rfc9704.original.xml   rfc9704.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors --> <!DOCTYPE rfc [
<?xml-model href="https://raw.githubusercontent.com/ietf-tools/xml2rfc/main/xml2 <!ENTITY nbsp "&#160;">
rfc/data/v3.rng" schematypens="http://relaxng.org/ns/structure/1.0" type="applic <!ENTITY zwsp "&#8203;">
ation/xml"?> <!ENTITY nbhy "&#8209;">
<!-- For a complete list and description of processing instructions (PIs), <!ENTITY wj "&#8288;">
please see http://xml.resource.org/authoring/README.html. --> ]>
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds
might want to use. <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ie
(Here they are set differently than their defaults in xml2rfc v1.32) --> tf-add-split-horizon-authority-14" number="9704" updates="" obsoletes="" ipr="tr
<?rfc strict="yes" ?> ust200902" submissionType="IETF" xml:lang="en" tocInclude="true" tocDepth="4" sy
<!-- give errors regarding ID-nits and DTD validation --> mRefs="true" sortRefs="true" version="3" consensus="true">
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ie
tf-add-split-horizon-authority-14" ipr="trust200902" submissionType="IETF" xml:l
ang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="
3" consensus="true">
<front> <front>
<title abbrev="Establishing Local DNS Authority">Establishing Local DNS <title abbrev="Establishing Local DNS Authority">Establishing Local DNS
Authority in Validated Split-Horizon Environments</title> Authority in Validated Split-Horizon Environments</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-add-split-horizon-author <seriesInfo name="RFC" value="9704"/>
ity-14"/> <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
<author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
<organization>Nokia</organization> <organization>Nokia</organization>
<address> <address>
<postal> <postal>
<country>India</country> <country>India</country>
</postal> </postal>
<email>kondtir@gmail.com</email> <email>kondtir@gmail.com</email>
</address> </address>
</author> </author>
<author fullname="Dan Wing" initials="D." surname="Wing"> <author fullname="Dan Wing" initials="D." surname="Wing">
<organization abbrev="Citrix">Citrix Systems, Inc.</organization> <organization abbrev="Citrix">Citrix Systems, Inc.</organization>
<address> <address>
<postal> <postal>
<street>4988 Great America Pkwy</street> <country>United States of America</country>
<city>Santa Clara</city>
<region>CA</region>
<code>95054</code>
<country>USA</country>
</postal> </postal>
<email>danwing@gmail.com</email> <email>danwing@gmail.com</email>
</address> </address>
</author> </author>
<author fullname="Kevin Smith" initials="K." surname="Smith"> <author fullname="Kevin Smith" initials="K." surname="Smith">
<organization abbrev="Vodafone">Vodafone Group</organization> <organization abbrev="Vodafone">Vodafone Group</organization>
<address> <address>
<postal> <postal>
<street>One Kingdom Street</street> <street>One Kingdom Street</street>
<city>London</city> <city>London</city>
<country>UK</country> <country>United Kingdom</country>
</postal> </postal>
<email>kevin.smith@vodafone.com</email> <email>kevin.smith@vodafone.com</email>
</address> </address>
</author> </author>
<author fullname="Benjamin Schwartz" initials="B." surname="Schwartz"> <author fullname="Benjamin Schwartz" initials="B." surname="Schwartz">
<organization abbrev="Meta">Meta Platforms, Inc.</organization> <organization abbrev="Meta">Meta Platforms, Inc.</organization>
<address> <address>
<email>ietf@bemasc.net</email> <email>ietf@bemasc.net</email>
</address> </address>
</author> </author>
<date/> <date month="January" year="2025"/>
<workgroup>ADD</workgroup> <area>INT</area>
<workgroup>add</workgroup>
<abstract> <abstract>
<t>When split-horizon DNS is deployed by a network, certain domain names c an <t>When split-horizon DNS is deployed by a network, certain domain names c an
be resolved authoritatively by a network-provided DNS resolver. DNS client s be resolved authoritatively by a network-provided DNS resolver. DNS client s
that are not configured to use this resolver by default can use it for that are not configured to use this resolver by default can use it for
these specific domains only. This specification defines a mechanism for do main owners these specific domains only. This specification defines a mechanism for do main owners
to inform DNS clients about local resolvers that are authorized to answer to inform DNS clients about local resolvers that are authorized to answer
authoritatively for certain subdomains.</t> authoritatively for certain subdomains.</t>
</abstract> </abstract>
<note title="Discussion Venues" removeInRFC="true">
<t>Discussion of this document takes place on the
Adaptive DNS Discovery Working Group mailing list (add@ietf.org),
which is archived at <eref target="https://mailarchive.ietf.org/arch/b
rowse/add/"/>.</t>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/ietf-wg-add/draft-ietf-add-split-hori
zon-authority"/>.</t>
</note>
</front> </front>
<middle> <middle>
<section anchor="intro"> <section anchor="intro">
<name>Introduction</name> <name>Introduction</name>
<t>To resolve a DNS query, there are three main behaviors that an <t>To resolve a DNS query, there are three main behaviors that an
implementation can apply: (1) answer from a local database, (2) query implementation can apply: (1) answer from a local database, (2) query
the relevant authorities and their parents, or (3) ask a server to query the relevant authorities and their parents, or (3) ask a server to query
those authorities and return the final answer. Implementations that use those authorities and return the final answer. Implementations that use
these behaviors are called "authoritative nameservers", "full/recursive these behaviors are called "authoritative nameservers", "full/recursive
resolvers", and "forwarders" (or "stub resolvers") respectively. However, an resolvers", and "forwarders" (or "stub resolvers"), respectively. However, an
implementation can also implement a mixture of these behaviors, implementation can also implement a mixture of these behaviors,
depending on a local policy, for each query. Such an implementation depending on local policy, for each query. Such an implementation
is termed a "hybrid resolver".</t> is termed a "hybrid resolver".</t>
<t>Most DNS resolvers are hybrids of some kind. For example, stub <t>Most DNS resolvers are hybrids of some kind. For example, stub
resolvers support a local "hosts file" that preempts query resolvers support a local "hosts file" that preempts query
forwarding, and most DNS forwarders and full resolvers can also serve forwarding, and most DNS forwarders and full resolvers can also serve
responses from a local zone file. Other standardized hybrid resolution responses from a local zone file. Other standardized hybrid resolution
behaviors include <xref target="RFC8806">Local Root</xref>, <xref behaviors include <xref target="RFC8806">using a local root</xref>, <xref
target="RFC6762">mDNS</xref>, and <xref target="RFC7686">NXDOMAIN target="RFC6762">Multicast DNS (mDNS)</xref>, and <xref target="RFC7686">N
XDOMAIN
synthesis for .onion</xref>.</t> synthesis for .onion</xref>.</t>
<t>Networks usually offer clients a DNS resolver using means such as <t>Networks usually offer clients a DNS resolver using means such as
(e.g., DHCP OFFER, IPv6 Router Advertisement). Although this resolver is DHCP offers or IPv6 Router Advertisements (RAs). Although this resolver is
formally specified as a recursive resolver (e.g., <relref section="5.1" formally specified as a recursive resolver (e.g., see <xref section="5.1"
target="RFC8106"/>), some networks provide a hybrid resolver target="RFC8106"/>), some networks provide a hybrid resolver
instead. If this resolver acts as an authoritative server for some names instead. If this resolver acts as an authoritative server for some names
and provides different answers for those domains depending on the source and -- depending on the source of the query -- provides different answers
of the query, it is described as the network having "split-horizon DNS", b for those domains, the network is said to be using "split-horizon DNS", because
ecause those those
names resolve in this way only from inside the network.</t> names resolve in this way only from inside the network.</t>
<t>DNS clients that use pure stub resolution, sending all queries to <t>DNS clients that use pure stub resolution, sending all queries to
the network-provided resolver, will always receive the split-horizon the network-provided resolver, will always receive the split-horizon
results. Conversely, clients that send all queries to a different results. Conversely, clients that send all queries to a different
resolver or implement pure full resolution locally will never receive resolver or implement pure full resolution locally will never receive
them. Clients that strictly implement either of these resolution behaviors are out of scope for them. Clients that strictly implement either of these resolution behaviors are out of scope for
this specification. Instead, this specification enables hybrid clients this specification. Instead, this specification enables hybrid clients
to access split-horizon results from a network-provided hybrid resolver, to access split-horizon results from a network-provided hybrid resolver,
while using a different resolution method for some or all other while using a different resolution method for some or all other
names.</t> names.</t>
<t>There are several existing mechanisms for a network to provide <t>There are several existing mechanisms for a network to provide
clients with "local domain hints", listing domain names that have clients with "local domain hints", listing domain names that are given
special treatment in this network (e.g., <xref target="RFC6731"> special treatment in this network (e.g., <xref target="RFC6731">
RDNSS Selection</xref>, <xref target="RFC5986"> "Recursive DNS Server (RDNSS) selection"</xref>, <xref target="RFC5986">
"Access Network Domain Name"</xref>, and "Client FQDN" <xref "access network domain name"</xref>, and "Client Fully Qualified Domain Na
target="RFC4702"/><xref target="RFC4704"/> in DHCP, "dnsZones" in me
Provisioning Domains <xref target="RFC8801"/>, and <xref (FQDN)" <xref
target="RFC8598">INTERNAL_DNS_DOMAIN</xref> in IKEv2). target="RFC4702"/> <xref target="RFC4704"/> in DHCP; "dnsZones" in
However, none of the local domain hint mechanisms enables clients to Provisioning Domains (PvDs) <xref target="RFC8801"/>; and <xref
target="RFC8598">"INTERNAL_DNS_DOMAIN"</xref> in Internet Key Exchange Pro
tocol Version 2 (IKEv2)).
