REFER: A New Referral Mechanism for the DNS
draft-jabley-dnsop-refer-00

Document Type Active Internet-Draft (individual)
Author Joe Abley 
Last updated 2021-02-12
Stream (None)
Intended RFC status (None)
Formats pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                           J. Abley
Internet-Draft                                  Public Interest Registry
Intended status: Experimental                          February 12, 2021
Expires: August 16, 2021

              REFER: A New Referral Mechanism for the DNS
                      draft-jabley-dnsop-refer-00

Abstract

   The Domain Name System (DNS) incorporates a namespace that is
   comprised, in practice, of multiple so-called zones.  Each zone is,
   in principal, a finite tree structure which can be administered
   autonomously, and is connected to exactly one parent zone and zero or
   more child zones.  These connection points are known as zone cuts; a
   parent zone contains information that allows the servers responsible
   for the child zone to be found.

   The current DNS specification encodes that information about child
   zones using an "NS" resource record set in the parent zone, and a
   corresponding "NS" resource record set in the child zone.  These two
   resource record sets have identical owner names, class, and resource
   record type but can differ in other respects such as the time-to-live
   (TTL) attribute, the resource record data associated with each set
   and the availability of cryptographic signatures.  This property of
   being similar, related but potentially different has led to
   operational complexity.

   This document proposes a change to how zone cuts are encoded in the
   parent zone, allowing the resource records in the parent and the
   child zone to be more clearly distinguished and protected separately
   using cryptographic signatures.

   It is not at all clear that this is a good idea.  To restate in
   stronger terms, the goal of the experiment described in this document
   is to determine just how bad an idea this is.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

Abley                    Expires August 16, 2021                [Page 1]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 16, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  An Assortment of Problem Statements . . . . . . . . . . . . .   4
     3.1.  Privacy . . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Ambiguity Across a Zone Cut . . . . . . . . . . . . . . .   4
     3.3.  Masking of Parental RRSets by Children  . . . . . . . . .   5
   4.  The REFER Mechanism . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   5
     4.2.  The REFER Resource Record Type  . . . . . . . . . . . . .   6
     4.3.  The REFER OK EDNS(0) Option . . . . . . . . . . . . . . .   6
     4.4.  DNS Protocol Modifications  . . . . . . . . . . . . . . .   7
       4.4.1.  Changes to Deployed Zone Data . . . . . . . . . . . .   7
       4.4.2.  Changes to DNS Server Behaviour . . . . . . . . . . .   8
         4.4.2.1.  Authoritative Servers . . . . . . . . . . . . . .   8
         4.4.2.2.  Recursive Servers . . . . . . . . . . . . . . . .   9
         4.4.2.3.  Other DNS Servers . . . . . . . . . . . . . . . .   9
     4.5.  Backwards Compatibility and Incremental Deployment  . . .   9
     4.6.  Transport Considerations  . . . . . . . . . . . . . . . .   9
   5.  Goals of Experiment . . . . . . . . . . . . . . . . . . . . .  10
     5.1.  Implementation  . . . . . . . . . . . . . . . . . . . . .  10
     5.2.  Gauging the Desperation of the Camel  . . . . . . . . . .  10
     5.3.  Incremental Deployment  . . . . . . . . . . . . . . . . .  10
     5.4.  Effects on DNS Traffic  . . . . . . . . . . . . . . . . .  10
     5.5.  Effects on DNS Zone Provisioning  . . . . . . . . . . . .  11

Abley                    Expires August 16, 2021                [Page 2]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

     5.6.  Policy Hurdles At and Near the Root . . . . . . . . . . .  11
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  12
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Editorial Notes  . . . . . . . . . . . . . . . . . .  13
     A.1.  Venue for Discussion  . . . . . . . . . . . . . . . . . .  13
     A.2.  Change History  . . . . . . . . . . . . . . . . . . . . .  14
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  14

1.  Introduction

   The Domain Name System (DNS) base specification ([RFC1034],
   [RFC1035]) has been extended many times since its original
   publication.  The use of two corresponding NS resource-record sets to
   signal the existence of a zone cut, one in the parent zone and one in
   the child zone, has resulted in some operational complexity.  However
   the cost of changing the nature of the referral mechanism given the
   wide and varied assortment of dependent software deployed on the
   Internet has always been assumed to be so high that it makes more
   sense to work around that complexity than it does to review the
   suitability of the incumbent mechanism.  This document proposes to
   challenge that assumption.

