in Index   Prev   Next

RFC 8499

DNS Terminology

Pages: 50
Best Current Practice: 219
Obsoletes:  7719
Updates:  2308
Part 3 of 4 – Pages 28 to 36
First   Prev   Next

Top   ToC   RFC8499 - Page 28   prevText

9. Registration Model

Registry: The administrative operation of a zone that allows registration of names within that zone. People often use this term to refer only to those organizations that perform registration in large delegation-centric zones (such as TLDs); but formally, whoever decides what data goes into a zone is the registry for that zone. This definition of "registry" is from a DNS point of view; for some zones, the policies that determine what can go in the zone are decided by zones that are superordinate and not the registry operator. Registrant: An individual or organization on whose behalf a name in a zone is registered by the registry. In many zones, the registry and the registrant may be the same entity, but in TLDs they often are not. Registrar: A service provider that acts as a go-between for registrants and registries. Not all registrations require a registrar, though it is common to have registrars involved in registrations in TLDs. EPP: The Extensible Provisioning Protocol (EPP), which is commonly used for communication of registration information between registries and registrars. EPP is defined in [RFC5730]. WHOIS: A protocol specified in [RFC3912], often used for querying registry databases. WHOIS data is frequently used to associate registration data (such as zone management contacts) with domain names. The term "WHOIS data" is often used as a synonym for the registry database, even though that database may be served by different protocols, particularly RDAP. The WHOIS protocol is also used with IP address registry data.
Top   ToC   RFC8499 - Page 29
   RDAP:  The Registration Data Access Protocol, defined in [RFC7480],
      [RFC7481], [RFC7482], [RFC7483], [RFC7484], and [RFC7485].  The
      RDAP protocol and data format are meant as a replacement for

   DNS operator:  An entity responsible for running DNS servers.  For a
      zone's authoritative servers, the registrant may act as their own
      DNS operator, their registrar may do it on their behalf, or they
      may use a third-party operator.  For some zones, the registry
      function is performed by the DNS operator plus other entities who
      decide about the allowed contents of the zone.

   Public suffix:  "A domain that is controlled by a public registry."
      (Quoted from [RFC6265], Section 5.3) A common definition for this
      term is a domain under which subdomains can be registered by third
      parties and on which HTTP cookies (which are described in detail
      in [RFC6265]) should not be set.  There is no indication in a
      domain name whether it is a public suffix; that can only be
      determined by outside means.  In fact, both a domain and a
      subdomain of that domain can be public suffixes.

      There is nothing inherent in a domain name to indicate whether it
      is a public suffix.  One resource for identifying public suffixes
      is the Public Suffix List (PSL) maintained by Mozilla

      For example, at the time this document is published, the ""
      domain is listed as a public suffix in the PSL.  (Note that this
      example might change in the future.)

      Note that the term "public suffix" is controversial in the DNS
      community for many reasons, and it may be significantly changed in
      the future.  One example of the difficulty of calling a domain a
      public suffix is that designation can change over time as the
      registration policy for the zone changes, such as was the case
      with the "uk" TLD in 2014.

   Subordinate and Superordinate:  These terms are introduced in
      [RFC5731] for use in the registration model, but not defined
      there.  Instead, they are given in examples.  "For example, domain
      name '' has a superordinate relationship to host name'...  For example, host is a
      subordinate host of domain, but it is a not a
      subordinate host of domain"  (Quoted from [RFC5731],
      Section 1.1) These terms are strictly ways of referring to the
      relationship standing of two domains where one is a subdomain of
      the other.
Top   ToC   RFC8499 - Page 30

