN NS ns1.foo.test. bar.test. 86400 IN NS ns1.foo.test.
bar.test. 86400 IN NS ns2.foo.test. bar.test. 86400 IN NS ns2.foo.test.
ns1.bar.test. 86400 IN A 192.0.2.1 ns1.bar.test. 86400 IN A 192.0.2.1
ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns1.bar.test.
foo.test. 86400 IN NS ns2.bar.test. foo.test. 86400 IN NS ns2.bar.test.
ns1.foo.test. 86400 IN A 192.0.2.3 ns1.foo.test. 86400 IN A 192.0.2.3
skipping to change at page 6, line 5 skipping to change at line 235
;www.bar.test. IN A ;www.bar.test. IN A
;; AUTHORITY SECTION: ;; AUTHORITY SECTION:
bar.test. 86400 IN NS ns1.foo.test. bar.test. 86400 IN NS ns1.foo.test.
bar.test. 86400 IN NS ns2.foo.test. bar.test. 86400 IN NS ns2.foo.test.
;; ADDITIONAL SECTION: ;; ADDITIONAL SECTION:
ns1.foo.test. 86400 IN A 192.0.2.3 ns1.foo.test. 86400 IN A 192.0.2.3
ns2.foo.test. 86400 IN AAAA 2001:db8::2:4 ns2.foo.test. 86400 IN AAAA 2001:db8::2:4
In late 2021 the authors analyzed zone file data available from In late 2021, the authors analyzed zone file data available from
ICANN's Centralized Zone Data Service [CZDS] and found 222 out of ICANN's Centralized Zone Data Service [CZDS] and found 222 out of
approximately 209,000,000 total delegations that had only sibling approximately 209,000,000 total delegations that had only sibling
domain NS RRs in a cyclic dependency as above. domain NS Resource Records (RRs) in a cyclic dependency as above.
2.4. Missing Glue 2.4. Missing Glue
An example of missing glue is included here, even though it can not An example of missing glue is included here, even though it cannot be
be considered as a type of glue. While not common, real examples of considered as a type of glue. While not common, real examples of
responses that lack required glue, and with TC=0, have been shown to responses that lack required glue, and with TC=0, have been shown to
occur and cause resolution failures. occur and cause resolution failures.
The example below, from the dig command [DIG], is based on a response The example below, from the dig command [DIG], is based on a response
observed in June 2020. The names have been altered to fall under observed in June 2020. The names have been altered to fall under
documentation domains. It shows a case where none of the glue documentation domains. It shows a case where none of the glue
records present in the zone fit into the available space of the UDP records present in the zone fit into the available space of the UDP
response, and the TC flag was not set. While this example shows a response, and the TC flag was not set. While this example shows a
referral with DNSSEC records [RFC4033], [RFC4034], [RFC4035], this referral with DNSSEC records [RFC4033] [RFC4034] [RFC4035], this
behavior has been seen with plain DNS responses as well. Some behavior has been seen with plain DNS responses as well. Some
records have been truncated for display purposes. Note that at the records have been truncated for display purposes. Note that at the
time of this writing, the servers originally responsible for this time of this writing, the servers originally responsible for this
example have been updated and now correctly set the TC flag. example have been updated and now correctly set the TC flag.
% dig +norec +dnssec +bufsize=512 +ignore @ns.example.net \ % dig +norec +dnssec +bufsize=512 +ignore @ns.example.net \
rh202ns2.355.foo.example rh202ns2.355.foo.example
; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \ ; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \
@ns.example.net rh202ns2.355.foo.example @ns.example.net rh202ns2.355.foo.example
skipping to change at page 7, line 41 skipping to change at line 294
3. Requirements 3. Requirements
This section describes updated requirements for including glue in DNS This section describes updated requirements for including glue in DNS
referral responses. referral responses.
3.1. Glue for In-Domain Name Servers 3.1. Glue for In-Domain Name Servers
This document clarifies that when a name server generates a referral This document clarifies that when a name server generates a referral
response, it MUST include all available glue records for in-domain response, it MUST include all available glue records for in-domain
name servers in the additional section, or MUST set TC=1 if name servers in the additional section or MUST set TC=1 if
constrained by message size. constrained by message size.