However, none of the local domain hint mechanisms enable clients to
determine whether this special treatment is authorized by the domain determine whether this special treatment is authorized by the domain
owner. Instead, these specifications require clients to make their own owner. Instead, these specifications require clients to make their own
determinations about whether to trust and rely on these hints.</t> determinations about whether to trust and rely on these hints.</t>
<t>This document describes a mechanism between domain names, networks, <t>This document describes a mechanism between domain names, networks,
and clients that allows the network to establish its authority over a and clients that allows the network to establish its authority over a
domain to a client (<xref target="establishing"/>). Clients can domain to a client (<xref target="establishing"/>). Clients can
use this protocol to confirm that a local domain hint was authorized by use this protocol to confirm that a local domain hint was authorized by
the domain owner (<xref target="validating"/>), which might influence the domain owner (<xref target="validating"/>), which might influence
its processing of that hint. This process requires cooperation between its processing of that hint. This process requires cooperation between
the local DNS zone and the public zone.</t> the local DNS zone and the public zone.</t>
<t>This specification relies on securely identified local DNS servers, <t>In this specification, network operators securely identify the local DN
and checks each local domain hint against a globally valid parent zone.</t S
> servers, and clients check each local domain hint against a globally
valid parent zone.</t>
</section> </section>
<section anchor="notation"> <section anchor="notation">
<name>Terminology</name> <name>Terminology</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14 <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED< "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
/bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as descri "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
bed in BCP 14 "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document
<xref target="RFC2119"/><xref target="RFC8174"/> when, and are to be interpreted as described in BCP&nbsp;14
only when, they appear in all capitals, as shown here.</t> <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
when, they appear in all capitals, as shown here.</t>
<t>This document makes use of the terms defined in <xref <t>This document makes use of the terms defined in <xref
target="RFC9499"/>, e.g., "Global DNS". The following additional terms ar target="RFC9499"/>, e.g., "global DNS". The following additional terms ar
e e
used throughout the document:</t> used throughout this document:</t>
<dl> <dl>
<dt>Encrypted DNS</dt><dd>A DNS protocol that provides an <dt>Encrypted DNS:</dt><dd>A DNS protocol that provides an
encrypted channel between a DNS client and server (e.g., DNS encrypted channel between a DNS client and server (e.g., DNS
over TLS (DoT) <xref over TLS (DoT) <xref
target="RFC7858"/>, HTTPS (DoH) <xref target="RFC7858"/>, DNS (queries) over HTTPS (DoH) <xref
target="RFC8484"/>, QUIC (DoQ) <xref target="RFC8484"/>, DNS over QUIC (DoQ) <xref
target="RFC9250"/>).</dd> target="RFC9250"/>).</dd>
<dt>Encrypted DNS resolver</dt><dd>Refers to a DNS resolver <dt>Encrypted DNS Resolver:</dt><dd>Refers to a DNS resolver
that supports any encrypted DNS scheme.</dd> that supports any encrypted DNS scheme.</dd>
<dt>Split-Horizon DNS</dt><dd>The DNS service provided by a resolver <dt>Split-Horizon DNS:</dt><dd>The DNS service provided by a resolver
that also acts as an authoritative server for some names, providing that also acts as an authoritative server for some names, providing
resolution results that are meaningfully different from those in the resolution results that are meaningfully different from those in the
Global DNS. (See "Split DNS" in <relref section="6" global DNS. (See the definition of "split DNS" in <xref section="6"
target="RFC9499"/>.)</dd> target="RFC9499"/>.)</dd>
<dt>Validated Split-Horizon</dt><dd>A split horizon configuration for <dt>Validated Split Horizon:</dt><dd>A split-horizon configuration that
some name is considered "validated" if the client has confirmed that is authorized by the parents of the affected names and confirmed by the
a parent of that name has authorized this resolver to serve its own client. Such authorization generally extends to the
responses for that name. Such authorization generally extends to the
entire subtree of names below the authorization point.</dd> entire subtree of names below the authorization point.</dd>
</dl> </dl>
<t>In this document, the terms 'owner' and 'operator' are used interchange ably <t>In this document, the terms "owner" and "operator" are used interchange ably
and refer to the individual or entity responsible for the management and and refer to the individual or entity responsible for the management and
maintenance of domains.</t> maintenance of domains.</t>
<t>Long lines in examples are wrapped using a single backslash ("\")
per <xref target="RFC8792"/>.</t>
</section> </section>
<section> <section>
<name>Scope</name> <name>Scope</name>
<t>The protocol in this document is designed to support the ability of <t>The protocol described in this document is designed to support the abil ity of
a domain owner to create or authorize a split-horizon view of their a domain owner to create or authorize a split-horizon view of their
domain. The protocol does not support split-horizon views created by domain. The protocol does not support split-horizon views created by
any other entity. Thus, DNS filtering is not enabled by this protocol.</t> any other entity. Thus, DNS filtering is not enabled by this protocol.</t>
<t>The protocol is applicable to any type of network offering <t>The protocol is applicable to any type of network offering
split-horizon DNS configuration. The endpoint does not need any prior split-horizon DNS configuration. The endpoint does not need any prior
configuration to confirm that a local domain hint was indeed authorized configuration to confirm that a local domain hint was indeed authorized
by the domain.</t> by the domain.</t>
<t>All of the special-use domain names registered with IANA <xref target=" <t>All of the Special-Use Domain Names registered with IANA <xref target="
RFC6761"/>, RFC6761"/>,
most notably ".home.arpa", "resolver.arpa.", "ipv4only.arpa." and ".local" most notably "home.arpa.", "resolver.arpa.", "ipv4only.arpa.", and "local.
, are never ", are never
unique to a specific DNS server's authority. All special-use domain names unique to a specific DNS server's authority. All Special-Use Domain Names
are outside the are outside the
scope of this document and MUST NOT be validated using the mechanism descr scope of this document and <bcp14>MUST NOT</bcp14> be validated using the
ibed in this document. </t> mechanism described in this document. </t>
<t> Use of this specification is limited to DNS servers that support authe <t>The use of this specification is limited to DNS servers that support au
nticated encryption and thenticated encryption and
split-horizon DNS names that are rooted in the global DNS.</t> split-horizon DNS names that are rooted in the global DNS.</t>
</section> </section>
<section> <section>
<name>Requirements</name> <name>Requirements</name>
<t>This solution seeks to fulfill the following requirements:</t> <t>This solution seeks to fulfill the following requirements:</t>
<ul> <dl newline="false" spacing="normal">
<li>No loss of security: No unauthorized party can impersonate <dt>No loss of security:</dt><dd>No unauthorized party can impersonate
a zone unless they could already do so without use of this a zone unless they could already do so without the use of this
specification.</li> specification.</dd>
<li>Least privilege: Local resolvers do not hold any <dt>Least privilege:</dt><dd>Local resolvers do not hold any
secrets that could weaken the security of the public zone if secrets that could weaken the security of the public zone if
compromised.</li> compromised.</dd>
<li>Local zone confidentiality: The specification does not leak <dt>Local zone confidentiality:</dt><dd>The specification does not leak
local network subdomains to anyone outside of the network.</li> local network subdomains to anyone outside of the network.</dd>
<li>Flexibility: The specification can represent and authorize <dt>Flexibility:</dt><dd>The specification can represent and authorize
a Split DNS zone structure.</li> a split DNS zone structure.</dd>
<li>DNSSEC Compatibility: The specification supports DNSSEC-based <dt>DNSSEC compatibility:</dt><dd>The specification supports DNSSEC-base
<xref target="RFC9364"/> object security for local zone contents.</li> d
</ul> object security for local zone contents per <xref target="RFC9364"/>.<
/dd>
</dl>
</section> </section>
<section anchor="establishing"> <section anchor="establishing">
<name>Establishing Local DNS Authority</name> <name>Establishing Local DNS Authority</name>
<t>A participating network <bcp14>MUST</bcp14> offer one or more <t>A participating network <bcp14>MUST</bcp14> offer one or more
encrypted resolvers via DHCP and Router Advertisement Options for the encrypted resolvers via DHCP and Router Advertisement options for the
Discovery of Network-designated Resolvers (DNR) <xref target="RFC9463"/>, Discovery of Network-designated Resolvers (DNR) <xref target="RFC9463"/>,
Discovery of Designated Resolvers (DDR) <xref target="RFC9462"/>, or an Discovery of Designated Resolvers (DDR) <xref target="RFC9462"/>, or an
equivalent mechanism (see <xref target="vpn"/>).</t> equivalent mechanism (see <xref target="vpn"/>).</t>
<t>To establish local authority, the network MUST convey one or more <t>To establish local authority, the network <bcp14>MUST</bcp14> convey on
"Authorization Claims" to the client. An "Authorization Claim" is an e or more
"authorization claims" to the client. An authorization claim is an
abstract structure comprising:</t> abstract structure comprising:</t>
<ul> <ul>
<li>An Authentication Domain Name (ADN) of a local encrypted resolver.</ li> <li>An Authentication Domain Name (ADN) of a local encrypted resolver.</ li>
<li>The DNS name of the authorizing parent zone.</li> <li>The DNS name of the authorizing parent zone.</li>
<li>A set of subdomains of this parent zone that are claimed by <li>A set of subdomains of this parent zone that are claimed by
the named local resolver (potentially including the entire parent the named local resolver (potentially including the entire parent
zone). To claim the entire parent zone, the claimed subdomain zone). To claim the entire parent zone, the claimed subdomain
will be represented as an asterisk symbol "*".</li> will be represented as an asterisk symbol ("*").</li>
<li>A ZONEMD Hash Algorithm (<relref section="5.3" target="RFC8976"/>). <li>A ZONEMD Hash Algorithm (<xref section="5.3" target="RFC8976"/>).