10. General DNSSEC

Most DNSSEC terms are defined in [RFC4033], [RFC4034], [RFC4035], and [RFC5155]. The terms that have caused confusion in the DNS community are highlighted here. DNSSEC-aware and DNSSEC-unaware: These two terms, which are used in some RFCs, have not been formally defined. However, Section 2 of [RFC4033] defines many types of resolvers and validators, including "non-validating security-aware stub resolver", "non-validating stub resolver", "security-aware name server", "security-aware recursive name server", "security-aware resolver", "security-aware stub resolver", and "security-oblivious 'anything'". (Note that the term "validating resolver", which is used in some places in DNSSEC-related documents, is also not defined in those RFCs, but is defined below.) Signed zone: "A zone whose RRsets are signed and that contains properly constructed DNSKEY, Resource Record Signature (RRSIG), Next Secure (NSEC), and (optionally) DS records." (Quoted from [RFC4033], Section 2) It has been noted in other contexts that the zone itself is not really signed, but all the relevant RRsets in the zone are signed. Nevertheless, if a zone that should be signed contains any RRsets that are not signed (or opted out), those RRsets will be treated as bogus, so the whole zone needs to be handled in some way. It should also be noted that, since the publication of [RFC6840], NSEC records are no longer required for signed zones: a signed zone might include NSEC3 records instead. [RFC7129] provides additional background commentary and some context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide authenticated denial- of-existence responses. NSEC and NSEC3 are described below. Unsigned zone: Section 2 of [RFC4033] defines this as "a zone that is not signed". Section 2 of [RFC4035] defines this as a "zone that does not include these records [properly constructed DNSKEY, Resource Record Signature (RRSIG), Next Secure (NSEC), and (optionally) DS records] according to the rules in this section..." There is an important note at the end of Section 5.2 of [RFC4035] that defines an additional situation in which a zone is considered unsigned: "If the resolver does not support any of the algorithms listed in an authenticated DS RRset, then the resolver will not be able to verify the authentication path to the child zone. In this case, the resolver SHOULD treat the child zone as if it were unsigned."
Top   ToC   RFC8499 - Page 31
   NSEC:  "The NSEC record allows a security-aware resolver to
      authenticate a negative reply for either name or type
      non-existence with the same mechanisms used to authenticate other
      DNS replies."  (Quoted from [RFC4033], Section 3.2) In short, an
      NSEC record provides authenticated denial of existence.

      "The NSEC resource record lists two separate things: the next
      owner name (in the canonical ordering of the zone) that contains
      authoritative data or a delegation point NS RRset, and the set of
      RR types present at the NSEC RR's owner name."  (Quoted from
      Section 4 of RFC 4034)

   NSEC3:  Like the NSEC record, the NSEC3 record also provides
      authenticated denial of existence; however, NSEC3 records mitigate
      zone enumeration and support Opt-Out.  NSEC3 resource records
      require associated NSEC3PARAM resource records.  NSEC3 and
      NSEC3PARAM resource records are defined in [RFC5155].

      Note that [RFC6840] says that [RFC5155] "is now considered part of
      the DNS Security Document Family as described by Section 10 of
      [RFC4033]".  This means that some of the definitions from earlier
      RFCs that only talk about NSEC records should probably be
      considered to be talking about both NSEC and NSEC3.

   Opt-out:  "The Opt-Out Flag indicates whether this NSEC3 RR may cover
      unsigned delegations."  (Quoted from [RFC5155], Section
      Opt-out tackles the high costs of securing a delegation to an
      insecure zone.  When using Opt-Out, names that are an insecure
      delegation (and empty non-terminals that are only derived from
      insecure delegations) don't require an NSEC3 record or its
      corresponding RRSIG records.  Opt-Out NSEC3 records are not able
      to prove or deny the existence of the insecure delegations.
      (Adapted from [RFC7129], Section 5.1)

   Insecure delegation:  "A signed name containing a delegation (NS
      RRset), but lacking a DS RRset, signifying a delegation to an
      unsigned subzone."  (Quoted from [RFC4956], Section 2)

   Zone enumeration:  "The practice of discovering the full content of a
      zone via successive queries."  (Quoted from [RFC5155],
      Section 1.3) This is also sometimes called "zone walking".  Zone
      enumeration is different from zone content guessing where the
      guesser uses a large dictionary of possible labels and sends
      successive queries for them, or matches the contents of NSEC3
      records against such a dictionary.
Top   ToC   RFC8499 - Page 32
   Validation:  Validation, in the context of DNSSEC, refers to one of
      the following:

      *  Checking the validity of DNSSEC signatures,

      *  Checking the validity of DNS responses, such as those including
         authenticated denial of existence, or

      *  Building an authentication chain from a trust anchor to a DNS
         response or individual DNS RRsets in a response

      The first two definitions above consider only the validity of
      individual DNSSEC components such as the RRSIG validity or NSEC
      proof validity.  The third definition considers the components of
      the entire DNSSEC authentication chain; thus, it requires
      "configured knowledge of at least one authenticated DNSKEY or DS
      RR" (as described in [RFC4035], Section 5).

