DNS Resolver Information Key for DNSSEC validation
Afnic
7 avenue du 8 mai 1945
Guyancourt
78280
FR
bortzmeyer+ietf@nic.fr
https://www.afnic.fr/
General
Internet Engineering Task Force
DNS DNSSEC RESINFO
This document is the specification of a DNS Resolver
Information Key for DNSSEC validation, "dnssecval".
Introduction
RFC 9606 created a DNS record type RESINFO to
allow resolvers to publish information about their capabilities
and policies. This information is encoded as {key, value}
pairs. Keys are in an IANA registry and this specification adds
a new key, to indicate that the resolver validates with DNSSEC .
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14
when, and only when, they appear in
all capitals, as shown here.
The key
The name of the key is "dnssecval", for "DNSSEC validating
[resolver]". The presence of this key indicates that the DNS resolver
validates all answers with DNSSEC . Note
that, per the rules for the keys defined in Section 6.4 of
if there is no '=' in a key, then it is a boolean attribute, simply
identified as being present, with no value.
The resolver which announces this capability in a RESINFO
record MAY add DNSSEC-specific EDE (Extended DNS Error Codes,
) to the value of the "exterr" key.
IANA Considerations
IANA is requested to add "dnssecval" and a reference to this
document to the registry "DNS Resolver Information Keys".
Security Considerations
DNSSEC is a very important tool for the security of the DNS
and therefore it is important for users to know in advance if
the resolver they consider supports DNSSEC or not. It would be
better to assume that every resolver validates (thus rendering
this document useless) but it is not the case today.
As with any information published in the DNS, the key in the
RESINFO may be wrong or outdated. They should be regarded with care.
References
Normative References
Informative References
Acknowledgements
My cat did nothing to help.