DNS Extensions (dnsext)
-----------------------

 Charter
 Last Modified: 2010-12-07

 Current Status: Active Working Group

 Chair(s):
     Olafur Gudmundsson  <ogud@ogud.com>
     Andrew Sullivan  <ajs@shinkuro.com>

 Internet Area Director(s):
     Ralph Droms  <rdroms.ietf@gmail.com>
     Jari Arkko  <jari.arkko@piuha.net>

 Internet Area Advisor:
     Ralph Droms  <rdroms.ietf@gmail.com>

 Mailing Lists: 
     General Discussion: dnsext@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/dnsext
     Archive:            http://www.ietf.org/mail-archive/web/dnsext/

Description of Working Group:

The DNS has a large installed base and repertoire of protocol
specifications. The DNSEXT working group will actively advance DNS
protocol-related RFCs on the standards track while thoroughly
reviewing further proposed extensions. The scope of the DNSEXT WG is
confined to the DNS protocol, particularly changes that affect DNS
protocols "on the wire" or the internal processing of DNS data. DNS
operations are out of scope for the WG.

The WG will consider work in the following areas:

* DNSSEC and TSIG/TKEY algorithm maintenance
* Mechanisms that complement, or are alternatives to, TSIG and SIG(0)
* Hardening the DNS protocol and providing guidance to implementers
* Advancing existing DNS-related Proposed Standard RFCs to Draft/Full
  Standard
* Obsoleting DNS-related RFCs
* Maintaining a Wiki containing a guide to DNS protocol RFCs
* Improving DNS zone synchronization mechanisms 
* Examining transport protocols, possibly adding new ones
* Mechanisms to alias DNS trees or parts thereof

While the DNS offers two mechanisms for aliasing DNS labels -- CNAME
and DNAME -- neither of these provides the support necessary to alias
completely one part of the DNS tree as another part.  There are claims
that the restriction has proven to be too great in practice,
particularly with burgeoning deployment of IDNA and the need to
provide domain name variants.  The issue is made more complex by
DNSSEC.

The DNSEXT WG will evaluate ways to provide such aliasing, to add
metadata to zones to allow easier operation of zones when such
aliasing is needed, or both.  The WG will also provide an
informational document outlining the various strategies available,
what they might be used for, and what their limitations are.  It is
possible that the WG will conclude no aliasing or metadata support is
possible, or that none of the proposals so far made are adequate.

Before formal adoption of any work item, at least 5 working group
participants must publicly state that the item is within charter and
is a worthwhile item for further study.

The DNSEXT WG will conduct the specified RFC5395 review of RR
templates as they are posted, and EDNS0 Option templates if EDNS0-bis
updates registration requirements.

The WG will review DNS protocol related work which may originate
elsewhere in the IETF, including AD-sponsored submissions or drafts
in other working groups.

 Goals and Milestones:

   Done         Forward NSEC rdata to IESG for Proposed Standard 

   Done         Forward RFC2535-bis to IESG for proposed standard 

   Done         Forward Case Insensitive to IESG for Proposed Standard 

   Done         Forward LLMNR to IESG for Proposed Standard 

   Done         Update boilerplate text on OPT-IN 

   Done         Forward Wildcard clarification to IESG for proposed standard 

   Done         Finalize Zone Enumeration Requirements 

   Done         RFC2538 (CERT RR) to Draft Standard 

   Done         Forgery Resilience advanced to IESG 

   Done         GOST DNSKEY and DS support advanced to IESG 

   Done         AXFR Clarify to IESG 

   Done         DNS existing transport protocol recommendations/clarifications 
                to IESG 

   Dec 2010       RFC3597-bis Unknown RR advanced to IESG for PS 

   Dec 2010       DNSKEY Registry fixes and allocation procedure advanced to IESG 

   Dec 2010       EDNS0-bis update advanced to IESG 

   Dec 2010       TSIG/MD5 Obsoleting to IESG. 

   Dec 2010       IXFR-only to IESG 

   Jan 2011       DNSSEC Errata document to IESG 

   Jul 2011       WG consensus on new or revised RRTYPEs for aliasing work 

   Jul 2011       Interoperation testing on new or revised RRTYPEs (particularly 
                with existing deployed code) 

   Nov 2011       Document on new RRTYPE or revised RRTYPE handling for alias to 
                IESG 

   Nov 2011       Document on in-zone metadata for aliases to IESG 

   Nov 2011       Document on uses and limitations of different alias techniques 
                to IESG 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
May 2005 Nov 2010   <draft-ietf-dnsext-dnssec-bis-updates-12.txt>
                Clarifications and Implementation Notes for DNSSECbis 

Sep 2006 Dec 2010   <draft-ietf-dnsext-rfc2672bis-dname-21.txt>
                Update to DNAME Redirection in the DNS 

Dec 2007 Nov 2010   <draft-ietf-dnsext-rfc2671bis-edns0-04.txt>
                Extension Mechanisms for DNS (EDNS0) 

Sep 2009 Feb 2010   <draft-ietf-dnsext-rfc3597-bis-02.txt>
                Handling of Unknown DNS Resource Record (RR) Types 

Oct 2009 Jan 2011   <draft-ietf-dnsext-dnssec-registry-fixes-07.txt>
                Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm 
                IANA Registry 

Nov 2010 Nov 2010   <draft-ietf-dnsext-dnssec-algo-signal-00.txt>
                Signaling Cryptographic Algorithm Understanding in DNSSEC 