      [RFC4033], Section 2, says that a "Validating Security-Aware Stub
      Resolver... performs signature validation" and uses a trust anchor
      "as a starting point for building the authentication chain to a
      signed DNS response"; thus, it uses the first and third
      definitions above.  The process of validating an RRSIG resource
      record is described in [RFC4035], Section 5.3.

      [RFC5155] refers to validating responses throughout the document,
      in the context of hashed authenticated denial of existence; this
      uses the second definition above.

      The term "authentication" is used interchangeably with
      "validation", in the sense of the third definition above.
      [RFC4033], Section 2, describes the chain linking trust anchor to
      DNS data as the "authentication chain".  A response is considered
      to be authentic if "all RRsets in the Answer and Authority
      sections of the response [are considered] to be authentic" (Quoted
      from [RFC4035]) DNS data or responses deemed to be authentic or
      validated have a security status of "secure" ([RFC4035],
      Section 4.3; [RFC4033], Section 5).  "Authenticating both DNS keys
      and data is a matter of local policy, which may extend or even
      override the [DNSSEC] protocol extensions..." (Quoted from
      [RFC4033], Section 3.1)

      The term "verification", when used, is usually a synonym for
Top   ToC   RFC8499 - Page 33
   Validating resolver:  A security-aware recursive name server,
      security-aware resolver, or security-aware stub resolver that is
      applying at least one of the definitions of validation (above), as
      appropriate to the resolution context.  For the same reason that
      the generic term "resolver" is sometimes ambiguous and needs to be
      evaluated in context (see Section 6), "validating resolver" is a
      context-sensitive term.

   Key signing key (KSK):  DNSSEC keys that "only sign the apex DNSKEY
      RRset in a zone."  (Quoted from [RFC6781], Section 3.1)

   Zone signing key (ZSK):  "DNSSEC keys that can be used to sign all
      the RRsets in a zone that require signatures, other than the apex
      DNSKEY RRset."  (Quoted from [RFC6781], Section 3.1) Also note
      that a ZSK is sometimes used to sign the apex DNSKEY RRset.

   Combined signing key (CSK):  "In cases where the differentiation
      between the KSK and ZSK is not made, i.e., where keys have the
      role of both KSK and ZSK, we talk about a Single-Type Signing
      Scheme."  (Quoted from [RFC6781], Section 3.1) This is sometimes
      called a "combined signing key" or "CSK".  It is operational
      practice, not protocol, that determines whether a particular key
      is a ZSK, a KSK, or a CSK.

   Secure Entry Point (SEP):  A flag in the DNSKEY RDATA that "can be
      used to distinguish between keys that are intended to be used as
      the secure entry point into the zone when building chains of
      trust, i.e., they are (to be) pointed to by parental DS RRs or
      configured as a trust anchor....  Therefore, it is suggested that
      the SEP flag be set on keys that are used as KSKs and not on keys
      that are used as ZSKs, while in those cases where a distinction
      between a KSK and ZSK is not made (i.e., for a Single-Type Signing
      Scheme), it is suggested that the SEP flag be set on all keys."
      (Quoted from [RFC6781], Section 3.2.3) Note that the SEP flag is
      only a hint, and its presence or absence may not be used to
      disqualify a given DNSKEY RR from use as a KSK or ZSK during

      The original definition of SEPs was in [RFC3757].  That definition
      clearly indicated that the SEP was a key, not just a bit in the
      key.  The abstract of [RFC3757] says: "With the Delegation Signer
      (DS) resource record (RR), the concept of a public key acting as a
      secure entry point (SEP) has been introduced.  During exchanges of
      public keys with the parent there is a need to differentiate SEP
      keys from other public keys in the Domain Name System KEY (DNSKEY)
      resource record set.  A flag bit in the DNSKEY RR is defined to
Top   ToC   RFC8499 - Page 34
      indicate that DNSKEY is to be used as a SEP."  That definition of
      the SEP as a key was made obsolete by [RFC4034], and the
      definition from [RFC6781] is consistent with [RFC4034].