At the time of writing, most iterative clients send initial queries At the time of this writing, most iterative clients send initial
over UDP and retry over TCP upon receiving a response with the TC queries over UDP and retry over TCP upon receiving a response with
flag set. UDP responses are generally limited to between 1232 and the TC flag set. UDP responses are generally limited to between 1232
4096 bytes, due to values commonly used for the EDNS0 UDP Message and 4096 bytes, due to values commonly used for the EDNS0 UDP Message
Size field [RFC6891], [FLAGDAY2020]. TCP responses are limited to Size field [RFC6891] [FLAGDAY2020]. TCP responses are limited to
65,535 bytes. 65,535 bytes.
3.2. Glue for Sibling Domain Name Servers 3.2. Glue for Sibling Domain Name Servers
This document clarifies that when a name server generates a referral This document clarifies that when a name server generates a referral
response, it SHOULD include all available glue records in the response, it SHOULD include all available glue records in the
additional section. If, after adding glue for all in-domain name additional section. If, after adding glue for all in-domain name
servers, the glue for all sibling domain name servers does not fit servers, the glue for all sibling domain name servers does not fit
due to message size constraints, the name server MAY set TC=1 but is due to message size constraints, the name server MAY set TC=1 but is
not obligated to do so. not obligated to do so.
Note that users may experience resolution failures for domains with Note that users may experience resolution failures for domains with
cyclically-dependent sibling name servers when the delegating name cyclically dependent sibling name servers when the delegating name
server chooses to omit the corresponding glue in a referral response. server chooses to omit the corresponding glue in a referral response.
As described in Section 2.3, such domains are rare. As described in Section 2.3, such domains are rare.
3.3. Updates to RFC 1034 3.3. Update to RFC 1034
Replace OLD:
"Copy the NS RRs for the subzone into the authority section of the | Copy the NS RRs for the subzone into the authority section of the
reply. Put whatever addresses are available into the additional | reply. Put whatever addresses are available into the additional
section, using glue RRs if the addresses are not available from | section, using glue RRs if the addresses are not available from
authoritative data or the cache. Go to step 4." | authoritative data or the cache. Go to step 4.
with NEW:
"Copy the NS RRs for the subzone into the authority section of the | Copy the NS RRs for the subzone into the authority section of the
reply. Put whatever NS addresses are available into the additional | reply. Put whatever NS addresses are available into the
section, using glue RRs if the addresses are not available from | additional section, using glue RRs if the addresses are not
authoritative data or the cache. If all glue RRs for in-domain name | available from authoritative data or the cache. If all glue RRs
servers do not fit, set TC=1 in the header. Go to step 4." | for in-domain name servers do not fit, set TC=1 in the header. Go
| to step 4.
4. Security Considerations 4. Security Considerations
This document clarifies correct DNS server behavior and does not This document clarifies correct DNS server behavior and does not
introduce any changes or new security considerations. introduce any changes or new security considerations.
5. Operational Considerations 5. Operational Considerations
At the time of this writing, the behavior of most DNS server At the time of this writing, the behavior of most DNS server
implementations is to set the TC flag only if none of the available implementations is to set the TC flag only if none of the available
glue records fit in a response over UDP transport. The updated glue records fit in a response over UDP transport. The updated
requirements in this document might lead to an increase in the requirements in this document might lead to an increase in the
fraction of UDP responses with the TC flag set, and consequently an fraction of UDP responses with the TC flag set and, consequently, an
increase in the number of queries received over TCP transport. increase in the number of queries received over TCP transport.
6. IANA Considerations 6. IANA Considerations
There are no actions for IANA. This document has no IANA actions.
7. Acknowledgements
The authors wish to thank Joe Abley, David Blacka, Brian Dickson,
Kazunori Fujiwara, Paul Hoffman, Geoff Huston, Jared Mauch, George
Michaelson, Yasuhiro Orange Morishita, Benno Overeinder, John R
Levine, Hugo Salgado, Shinta Sato, Puneet Sood, Petr Spacek, Ralf
Weber, Tim Wicinski, Suzanne Woolf, and other members of the DNSOP
working group for their input.
8. Changes
RFC Editor: Please remove this section before publication.
This section lists substantial changes to the document as it is being
worked on.