For interoperability purposes implementations MUST support the For interoperability purposes, implementations <bcp14>MUST</bcp14> su
pport the
"mandatory to implement" hash algorithms defined in "mandatory to implement" hash algorithms defined in
<relref section="2.2.3" target="RFC8976"/>. </li> <xref section="2.2.3" target="RFC8976"/>. </li>
<li>A high-entropy salt, up to 255 octets.</li> <li>A high-entropy salt, up to 255 octets.</li>
</ul> </ul>
<t>If the local encrypted resolver is identified by name (e.g., DNR), that <t>If the local encrypted resolver is identified by name (e.g., using DNR)
identifying name MUST be the one used in any corresponding Authorization , that
Claim. Otherwise (e.g., DDR using IP addresses), the resolver MUST identifying name <bcp14>MUST</bcp14> be the name used in any corresponding
authorization
claim. Otherwise (e.g., DDR using IP addresses), the resolver <bcp14>MUST
</bcp14>
present a validatable certificate containing a subjectAltName that present a validatable certificate containing a subjectAltName that
matches the Authorization Claim using the validation techniques for matches the authorization claim using the validation techniques for
matching as described in <xref target="RFC9525"/>.</t> matching as described in <xref target="RFC9525"/>.</t>
<t>The network then provides each Authorization Claim to the parent zone o perator. <t>The network then provides each authorization claim to the parent zone o perator.
If the contents are approved, the parent zone operator computes a "Verific ation Token" If the contents are approved, the parent zone operator computes a "Verific ation Token"
according to the following procedure:</t> according to the following procedure:</t>
<ol> <ol>
<li>Convert all subdomains into canonical form and sort them in canonica l <li>Convert all subdomains into canonical form and sort them in canonica l
order (<relref section="6" target="RFC4034"/>).</li> order (<xref section="6" target="RFC4034"/>).</li>
<li>Replace the suffix corresponding to the parent zone with a zero <li>Replace the suffix corresponding to the parent zone with a zero
octet.</li> octet.</li>
<li>Let $X be the concatenation of the resulting pseudo-FQDNs.</li> <li>Let $X be the concatenation of the resulting pseudo-FQDNs.</li>
<li>Let len($SALT) be the number of octets of salt, as a single octet.</ li> <li>Let len($SALT) be the number of octets of salt, as a single octet.</ li>
<li>Let $TOKEN = hash(len($SALT) || $SALT || $X). Where "||" denotes con catenation and hash is the ZONEMD Hash Algorithm.</li> <li>Let $TOKEN = hash(len($SALT) || $SALT || $X), where "||" denotes con catenation and hash is the ZONEMD Hash Algorithm.</li>
</ol> </ol>
<t>The zone operator then publishes a "Verification Record" with the <t>The zone operator then publishes a "Verification Record" with the
following structure, following the best practices outlined in Sections 5.1 following structure, following the best practices outlined in
and 5.2 of Sections&nbsp;<xref target="I-D.ietf-dnsop-domain-verification-techniques"
<xref target="I-D.ietf-dnsop-domain-verification-techniques"/>:</t> sectionFormat="bare" section="5.2"/> and <xref target="I-D.ietf-dnsop-domain-ve
<ul> rification-techniques"
<li>Type = TXT.</li> sectionFormat="bare" section="5.3"/> of <xref target="I-D.ietf-dnsop-domain-veri
fication-techniques"/>:</t>
<ul>
<li>Type = TXT</li>
<li>Owner Name = Concatenation of the ADN, "_splitdns-challenge", and <li>Owner Name = Concatenation of the ADN, "_splitdns-challenge", and
the parent zone name.</li> the parent zone name</li>
<li>Contents = "key/value" pairs, e.g., "token=base64url($TOKEN)" (witho ut padding)</li> <li>Contents = "key/value" pairs, e.g., "token=base64url($TOKEN)" (witho ut padding)</li>
</ul> </ul>
<t>By publishing this record, the parent zone authorizes the local <t>By publishing this record, the parent zone authorizes the local
encrypted resolver to serve these subdomains authoritatively.</t> encrypted resolver to serve these subdomains authoritatively.</t>
<section> <section>
<name>Example</name> <name>Example</name>
<t>Consider the following authorization claim:</t> <t>Consider the following authorization claim:</t>
<ul> <ul>
<li>ADN = "resolver17.parent.example"</li> <li>ADN = "resolver17.parent.example"</li>
<li>Parent = "parent.example"</li> <li>Parent = "parent.example"</li>
<li>Subdomains = "payroll.parent.example", <li>Subdomains = "payroll.parent.example",
"secret.project.parent.example"</li> "secret.project.parent.example"</li>
<li>Hash Algorithm = SHA-384 <xref target="RFC6234"/></li> <li>Hash Algorithm = SHA-384 <xref target="RFC6234"/></li>
<li>Salt = "example salt octets (should be random)"</li> <li>Salt = "example salt octets (should be random)"</li>
</ul> </ul>
<t>To approve this claim, the zone operator would publish the following record:</t> <t>To approve this claim, the zone operator would publish the following record:</t>
<t>NOTE: '\' line wrapping per <xref target="RFC8792"/></t>
<sourcecode type="dns-rr"> <sourcecode type="dns-rr">
resolver17.parent.example._splitdns-challenge.parent.example. \ resolver17.parent.example._splitdns-challenge.parent.example. \
IN TXT "token=z1qyK7QWwQPkT-ZmVW-tAQbsNyYenTNBPp5ogYB8S1wesVCR\ IN TXT "token=z1qyK7QWwQPkT-ZmVW-tAQbsNyYenTNBPp5ogYB8S1wesVCR\
-KJDv2eFwfJcWQM" -KJDv2eFwfJcWQM"
</sourcecode> </sourcecode>
</section> </section>
<section> <section>
<name>Conveying Authorization Claims</name> <name>Conveying Authorization Claims</name>
<t> <t>
The Authorization Claim is an abstract structure that must be encoded in The authorization claim is an abstract structure that must be encoded in
some concrete syntax in order to convey it from the network to the cli ent. some concrete syntax in order to convey it from the network to the cli ent.
This section defines some encodings of the Authorization Claims. This section defines some encodings of the authorization claims.
</t> </t>
<section> <section>
<name>Using DHCP</name> <name>Using DHCP</name>
<t> <t>
In DHCP, each Authorization Claim is encoded as a DHCP Authenticatio
n In DHCP, each authorization claim is encoded as a DHCP Authenticatio
Option (<xref target="RFC3118"/> and <relref section="21.11" target= n
"RFC8415"/>), option (<xref target="RFC3118"/> and <xref section="21.11" target="R
using the Protocol value $TBD1, "Split DNS Authentication". In DHCPv FC8415"/>),
4 <xref target="RFC2131"/>, the long-options using the Protocol value 4, "Split-horizon DNS". In DHCPv4 <xref tar
mechanism described in <relref section="8" target="RFC3396"/> MUST b get="RFC2131"/>, the mechanism for splitting long options as
e used if the described in <xref section="8" target="RFC3396"/> <bcp14>MUST</bcp14
authentication option exceeds the maximum DHCPv4 option size of 255 > be used if the
octets. The Algorithm field Authentication option exceeds the maximum DHCPv4 option size of 255
octets. The Algorithm field
provides the ZONEMD Hash Algorithm, represented by its registered Va lue. provides the ZONEMD Hash Algorithm, represented by its registered Va lue.