   This document is organised as follows.  A curated assortment of
   problems associated with the incumbent referral mechanism can be
   found in Section 3.  Section 4 contains a proposed, experimental
   replacement mechanism.  Experiments intended to assess the proposed
   new mechanism and compare it with the incumbent mechanism are
   described in Section 5.  IANA considerations, including code-point
   assignments, are presented in Section 7 and the security implications
   of the proposed new mechanism are discussed in Section 6.

2.  Terminology

   This document uses various terminology specific to the DNS.  For
   definitions and discussion of particular terms, see [RFC8499].

   The new referral mechanism described in this document is referred to
   in this document "the REFER Mechanism" and referral responses that
   follow it are referred to as "REFER Responses".  The conventional,
   current, standard mechanism described in [RFC1034] and [RFC1035] that
   the REFER Mechanism seeks to replace (or augment, see Section 4.5) is
   referred to as the "Standard Referral Mechanism" and corresponding
   referrals using that mechanism are referred to as Standard Referrals.

Abley                    Expires August 16, 2021                [Page 3]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   This document uses capitalized keywords such as MUST and MAY to
   describe the requirements for using the registered RR types.  The
   intended meaning of those keywords in this document are the same as
   those described in [RFC2119].  Although these keywords are often used
   to specify normative requirements in IETF Standards, their use in
   this document does not imply that this document is a standard of any
   kind.

3.  An Assortment of Problem Statements

   A handful of indicative problem statements that seem relevant to this
   proposal are included below.  This is not an exhaustive list.

3.1.  Privacy

   A Standard Referral response from an authoritative DNS server
   includes an NS RRset.  It is not possible for the response to include
   a corresponding RRSIG RRset, since the administrator of a parent zone
   is generally not in possession of the private keys needed to make
   signatures in a child zone.  The lack of signatures means that the
   Standard Referral response is subject to on-path substitution
   attacks, even if both parent and child zones are signed and the
   originator of the request that triggered the referral response
   requests DNSSEC data (with DO=1) and is capable of validating
   responses.

   While it is to be hoped that a validating resolver that falls victim
   to such an attack would not cache subsequent responses from an
   attacker's server, since sooner or later something would fail
   validation, the metadata about the query and the query contents (e.g.
   a non-minimised QNAME) will have leaked in the process of finding
   out.

   The REFER Mechanism does not suffer from this problem, since the
   delegation information published in the parent and child zones does
   not overload the same RRtype, and hence can be unambiguously signed
   separately in both places, allowing validators to identify on-path
   substitution attacks without leaking queries to rogue servers.  Other
   work has attempted to address this problem, e.g.
   [I-D.fujiwara-dnsop-delegation-information-signer].

3.2.  Ambiguity Across a Zone Cut

   When following a Standard Referral response from an authoritative
   server to a child zone, DNS resolvers cannot always be relied upon to
   retrieve an NS RRset from child nameservers.  Instead they may simply
   cache the NS RRset with the same owner name received in the Standard
   Referral response from the parent.  This can result in NS RRsets

Abley                    Expires August 16, 2021                [Page 4]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   being cached without signatures, since no signatures over the NS
   RRset can normally be included in a referral response, or the
   parent's choice of TTL being used in the cache instead of the
   child's, or inaccurate data being cached in the case where the
   child's authoritative data is not the same as the data published in
   the parent zone.