   Trust anchor:  "A configured DNSKEY RR or DS RR hash of a DNSKEY RR.
      A validating security-aware resolver uses this public key or hash
      as a starting point for building the authentication chain to a
      signed DNS response.  In general, a validating resolver will have
      to obtain the initial values of its trust anchors via some secure
      or trusted means outside the DNS protocol."  (Quoted from
      [RFC4033], Section 2)

   DNSSEC Policy (DP):  A statement that "sets forth the security
      requirements and standards to be implemented for a DNSSEC-signed
      zone."  (Quoted from [RFC6841], Section 2)

   DNSSEC Practice Statement (DPS):  "A practices disclosure document
      that may support and be a supplemental document to the DNSSEC
      Policy (if such exists), and it states how the management of a
      given zone implements procedures and controls at a high level."
      (Quoted from [RFC6841], Section 2)

   Hardware security module (HSM):  A specialized piece of hardware that
      is used to create keys for signatures and to sign messages without
      ever disclosing the private key.  In DNSSEC, HSMs are often used
      to hold the private keys for KSKs and ZSKs and to create the
      signatures used in RRSIG records at periodic intervals.

   Signing software:  Authoritative DNS servers that support DNSSEC
      often contain software that facilitates the creation and
      maintenance of DNSSEC signatures in zones.  There is also stand-
      alone software that can be used to sign a zone regardless of
      whether the authoritative server itself supports signing.
      Sometimes signing software can support particular HSMs as part of
      the signing process.

11. DNSSEC States

A validating resolver can determine that a response is in one of four states: secure, insecure, bogus, or indeterminate. These states are defined in [RFC4033] and [RFC4035], although the definitions in the two documents differ a bit. This document makes no effort to reconcile the definitions in the two documents, and takes no position as to whether they need to be reconciled.
Top   ToC   RFC8499 - Page 35
   Section 5 of [RFC4033] says:

      A validating resolver can determine the following 4 states:

      Secure: The validating resolver has a trust anchor, has a chain
         of trust, and is able to verify all the signatures in the

      Insecure: The validating resolver has a trust anchor, a chain
         of trust, and, at some delegation point, signed proof of the
         non-existence of a DS record.  This indicates that subsequent
         branches in the tree are provably insecure.  A validating
         resolver may have a local policy to mark parts of the domain
         space as insecure.

      Bogus: The validating resolver has a trust anchor and a secure
         delegation indicating that subsidiary data is signed, but
         the response fails to validate for some reason: missing
         signatures, expired signatures, signatures with unsupported
         algorithms, data missing that the relevant NSEC RR says
         should be present, and so forth.

      Indeterminate: There is no trust anchor that would indicate that a
         specific portion of the tree is secure.  This is the default
         operation mode.

   Section 4.3 of [RFC4035] says:

      A security-aware resolver must be able to distinguish between four

      Secure: An RRset for which the resolver is able to build a chain
          of signed DNSKEY and DS RRs from a trusted security anchor to
          the RRset.  In this case, the RRset should be signed and is
          subject to signature validation, as described above.

      Insecure: An RRset for which the resolver knows that it has no
         chain of signed DNSKEY and DS RRs from any trusted starting
         point to the RRset.  This can occur when the target RRset lies
         in an unsigned zone or in a descendent [sic] of an unsigned
         zone.  In this case, the RRset may or may not be signed, but
         the resolver will not be able to verify the signature.

      Bogus: An RRset for which the resolver believes that it ought to
         be able to establish a chain of trust but for which it is
         unable to do so, either due to signatures that for some reason
         fail to validate or due to missing data that the relevant
         DNSSEC RRs indicate should be present.  This case may indicate
Top   ToC   RFC8499 - Page 36
         an attack but may also indicate a configuration error or some
         form of data corruption.

      Indeterminate: An RRset for which the resolver is not able to
         determine whether the RRset should be signed, as the resolver
         is not able to obtain the necessary DNSSEC RRs.  This can occur
         when the security-aware resolver is not able to contact
         security-aware name servers for the relevant zones.

12. Security Considerations

These definitions do not change any security considerations for the DNS.

13. IANA Considerations

This document has no IANA actions.

(page 36 continued on part 4)

Next Section