The Replay Detection Method value <bcp14>MUST</bcp14> be 0x00. The A uthentication Information The Replay Detection Method value <bcp14>MUST</bcp14> be 0x00. The A uthentication Information
<bcp14>MUST</bcp14> contain the following information, concatenated: </t> <bcp14>MUST</bcp14> contain the following information, concatenated: </t>
<ol> <ol>
<li>The ADN in canonical form.</li> <li>The ADN in canonical form.</li>
<li>The parent name in canonical form.</li> <li>The parent name in canonical form.</li>
<li>A one-octet "salt length" field.</li> <li>A one-octet "salt length" field.</li>
<li>The salt value.</li> <li>The salt value.</li>
<li>The $X value defined in <xref target="establishing"/>.</li> <li>The $X value as defined in <xref target="establishing"/>.</li>
</ol> </ol>
</section> </section>
<section anchor="splitclaims"> <section anchor="splitclaims">
<name>Using Provisioning Domains</name> <name>Using Provisioning Domains</name>
<t>When using <xref target="RFC8801">Provisioning Domains</xref>, the <t>When using <xref target="RFC8801">PvDs</xref>, the
Authorization Claims are represented by the PvD Additional authorization claims are represented by the PvD Additional
Information key "splitDnsClaims", whose value is a Information key "splitDnsClaims", whose value is a
JSON Array. Each entry in the array <bcp14>MUST</bcp14> be a JSON obj ect JSON array. Each entry in the array <bcp14>MUST</bcp14> be a JSON obj ect
with the following structure:</t> with the following structure:</t>
<ul> <dl newline="false" spacing="normal">
<li>"resolver": The ADN as a dot-separated name.</li> <dt>"resolver":</dt><dd>The ADN as a dot-separated name.</dd>
<li>"parent": The parent zone name as a dot-separated name.</li> <dt>"parent":</dt><dd>The parent zone name as a dot-separated name.<
<li>"subdomains": An array containing the claimed subdomains, as /dd>
<dt>"subdomains":</dt><dd>An array containing the claimed subdomains
, as
dot-separated names with the parent suffix already removed, in dot-separated names with the parent suffix already removed, in
canonical order. To claim the entire parent zone, the claimed su bdomain canonical order. To claim the entire parent zone, the claimed su bdomain
will be represented as an asterisk symbol "*".</li> will be represented as an asterisk symbol ("*").</dd>
<li>"algorithm": The hash algorithm is represented by its "Mnemonic" <dt>"algorithm":</dt><dd>The hash algorithm, represented by its "Mne
string from the ZONEMD Hash Algorithms registry (<relref target= monic"
"RFC8976" string from the "ZONEMD Hash Algorithms" registry (<xref target=
section="5.2" displayFormat="comma"/>).</li> "RFC8976"
<li>"salt": The salt, encoded in base64url <xref target="RFC4648"/>. section="5.3" sectionFormat="of"/>).</dd>
</li> <dt>"salt":</dt><dd>The salt, encoded in base64url <xref target="RFC
</ul> 4648"/>.</dd>
</dl>
<t>Future specifications aiming to define new keys will need to add them to the <t>Future specifications aiming to define new keys will need to add them to the
IANA registry defined in <xref target="IANA"/>. DNS client implementatio IANA registry defined in <xref target="new-split-claims-registry"/>. DNS
ns client implementations
will ignore any keys they don't recognize but may also report about will ignore any keys they don't recognize but may also report
unknown keys.</t> unknown keys.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="validating"> <section anchor="validating">
<name>Validating Authority over Local Domain Hints</name> <name>Validating Authority over Local Domain Hints</name>
<t>To validate an Authorization Claim provided by the network, DNS clients <t>To validate an authorization claim provided by the network, DNS clients
<bcp14>MUST</bcp14> resolve the Verification Record for that name. <bcp14>MUST</bcp14> resolve the Verification Record for that name.
If the resolution produces an RRSet containing the expected token for this If the resolution produces an RRset containing the expected token for this
Claim, the client <bcp14>SHALL</bcp14> regard the named resolver as claim, the client <bcp14>SHALL</bcp14> regard the named resolver as
authoritative for the claimed subdomains. Clients <bcp14>MUST</bcp14> igno re authoritative for the claimed subdomains. Clients <bcp14>MUST</bcp14> igno re
any unrecognized keys in the Verification Record.</t> any unrecognized keys in the Verification Record.</t>
<t>Each validation of authority applies only to a specific ADN. <t>Each validation of authority applies only to a specific ADN.
If a network offers multiple encrypted resolvers, each claimed If a network offers multiple encrypted resolvers, each claimed
subdomain may be authorized for a distinct subset of the network-provided subdomain may be authorized for a distinct subset of the network-provided
resolvers.</t> resolvers.</t>
<t>A zone is termed a "Validated Split-Horizon zone" after successful <t>A zone is termed a "Validated Split-Horizon zone" after successful
validation using a "tamperproof" DNS resolution method, i.e., a method validation using a "tamperproof" DNS resolution method, i.e., a method
that is not subject to interference by the local network operator. Two that is not subject to interference by the local network operator. Two
possible tamperproof resolution methods are presented below.</t> possible tamperproof resolution methods are presented below.</t>
<section anchor="validating-external"> <section anchor="validating-external">
<name>Using a Pre-configured External Resolver</name> <name>Using a Preconfigured External Resolver</name>
<t>This method applies only if the client is already configured with <t>This method applies only if the client is already configured with
a default resolution strategy that sends queries to a resolver outside a default resolution strategy that sends queries to a resolver outside
of the network over a encrypted transport. That resolution strategy is of the network over an encrypted transport. That resolution strategy is
considered "tamperproof" because any actor who could modify the considered tamperproof because any actor who could modify the
response could already modify all of the user's other DNS responses. response could already modify all of the user's other DNS responses.
If the client cannot obtain a response from the external resolver within a If the client cannot obtain a response from the external resolver within a
reasonable timeout period, it MUST consider the verification process reasonable timeframe, it <bcp14>MUST</bcp14> consider the verification p rocess
to have failed.</t> to have failed.</t>
<t>To ensure that this assumption holds, clients <bcp14>MUST NOT</bcp14> <t>To ensure that this assumption holds, clients <bcp14>MUST NOT</bcp14>
relax the acceptance rules they would otherwise apply when using this relax the acceptance rules they would otherwise apply when using this
resolver. For example, if the client would check the Authenticated Data (AD) resolver. For example, if the client would check the Authenticated Data (AD)
bit or validate RRSIGs locally when using this resolver, it must also do so bit or validate RRSIGs locally when using this resolver, it must also do so
when resolving TXT records for this purpose. Alternatively, a client mig ht when resolving TXT records for this purpose. The client <bcp14>MAY</bcp1 4>
perform DNSSEC validation for the verification query perform DNSSEC validation for the verification query
even if it has disabled DNSSEC validation for other DNS queries.</t> even if it has disabled DNSSEC validation for other DNS queries.</t>
</section> </section>
<!-- validating-external -->
<section anchor="validating-dnssec"> <section anchor="validating-dnssec">
<name>Using DNSSEC</name> <name>Using DNSSEC</name>
<t>The client resolves the Verification Record using any resolution meth od of <t>The client resolves the Verification Record using any resolution meth od of
its choice (e.g., querying one of the network-provided resolvers, its choice (e.g., querying one of the network-provided resolvers,
performing iterative resolution locally), and performs full DNSSEC performing iterative resolution locally) and performs full DNSSEC
validation locally <xref target="RFC6698"/>. The result is validation locally <xref target="RFC6698"/>. The result is
processed based on its DNSSEC validation state (<relref section="4.3" processed based on its DNSSEC validation state (<xref section="4.3"
target="RFC4035" displayFormat="comma"/>): </t> target="RFC4035" sectionFormat="of"/>): </t>
<ul empty="true">
<li><strong>Secure</strong>: The response is used for validation.</li> <dl newline="false" spacing="normal">
<li><strong>Bogus</strong> or <strong>Indeterminate</strong>: The resp <dt><strong>Secure</strong>:</dt><dd>The response is used for validati
onse is rejected and on.</dd>
validation is considered to have failed.</li> <dt><strong>Bogus</strong> or <strong>Indeterminate</strong>:</dt><dd>
<li><strong>Insecure</strong>: The client <bcp14>SHOULD</bcp14> retry The response is rejected, and
the validation validation is considered to have failed.</dd>
process using a different method, such as the one in <xref <dt><strong>Insecure</strong>:</dt><dd>The client <bcp14>SHOULD</bcp14
> retry the validation
process using a different method, such as the method described in <x
ref
target="validating-external"/>, to ensure compatibility with target="validating-external"/>, to ensure compatibility with
unsigned names. If the client chooses not to retry (e.g., no configu red policy to validate unsigned names. If the client chooses not to retry (e.g., no configu red policy to validate
the authorization claim using an external resolver), it MUST conside the authorization claim using an external resolver), it <bcp14>MUST<
r /bcp14> consider
validation to have failed.</li> validation to have failed.</dd>
</ul> </dl>
</section> </section>
<!-- validating-DNSSEC -->
</section> </section>
<!-- Validating -->
<section> <section>
<name>Delegating DNSSEC across Split DNS Boundaries</name> <name>Delegating DNSSEC Across Split DNS Boundaries</name>
<t>When the local zone can be signed with globally trusted keys for the pa rent <t>When the local zone can be signed with globally trusted keys for the pa rent
zone, support for DNSSEC can be accomplished simply by placing a zone cut at zone, support for DNSSEC can be accomplished by simply placing a zone cut at
the parent zone and including a suitable DS record for the local resolver' s the parent zone and including a suitable DS record for the local resolver' s
DNSKEY. Zones in this configuration appear the same to validating stubs w hether DNSKEY. Zones in this configuration appear the same to validating stubs w hether
or not they implement this specification.</t> or not they implement this specification.</t>
<t>To enable DNSSEC validation of local DNS names without requiring <t>To enable DNSSEC validation of local DNS names without requiring
the local resolver to hold DNSSEC private keys that are valid for the pare nt the local resolver to hold DNSSEC private keys that are valid for the pare nt
zone, parent zones <bcp14>MAY</bcp14> add a "ds=..." key to the Verificati on zone, parent zones <bcp14>MAY</bcp14> add a "ds=..." key to the Verificati on
Record whose value is the RDATA of a single DS record, base64url-encoded. Record whose value is the RDATA of a single DS record, encoded in base64ur
This l. This
DS record authorizes a DNSKEY whose Owner Name is "resolver.arpa."</t> DS record authorizes a DNSKEY whose owner name is "resolver.arpa."</t>
<t>To validate DNSSEC, the client first fetches and validates the Verifica tion <t>To validate DNSSEC, the client first fetches and validates the Verifica tion
Record. If it is valid and contains a "ds" key, the client <bcp14>MAY</bc p14> Record. If it is valid and contains a "ds" key, the client <bcp14>MAY</bc p14>
send a DNSKEY query for "resolver.arpa." to the local encrypted resolver. send a DNSKEY query for "resolver.arpa." to the local encrypted resolver.