   The REFER Mechanism does not suffer from this problem, since the
   RRset obtained from the parent has a different RRtype from any set
   obtained from the child; any query that requires an NS RRset would
   necessarily involve a response from the child and cannot be satisfied
   by a referral response from the parent.  Other work has attempted to
   address this problem, e.g.  [I-D.ietf-dnsop-ns-revalidation].

3.3.  Masking of Parental RRSets by Children

   A nameserver serving both parent and child zones will normally not
   provide a Standard Referral response from the parent if a response
   can be formulated with data obtained from the child.  This means that
   the parent's NS RRset will normally be obscured from view, masked by
   the corresponding NS RRset at the child's apex.  This has the
   potential to hide operational problems that might later become
   apparent, e.g. if the child zone is moved to different nameservers.

   The REFER Mechanism does not suffer from the same problem, since the
   delegation information in the parent and child do not share the same,
   overloaded RRtype; consequently both the parent zone data and the
   child zone data can be queried independently, without ambiguity.

4.  The REFER Mechanism

4.1.  Overview

   The REFER Mechanism can be summarised as follows:

   o  Introduce a new RRtype for publishing delegation information in
      the parent zone, which has similar semantics to NS used for the
      same purpose, except that the rules for signing the RRset are
      specified to be the same as DS, i.e. signatures belong in the
      parent;

   o  Specify a new EDNS(0) option which, when present in a query sent
      to an authoritative server, signals to the server that REFER
      referrals are supported and requested by the client;

   o  Introduce new, optional functionality in authoritative servers
      such that queries requesting REFER responses will receive a REFER
      Response, if available;

Abley                    Expires August 16, 2021                [Page 5]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   o  Preserve the Standard Referral response for queries that do not
      explicitly request the new behaviour, or for responses that are
      generated from zones that do not include new-style delegation
      RRtypes.

   Complete deployment of the REFER Mechanism requires changes in all
   DNS zones, all authoritative servers and all clients of authoritative
   servers (e.g. recursive servers).  This seems like an unrealistic
   expectation.  However, it seems intuitively true that certain modes
   of incremental deployment may have useful characteristics;
   determining whether this hypothesis holds in practice is one of the
   objectives of this experiment, as described in Section 5.  For more
   discussion of incremental deployment, see Section 4.5.

   The REFER Mechanism is described in more detail in the sections that
   follow.

4.2.  The REFER Resource Record Type

   The REFER resource record (RR) is used to store a single nameserver
   name in the DNS.  It is intended to be used in a parent zone to
   signal the presence of a zone cut and to specify the nameservers to
   which a child zone is delegated.

   The type value for the REFER RR is TBA1.

   The REFER RR is class-independent.  However, interpretation of the
   REFER RR by DNS servers in processing DNS queries and responses is
   only specified for class IN.

   The REFER RR has no special time-to-live (TTL) requirements.

   The RDATA for a REFER RR and its wire format is precisely the same as
   for the NS RR, as described in [RFC1035] section 3.3.11.

   The presentation format of the REFER RR is precisely the same as for
   the NS RR, with the REFER keyword replacing the NS keyword.

4.3.  The REFER OK EDNS(0) Option

   The REFER Mechanism requires a means for the originator of a query to
   signal to a server that if a referral response is generated, a REFER
   Response is requested.  The most consistent approach to achieve this
   signalling seems to follow the approach used with the DO bit, as
   specified in [RFC3225] and [RFC4035] section 3.2.1.  However, since
   EDNS(0) header bits are in short supply (there are only 15 of them
   available for assignment, see [RFC6891]) this seems inappropriate for

Abley                    Expires August 16, 2021                [Page 6]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   an experimental proposal.  Instead, this document specifies a
   separate, optional EDNS(0) option.

   The REFER OK EDNS(0) option is encoded as an OPTION-CODE of TBA2, an
   OPTION-LENGTH of zero and no OPTION-DATA, as follows:

                  +0 (MSB)                            +1 (LSB)
       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    0: |                   OPTION-CODE = TBA2                          |
       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    2: |                   OPTION-LENGTH = 0                           |
       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

   The REFER OK EDNS(0) option MAY be included alongside other EDNS(0)
   options in the same query.