Nov 2010 Nov 2010   <draft-ietf-dnsext-5395bis-02.txt>
                Domain Name System (DNS) IANA Considerations 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC2782 PS   Feb 2000    A DNS RR for specifying the location of services (DNS 
                       SRV) 

RFC2845 Standard  Jun 2000    Secret Key Transaction Authentication for DNS (TSIG) 

RFC2929 BCP  Sep 2000    Domain Name System (DNS) IANA Considerations 

RFC2930 PS   Sep 2000    Secret Key Establishment for DNS (TKEY RR) 

RFC2931 PS   Sep 2000    DNS Request and Transaction Signatures ( SIG(0)s ) 

RFC3008 PS   Dec 2000    Domain Name System Security (DNSSEC) Signing Authority 

RFC3007 PS   Dec 2000    Secure Domain Name System (DNS) Dynamic Update 

RFC3090 PS   Mar 2001    DNS Security Extension Clarification on Zone Status 

RFC3110 PS   May 2001    RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System 
                       (DNS) 

RFC3123 E    Jun 2001    A DNS RR Type for Lists of Address Prefixes (APL RR) 

RFC3197 I    Nov 2001    Applicability Statement for DNS MIB Extensions 

RFC3225 PS   Dec 2001    Indicating Resolver Support of DNSSEC 

RFC3226 PS   Dec 2001    DNSSEC and IPv6 A6 aware server/resolver message size 
                       requirements 

RFC3364 I    Aug 2002    Tradeoffs in DNS support for IPv6 

RFC3363 I    Aug 2002    Representing IPv6 addresses in DNS 

RFC3425 PS   Nov 2002    Obsoleting IQUERY 

RFC3445 PS   Dec 2002    Limiting the Scope of the KEY Resource Record out 

RFC3597 PS   Sep 2003    Handling of Unknown DNS Resource Record (RR) Types 

RFC3596 Standard  Oct 2003    DNS Extensions to support IP version 6 

RFC3645 Standard  Oct 2003    GSS Algorithm for TSIG (GSS-TSIG) 

RFC3655 Standard  Nov 2003    Redefinition of DNS AD bit 

RFC3658 Standard  Dec 2003    Delegation Signer Resource Record 

RFC3755 Standard  May 2004    Legacy Resolver Compatibility for Delegation Signer 

RFC3757 Standard  May 2004    KEY RR Secure Entry Point Flag 

RFC3845 Standard  Aug 2004    DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format 

RFC3833 I    Aug 2004    Threat Analysis Of The Domain Name System 

RFC4035 Standard  Apr 2005    Protocol Modifications for the DNS Security Extensions 

RFC4034 Standard  Apr 2005    Resource Records for the DNS Security Extensions 

RFC4033 Standard  Apr 2005    DNS Security Introduction and Requirements 

RFC4343 Standard  Jan 2006    Domain Name System (DNS) Case Insensitivity 
                       Clarification 

RFC4398 PS   Mar 2006    Storing Certificates in the Domain Name System (DNS) 

RFC4470 PS   Apr 2006    Minimally Covering NSEC Records and DNSSEC On-line 
                       Signing 

RFC4509 PS   May 2006    Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource 
                       Records (RRs) 

RFC4592 PS   Jul 2006    The Role of Wildcards in the Domain Name System 

RFC4635 PS   Aug 2006    HMAC SHA (Hashed Message Authentication Code, Secure 
                       Hash Algorithm) TSIG Algorithm Identifiers 

RFC4471 E    Sep 2006    Derivation of DNS Name Predecessor and Successor 

RFC4701 PS   Oct 2006    A DNS Resource Record (RR) for Encoding Dynamic Host 
                       Configuration Protocol (DHCP) Information (DHCID RR) 

RFC4795 I    Jan 2007    Link-local Multicast Name Resolution (LLMNR) 

RFC4955 PS   Jul 2007    DNS Security (DNSSEC) Experiments 

RFC4956 E    Jul 2007    DNS Security (DNSSEC) Opt-In 

RFC5001 PS   Aug 2007    DNS Name Server Identifier Option (NSID) 

RFC4986 I    Aug 2007    Requirements Related to DNS Security (DNSSEC) Trust 
                       Anchor Rollover 

RFC5011 PS   Sep 2007    Automated Updates of DNS Security (DNSSEC) Trust Anchors 

RFC5155 PS   Mar 2008    DNS Security (DNSSEC) Hashed Authenticated Denial of 
                       Existence 

RFC5395 BCP  Nov 2008    Domain Name System (DNS) IANA Considerations 

RFC5452 PS   Jan 2009    Measures for Making DNS More Resilient against Forged 
                       Answers 

RFC5625 BCP  Aug 2009    DNS Proxy Implementation Guidelines 

RFC5702 PS   Oct 2009    Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG 
                       Resource Records for DNSSEC 

RFC5936 PS   Jun 2010    DNS Zone Transfer Protocol (AXFR) 

RFC5933 PS   Jul 2010    Use of GOST Signature Algorithms in DNSKEY and RRSIG 
                       Resource Records for DNSSEC 

RFC5966 PS   Aug 2010    DNS Transport over TCP - Implementation Requirements 

RFC6014 PS   Nov 2010    Cryptographic Algorithm Identifier Allocation for DNSSEC