]> ICANN

paul.hoffman@icann.org

Salesforce

shuque@gmail.com

NLnet Labs

Science Park 400 Amsterdam 1098 XH Netherlands willem@nlnetlabs.nl

Operations and Management Area Domain Name System Operations Internet-Draft DNS Resolver Delegation Revalidation Authoritative Name Server Record NS Parent Child Resource Record Set This document extends the list ranking the trustworthiness of domain name system (DNS) data (see ). The list is extended with entries for root server names and addresses built-in resolvers, and provided via a root hints file with the lowest trustworthiness, as wel as an entry for data which is verifiable DNSSEC secure with the highest trustworthiness. This document furthermore assigns ranked values to the positions of the list for easier reference and comparison of trustworthiness of DNS data. Status information for this document may be found at . Discussion of this document takes place on the DNSOP Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction This draft's intention is currently just to start re-evaluation and re-thinking of about ranking trustworthiness of DNS data.

Trustworthiness values Value Data AAA Data from a primary zone file other than occluded data, and all data that is verifiable DNSSEC secure regardless off were it came from AA Data from a zone transfer other than occluded data A The authoritative data included in the answer section of an authoritative reply A- Data from the authority section of an authoritative answer BBB Occluded data from a primary zone, or occluded data from a zone transfer BB Data from the answer section of a non-authoritative answer, and non-authoritative data from the answer section of authoritative answers B Additional information from an authoritative answer, Data from the authority section of a non-authoritative answer, Additional information from non-authoritative answers. CCC Names and addresses for the root servers from a hints file CC Names and addresses for the root servers built into resolver software

IANA Considerations This document does not require any IANA actions.

Security Considerations The process of replacing RRsets in a resolvers cache with the RRsets with a higher trustworthiness ranking, either passively or pro-actively by explicit querying, is crucial to the security of the DNS.

&RFC2181;

Acknowledgements Thanks to all the people that contributed to the discussion surrounding the re-evaluation of how the trustworthiness of DNS data should be ranked.