   A single DNS query SHOULD include zero or one REFER OK option;
   including more than one does not change the intended signal and hence
   serves no purpose.  Systems which receive more than one REFER OK
   option in a single query should behave precisely as if only a single
   REFER OK option had been included.

   A DNS response generated by a system that supports the REFER
   Mechanism, in response to a query that included the REFER OK option,
   should also include a single REFER OK option in the response, even if
   the response is not a referral.

   Any DNS system which receives a DNS message containing more than one
   REFER OK option should behave precisely as if only a single REFER OK
   option had been included.

4.4.  DNS Protocol Modifications

4.4.1.  Changes to Deployed Zone Data

   In order for a referral response to be constructed using the REFER
   Mechanism, the corresponding zone cut must be provisioned in the zone
   data loaded in the server using a REFER RRset.  An NS RRset with the
   same owner name MAY also be present, but is not required.  If both NS
   and REFER RRsets exist at the same owner name, both RRsets SHOULD
   point to the same set of servers, since operational confusion might
   well result from them being different.  However, zone administrators
   MAY deliberately make the RDATA of each RRset different, e.g. for the
   purposes of experimental measurement.

   In a signed zone REFER RRsets MUST be signed, regardless of whether
   the zone cut that they are being used to provision represents a
   secure delegation or an insecure delegation.  The keys used to

Abley                    Expires August 16, 2021                [Page 7]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   generate RRSIGs over a REFER RRset are those published in the parent
   zone that contains the REFER RRset, similarly to the way in which DS
   RRsets are signed.

4.4.2.  Changes to DNS Server Behaviour

4.4.2.1.  Authoritative Servers

   An authoritative server that supports the REFER Mechanism MUST check
   for the existence of the RO option in queries it receives.  The
   existence or non-existence of the RO option in the query MUST be
   retained as part of the query attributes used to build a
   corresponding response.

   When generating a referral response, the intention is that an
   authoritative server that supports the REFER Mechanism should send
   referrals that are identical to the Standard Mechanism if the
   corresponding query does not include the RO option, but should always
   prefer to include REFER RRsets over NS RRsets at all other times.

   1.  If the query included the RO option and zone data above the zone
       cut incudes a REFER RRset, that REFER RRset MUST be included in
       the referral response precisely as an NS RRset would be included
       under the Standard Mechanism.  An RRSIG RRset over the REFER
       RRset MUST also be included, if available.

   2.  If the query included the RO option and zone data above the zone
       cut does not include a REFER RRset, the NS RRset MUST be included
       precisely as it would under the Standard Mechanism.

   3.  If the query did not include the RO option and zone data above
       the zone cut includes an NS RRset, that NS RRset MUST be included
       precisely as it would be under the Standard Mechanism.

   4.  If the query did not include the RO option and zone data above
       the zone cut does not include an NS RRset, an NS RRset MUST be
       synthesised from the REFER RRset that is present.

   No referral response should ever include both a REFER and an NS RRset
   to communicate the target servers of a delegation.

   An authoritative server that supports the REFER Mechanism MUST
   include the RO option in every response to a query in which the RO
   option was present, and MUST NOT include the RO option in any other
   response, regardless of whether the response is a referral.

Abley                    Expires August 16, 2021                [Page 8]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

4.4.2.2.  Recursive Servers

   A recursive server that supports the REFER Mechanism:

   1.  MUST include the RO option in every query it sends;

   2.  MUST interpret and use REFER RRsets received in referral
       responses in precisely the same way that NS RRsets received in
       referral responses are interpreted when following the iterative
       resolution process;

   3.  MUST use NS RRsets in preference to REFER RRsets with the same
       owner name and QCLASS if both are present in the cache.

4.4.2.3.  Other DNS Servers

   No changes are required to DNS forwarders.

