RFC 9499 | DNS Terminology | March 2024 |
Hoffman & Fujiwara | Best Current Practice | [Page] |
The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.¶
This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.¶
This memo documents an Internet Best Current Practice.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9499.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Domain Name System (DNS) is a simple query-response protocol whose messages in both directions have the same format. (Section 2 gives a definition of "global DNS", which is often what people mean when they say "the DNS".) The protocol and message format are defined in [RFC1034] and [RFC1035]. These RFCs defined some terms, and later documents defined others. Some of the terms from [RFC1034] and [RFC1035] have somewhat different meanings now than they did in 1987.¶
This document contains a collection of a wide variety of DNS-related terms, organized loosely by topic. Some of them have been precisely defined in earlier RFCs, some have been loosely defined in earlier RFCs, and some are not defined in an earlier RFC at all.¶
Other organizations sometimes define DNS-related terms in their own way. For example, the WHATWG defines "domain" at <https://url.spec.whatwg.org/>. The Root Server System Advisory Committee (RSSAC) has a good lexicon [RSSAC026].¶
Most of the definitions listed here represent the consensus definition of the DNS community -- both protocol developers and operators. Some of the definitions differ from earlier RFCs, and those differences are noted. In this document, where the consensus definition is the same as the one in an RFC, that RFC is quoted. Where the consensus definition has changed somewhat, the RFC is mentioned but the new stand-alone definition is given. See Appendix A for a list of the definitions that this document updates.¶
It is important to note that, during the development of this document, it became clear that some DNS-related terms are interpreted quite differently by different DNS experts. Further, some terms that are defined in early DNS RFCs now have definitions that are generally agreed to, but that are different from the original definitions. This document is a small revision to [RFC8499]; that document was a substantial revision to [RFC7719].¶
Note that there is no single consistent definition of "the DNS". It can be considered to be some combination of the following: a commonly used naming scheme for objects on the Internet; a distributed database representing the names and certain properties of these objects; an architecture providing distributed maintenance, resilience, and loose coherency for this database; and a simple query-response protocol (as mentioned below) implementing this architecture. Section 2 defines "global DNS" and "private DNS" as a way to deal with these differing definitions.¶
Capitalization in DNS terms is often inconsistent among RFCs and various DNS practitioners. The capitalization used in this document is a best guess at current practices, and is not meant to indicate that other capitalization styles are wrong or archaic. In some cases, multiple styles of capitalization are used for the same term due to quoting from different RFCs.¶
In this document, the words "byte" and "octet" are used interchangeably. They appear here because they both appear in the earlier RFCs that defined terms in the DNS.¶
Readers should note that the terms in this document are grouped by topic. Someone who is not already familiar with the DNS probably cannot learn about the DNS from scratch by reading this document from front to back. Instead, skipping around may be the only way to get enough context to understand some of the definitions. This document has an index that might be useful for readers who are attempting to learn the DNS by reading this document.¶
A naming system associates names with data. Naming systems have many significant facets that help differentiate them from each other. Some commonly identified facets include:¶
Some of the response codes (RCODEs) that are defined in [RFC1035] have acquired their own shorthand names. All of the RCODEs are listed at [IANA_Resource_Registry], although that list uses mixed-case capitalization, while most documents use all caps. Some of the common names for values defined in [RFC1035] are described in this section. This section also includes an additional RCODE and a general definition. The official list of all RCODEs is in the IANA registry.¶
The header of a DNS message is its first 12 octets. Many of the fields and flags in the diagrams in Sections 4.1.1 through 4.1.3 of [RFC1035] are referred to by their names in each diagram. For example, the response codes are called "RCODEs", the data for a record is called the "RDATA", and the authoritative answer bit is often called "the AA flag" or "the AA bit".¶
To address this potential confusion, it is helpful to distinguish between three meanings:¶
Note that RRSIG resource records do not match this definition. [RFC4035] says:¶
This section defines the terms used for the systems that act as DNS clients, DNS servers, or both. In past RFCs, DNS servers are sometimes called "name servers", "nameservers", or just "servers". There is no formal definition of "DNS server", but RFCs generally assume that it is an Internet server that listens for queries and sends responses using the DNS protocol defined in [RFC1035] and its successors.¶
It is important to note that the terms "DNS server" and "name server" require context in order to understand the services being provided. Both authoritative servers and recursive resolvers are often called "DNS servers" and "name servers" even though they serve different roles (but may be part of the same software package).¶