At least one resulting DNSKEY RR <bcp14>MUST</bcp14> match the DS RDATA fr om At least one resulting DNSKEY Resource Record (RR) <bcp14>MUST</bcp14> mat ch the DS RDATA from
the "ds" key in the Verification Record. All local resolution results for the "ds" key in the Verification Record. All local resolution results for
subdomains in this claim <bcp14>MUST</bcp14> offer RRSIGs that chain to a subdomains in this claim <bcp14>MUST</bcp14> offer RRSIGs that chain to a
DNSKEY whose RDATA is identical to one of these approved DNSKEYs.</t> DNSKEY whose RDATA is identical to one of these approved DNSKEYs.</t>
<t>The "ds" key <bcp14>MAY</bcp14> appear multiple <t>The "ds" key <bcp14>MAY</bcp14> appear multiple
times in a single Verification Record, in order to authorize multiple DNSK EYs times in a single Verification Record, in order to authorize multiple DNSK EYs
for this local encrypted resolver. If the "ds" key is not present in a va for this local encrypted resolver.</t>
lid <t>Note that when the local resolver does not have a globally trusted DNSK
Verification Record, the client <bcp14>MUST</bcp14> disable DNSSEC validat EY, any claimed subdomains <bcp14>MUST</bcp14> be marked as
ion unsigned in the public DNS. Otherwise, local resolution results would be
when resolving the claimed subdomains via this local encrypted resolver.</ rejected
t>
<t>Note that in this configuration, any claimed subdomains MUST be marked
as
unsigned in the public DNS. Otherwise, resolution results would be reject
ed
by validating stubs that do not implement this specification.</t> by validating stubs that do not implement this specification.</t>
<figure> <figure>
<name>Example use of "ds=..."</name> <name>Example Use of "ds=..."</name>
<sourcecode> <sourcecode type="dns-rr">
;; Parent zone. ;; Parent zone.
$ORIGIN parent.example. $ORIGIN parent.example.
; Parent zone's public KSK and ZSK ; Parent zone's public Key Signing Key (KSK)
; and Zone Signing Key (ZSK).
@ IN DNSKEY 257 3 5 ABCD...= @ IN DNSKEY 257 3 5 ABCD...=
@ IN DNSKEY 256 3 5 DCBA...= @ IN DNSKEY 256 3 5 DCBA...=
; Verification Record containing DS RDATA for the local ; Verification Record containing DS RDATA for the local
; resolver's KSK. This is an ordinary public TXT record, ; resolver's KSK. This is an ordinary public TXT record,
; secured by RRSIGs from the public ZSK. ; secured by RRSIGs from the public ZSK.
resolver.example._splitdns-challenge IN TXT "token=abc...,ds=QWE..." resolver.example._splitdns-challenge IN TXT "token=abc...,ds=QWE..."
; NSEC record indicating that unsigned delegations are permitted at ; NSEC record indicating that unsigned delegations are permitted at
; this subdomain. This is required for compatibility with non-split-aware ; this subdomain. This is required for compatibility with
; validating stub resolvers. If the claimed label is confidential, the ; non-split-aware validating stub resolvers. If the claimed label is
; parent zone can conceal it using NSEC3 (with or without "opt-out"). ; confidential, the parent zone can conceal it using NSEC3 (with or
; without "opt-out").
@ IN NSEC subdomain.parent.example. NS @ IN NSEC subdomain.parent.example. NS
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Local zone, claiming "subdomain.parent.example". ;; Local zone, claiming "subdomain.parent.example".
; The local resolver's KSK, validated by the Verification Record. ; The local resolver's KSK, validated by the Verification Record.
; It may not have a corresponding RRSIG. ; It may not have a corresponding RRSIG.
resolver.arpa. IN DNSKEY 257 3 5 ASDF...= resolver.arpa. IN DNSKEY 257 3 5 ASDF...=
skipping to change at line 473 skipping to change at line 450
subdomain.parent.example. IN AAAA 2001:db8::17 subdomain.parent.example. IN AAAA 2001:db8::17
subdomain.parent.example IN RRSIG AAAA 5 3 ... \ subdomain.parent.example IN RRSIG AAAA 5 3 ... \
(ZSK key tag) subdomain.parent.example. ... (ZSK key tag) subdomain.parent.example. ...
deeper.subdomain.parent.example. IN AAAA 2001:db8::18 deeper.subdomain.parent.example. IN AAAA 2001:db8::18
deeper.subdomain.parent.example IN RRSIG AAAA 5 3 ... \ deeper.subdomain.parent.example IN RRSIG AAAA 5 3 ... \
(ZSK key tag) subdomain.parent.example. ... (ZSK key tag) subdomain.parent.example. ...
</sourcecode></figure> </sourcecode></figure>
</section> </section>
<section> <section>
<name>Examples of Split-Horizon DNS Configuration</name> <name>Example Split-Horizon DNS Configuration</name>
<t>Two examples are shown below. The first example shows a company <t>Consider an organization that operates "example.com" and runs a
with an internal-only DNS server that claims the entire zone for that
company (e.g., <tt>*.example.com</tt>). In the second example, the
internal servers resolves only a
subdomain of the company's zone (e.g., <tt>*.internal.example.com</tt>).</
t>
<section anchor="internal-only">
<name>Split-Horizon Entire Zone</name>
<t>Consider an organization that operates "example.com", and runs a
different version of its global domain on its internal network.</t> different version of its global domain on its internal network.</t>
<t>First, the host and network both need to support one of the discovery <t>First, the host and network both need to support one of the discovery
mechanisms described in <xref target="establishing"/>. <xref target="fig -learn"/> mechanisms described in <xref target="establishing"/>. <xref target="fig -learn"/>
shows discovery using DNR and PvD.</t> shows discovery using information from the DNR and the PvD.</t>
<t>Validation is then perfomed using either <xref <t>Validation is then performed using either <xref
target="example-verify-external">an external resolver</xref> or <xref target="example-verify-external">an external resolver</xref> or <xref
target="example-verify-dnssec">DNSSEC</xref>.</t> target="example-verify-dnssec">DNSSEC</xref>.</t>
<ul empty="true">
<li><strong>Steps 1-2</strong>: The client determines the network's DN <dl newline="false" spacing="normal">
S <dt><strong>Steps 1-2</strong>:</dt><dd>The client determines the netw
server (dns.example.net) and Provisioning Domain (pvd.example.com) ork's DNS
using <xref target="RFC9463">DNR</xref> and <xref server (<tt>dns.example.net</tt>) and PvD ID (<tt>pvd.example.com</t
target="RFC8801">PvD</xref>, using one of DNR Router Solicitation, t>)
DHCPv4, or DHCPv6.</li> using DNR and a PvD, along with one of the following: DNR Router Sol
<li><strong>Step 3-5</strong>: The client connects to dns.example.net icitation,
DHCPv4, or DHCPv6.</dd>
<dt><strong>Steps 3-5</strong>:</dt><dd>The client connects to <tt>dns
.example.net</tt>
using an encrypted transport as indicated in <xref using an encrypted transport as indicated in <xref
target="RFC9463">DNR</xref>, authenticating the server to target="RFC9463">DNR</xref>, authenticating the server to
its name using TLS (<relref target="RFC8310" section="8" its name using TLS (<xref target="RFC8310" section="8"
displayFormat="comma"/>), and sectionFormat="of"/>), and
sends it a query for the address of <tt>pvd.example.com</tt>.</li> sends it a query for the address of <tt>pvd.example.com</tt>.</dd>
<li><t><strong>Steps 6-7</strong>: The client connects to the PvD serv <dt><strong>Steps 6-7</strong>:</dt><dd><t>The client connects to the
er, PvD server,
validates its certificate, and retrieves the provisioning domain validates its certificate, and retrieves the PvD Additional Informat
JSON information indicated by the associated PvD. The PvD ion
contains:</t> indicated by the associated PvD. The JSON object contains:</t>
<sourcecode type="json">{ <sourcecode type="json">{
"identifier": "pvd.example.com", "identifier": "pvd.example.com",
"expires": "2025-05-23T06:00:00Z", "expires": "2025-05-23T06:00:00Z",
"prefixes": ["2001:db8:1::/48", "2001:db8:4::/48"], "prefixes": ["2001:db8:1::/48", "2001:db8:4::/48"],
"splitDnsClaims": [{ "splitDnsClaims": [{
"resolver": "dns.example.net", "resolver": "dns.example.net",
"parent": "example.com", "parent": "example.com",
"subdomains": ["*"], "subdomains": ["*"],
"algorithm": "SHA384", "algorithm": "SHA384",
"salt": "abc...123" "salt": "abc...123"
}] }]
}</sourcecode> }</sourcecode>
<t>The JSON keys "identifier", "expires", and "prefixes" <t>The JSON keys "identifier", "expires", and "prefixes"
are defined in <xref target="RFC8801"/>.</t></li> are defined in <xref target="RFC8801"/>.</t></dd>
</ul> </dl>
<figure anchor="fig-learn"> <figure anchor="fig-learn">
<name>An Example of Learning Local Claims of DNS Authority</name> <name>An Example of Learning Local Claims of DNS Authority</name>
<artwork><![CDATA[ <artwork><![CDATA[
+---------+ +--------------------+ +------------+ +--------+ +---------+ +--------------------+ +------------+ +--------+
| Client | | Network's | | Network | | Router | | Client | | Network's | | Network | | Router |
| | | Encrypted Resolver | | PvD Server | | | | | | Encrypted Resolver | | PvD Server | | |
+---------+ +--------------------+ +------------+ +--------+ +---------+ +--------------------+ +------------+ +--------+
| | | | | | | |
| Router Solicitation or | | | | Router Solicitation or | | |
| DHCPv4/DHCPv6 (1) | | | | DHCPv4/DHCPv6 (1) | | |
skipping to change at line 546 skipping to change at line 515
|-| now knows DNR ADN & | | | | |-| now knows DNR ADN & | | | |
| | PvD FQDN | | | | | | PvD FQDN | | | |
| |---------------------------/ | | | | |---------------------------/ | | |
| | | | | | | |
| TLS connection to dns.example.net (3) | | | TLS connection to dns.example.net (3) | |
|------------------------------------>| | | |------------------------------------>| | |
