Dear dnsop,

We have a new version of the Delegation Revalidation by DNS Resolvers draft addressing the feedback received during the previous last call.

* We changed the abstract to reflect that the algorithms described in the document are optional and that the document describes the benefits and considerations of using this approach.
* A new section is added, "Section 4. Limiting upgrading NS Credibility", giving the possibility for limited (or scoped) revalidation a more prominent place in the document.
* "Section 1. Introduction" is rewritten to highlight already in an early stage the considerations and possible remedies for Upgrading NS RRsets.
* In "Section 2. Motivation" the security benefits are expanded upon earlier than before.
* Limiting (or scoping) of /strictly/ revalidating referrals and authoritative NS RRset responses is now RECOMMENDED (Last paragraph of Section 6.1.)
* The "Appendix B. Implementation status" section has been updated to reflect more clearly which parts of the document are implemented in Unbound already.

Warm regards,

Willem Toorop
on behalf of the draft-ietf-dnsop-ns-revalidation co-authors

-------- Forwarded message --------
Subject: New Version Notification for draft-ietf-dnsop-ns-revalidation-10.txt
Date: Wed, 25 Jun 2025 02:17:29 -0700
From: [email protected]
To: Paul Vixie <[email protected]>, Shumon Huque <[email protected]>, Willem Toorop <[email protected]>

A new version of Internet-Draft draft-ietf-dnsop-ns-revalidation-10.txt has been successfully submitted by Willem Toorop and posted to the IETF repository.

Name: draft-ietf-dnsop-ns-revalidation
Revision: 10
Title: Delegation Revalidation by DNS Resolvers
Date: 2025-06-25
Group: dnsop
Pages: 16
URL: https://www.ietf.org/archive/id/draft-ietf-dnsop-ns-revalidation-10.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation
Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-10

Abstract:

This document describes an optional algorithm for the processing of Name Server (NS) resource record (RR) sets (RRsets) during iterative resolution, and describes the benefits and considerations of using this approach. When following a referral response from an authoritative server to a child zone, DNS resolvers should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut. The (A and AAAA) address RRsets in the additional section from referral responses and authoritative NS answers for the names of the NS RRset, should similarly be re-queried and used to replace the entries with the lower trustworthiness ranking in cache. Resolvers should also periodically revalidate the delegation by re-querying the parent zone at the expiration of the TTL of either the parent or child NS RRset, whichever comes first.

The IETF Secretariat
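The behaviour the abstract describes, modelled as a small cache: this is an added example, not code from the draft, its authors or Unbound. The class and function names, the two-level rank, the lookup callbacks and the sample zone data are assumptions made for illustration; it covers NS RRsets only, not the address RRsets.

```python
from dataclasses import dataclass

REFERRAL, AUTH_ANSWER = 1, 2  # simplified ranks (assumption): higher is more trustworthy

@dataclass(frozen=True)
class NSRRset:
    names: frozenset
    rank: int
    expires: float

class DelegationCache:
    def __init__(self):
        self.entries = {}  # zone -> {rank: NSRRset}

    def store(self, zone, names, ttl, rank, now):
        self.entries.setdefault(zone, {})[rank] = NSRRset(frozenset(names), rank, now + ttl)

    def best(self, zone, now):
        # Prefer the highest-ranked unexpired NS RRset (child side over parent side).
        live = [e for e in self.entries.get(zone, {}).values() if e.expires > now]
        return max(live, key=lambda e: e.rank, default=None)

    def revalidate_at(self, zone):
        # Expiry of the parent or the child NS RRset, whichever comes first.
        return min(e.expires for e in self.entries[zone].values())

def delegation_for(cache, zone, now, query_parent, query_child_apex):
    """Return the NS names to use for zone, revalidating once a TTL has run out."""
    if zone not in cache.entries or now >= cache.revalidate_at(zone):
        cache.entries.pop(zone, None)
        names, ttl = query_parent(zone)              # referral from the parent zone
        cache.store(zone, names, ttl, REFERRAL, now)
        names, ttl = query_child_apex(zone, names)   # authoritative NS at the child apex
        cache.store(zone, names, ttl, AUTH_ANSWER, now)
    return cache.best(zone, now).names

def demo():
    # Constructed sample data: the parent re-delegates "example." while the
    # old child servers keep answering with a long TTL.
    parent = {"example.": ({"ns1.old.example."}, 300)}
    child = {"ns1.old.example.": ({"ns1.old.example."}, 86400),
             "ns1.new.example.": ({"ns1.new.example.", "ns2.new.example."}, 3600)}
    ask_parent = lambda zone: parent[zone]
    ask_child = lambda zone, servers: child[sorted(servers)[0]]
    cache = DelegationCache()
    first = delegation_for(cache, "example.", 0, ask_parent, ask_child)
    parent["example."] = ({"ns1.new.example."}, 300)  # delegation changes at the parent
    cached = delegation_for(cache, "example.", 299, ask_parent, ask_child)
    fresh = delegation_for(cache, "example.", 300, ask_parent, ask_child)
    return first, cached, fresh
```

In `demo()`, the child-side NS RRset alone would stay cached for 86400 seconds; because the revalidation deadline is the earlier parent-side expiry, the changed delegation is picked up at second 300.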