For terminology specific to the global DNS root server system, see [RSSAC026]. That document defines terms such as "root server", "root server operator", and terms that are specific to the way that the root zone of the global DNS is served.¶
A resolution mode of a server that receives DNS queries and either responds to those queries from a local cache or sends queries to other servers in order to get the final answers to the original queries. Section 2.3 of [RFC1034] describes this as "the first server pursues the query for the client at another server". Section 4.3.1 of [RFC1034] says: "in [recursive] mode the name server acts in the role of a resolver and returns either an error or the answer, but never referrals." That same section also says:¶
This section defines terms that are used when discussing zones that are being served or retrieved.¶
There are two different uses for this term:¶
These early definitions do not match the current use of the term "lame delegation", but there is no consensus on what a lame delegation is. The term is used not only for the specific case described above, but for a variety of other flaws in delegations that lead to non-authoritative answers or no answers at all, such as:¶
Delegation | Parent | Name Server Name | Type |
---|---|---|---|
com | . | a.gtld-servers.net | sibling domain |
net | . | a.gtld-servers.net | in-domain |
example.org | org | ns.example.org | in-domain |
example.org | org | ns.ietf.org | sibling domain |
example.org | org | ns.example.com | unrelated |
example.jp | jp | ns.example.jp | in-domain |
example.jp | jp | ns.example.ne.jp | sibling domain |
example.jp | jp | ns.example.com | unrelated |
"The source of synthesis is defined in the context of a query process as that wildcard domain name immediately descending from the closest encloser, provided that this wildcard domain name exists. 'Immediately descending' means that the source of synthesis has a name of the form:¶
<asterisk label>.<closest encloser>."¶
(Quoted from [RFC4592], Section 3.3.1)¶
Most DNSSEC terms are defined in [RFC4033], [RFC4034], [RFC4035], and [RFC5155]. The terms that have caused confusion in the DNS community are highlighted here.¶
Validation, in the context of DNSSEC, refers to one of the following:¶
A validating resolver can determine that a response is in one of four states: secure, insecure, bogus, or indeterminate. These states are defined in [RFC4033] and [RFC4035], although the definitions in the two documents differ a bit. This document makes no effort to reconcile the definitions in the two documents and takes no position as to whether they need to be reconciled.¶
A validating resolver can determine the following 4 states:¶
- Secure:
- The validating resolver has a trust anchor, has a chain of trust, and is able to verify all the signatures in the response.¶
- Insecure:
- The validating resolver has a trust anchor, a chain of trust, and, at some delegation point, signed proof of the non-existence of a DS record. This indicates that subsequent branches in the tree are provably insecure. A validating resolver may have a local policy to mark parts of the domain space as insecure.¶
- Bogus:
- The validating resolver has a trust anchor and a secure delegation indicating that subsidiary data is signed, but the response fails to validate for some reason: missing signatures, expired signatures, signatures with unsupported algorithms, data missing that the relevant NSEC RR says should be present, and so forth.¶
- Indeterminate:
- There is no trust anchor that would indicate that a specific portion of the tree is secure. This is the default operation mode.¶
Section 4.3 of [RFC4035] says:¶
A security-aware resolver must be able to distinguish between four cases:¶
- Secure:
- An RRset for which the resolver is able to build a chain of signed DNSKEY and DS RRs from a trusted security anchor to the RRset. In this case, the RRset should be signed and is subject to signature validation, as described above.¶
- Insecure:
- An RRset for which the resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset. This can occur when the target RRset lies in an unsigned zone or in a descendent [sic] of an unsigned zone. In this case, the RRset may or may not be signed, but the resolver will not be able to verify the signature.¶
- Bogus:
- An RRset for which the resolver believes that it ought to be able to establish a chain of trust but for which it is unable to do so, either due to signatures that for some reason fail to validate or due to missing data that the relevant DNSSEC RRs indicate should be present. This case may indicate an attack but may also indicate a configuration error or some form of data corruption.¶
- Indeterminate:
- An RRset for which the resolver is not able to determine whether the RRset should be signed, as the resolver is not able to obtain the necessary DNSSEC RRs. This can occur when the security-aware resolver is not able to contact security-aware name servers for the relevant zones.¶
These definitions do not change any security considerations for either the global DNS or private DNS.¶
References to RFC 8499 in the IANA registries have been replaced with references to this document.¶
The following definitions from RFCs are updated by this document:¶
The following definitions are first defined in this document:¶
[RFC8499] and its predecessor, [RFC7719], were co-authored by Andrew Sullivan. The current document, which is a small update to [RFC8499], has just two authors. Andrew's work on the earlier documents is greatly appreciated.¶
Numerous people made significant contributions to [RFC8499] and [RFC7719]. Please see the acknowledgements sections in those two documents for the extensive list of contributors.¶
Even though the current document is a small revision, many people in the DNSOP Working Group have contributed to it, and their work is greatly appreciated.¶