| ---------------------------\ | | | | ---------------------------\ | | |
|-| validate TLS certificate | | | | |-| validate TLS certificate | | | |
| |--------------------------/ | | | | |--------------------------/ | | |
| | | | | | | |
| resolve pvd.example.com (4) | | | | resolve pvd.example.com (4) | | |
|------------------------------------>| | | |------------------------------------>| | |
| | | | | | | |
| A or AAAA records (5) | | | | A or AAAA records (5) | | |
|<------------------------------------| | | |<------------------------------------| | |
| | | | | | | |
| https://pvd.example.com/.well-known/pvd (6) | | | https://pvd.example.com/.well-known/pvd (6) | |
|---------------------------------------------->| | |---------------------------------------------->| |
| | | | | | | |
| 200 OK (JSON Additional Information) (7) | | | 200 OK (JSON Additional Information) (7) | |
|<----------------------------------------------| | |<----------------------------------------------| |
| ----------------------------------\ | | | | ----------------------------------\ | | |
|-| {..., "splitDnsClaims": [...] } | | | | |-| {..., "splitDnsClaims": [...] } | | | |
| |---------------------------------/ | | | | |---------------------------------/ | | |
]]></artwork> ]]></artwork>
</figure> </figure>
<section anchor="example-verify-external"> <section anchor="example-verify-external">
<name>Verification Using an External Resolver</name> <name>Verification Using an External Resolver</name>
<t><xref target="fig-learn2"/> shows the steps performed to verify the local <t><xref target="fig-learn2"/> shows the steps performed to verify the local
claims of DNS authority using an external resolver.</t> claims of DNS authority using an external resolver.</t>
<ul empty="true">
<li><strong>Steps 1-2</strong>: The client uses an encrypted DNS <dl newline="false" spacing="normal">
<dt><strong>Steps 1-2</strong>:</dt><dd>The client uses an encrypted
DNS
connection to an external resolver to issue TXT connection to an external resolver to issue TXT
queries for the Verification Records. The TXT lookup returns queries for the Verification Records. The TXT lookup returns
a token that matches the claim.</li> a token that matches the claim.</dd>
<li><strong>Step 3</strong>: The client has validated that <dt><strong>Step 3</strong>:</dt><dd>The client has validated that
<tt>example.com</tt> has authorized <tt>dns.example.net</tt> <tt>example.com</tt> has authorized <tt>dns.example.net</tt>
to serve <tt>example.com</tt>. When the client connects using an to serve <tt>example.com</tt>. When the client connects using an
encrypted transport as indicated in <xref encrypted transport as indicated in <xref
target="RFC9463">DNR</xref>, it will authenticate target="RFC9463">DNR</xref>, it will authenticate
the server to its name using TLS (<relref target="RFC8310" the server to its name using TLS (<xref target="RFC8310"
section="8" displayFormat="comma"/>), and send queries to resolve section="8" sectionFormat="of"/>) and send queries to resolve
any names that fall within the claimed zones.</li> any names that fall within the claimed zones.</dd>
</ul> </dl>
<figure anchor="fig-learn2"> <figure anchor="fig-learn2">
<name>Verifying claims using an external resolver</name> <name>Verifying Claims Using an External Resolver</name>
<artwork><![CDATA[ <artwork><![CDATA[
+---------+ +--------------------+ +----------+ +---------+ +--------------------+ +----------+
| Client | | Network's | | External | | Client | | Network's | | External |
| | | Encrypted Resolver | | Resolver | | | | Encrypted Resolver | | Resolver |
+---------+ +--------------------+ +----------+ +---------+ +--------------------+ +----------+
| | | | | |
| TLS connection | | | TLS connection | |
|--------------------------------------------------->| |--------------------------------------------------->|
| ---------------------------\ | | | ---------------------------\ | |
|-| validate TLS certificate | | | |-| validate TLS certificate | | |
| |--------------------------| | | | |--------------------------| | |
| | | | | |
| TXT? dns.example.net.\ | | | TXT? dns.example.net.\ | |
| _splitdns-challenge.example.com (1) | | | _splitdns-challenge.example.com (1) | |
|--------------------------------------------------->| |--------------------------------------------------->|
| | | | | |
| TXT "token=ABC..." (2) | | | TXT "token=ABC..." (2) | |
|<---------------------------------------------------| |<---------------------------------------------------|
| --------------------------------\ | | | --------------------------------\ | |
|-| dns.example.net is authorized | | | |-| dns.example.net is authorized | | |
| ----------------------\---------| | | | ----------------------\---------| | |
|-| finished validation | | | |-| finished validation | | |
| |---------------------| | | | |---------------------| | |
| | | | | |
| use dns.example.net when | | | use dns.example.net when | |
| resolving example.com (3) | | | resolving example.com (3) | |
|----------------------------------------->| | |----------------------------------------->| |
| | | | | |
]]></artwork> ]]></artwork>
</figure> </figure>
</section> </section>
<!-- external -->
<section anchor="example-verify-dnssec"> <section anchor="example-verify-dnssec">
<name>Verification using DNSSEC</name> <name>Verification Using DNSSEC</name>
<t><xref target="fig-learn3"/> shows the steps performed to verify the local <t><xref target="fig-learn3"/> shows the steps performed to verify the local
claims of DNS authority using DNSSEC.</t> claims of DNS authority using DNSSEC.</t>
<ul empty="true">
<li><strong>Steps 1-2</strong>: The DNSSEC-validating client queries <dl newline="false" spacing="normal">
the network encrypted resolver to issue TXT queries for the <dt><strong>Steps 1-2</strong>:</dt><dd>The DNSSEC-validating client
queries
the network's encrypted resolver to issue TXT queries for the
Verification Records. The TXT lookup will return Verification Records. The TXT lookup will return
a signed response containing the expected token. The client then a signed response containing the expected token. The client then
performs full DNSSEC validation locally.</li> performs full DNSSEC validation locally.</dd>
<li><strong>Step 3</strong>: If the DNSSEC validation is successful <dt><strong>Step 3</strong>:</dt><dd>If the DNSSEC validation is suc
and cessful and
the token matches, then this Authorization Claim is validated. the token matches, then this authorization claim is validated.
Once the client connects using an encrypted transport as indicated Once the client connects using an encrypted transport as indicated
in <xref target="RFC9463">DNR</xref>, it will authenticate in <xref target="RFC9463">DNR</xref>, it will authenticate
the server to its name using TLS (<relref target="RFC8310" the server to its name using TLS (<xref target="RFC8310"
section="8" displayFormat="comma"/>), and send queries to resolve section="8" sectionFormat="of"/>) and send queries to resolve
any names that fall within the claimed zones.</li> any names that fall within the claimed zones.</dd>
</ul> </dl>
<figure anchor="fig-learn3"> <figure anchor="fig-learn3">
<name>An Example of Verifying Claims using DNSSEC</name> <name>An Example of Verifying Claims Using DNSSEC</name>
<artwork><![CDATA[ <artwork><![CDATA[
+---------+ +--------------------+ +---------+ +--------------------+
| Client | | Network's | | Client | | Network's |
| | | Encrypted Resolver | | | | Encrypted Resolver |
+---------+ +--------------------+ +---------+ +--------------------+
| | | |
| DNSSEC OK (DO), TXT? dns.example.net.\ | | DNSSEC OK (DO), TXT? dns.example.net.\ |
| _splitdns-challenge.example.com (1) | | _splitdns-challenge.example.com (1) |
|-------------------------------------------------------------->| |-------------------------------------------------------------->|
| | | |
| TXT token=DEF..., Signed Answer (RRSIG) (2) | | TXT token=DEF..., Signed Answer (RRSIG) (2) |
|<--------------------------------------------------------------| |<--------------------------------------------------------------|
| -------------------------------------\ | | -------------------------------------\ |
|-| DNSKEY+TXT matches RRSIG, use TXT | | |-| DNSKEY+TXT matches RRSIG, use TXT | |
| |------------------------------------| | | |------------------------------------| |
| --------------------------------\ | | --------------------------------\ |
|-| dns.example.net is authorized | | |-| dns.example.net is authorized | |
| |-------------------------------| | | |-------------------------------| |
| ----------------------\ | | ----------------------\ |
|-| finished validation | | |-| finished validation | |
| |---------------------| | | |---------------------| |
| | | |
| use encrypted network-designated resolver for example.com (3) | | use encrypted network-designated resolver for example.com (3) |
|-------------------------------------------------------------->| |-------------------------------------------------------------->|
| | | |
]]></artwork> ]]></artwork>
</figure> </figure>
</section> </section>
</section>
</section> </section>
<section anchor="operatonal"> <section anchor="operational">
<name>Operational Efficiency in Split-Horizon Deployments</name> <name>Operational Efficiency in Split-Horizon Deployments</name>
<t>In many split-horizon deployments, all non-public domain names are <t>In many split-horizon deployments, all non-public domain names are
placed in a separate child zone (e.g., <tt>internal.example.com</tt>). placed in a separate child zone (e.g., <tt>internal.example.com</tt>).