4.5.  Backwards Compatibility and Incremental Deployment

   The intent is that authoritative DNS servers supporting the REFER
   Mechanism should generate identical responses to those following the
   Standard Mechanism for all queries received without the RO option.
   This allows a single server to support clients that do not support
   the REFER Mechanism as well as those that do, and ensures a
   consistent experience for clients that do not support the REFER
   Mechanism regardless of whether it is deployed on any authoritative
   server.

   A recursive DNS server that supports the REFER Mechanism may complete
   the iterative resolution process in the process of responding to a
   query by means of inbound REFER responses.  Such a server might not
   be able to respond to a subsequent query received with QTYPE=NS from
   the cache, but would need to initiate a new query in order to
   retrieve the apex NS RRset from the servers that are authoritative
   for the closest enclosing zone.  This additional query has the
   potential to increase response time, but has the advantage that the
   ambiguity that might otherwise arise around whether a particular NS
   RRset originates from above or below a zone cut is avoided.
   Additionally, NS RRsets that are consistently retrieved from servers
   below the zone cut have the opportunity to be cryptographically
   signed, improving cache integrity through the validation process.

4.6.  Transport Considerations

   The REFER Mechanism imposes no special requirements on DNS transport
   protocols.

Abley                    Expires August 16, 2021                [Page 9]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

5.  Goals of Experiment

   The overarching ambition of this experiment is to gauge whether a
   change in a fundamental aspect of the deployed DNS protocol, the
   referral mechanism, is plausible.  This document does not specify any
   experiments, but attempts to frame some indicative research
   questions.

   Since the two code points that are needed to carry out experiments
   will be allocated from protocol registries that are not generally
   managed with leases (i.e. assignments are essentially permanent)
   there is no time period specified for this experiment.

   The following are not intended to be an exhaustive list of research
   questions, but rather examples intended to seed discussion.

5.1.  Implementation

   Is the REFER Mechanism specification proposed in this document
   unambiguous and sufficient for it to be implemented?

5.2.  Gauging the Desperation of the Camel

   Can the REFER Mechanism be implemented in commonly-used DNS code
   bases without causing unacceptable complexity?

   This is a subjective question, but perhaps by gathering a diversity
   of answers from different teams working on different code bases a
   reasonable assessment can be made.

5.3.  Incremental Deployment

   Can the REFER Mechanism be deployed in an environment where support
   is absent in other clients and servers?

   A DNS implementation should interact with other clients and servers
   that do not support the REFER Mechanism identically regardless of
   whether it supports the REFER Mechanism itself.  That is, the
   mechanisms intended to provide backwards compatability to the
   Standard Mechanism should work.

5.4.  Effects on DNS Traffic

   What effect would the REFER Mechanism have on traffic if it was
   widely deployed?

Abley                    Expires August 16, 2021               [Page 10]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

5.5.  Effects on DNS Zone Provisioning

   What other systems, beyond those contemplated in this document,
   depend upon delegations being provisioned in DNS zones using NS
   RRsets?

   This proposal allows deployment of both NS and REFER RRsets at a
   single zone cut which might mitigate any negative effects of an NS-
   to-REFER transition, but that mitigation comes at the cost of
   increased zone size that might be significant in large, delegation-
   centric zones such as those published by some TLD registries.

5.6.  Policy Hurdles At and Near the Root

   How practical might it be to deploy REFER RRsets in the root zone, or
   TLD zones, and to support the REFER Mechanism in TLD and root
   servers?

6.  Security Considerations

   The REFER Mechanism, if implemented by authoritative DNS servers and
   their clients, has the potential to improve confidentiality of
   communications since it allows a referral response from an
   authoritative server to be signed.  A signed referral response can be
   validated and confirmed to be authentic before subsequent queries are
   sent to the servers listed in the referral, avoiding the possibility
   that the existence and contents of a query might be disclosed to an
   unauthorised endpoint.

