Networking Research

Update on DNS

By: Jaap Akkerhuis, Peter Koch

Date: May 7, 2007

line break image

This is an update on recent DNS activities based on current active working groups related to this area.


Within the DNS Extensions working group, work is progressing steadily. A number of Internet-Drafts, including the ones on DNS Security Extensions (DNSSEC) Hashed Authenticated Denial of Existence (NSEC3) and DNS Name Server Identifier Option (NSID), have passed Last Call and are making their way to standard, experimental, or informational requests for comments (RFCs). For complete details, please consult the minutes and/or the WG status tracker.


Scott Rose gave a presentation on the DNAME clarification draft. This document is chartered by the WG to update RFC 2672, and it addresses issues that people have had with the original specification and implementation or operational experience. It also provides a clearer understanding of DNS and aliasing in general. The editors have started an issues tracker and are looking for feedback on the issues.

DNS Hardening

An Internet-Draft was adopted as a work item that explains how resolvers can be made less vulnerable to spoofed DNS responses without adding protocol extensions such as DNSSEC. There were critical remarks about the lack of terminology and missing operational considerations. Several people stepped forward to improve the draft, and it is expected to be ready for Last Call this coming summer.

The 2929bis Template Argument

This is an experiment for allocation of new Resource Record (RR) types. The idea is that a lightweight process – for instance, a recommendation by a designated expert – might be sufficient to decide whether a new Resource Record should be allocated. One lesson learned is that 2929bis needs to be updated in order to establish what is expected of the expert and what the boundaries of the expert are. In addition, it was decided that the process should be reviewed by the Internet Assigned Numbers Authority (IANA) and that the template may still need to be tweaked. Once the experiment has been completed, the area director will schedule it for an evaluation by the Internet Engineering Steering Group (IESG).

Is There a Future for DNSSEC?

Many drafts related to DNSSEC have been completed or are expected to be completed soon. The question is whether the DNSEXT WG should be closed or whether it should live on in some form. Typically, once the work is done, a WG is abandoned. One argument against abandoning the group is that the DNSEXT WG is often asked to comment on proposals done by other groups. Another is that it might be good to have the WG around to help advance the DNSSEC RFCs from proposed standard to the next level: draft standard. There have been cases where a WG is in a dormant state-for instance, the Point-to-Point Protocol (PPP) WG-or, in the case of the provreg WG, has maintained an active mail list for these purposes.


The DNS Operations WG is still very active and in fact ran out of time during the meeting.

Some of the older Internet-Drafts, such as DNS Response Size Issues, are moving forward.

Reverse Mapping

Although lively discussions are still happening in this area, the discussion about the need for reversed mapping is expected to come to some close. The Internet- Draft is expected to be ready soon for WG Last Call.

AS112 in a Box Work Continues

AS112 is the popular term for how to deal with DNS queries that actually shouldn’t happen – such as queries for the reverse mapping of private address space defined in RFC 1918, which managed to escape a local network and make it into the Internet. The project, named after the origin Autonomous System 112, consists of a loosely coupled anycast cloud that responds to these queries to take load off the root name servers. (See for a description.) To date, there is no detailed explanation available for end users or potential contributors. The WG is trying to fill that gap by creating a first document about it. The document “Help, I’m Attacked by” is expected to go to the IESG soon. The need to explain how the current process surrounding the AS112 system actually works was identified.

New Work Items

Now that the WG has reached almost of all its milestones, there is still work to do in DNS operations. First, the management of large and distributed clusters of name servers is becoming more common but currently lacks automated, nonproprietary support for configuration and synchronisation. A similar problem arises for the remote control of DNS secondary servers. The WG is now going to examine the need to address various DNS operational scenarios.

Two ICANN committees – the Root Server System Advisory Committee (RSSAC) and the Security and Stability Advisory Committee (SSAC) – jointly started an investigation earlier this year on how adding AAAA Resource Records for the root name servers would influence the DNS resolver priming process. While their results have been promising, it turned out that the priming process itself – although current practice – isn’t fully specified and poses some questions related to DNSSEC.

Lixia Zhang presented some research on the effect of TTL (time-to-live) values for so-called infrastructure records – name server and address records – on the resolvability of a domain during longer periods of failure. While there is a general trend to treat DNS data more dynamically, there are side effects on both the infrastructure and the leaves in the DNS tree if the feature of caching is defeated by very low TTL values. This will be further investigated by the WG.


The ENUM WG, dealing with the mapping of telephone numbers into the DNS, expected an interesting debate on the future of infrastructure ENUM, a supplement to the core ENUM protocol aimed at providers of telephony services. Just before the IETF meeting there was some confusion about the state of consensus as well as the political implications (for details, refer to Geoff Huston’s excellent article on, but this was resolved at least to the extent that the WG maintained its consensus, and other considerations will be taken into account as appropriate during the evaluation process.

Two other items are remaining for the ENUM WG: in response to various ENUM service registrations and in preparation of a closedown of the WG, guidelines are developed on how to write and review ENUM service specifications.

The second major remaining task is an update of the base ENUM specification, for which a draft has already been published that tries to overcome some of the drawbacks of the Naming Authority Pointer (NAPTR)-based design in response to real-world deployment experiences.

Note: For an in-depth look at DNS infrastructure, see the March 2007 issue of the Internet Protocol Journal at