In this configuration, the message flow is similar to <xref In this configuration, the message flow is similar to the flow described
target="internal-only"/>, except that queries for hosts not within the in <xref
target="example-verify-external"/>, except that queries for hosts not wi
thin the
subdomain (e.g., <tt>www.example.com</tt>) are sent to the subdomain (e.g., <tt>www.example.com</tt>) are sent to the
external resolver rather than the resolver for internal.example.com.</t> external resolver rather than the resolver for <tt>internal.example.com<
<t>As in <xref target="internal-only"/>, the internal DNS /tt>.</t>
<t>As specified in <xref target="example-verify-external"/>, the interna
l DNS
server will need a certificate signed by a Certification Authority (CA) trusted by the server will need a certificate signed by a Certification Authority (CA) trusted by the
client.</t> client.</t>
<t>Although placing internal domains inside a child domain is unnecessar <t>Although placing internal domains inside a child domain is not necess
y to prevent leakage, ary to prevent leakage,
such placement reduces the frequency of changes to the Verification Reco such placement reduces the frequency of changes to the Verification Reco
rd, this document rd. This document
recommends the internal domains be kept in a child zone of the local dom recommends that the internal domains be kept in a child zone of the loca
ain hints l domain hints
advertised by the network. For example, if the PvD "dnsZones" entry is advertised by the network. For example, if the PvD "dnsZones" entry is
"internal.example.com" and the network-provided DNS resolver is "ns1.int ernal.example.com", "internal.example.com" and the network-provided DNS resolver is "ns1.int ernal.example.com",
the network operator can structure the internal domain names as the network operator can structure the internal domain names as
"private1.internal.example.com", "private2.internal.example.com", "private1.internal.example.com", "private2.internal.example.com",
etc. The network-designated resolver will be used to resolve the subdoma ins of etc. The network-designated resolver will be used to resolve the subdoma ins of
the local domain hint "*.internal.example.com".</t> the local domain hint "*.internal.example.com".</t>
</section> </section>
<section anchor="vpn"> <section anchor="vpn">
<name>Validation with IKEv2</name> <name>Validation with IKEv2</name>
<t>When the endpoint is using a VPN tunnel and the tunnel is IPsec, the en crypted DNS resolver hosted by <t>When the endpoint is using a VPN tunnel and the tunnel is IPsec, the en crypted DNS resolver hosted by
the VPN service provider can be securely discovered by the endpoint the VPN service provider can be securely discovered by the endpoint
using the ENCDNS_IP*_* IKEv2 Configuration Payload Attribute Types using the ENCDNS_IP* IKEv2 Configuration Payload Attribute Types
defined in <xref target="RFC9464"/>. The VPN client defined in <xref target="RFC9464"/>. The VPN client
can use the mechanism defined in Section 6 to validate that the discovered can use the mechanism defined in <xref target="validating"/> to validate t hat the discovered
encrypted DNS resolver is authorized to answer for the claimed subdomains. </t> encrypted DNS resolver is authorized to answer for the claimed subdomains. </t>
<t>Other VPN tunnel types have similar configuration capabilities, not <t>Other VPN tunnel types have similar configuration capabilities. Note th
detailed here.</t> at those
capabilities are not discussed in this document.</t>
</section> </section>
<section anchor="aclaim"> <section anchor="aclaim">
<name>Authorization Claim Update</name> <name>Authorization Claim Update</name>
<t>A verification record is only valid until it expires. Expiry occurs whe <t>A Verification Record is only valid until it expires. Expiry occurs whe
n the Time To Live (TTL) n the Time To Live (TTL)
or DNSSEC signature validity period ends. Shortly before verification reco or DNSSEC signature validity period ends. Shortly before Verification Reco
rd expiry, clients MUST rd expiry, clients <bcp14>MUST</bcp14>
fetch the verification records again and repeat the verification procedure fetch the Verification Records again and repeat the verification procedure
. This ensures the . This ensures the
availability of updated and valid verification records.</t> availability of updated and valid Verification Records.</t>
<t>A new verification record must be added to the RRset before the corresp <t>A new Verification Record must be added to the RRset before the corresp
onding Authorization onding authorization
Claim is updated. After the claim is updated, the following procedures ca claim is updated. After the claim is updated, the following procedures ca
n be used:</t> n be used:</t>
<ol> <ol>
<li>DHCP reconfiguration can be initiated by a DHCP server that has prev iously communicated with a DHCP client and <li>DHCP reconfiguration can be initiated by a DHCP server that has prev iously communicated with a DHCP client and
negotiated for the DHCP client to listen for Reconfigure messages, to prompt negotiated for the DHCP client to listen for Reconfigure messages, to prompt
the DHCP clients for the DHCP client to
dynamically requesting the updated Authorization Claim. This process avo dynamically request the updated authorization claim. This process avoids
ids the need for the need for
the client to wait for its current lease to complete and request a new o ne, enabling the lease the client to wait for its current lease to complete and request a new o ne, enabling the lease
renewal to be driven by the DHCP server.</li> renewal to be driven by the DHCP server.</li>
<li>The sequence number in the RA PvD option <li>The sequence number in the RA PvD Option
will be incremented, requiring clients to fetch PvD additional informati can be incremented, requiring clients to fetch PvD Additional Informatio
on from the HTTPS n from the HTTPS
server due to the updated sequence number in the new RA (<relref target= server due to the updated sequence number in the new RA (<xref target="R
"RFC8801" section="4.1" FC8801" section="4.1"
displayFormat="comma"/>).</li> sectionFormat="of"/>).</li>
<li>The old verification record needs to be maintained until the DHCP le <li>The old Verification Record needs to be maintained until the DHCP le
ase time or PvD ase or PvD Additional Information expires.</li>
Additional Information expiry.</li>
</ol> </ol>
</section> </section>
<section anchor="Security"> <section anchor="Security">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>The Authentication Domain Names of authorized local encrypted resolvers <t>The ADNs of authorized local encrypted resolvers are
are revealed in the owner names of Verification Records. This makes it easier
revealed in the Owner Names of Verification Records. This makes it easier for
for
domain owners to understand which resolvers they are currently authorizing to domain owners to understand which resolvers they are currently authorizing to
implement Split DNS. However, this could create a confidentiality issue if the implement split DNS. However, this could create a confidentiality issue if the
local encrypted resolver's name contains sensitive information or is part of a local encrypted resolver's name contains sensitive information or is part of a
secret subdomain. To mitigate the impact of such leakage, local resolvers should secret subdomain. To mitigate the impact of such leakage, local resolvers should
be given names that do not reveal any sensitive information.</t> be given names that do not reveal any sensitive information.</t>
<t> The security properties of hashing algorithms are not fixed. Algorithm Agility <t> The security properties of hashing algorithms are not fixed. Algorithm agility
(see <xref target="RFC7696"/>) is achieved by providing implementations wi th (see <xref target="RFC7696"/>) is achieved by providing implementations wi th
flexibility to choose hashing algorithms from the ZONEMD Schemes registry the flexibility to choose hashing algorithms from the "ZONEMD Hash Algorit
(<relref target="RFC8976" section="5.2" displayFormat="comma"/>).</t> hms" registry
<t>The entropy of salt depends on a high-quality pseudo-random number gene (<xref target="RFC8976" section="5.3" sectionFormat="of"/>).</t>
rator. <t>The entropy of a salt depends on a high-quality pseudorandom number gen
erator.
For further discussion on random number generation, see <xref target="RFC4 086"/>. For further discussion on random number generation, see <xref target="RFC4 086"/>.
The salt MUST be regenerated whenever the authorization claim is updated.< /t> The salt <bcp14>MUST</bcp14> be regenerated whenever the authorization cla im is updated.</t>
</section> </section>
<section anchor="IANA"> <section anchor="IANA">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<section> <section>
<name>DHCP Split DNS Authentication Algorithm</name> <name>New DHCP Authentication Algorithm for Split DNS</name>
<t>IANA is requested to add the following entry to the "Protocol Name Sp <t>IANA has added the following entry to the "Protocol Name Space
ace Values" registry in the "Dynamic Host Configuration Protocol (DHCP)
Values" registry on the "Dynamic Host Configuration Protocol (DHCP) Authentication Option Name Spaces" registry group:</t>
Authentication Option Name Spaces" page:</t>
<ul> <dl newline="false" spacing="normal">
<li>Value: $TBD1</li> <dt>Value:</dt><dd>4</dd>
<li>Description: Split-horizon DNS</li> <dt>Description:</dt><dd>Split-horizon DNS</dd>
<li>Reference: (This Document)</li> <dt>Reference:</dt><dd>RFC 9704</dd>
</ul> </dl>
</section> </section>
<section> <section>
<name>Provisioning Domains Split DNS Additional Information</name> <name>New PvD Additional Information Type for Split DNS</name>
<t>IANA is requested to add the following entry to the "Additional <t>IANA has added the following entry to the "Additional
Information PvD Keys" registry under the "Provisioning Domains (PvDs)" r Information PvD Keys" registry in the "Provisioning Domains (PvDs)" regi
egistry group:</t> stry group:</t>
<ul>
<li>JSON key: "splitDnsClaims"</li> <dl newline="false" spacing="normal">
<li>Description: "Verifiable locally served domains"</li> <dt>JSON key:</dt><dd>splitDnsClaims</dd>
<li>Type: Array of Objects</li> <dt>Description:</dt><dd>Verifiable locally served domains</dd>
<li><t>Example: </t><sourcecode type="json">[{ <dt>Type:</dt><dd>Array of Objects</dd>
<dt>Example:</dt><dd><sourcecode type="json">[{
"resolver": "dns.example.net", "resolver": "dns.example.net",
"parent": "example.com", "parent": "example.com",
"subdomains": ["sub"], "subdomains": ["sub"],
"algorithm": "SHA384", "algorithm": "SHA384",
"salt": "abc...123" "salt": "abc...123"
}]</sourcecode></li> }]</sourcecode></dd>
<li>Reference: (This document)</li> <dt>Reference:</dt><dd>RFC 9704</dd>
</ul> </dl>
</section> </section>
<section> <section anchor="new-split-claims-registry">
<name>New PvD Split DNS Claims Registry</name> <name>New PvD Split DNS Claims Registry</name>
<t>IANA is requested to create a new registry "PvD Split DNS Claims" Reg <t>IANA has created a new registry called "PvD Split DNS Claims"
istry, within the "Provisioning Domains (PvDs)" registry group. This new regis
within the "Provisioning Domains (PvDs)" registry page. This new regist try
ry
reserves JSON keys for use in sub-dictionaries under the splitDnsClaims JSON key. reserves JSON keys for use in sub-dictionaries under the splitDnsClaims JSON key.