   Since the signalling mechanism by which a client requests that the
   REFER Mechanism be used in sending any referral response has no
   cryptographic protection, this protocol is vulnerable to downgrade
   attacks: that is, an on-path attacker could eliminate the RO option
   from a query or replace a signed REFER RRset in a response with an
   unsigned NS RRset.  The impact of such an attack would be to
   eliminate any benefits of the REFER Mechanism and revert to the
   security characteristics of the Standard Mechanism.

   No new concerns relating to Systems Security [RFC3552] associated
   with the implementation or use of the REFER Mechanism have been
   identified.

7.  IANA Considerations

   This section is a placeholder, intended to demonstrate that there is
   an IANA action here without actually being very thorough about what
   it should be.  For example, both registries below support early
   assignment by expert review, and if that path is chosen then the

Abley                    Expires August 16, 2021               [Page 11]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   requests this document makes of the IANA will be different.  No
   request for code points has been made at this time.

   The IANA is requested to assign a value to the RRtype described in
   this document as TBA1 and to add the value to the Resource Record
   (RR) TYPEs registry as follows:

   +-------+-------+-------------------------------------+-------------+
   | TYPE  | Value | Meaning                             | Reference   |
   +-------+-------+-------------------------------------+-------------+
   | REFER | TBA1  | an authoritative name server viewed | (this       |
   |       |       | from a parent                       | document)   |
   +-------+-------+-------------------------------------+-------------+

   The IANA is requested to assign a value to the EDNS(0) option code
   described in this document as TBA2 and to add the value to the DNS
   EDNS0 Option Codes (OPT) registry as follows:

             +-------+----------+----------+-----------------+
             | Value | Name     | Status   | Reference       |
             +-------+----------+----------+-----------------+
             | TBA2  | REFER OK | Optional | (this document) |
             +-------+----------+----------+-----------------+

8.  Acknowledgements

   Many people have daydreamed wistfully over the years about the
   entrenched overloading of the NS RRset in the DNS.  At least some of
   them have done so out loud in bars, although it is entirely possible
   that they did not realise anybody was listening.

9.  References

9.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

Abley                    Expires August 16, 2021               [Page 12]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

9.2.  Informative References

   [I-D.fujiwara-dnsop-delegation-information-signer]
              Fujiwara, K., "Delegation Information (Referrals) Signer
              for DNSSEC", draft-fujiwara-dnsop-delegation-information-
              signer-00 (work in progress), November 2020.

   [I-D.ietf-dnsop-ns-revalidation]
              Huque, S., Vixie, P., and R. Dolmans, "Delegation
              Revalidation by DNS Resolvers", draft-ietf-dnsop-ns-
              revalidation-00 (work in progress), September 2020.

   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC",
              RFC 3225, DOI 10.17487/RFC3225, December 2001,
              <https://www.rfc-editor.org/info/rfc3225>.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552,
              DOI 10.17487/RFC3552, July 2003,
              <https://www.rfc-editor.org/info/rfc3552>.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
              <https://www.rfc-editor.org/info/rfc4035>.

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013,
              <https://www.rfc-editor.org/info/rfc6891>.

Appendix A.  Editorial Notes

   This section (and sub-sections) to be removed prior to publication.

A.1.  Venue for Discussion

   This is not an IETF working group document.  However, at the risk of
   upsetting the dnsop working group chairs and having to buy them all
   drinks the next time we have a chance to actually travel to an actual
   meeting with an actual beer, the dnsop working group mailing list
   seems like a reasonable place to express fear and loathing at the
   idea that someone even bothered to write this document.

Abley                    Expires August 16, 2021               [Page 13]
Internet-Draft REFER: A New Referral Mechanism for the DNS February 2021

   There is no need to suggest that the previous paragraph seems
   expressly designed to manufacture opportunities for mild, amateur
   experiments in alcoholism.

A.2.  Change History

   00 Initial draft, circulated for the purposes of entertainment.

Author's Address

   Joe Abley
   Public Interest Registry
   470 Moore Street
   London, ON  N6C 2C2
   Canada

   Email: jabley@pir.org

Abley                    Expires August 16, 2021               [Page 14]