rfc6303.txt revision 9b97400166683a5b80bb28e95425237261af1e0f
Internet Engineering Task Force (IETF)                        M. Andrews
Request for Comments: 6303                                           ISC
BCP: 163                                                       July 2011
Category: Best Current Practice
ISSN: 2070-1721


                        Locally Served DNS Zones

Abstract

   Experience with the Domain Name System (DNS) has shown that there are
   a number of DNS zones that all iterative resolvers and recursive
   nameservers should automatically serve, unless configured otherwise.
   RFC 4193 specifies that this should occur for D.F.IP6.ARPA.  This
   document extends the practice to cover the IN-ADDR.ARPA zones for RFC
   1918 address space and other well-known zones with similar
   characteristics.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6303.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Andrews                   Best Current Practice                 [Page 1]

RFC 6303                Locally Served DNS Zones               July 2011

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1. Introduction
      1.1. Reserved Words
   2. Effects on Sites Using RFC 1918 Addresses
   3. Changes to Iterative Resolver Behaviour
   4. Lists Of Zones Covered
      4.1. RFC 1918 Zones
      4.2. RFC 5735 and RFC 5737 Zones
      4.3. Local IPv6 Unicast Addresses
      4.4. IPv6 Locally Assigned Local Addresses
      4.5. IPv6 Link-Local Addresses
      4.6. IPv6 Example Prefix
   5. Zones That Are Out of Scope
   6. IANA Considerations
   7. Security Considerations
   8. Acknowledgements
   9. References
      9.1. Normative References
      9.2. Informative References

1. Introduction

   Experience with the Domain Name System (DNS, [RFC1034] and [RFC1035])
   has shown that there are a number of DNS zones that all iterative
   resolvers and recursive nameservers SHOULD automatically serve,
   unless intentionally configured otherwise.  These zones include, but
   are not limited to, the IN-ADDR.ARPA zones for the address space
   allocated by [RFC1918] and the IP6.ARPA zones for locally assigned
   unique local IPv6 addresses defined in [RFC4193].

   This recommendation is made because data has shown that significant
   leakage of queries for these namespaces is occurring, despite
   instructions to restrict them, and because it has therefore become
   necessary to deploy sacrificial nameservers to protect the immediate
   parent nameservers for these zones from excessive, unintentional
   query load [AS112] [RFC6304] [RFC6305].  There is every expectation
   that the query load will continue to increase unless steps are taken
   as outlined here.

   Additionally, queries from clients behind badly configured firewalls
   that allow outgoing queries for these namespaces, but drop the
   responses, put a significant load on the root servers (forward zones
   but not reverse zones are configured).  They also cause operational
   load for the root server operators, as they have to reply to
   enquiries about why the root servers are "attacking" these clients.
   Changing the default configuration will address all these issues for
   the zones listed in Section 4.

   [RFC4193] recommends that queries for D.F.IP6.ARPA be handled
   locally.  This document extends the recommendation to cover the
   IN-ADDR.ARPA zones for [RFC1918] and other well-known IN-ADDR.ARPA
   and IP6.ARPA zones for which queries should not appear on the public
   Internet.

   It is hoped that by doing this the number of sacrificial servers
   [AS112] will not have to be increased, and may in time be reduced.

   This recommendation should also help DNS responsiveness for sites
   that are using [RFC1918] addresses but do not follow the last
   paragraph in Section 3 of [RFC1918].

1.1. Reserved Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2. Effects on Sites Using RFC 1918 Addresses

   For most sites using [RFC1918] addresses, the changes here will have
   little or no detrimental effect.  If the site does not already have
   the reverse tree populated, the only effect will be that the name
   error responses will be generated locally rather than remotely.

   For sites that do have the reverse tree populated, most will either
   have a local copy of the zones or will be forwarding the queries to
   servers that have local copies of the zone.  Therefore, this
   recommendation will not be relevant.

   The most significant impact will be felt at sites that make use of
   delegations for [RFC1918] addresses and have populated these zones.
   These sites will need to override the default configuration expressed
   in this document to allow resolution to continue.  Typically, such
   sites will be fully disconnected from the Internet and have their own
   root servers for their own non-Internet DNS tree.

3. Changes to Iterative Resolver Behaviour

   Unless configured otherwise, an iterative resolver will now return
   authoritatively (AA=1) name errors (RCODE=3) for queries within the
   zones in Section 4, with the obvious exception of queries for the
   zone name itself where SOA, NS, and "no data" responses will be
   returned as appropriate to the query type.  One common way to do this
   all at once is to serve empty (SOA and NS only) zones.

   An implementation of this recommendation MUST provide a mechanism to
   disable this new behaviour, and SHOULD allow this decision on a
   zone-by-zone basis.

   If using empty zones one SHOULD NOT use the same NS and SOA records
   as used on the public Internet servers, as that will make it harder
   to detect the origin of the responses and thus any leakage to the
   public Internet servers.  It is RECOMMENDED that the NS record
   defaults to the name of the zone and the SOA MNAME defaults to the
   name of the only NS RR's (Resource Record's) target.  The SOA RNAME
   SHOULD default to "nobody.invalid." [RFC2606].  Implementations
   SHOULD provide a mechanism to set these values.  No address records
   need to be provided for the nameserver.

   Below is an example of a generic empty zone in master file format.
   It will produce a negative cache Time to Live (TTL) of 3 hours.

   @ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
   @ 10800 IN NS @

   The SOA RR is needed to support negative caching [RFC2308] of name
   error responses and to point clients to the primary master for DNS
   dynamic updates.

   SOA values of particular importance are the MNAME, the SOA RR's TTL,
   and the negTTL value.  Both TTL values SHOULD match.  The rest of the
   SOA timer values MAY be chosen arbitrarily since they are not
   intended to control any zone transfer activity.

   The NS RR is needed as some UPDATE [RFC2136] clients use NS queries
   to discover the zone to be updated.  Having no address records for
   the nameserver is expected to abort UPDATE processing in the client.

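The Section 3 recommendations turned into a zone check, as an added example that is not part of the RFC text: it parses the two-record form shown above and reports where a zone departs from the recommended defaults, together with the negative cache TTL that results. The function names, finding codes, BAD_ZONE and the name ns.public.example. are constructed for illustration, and the parser only handles one record per line with an explicit TTL and class.

```python
# EMPTY_ZONE is the zone from the text; BAD_ZONE is constructed for contrast.
EMPTY_ZONE = """\
@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
@ 10800 IN NS @
"""

BAD_ZONE = """\
@ 86400 IN SOA ns.public.example. admin.public.example. 1 3600 1200 604800 10800
@ 86400 IN NS ns.public.example.
ns 86400 IN A 192.0.2.53
"""


def absolute(name, origin):
    """Expand '@' and relative names against the zone origin (lower-case, dotted)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Parse 'owner ttl class type rdata...' lines; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        owner, ttl, _klass, rtype, *rdata = fields
        records.append({"owner": absolute(owner, origin), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata})
    return records


def lint_empty_zone(text, origin, public_names=()):
    """Return (findings, negative_cache_ttl) for a candidate empty zone.

    public_names: names used by the public Internet servers for this zone,
    supplied by the caller (an assumption of this example).
    """
    origin = origin.rstrip(".").lower() + "."
    records = parse_zone(text, origin)
    soas = [r for r in records if r["type"] == "SOA" and r["owner"] == origin]
    nss = [r for r in records if r["type"] == "NS" and r["owner"] == origin]
    if len(soas) != 1 or len(nss) != 1:
        return ["need-one-soa-and-one-ns"], None

    findings = []
    # "Empty" means SOA and NS only; no address records for the nameserver.
    if len(records) > 2:
        findings.append("extra-records")

    soa, ns = soas[0], nss[0]
    mname = absolute(soa["rdata"][0], origin)
    rname = absolute(soa["rdata"][1], origin)
    neg_ttl_field = int(soa["rdata"][6])          # SOA MINIMUM, the negTTL
    ns_target = absolute(ns["rdata"][0], origin)

    if ns_target != origin:                       # NS defaults to the zone name
        findings.append("ns-target-not-zone-name")
    if mname != ns_target:                        # MNAME = the only NS target
        findings.append("mname-not-ns-target")
    if rname != "nobody.invalid.":
        findings.append("rname-not-nobody.invalid")
    if soa["ttl"] != neg_ttl_field:               # both TTL values SHOULD match
        findings.append("soa-ttl-negttl-mismatch")

    # Reusing the public servers' names hides where a response came from.
    public = {absolute(n, origin) for n in public_names}
    if {mname, rname, ns_target} & public:
        findings.append("public-server-names-reused")

    # Name errors are cached for min(SOA TTL, SOA MINIMUM) [RFC2308].
    return findings, min(soa["ttl"], neg_ttl_field)


if __name__ == "__main__":
    print(lint_empty_zone(EMPTY_ZONE, "10.IN-ADDR.ARPA"))
    print(lint_empty_zone(BAD_ZONE, "10.IN-ADDR.ARPA",
                          public_names=["ns.public.example."]))
```
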
4. Lists Of Zones Covered

   The following subsections are the initial contents of the IANA
   registry as described in the IANA Considerations section.  Following
   the caveat in that section, the list contains only reverse zones
   corresponding to permanently assigned address space.  The zone name
   is the entity to be registered.

4.1. RFC 1918 Zones

   The following zones correspond to the IPv4 address space reserved in
   [RFC1918].

                       +----------------------+
                       | Zone                 |
                       +----------------------+
                       | 10.IN-ADDR.ARPA      |
                       | 16.172.IN-ADDR.ARPA  |
                       | 17.172.IN-ADDR.ARPA  |
                       | 18.172.IN-ADDR.ARPA  |
                       | 19.172.IN-ADDR.ARPA  |
                       | 20.172.IN-ADDR.ARPA  |
                       | 21.172.IN-ADDR.ARPA  |
                       | 22.172.IN-ADDR.ARPA  |
                       | 23.172.IN-ADDR.ARPA  |
                       | 24.172.IN-ADDR.ARPA  |
                       | 25.172.IN-ADDR.ARPA  |
                       | 26.172.IN-ADDR.ARPA  |
                       | 27.172.IN-ADDR.ARPA  |
                       | 28.172.IN-ADDR.ARPA  |
                       | 29.172.IN-ADDR.ARPA  |
                       | 30.172.IN-ADDR.ARPA  |
                       | 31.172.IN-ADDR.ARPA  |
                       | 168.192.IN-ADDR.ARPA |
                       +----------------------+

4.2. RFC 5735 and RFC 5737 Zones

   The following zones correspond to those address ranges from [RFC5735]
   and [RFC5737] that are not expected to appear as source or
   destination addresses on the public Internet; as such, there are no
   globally unique names associated with the addresses in these ranges.

   The recommendation to serve an empty zone 127.IN-ADDR.ARPA is not an
   attempt to discourage any practice to provide a PTR RR for
   1.0.0.127.IN-ADDR.ARPA locally.  In fact, a meaningful reverse
   mapping should exist, but the exact setup is out of the scope of this
   document.  Similar logic applies to the reverse mapping for ::1
   (Section 4.3).  The recommendations made here simply assume that no
   other coverage for these domains exists.

         +------------------------------+-----------------------+
         | Zone                         | Description           |
         +------------------------------+-----------------------+
         | 0.IN-ADDR.ARPA               | IPv4 "THIS" NETWORK   |
         | 127.IN-ADDR.ARPA             | IPv4 Loopback NETWORK |
         | 254.169.IN-ADDR.ARPA         | IPv4 LINK LOCAL       |
         | 2.0.192.IN-ADDR.ARPA         | IPv4 TEST-NET-1       |
         | 100.51.198.IN-ADDR.ARPA      | IPv4 TEST-NET-2       |
         | 113.0.203.IN-ADDR.ARPA       | IPv4 TEST-NET-3       |
         | 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST        |
         +------------------------------+-----------------------+

4.3. Local IPv6 Unicast Addresses

   The reverse mappings ([RFC3596], Section 2.5 ("IP6.ARPA Domain")) for
   the IPv6 Unspecified (::) and Loopback (::1) addresses ([RFC4291],
   Sections 2.4, 2.5.2, and 2.5.3) are covered by these two zones:

             +-------------------------------------------+
             | Zone                                      |
             +-------------------------------------------+
             | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
             |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
             | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
             |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
             +-------------------------------------------+

   Note: Line breaks and escapes ('\') have been inserted above for
   readability and to adhere to line width constraints.  They are not
   parts of the zone names.

4.4. IPv6 Locally Assigned Local Addresses

   Section 4.4 of [RFC4193] already required special treatment of:

                           +--------------+
                           | Zone         |
                           +--------------+
                           | D.F.IP6.ARPA |
                           +--------------+

4.5. IPv6 Link-Local Addresses

   IPv6 Link-Local Addresses as described in [RFC4291], Section 2.5.6
   are covered by four distinct reverse DNS zones:

                          +----------------+
                          | Zone           |
                          +----------------+
                          | 8.E.F.IP6.ARPA |
                          | 9.E.F.IP6.ARPA |
                          | A.E.F.IP6.ARPA |
                          | B.E.F.IP6.ARPA |
                          +----------------+

af5ad488cbf17988fbd36a25c908737412ccd382Brian Wellington4.6. IPv6 Example Prefix
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington IPv6 example prefix [RFC3849].
af5ad488cbf17988fbd36a25c908737412ccd382Brian Wellington
f317c00e0d5978f29285ea062b34ec73dc419095Brian Wellington +--------------------------+
f317c00e0d5978f29285ea062b34ec73dc419095Brian Wellington |           Zone           |
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington +--------------------------+
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington | 8.B.D.0.1.0.0.2.IP6.ARPA |
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington +--------------------------+
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington Note: 8.B.D.0.1.0.0.2.IP6.ARPA is not being used as an example here.
529ff4b4959fb157194f985394951108ff5286e4Brian Wellington
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington5. Zones That Are Out of Scope
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington IPv6 site-local addresses (deprecated, see [RFC4291] Sections 2.4 and
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington 2.5.7), and IPv6 non-locally assigned local addresses ([RFC4193]) are
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence not covered here.
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence It is expected that IPv6 site-local addresses will be self correcting
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence as IPv6 implementations remove support for site-local addresses.
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence However, sacrificial servers for the zones C.E.F.IP6.ARPA through
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence F.E.F.IP6.ARPA may still need to be deployed in the short term if the
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence traffic becomes excessive.
23f7ed0b0ce02d69a60eae6db0d032157c03c152Brian Wellington
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence For IPv6 non-locally assigned local addresses (L = 0) [RFC4193],
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence there has been no decision made about whether the Regional Internet
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence Registries (RIRs) will provide delegations in this space or not. If
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence they don't, then C.F.IP6.ARPA will need to be added to the list in
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence Section 4.4. If they do, then registries will need to take steps to
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence ensure that nameservers are provided for these addresses.
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence
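Added example, not part of RFC 6303: Python that classifies a query name against the IPv6 zones of Sections 4.4 to 4.6 and the out-of-scope zones of Section 5, then flags queries in locally served zones that a resolver still sent upstream. The log format and the names reverse_name, match_zone and leaked_queries are assumptions made for this example.

```python
import ipaddress

# Sections 4.4-4.6 of this document: zones to be served locally by default.
LOCALLY_SERVED = {
    "D.F.IP6.ARPA": "4.4 locally assigned local addresses",
    "8.E.F.IP6.ARPA": "4.5 link-local",
    "9.E.F.IP6.ARPA": "4.5 link-local",
    "A.E.F.IP6.ARPA": "4.5 link-local",
    "B.E.F.IP6.ARPA": "4.5 link-local",
    "8.B.D.0.1.0.0.2.IP6.ARPA": "4.6 example prefix",
}
# Section 5: zones the document names but does not make locally served.
OUT_OF_SCOPE = {
    "C.E.F.IP6.ARPA": "site-local (deprecated)",
    "D.E.F.IP6.ARPA": "site-local (deprecated)",
    "E.E.F.IP6.ARPA": "site-local (deprecated)",
    "F.E.F.IP6.ARPA": "site-local (deprecated)",
    "C.F.IP6.ARPA": "non-locally assigned local (L = 0)",
}


def reverse_name(address):
    """Absolute reverse-mapping owner name for an IP address."""
    return ipaddress.ip_address(address).reverse_pointer.upper() + "."


def match_zone(qname):
    """Return (zone, status, note) for the closest enclosing listed zone.

    Matching is case-insensitive and on whole labels, so a malformed name
    such as XD.F.IP6.ARPA does not match D.F.IP6.ARPA. Returns None when
    the name is under none of the zones above.
    """
    labels = qname.rstrip(".").upper().split(".")
    for i in range(len(labels)):  # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in LOCALLY_SERVED:
            return candidate, "locally-served", LOCALLY_SERVED[candidate]
        if candidate in OUT_OF_SCOPE:
            return candidate, "out-of-scope", OUT_OF_SCOPE[candidate]
    return None


def leaked_queries(log_lines):
    """Queries under locally served zones that were still sent upstream."""
    leaks = []
    for line in log_lines:
        qname, qtype, disposition = line.split()
        hit = match_zone(qname)
        if hit and hit[1] == "locally-served" and disposition == "upstream":
            leaks.append((qname, qtype, hit[0]))
    return leaks


# Constructed sample log, one "<qname> <qtype> <local|upstream>" per line
# (hypothetical format; adapt the split to the resolver's real query log).
SAMPLE_LOG = [
    f"{reverse_name('fe80::1')} PTR upstream",
    f"{reverse_name('fd12:3456::1')} PTR local",
    f"{reverse_name('2001:db8::53')} PTR upstream",
    f"{reverse_name('fec0::1')} PTR upstream",
    "WWW.EXAMPLE.COM. A upstream",
]

if __name__ == "__main__":
    for qname, qtype, zone in leaked_queries(SAMPLE_LOG):
        print(f"leak: {qtype} {qname} is under {zone}")
```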
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence
9ceaa92a8ca8a0270ba296d44599e94d95033759Andreas Gustafsson IP6.INT was once used to provide reverse mapping for IPv6. IP6.INT
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson was deprecated in [RFC4159] and the delegation removed from the INT
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson zone in June 2006. While it is possible that legacy software
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson continues to send queries for names under the IP6.INT domain, this
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson document does not specify that IP6.INT be considered a local zone.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson This document has also deliberately ignored names immediately under
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson the root domain. While there is a subset of queries to the root
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson nameservers that could be addressed using the techniques described
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson here (e.g., .local, .workgroup, and IPv4 addresses), there is also a
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson vast amount of traffic that requires a different strategy (e.g.,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson lookups for unqualified hostnames, IPv6 addresses).
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson6. IANA Considerations
1706598239da403b86f4befa4c08175d9e101014Andreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson IANA has established a registry of zones that require this default
ea31416b4fcdf23732355a8002f93f29e3b3d2dbAndreas Gustafsson behaviour. The initial contents of this registry are defined in
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Section 4. Implementors are encouraged to periodically check this
971d1fe83172bce09d6319c5735d243d68d8cb47Andreas Gustafsson registry and adjust their implementations to reflect changes therein.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson This registry can be amended through "IETF Review" as per [RFC5226].
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson As part of this review process, it should be noted that once a zone
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson is added it is effectively added permanently; once an address range
1706598239da403b86f4befa4c08175d9e101014Andreas Gustafsson starts being configured as a local zone in systems on the Internet,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson it will be impossible to reverse those changes.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson IANA should coordinate with the RIRs to ensure that, as DNS Security
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson (DNSSEC) is deployed in the reverse tree, delegations for these zones
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington are made in the manner described in Section 7.
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson7. Security Considerations
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington During the initial deployment phase, particularly where [RFC1918]
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington addresses are in use, there may be some clients that unexpectedly
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington receive a name error rather than a PTR record. This may cause some
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington service disruption until their recursive nameserver(s) have been
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington re-configured.
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington namespaces, the zones listed above will need to be delegated as
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington insecure delegations, or be within insecure zones. This will allow
c356cd618dacb13d47ee9bee78d22a9802d4645eBrian Wellington DNSSEC validation to succeed for queries in these spaces despite not
1706598239da403b86f4befa4c08175d9e101014Andreas Gustafsson being answered from the delegated servers.
566a01eb745d49bd866971062388cd11d525b60dDavid Lawrence
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson It is recommended that sites actively using these namespaces secure
ce7994d137a013133e874b92604183923267fc94Brian Wellington them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence anchors. This will protect the clients from accidental import of
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence unsigned responses from the Internet.
ce7994d137a013133e874b92604183923267fc94Brian Wellington
489b76292622f5bc18bf1a18845f8166a73bd797Brian Wellington8. Acknowledgements
2271edc0b4ba96e69a283eced420b94ffb678beeBrian Wellington
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson This work was supported by the US National Science Foundation
2271edc0b4ba96e69a283eced420b94ffb678beeBrian Wellington (research grant SCI-0427144) and DNS-OARC.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson9. References
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson9.1. Normative References
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson STD 13, RFC 1034, November 1987.
7005cfed8cd3296d356883dcb414979f22e06b13Brian Wellington
489b76292622f5bc18bf1a18845f8166a73bd797Brian Wellington [RFC1035] Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
489b76292622f5bc18bf1a18845f8166a73bd797Brian Wellington SPECIFICATION", STD 13, RFC 1035, November 1987.
489b76292622f5bc18bf1a18845f8166a73bd797Brian Wellington
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson and E. Lear, "Address Allocation for Private Internets",
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson BCP 5, RFC 1918, February 1996.
9ceaa92a8ca8a0270ba296d44599e94d95033759Andreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Requirement Levels", BCP 14, RFC 2119, March 1997.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson "Dynamic Updates in the Domain Name System (DNS UPDATE)",
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson RFC 2136, April 1997.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
fa280ff02ad0c29616a0c3a22ef02cbb3f6db7efDavid Lawrence [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson NCACHE)", RFC 2308, March 1998.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC2606] Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
fa280ff02ad0c29616a0c3a22ef02cbb3f6db7efDavid Lawrence Names", BCP 32, RFC 2606, June 1999.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson "DNS Extensions to Support IP Version 6", RFC 3596,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson October 2003.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Rose, "Protocol Modifications for the DNS Security
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Extensions", RFC 4035, March 2005.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC4159] Huston, G., "Deprecation of "ip6.int"", BCP 109, RFC 4159,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson August 2005.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Addresses", RFC 4193, October 2005.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Architecture", RFC 4291, February 2006.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson IANA Considerations Section in RFCs", BCP 26, RFC 5226,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson May 2008.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson9.2. Informative References
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [AS112] "AS112 Project", <http://www.as112.net/>.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Reserved for Documentation", RFC 3849, July 2004.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson BCP 153, RFC 5735, January 2010.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Reserved for Documentation", RFC 5737, January 2010.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC6304] Abley, J. and W. Maton, "AS112 Nameserver Operations",
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson RFC 6304, July 2011.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson [RFC6305] Abley, J. and W. Maton, "I'm Being Attacked by
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson PRISONER.IANA.ORG!", RFC 6305, July 2011.
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas GustafssonAuthor's Address
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence Mark P. Andrews
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Internet Systems Consortium
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson 950 Charter Street
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson Redwood City, CA 94063
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson US
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson EMail: marka@isc.org