From -01 to -02:
* Clarified that "servers" means "authoritative servers".
* Clarified that "available glue" means "all available glue".
* Updated examples and placed before RFC 1034 update.
From -02 to -03:
* Clarified scope to focus only on name server responses, and not
zone/registry data.
* Reorganized with section 2 as Types of Glue and section 3 as
Requirements.
* Removed any discussion of promoted / orphan glue.
* Use appropriate documentation addresses and domain names.
* Added Sibling Cyclic Glue example.
From -03 to -04:
* Use "referral glue" on the assumption that other types of glue may
be defined in the future.
* Added Operational Considerations section.
* Note many current implementations set TC=1 only when no glue RRs
fit. New requirements may lead to more truncation and TCP.
* Sibling glue can be optional. Only require TC=1 when all in-
domain glue RRs don't fit.
* Avoid talking about requirements for UDP/TCP specifically, and
talk more generically about message size constraints regardless of
transport.
From -04 to -05:
* Reverting the -04 change to use the phrase "referral glue".
* Rephrase "in-domain glue" as "glue for in-domain name servers".
* Rephrase "sibling glue" as "glue for sibling domain name servers".
* Expand paragraph noting this document does not make requirements
about presence of glue in zones.
From -05 to -06:
* More instances of rephrasing "in-domain glue" as "glue for in-
domain name servers" (and for sibling glue).
From -06 to -07:
* Change "NOT REQUIRED to set TC=1" to "MAY set TC=1 but is not
obligated to do so."
From -07 to -08:
* Update TSIG reference to RFC8945.
From -08 to -09:
* Lowercase RFC2119 keywords in abstract
* Add informative reference to DNS terminology RFC
* Add informative reference to dig 7. References
9. Normative References 7.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10. Informative References 7.2. Informative References
[CZDS] ICANN, "Centralized Zone Data Service", January 2022, [CZDS] ICANN, "Centralized Zone Data Service",
<https://czds.icann.org/>. <https://czds.icann.org/>.
[DIG] Wikipedia, "dig (command)", June 2023, [DIG] Wikipedia, "dig (command)", September 2023,
<https://en.wikipedia.org/wiki/Dig_(command)>. <https://en.wikipedia.org/wiki/Dig_(command)>.
[FLAGDAY2020] [FLAGDAY2020]
Various DNS software and service providers, "DNS Flag Day Various DNS software and service providers, "DNS Flag Day
2020", October 2020, <https://dnsflagday.net/2020/>. 2020", October 2020, <https://dnsflagday.net/2020/>.
[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
2000, <https://www.rfc-editor.org/info/rfc2931>. 2000, <https://www.rfc-editor.org/info/rfc2931>.
skipping to change at page 12, line 15 skipping to change at line 421
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>. January 2019, <https://www.rfc-editor.org/info/rfc8499>.
[RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D., [RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D.,
Gudmundsson, O., and B. Wellington, "Secret Key Gudmundsson, O., and B. Wellington, "Secret Key
Transaction Authentication for DNS (TSIG)", STD 93, Transaction Authentication for DNS (TSIG)", STD 93,
RFC 8945, DOI 10.17487/RFC8945, November 2020, RFC 8945, DOI 10.17487/RFC8945, November 2020,
<https://www.rfc-editor.org/info/rfc8945>. <https://www.rfc-editor.org/info/rfc8945>.
Acknowledgements
The authors wish to thank Joe Abley, David Blacka, Brian Dickson,
Kazunori Fujiwara, Paul Hoffman, Geoff Huston, John R. Levine, Jared
Mauch, George Michaelson, Yasuhiro Orange Morishita, Benno
Overeinder, Hugo Salgado, Shinta Sato, Puneet Sood, Petr Spacek, Ralf
Weber, Tim Wicinski, Suzanne Woolf, and other members of the DNSOP
Working Group for their input.
Authors' Addresses Authors' Addresses
M. Andrews M. Andrews
ISC ISC
Email: marka@isc.org Email: marka@isc.org
Shumon Huque Shumon Huque
Salesforce Salesforce
Email: shuque@gmail.com Email: shuque@gmail.com
 End of changes. 40 change blocks. 
192 lines changed or deleted 114 lines changed or added

This html diff was produced by rfcdiff 1.48.