The initial contents of this registry, as discussed in <xref target="spl itclaims"/>, The initial contents of this registry, as discussed in <xref target="spl itclaims"/>,
are listed below and will be added to the IANA registry:</t> are listed below and have been added to the registry:</t>
<figure anchor="fig-split-claims">
<name>Split DNS Claims</name> <table anchor="split-claims">
<artwork><![CDATA[ <name>Split DNS Claims</name>
+------------+-----------------------+---------+-----------------+-----------+ <thead>
| JSON key | Description | Type | Example | Reference | <tr>
+------------+-----------------------+---------+-----------------+-----------+ <th>JSON key</th>
| resolver | The Authentication | String |"dns.example.net"| [RFCXXXX] | <th>Description</th>
| | Domain Name | | | | <th>Type</th>
| | | | | | <th>Example</th>
| parent | The parent zone name | String | "example.com" | [RFCXXXX] | <th>Reference</th>
| | | | | | </tr>
| subdomains | An array containing | Array of| ["sub"] | | </thead>
| | the claimed subdomains| Strings | | [RFCXXXX] | <tbody>
| | | | | | <tr>
| algorithm | The hash algorithm | String | "SHA384" | [RFCXXXX] | <td>resolver</td>
| | | | | | <td>The Authentication Domain Name</td>
| salt | The salt (base64url) | String | "abc...123" | [RFCXXXX] | <td>String</td>
| | | | | | <td>"dns.example.net"</td>
+------------+-----------------------+---------+-----------------+-----------+ <td>RFC 9704</td>
]]></artwork> </tr>
</figure> <tr>
<td>parent</td>
<td>The parent zone name</td>
<td>String</td>
<td>"example.com"</td>
<td>RFC 9704</td>
</tr>
<tr>
<td>subdomains</td>
<td>An array containing the claimed subdomains</td>
<td>Array of Strings</td>
<td>["sub"]</td>
<td>RFC 9704</td>
</tr>
<tr>
<td>algorithm</td>
<td>The hash algorithm</td>
<td>String</td>
<td>"SHA384"</td>
<td>RFC 9704</td>
</tr>
<tr>
<td>salt</td>
<td>The salt (base64url)</td>
<td>String</td>
<td>"abc...123"</td>
<td>RFC 9704</td>
</tr>
</tbody>
</table>
<t>The keys defined in this document are mandatory. Any new assignments of keys will be considered <t>The keys defined in this document are mandatory. Any new assignments of keys will be considered
as optional for the purpose of the mechanism described in this document. </t> as optional for the purpose of the mechanism described in this document. </t>
<t>New assignments in the "PvD Split DNS Claims Registry" registry will be <t>New assignments in the "PvD Split DNS Claims" registry will be
administered by IANA through Expert Review <xref target="RFC8126"/>. Exp erts are administered by IANA through Expert Review <xref target="RFC8126"/>. Exp erts are
requested to ensure that defined keys do not overlap in names or semanti cs.</t> requested to ensure that defined keys do not overlap in names or semanti cs.</t>
<section> <section>
<name>Guidelines for the Designated Experts</name> <name>Guidelines for the Designated Experts</name>
<t>It is suggested that multiple designated experts be appointed for <t>It is suggested that multiple designated experts be appointed for
registry change requests.</t> registry change requests.</t>
<t>Criteria that should be applied by the designated experts include <t>Criteria that should be applied by the designated experts include
determining whether the proposed registration duplicates existing determining whether the proposed registration duplicates existing
entries and whether the registration description is clear and fits entries and whether the registration description is clear and fits
skipping to change at line 821 skipping to change at line 820
on the advice of one or more designated experts. Within the review on the advice of one or more designated experts. Within the review
period, the designated experts will either approve or deny the period, the designated experts will either approve or deny the
registration request, communicating this decision to IANA. Denials registration request, communicating this decision to IANA. Denials
should include an explanation and, if applicable, suggestions as to should include an explanation and, if applicable, suggestions as to
how to make the request successful.</t> how to make the request successful.</t>
</section> </section>
</section> </section>
<section> <section>
<name>DNS Underscore Name</name> <name>DNS Underscore Name</name>
<t>IANA is requested to add the following entry to the "Underscored and <t>IANA has added the following entry to the "Underscored and
Globally Scoped DNS Node Names" registry under the "Domain Name System ( Globally Scoped DNS Node Names" registry in the "Domain Name System (DNS
DNS) )
Parameters" registry group:</t> Parameters" registry group:</t>
<ul> <dl newline="false" spacing="normal">
<li>RR Type: TXT</li> <dt>RR Type:</dt><dd>TXT</dd>
<li>_NODE NAME: _splitdns-challenge</li> <dt>_NODE NAME:</dt><dd>_splitdns-challenge</dd>
<li>Reference: (This document)</li> <dt>Reference:</dt><dd>RFC 9704</dd>
</ul> </dl>
</section> </section>
</section> </section>
<section>
<name>Acknowledgements</name>
<t>Thanks to Mohamed Boucadair, Jim Reid, Tommy Pauly, Paul Vixie, Michael
Richardson,
Bernie Volz, Éric Vyncke and Vinny Parla for the discussion and comments.<
/t>
<t>Thanks to Tianran Zhou for the opsdir review, Anthony Somerset for the
dnsdir review,
Watson Ladd for the secdir review, Bob Halley for the intdir review and Ma
llory Knodel
for the genart review.</t>
<t>Thanks to Mohamed Boucadair for the Shepherd review.</t>
</section>
</middle> </middle>
<!-- *****BACK MATTER ***** -->
<back> <back>
<displayreference target="I-D.ietf-dnsop-domain-verification-techniques" to= "DOMAIN-VERIFICATION-TECHNIQUES"/>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.2 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
119.xml"/> 119.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.3 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
118.xml"/> 118.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.2 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
131.xml"/> 131.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
034.xml"/> 034.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
174.xml"/> 174.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
801.xml"/> 801.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.6 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
698.xml"/> 698.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
035.xml"/> 035.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
976.xml"/> 976.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
415.xml"/> 415.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.3 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
396.xml"/> 396.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.6 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
761.xml"/> 761.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
126.xml"/> 126.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
525.xml"/> 525.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
086.xml"/> 086.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
648.xml"/> 648.xml"/>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
499.xml"/> 499.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
598.xml"/> 598.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.7 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
686.xml"/> 686.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
806.xml"/> 806.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
106.xml"/> 106.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
702.xml"/> 702.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
704.xml"/> 704.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.6 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
731.xml"/> 731.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.5 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
986.xml"/> 986.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
310.xml"/> 310.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.7 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
696.xml"/> 696.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.7 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
858.xml"/> 858.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
484.xml"/> 484.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
250.xml"/> 250.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
364.xml"/> 364.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.6 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
234.xml"/> 234.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.6 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
762.xml"/> 762.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.87 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.87
92.xml"/> 92.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
463.xml"/> 463.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
464.xml"/> 464.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.94 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.94
62.xml"/> 62.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml-ids/referen
ce.I-D.ietf-dnsop-domain-verification-techniques.xml"/> <!-- draft-ietf-dnsop-domain-verification-techniques (I-D Exists) -->
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-dn
sop-domain-verification-techniques.xml"/>
</references> </references>
</references> </references>
<section numbered="false">
<name>Acknowledgements</name>
<t>Thanks to <contact fullname="Mohamed Boucadair"/>, <contact
fullname="Jim Reid"/>, <contact fullname="Tommy Pauly"/>, <contact
fullname="Paul Vixie"/>, <contact fullname="Michael Richardson"/>,
<contact fullname="Bernie Volz"/>, <contact fullname="Éric Vyncke"/>, and
<contact fullname="Vinny Parla"/> for the discussion and comments.</t>
<t>Thanks to <contact fullname="Tianran Zhou"/> for the opsdir review,
<contact fullname="Anthony Somerset"/> for the dnsdir review, <contact
fullname="Watson Ladd"/> for the secdir review, <contact fullname="Bob
Halley"/> for the intdir review, and <contact fullname="Mallory Knodel"/>
for the genart review.</t>
<t>Thanks to <contact fullname="Mohamed Boucadair"/> for the Shepherd revi
ew.</t>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 119 change blocks. 
479 lines changed or deleted 497 lines changed or added

This html diff was produced by rfcdiff 1.48.