draft-wessels-dns-zone-digest-03.txt   draft-wessels-dns-zone-digest-04.txt 
Internet Engineering Task Force D. Wessels Internet Engineering Task Force D. Wessels
Internet-Draft P. Barber Internet-Draft P. Barber
Intended status: Experimental M. Weinberg Intended status: Experimental M. Weinberg
Expires: April 12, 2019 Verisign Expires: April 25, 2019 Verisign
W. Kumari W. Kumari
Google Google
W. Hardaker W. Hardaker
USC/ISI USC/ISI
October 9, 2018 October 22, 2018
Message Digest for DNS Zones Message Digest for DNS Zones
draft-wessels-dns-zone-digest-03 draft-wessels-dns-zone-digest-04
Abstract Abstract
This document describes an experimental protocol and new DNS Resource This document describes an experimental protocol and new DNS Resource
Record that can be used to provide an message digest over DNS zone Record that can be used to provide an message digest over DNS zone
data. The ZONEMD Resource Record conveys the message digest data in data. The ZONEMD Resource Record conveys the message digest data in
the zone itself. When a zone publisher includes an ZONEMD record, the zone itself. When a zone publisher includes an ZONEMD record,
recipients can verify the zone contents for accuracy and recipients can verify the zone contents for accuracy and
completeness. This provides assurance that received zone data completeness. This provides assurance that received zone data
matches published data, regardless of how the zone data has been matches published data, regardless of how the zone data has been
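Review bot: The abstract still reads "provide an message digest" and "includes an ZONEMD record" in -04, carried over unchanged from -03. Suggest "a message digest" and "a ZONEMD record" while the front matter is being touched for the version bump.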
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 12, 2019. This Internet-Draft will expire on April 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 32 skipping to change at page 2, line 32
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Motivation . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Motivation . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Design Overview . . . . . . . . . . . . . . . . . . . . . 5 1.2. Design Overview . . . . . . . . . . . . . . . . . . . . . 5
1.3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 6 1.3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3.1. Root Zone . . . . . . . . . . . . . . . . . . . . . . 6 1.3.1. Root Zone . . . . . . . . . . . . . . . . . . . . . . 6
1.3.2. Providers, Secondaries, and Anycast . . . . . . . . . 6 1.3.2. Providers, Secondaries, and Anycast . . . . . . . . . 6
1.3.3. Response Policy Zones . . . . . . . . . . . . . . . . 6 1.3.3. Response Policy Zones . . . . . . . . . . . . . . . . 7
1.3.4. Centralized Zone Data Service . . . . . . . . . . . . 7 1.3.4. Centralized Zone Data Service . . . . . . . . . . . . 7
1.3.5. General Purpose Comparison Check . . . . . . . . . . 7 1.3.5. General Purpose Comparison Check . . . . . . . . . . 7
1.4. Requirements Language . . . . . . . . . . . . . . . . . . 7 1.4. Requirements Language . . . . . . . . . . . . . . . . . . 7
2. The ZONEMD Resource Record . . . . . . . . . . . . . . . . . 7 2. The ZONEMD Resource Record . . . . . . . . . . . . . . . . . 7
2.1. ZONEMD RDATA Wire Format . . . . . . . . . . . . . . . . 7 2.1. ZONEMD RDATA Wire Format . . . . . . . . . . . . . . . . 8
2.1.1. The Serial Field . . . . . . . . . . . . . . . . . . 8 2.1.1. The Serial Field . . . . . . . . . . . . . . . . . . 8
2.1.2. The Digest Type Field . . . . . . . . . . . . . . . . 8 2.1.2. The Digest Type Field . . . . . . . . . . . . . . . . 8
2.1.3. The Reserved Field . . . . . . . . . . . . . . . . . 8 2.1.3. The Reserved Field . . . . . . . . . . . . . . . . . 9
2.1.4. The Digest Field . . . . . . . . . . . . . . . . . . 9 2.1.4. The Digest Field . . . . . . . . . . . . . . . . . . 9
2.2. ZONEMD Presentation Format . . . . . . . . . . . . . . . 9 2.2. ZONEMD Presentation Format . . . . . . . . . . . . . . . 9
2.3. ZONEMD Example . . . . . . . . . . . . . . . . . . . . . 9 2.3. ZONEMD Example . . . . . . . . . . . . . . . . . . . . . 9
3. Calculating the Digest . . . . . . . . . . . . . . . . . . . 9 3. Calculating the Digest . . . . . . . . . . . . . . . . . . . 9
3.1. Canonical Format and Ordering . . . . . . . . . . . . . . 9 3.1. Canonical Format and Ordering . . . . . . . . . . . . . . 9
3.1.1. Order of RRsets Having the Same Owner Name . . . . . 10 3.1.1. Order of RRsets Having the Same Owner Name . . . . . 10
3.1.2. Special Considerations for SOA RRs . . . . . . . . . 10 3.1.2. Special Considerations for SOA RRs . . . . . . . . . 10
3.2. Add ZONEMD Placeholder . . . . . . . . . . . . . . . . . 10 3.2. Add ZONEMD Placeholder . . . . . . . . . . . . . . . . . 10
3.3. Optionally Sign the Zone . . . . . . . . . . . . . . . . 10 3.3. Optionally Sign the Zone . . . . . . . . . . . . . . . . 11
3.4. Calculate the Digest . . . . . . . . . . . . . . . . . . 11 3.4. Calculate the Digest . . . . . . . . . . . . . . . . . . 11
3.4.1. Inclusion/Exclusion Rules . . . . . . . . . . . . . . 11 3.4.1. Inclusion/Exclusion Rules . . . . . . . . . . . . . . 11
3.5. Update ZONEMD RR . . . . . . . . . . . . . . . . . . . . 11 3.5. Update ZONEMD RR . . . . . . . . . . . . . . . . . . . . 12
4. Verifying Zone Message Digest . . . . . . . . . . . . . . . . 12 4. Verifying Zone Message Digest . . . . . . . . . . . . . . . . 12
5. Scope of Experimentation . . . . . . . . . . . . . . . . . . 13 5. Scope of Experimentation . . . . . . . . . . . . . . . . . . 13
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
6.1. ZONEMD RRtype . . . . . . . . . . . . . . . . . . . . . . 13 6.1. ZONEMD RRtype . . . . . . . . . . . . . . . . . . . . . . 13
6.2. ZONEMD Digest Type . . . . . . . . . . . . . . . . . . . 13 6.2. ZONEMD Digest Type . . . . . . . . . . . . . . . . . . . 14
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14
7.1. Attacks Against the Zone Digest . . . . . . . . . . . . . 13 7.1. Attacks Against the Zone Digest . . . . . . . . . . . . . 14
7.2. Attacks Utilizing the Zone Digest . . . . . . . . . . . . 14 7.2. Attacks Utilizing the Zone Digest . . . . . . . . . . . . 14
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 14 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 14
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
10. Implementation Status . . . . . . . . . . . . . . . . . . . . 14 10. Implementation Status . . . . . . . . . . . . . . . . . . . . 15
10.1. Authors' Implementation . . . . . . . . . . . . . . . . 14 10.1. Authors' Implementation . . . . . . . . . . . . . . . . 15
10.2. Shane Kerr's Implementation . . . . . . . . . . . . . . 15 10.2. Shane Kerr's Implementation . . . . . . . . . . . . . . 15
11. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 15 11. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 16
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
12.1. Normative References . . . . . . . . . . . . . . . . . . 17 12.1. Normative References . . . . . . . . . . . . . . . . . . 17
12.2. Informative References . . . . . . . . . . . . . . . . . 18 12.2. Informative References . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 Appendix A. Example Zones With Digests . . . . . . . . . . . . . 20
A.1. Simple EXAMPLE Zone . . . . . . . . . . . . . . . . . . . 20
A.2. The uri.arpa Zone . . . . . . . . . . . . . . . . . . . . 21
A.3. The ROOT-SERVERS.NET Zone with SHA384 . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction 1. Introduction
In the DNS, a zone is the collection of authoritative resource In the DNS, a zone is the collection of authoritative resource
records (RRs) sharing a common origin ([RFC7719]). Zones are often records (RRs) sharing a common origin ([RFC7719]). Zones are often
stored as files on disk in the so-called master file format stored as files on disk in the so-called master file format
[RFC1034]. Zones are generally distributed between name servers [RFC1034]. Zones are generally distributed between name servers
using the AXFR [RFC5936], and IXFR [RFC1995] protocols. Zone files using the AXFR [RFC5936], and IXFR [RFC1995] protocols. Zone files
can also be distributed outside of the DNS, with such protocols as can also be distributed outside of the DNS, with such protocols as
FTP, HTTP, rsync, and even via email. Currently there is no standard FTP, HTTP, rsync, and even via email. Currently there is no standard
skipping to change at page 9, line 32 skipping to change at page 9, line 38
integer. integer.
The Digest MUST be represented as a sequence of case-insensitive The Digest MUST be represented as a sequence of case-insensitive
hexadecimal digits. Whitespace is allowed within the hexadecimal hexadecimal digits. Whitespace is allowed within the hexadecimal
text. text.
2.3. ZONEMD Example 2.3. ZONEMD Example
The following example shows a ZONEMD RR. The following example shows a ZONEMD RR.
example.com. 86400 IN ZONEMD ( 2018031500 4 0 FEBE3D4CE2EC2FFA4BA9 example.com. 86400 IN ZONEMD 2018031500 4 0 (
9D46CD69D6D29711E552 FEBE3D4CE2EC2FFA4BA99D46CD69D6D29711E55217057BEE
17057BEE7EB1A7B641A4 7EB1A7B641A47BA7FED2DD5B97AE499FAFA4F22C6BD647DE )
7BA7FED2DD5B97AE499F
AFA4F22C6BD647DE )
3. Calculating the Digest 3. Calculating the Digest
3.1. Canonical Format and Ordering 3.1. Canonical Format and Ordering
Calculation of the zone digest REQUIRES the RRs in a zone to be Calculation of the zone digest REQUIRES the RRs in a zone to be
processed in a consistent format and ordering. Correct ordering of processed in a consistent format and ordering. Correct ordering of
the zone depends on (1) ordering of owner names in the zone, (2) the zone depends on (1) ordering of owner names in the zone, (2)
ordering of RRsets with the same owner name, and (3) ordering of RRs ordering of RRsets with the same owner name, and (3) ordering of RRs
within an RRset. within an RRset.
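Review bot: The reformatted example in 2.3 shows digest type 4 with 96 hexadecimal digits but never names the algorithm; only the title of A.3 ("with SHA384") ties type 4 to SHA384. Suggest adding the algorithm name in the sentence introducing the example, the way A.1 does with "digest type 2 (SHA256)". The example also uses uppercase hex while the new appendix uses lowercase; both are permitted by the "case-insensitive" rule above, but one convention across the document would read better.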
skipping to change at page 10, line 30 skipping to change at page 10, line 35
Additionally, per established practices, the SOA record is generally Additionally, per established practices, the SOA record is generally
the first record in a zone file. However, according to the the first record in a zone file. However, according to the
requirement to sort RRsets with the same owner name by type, the SOA requirement to sort RRsets with the same owner name by type, the SOA
RR (type value 6) will not be first in the digest calculation. The RR (type value 6) will not be first in the digest calculation. The
zone's NS RRset (type value 2) at the apex MUST be processed before zone's NS RRset (type value 2) at the apex MUST be processed before
the SOA RR. the SOA RR.
3.2. Add ZONEMD Placeholder 3.2. Add ZONEMD Placeholder
In preparation for calculating the zone digest, any existing ZONEMD In preparation for calculating the zone digest, any existing ZONEMD
record MUST first be deleted from the zone. record at the zone apex MUST first be deleted.
FOR DISCUSSION: Should non-apex ZONEMD records be allowed in a zone?
Or forbidden?
Prior to calculation of the digest, and prior to signing with DNSSEC, Prior to calculation of the digest, and prior to signing with DNSSEC,
a placeholder ZONEMD record MUST be added to the zone. This serves a placeholder ZONEMD record MUST be added to the zone apex. This
two purposes: (1) it allows the digest to cover the Serial, Reserved, serves two purposes: (1) it allows the digest to cover the Serial,
and Digest Type field values, and (2) ensures that appropriate Reserved, and Digest Type field values, and (2) ensures that
denial-of-existence (NSEC, NSEC3) records are created if the zone is appropriate denial-of-existence (NSEC, NSEC3) records are created if
signed with DNSSEC. the zone is signed with DNSSEC.
It is RECOMMENDED that the TTL of the ZONEMD record match the TTL of It is RECOMMENDED that the TTL of the ZONEMD record match the TTL of
the SOA. the SOA.
In the placeholder record, the Serial field MUST be set to the In the placeholder record, the Serial field MUST be set to the
current SOA Serial. The Digest Type field MUST be set to the value current SOA Serial. The Digest Type field MUST be set to the value
for the chosen digest algorithm. The Digest field MUST be set to all for the chosen digest algorithm. The Digest field MUST be set to all
zeroes and of length appropriate for the chosen digest algorithm. zeroes and of length appropriate for the chosen digest algorithm.
3.3. Optionally Sign the Zone 3.3. Optionally Sign the Zone
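Review bot: The new wording in 3.2 deletes only an "existing ZONEMD record at the zone apex", yet the added FOR DISCUSSION note leaves non-apex ZONEMD RRs undecided, so neither publisher nor verifier has a rule for them. Since 3.4.1 says "All records in the zone including glue records MUST be included", suggest stating explicitly that a non-apex ZONEMD RR is treated as ordinary zone data and fed into the digest, or forbidding it outright, before the discussion note is removed. The phrase "any existing ZONEMD record" is also singular, while step 4 of Section 4 anticipates more than one apex ZONEMD RR; "all existing apex ZONEMD records" would be clearer.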
skipping to change at page 11, line 36 skipping to change at page 11, line 44
o All records in the zone including glue records MUST be included. o All records in the zone including glue records MUST be included.
o More than one SOA MUST NOT be included. o More than one SOA MUST NOT be included.
o The placeholder ZONEMD RR MUST be included. o The placeholder ZONEMD RR MUST be included.
o If the zone is signed, DNSSEC RRs MUST be included, except: o If the zone is signed, DNSSEC RRs MUST be included, except:
o The RRSIG covering ZONEMD MUST NOT be included. o The RRSIG covering ZONEMD MUST NOT be included.
FOR DISCUSSION: Ambiguities about records that are in/out of zone. FOR DISCUSSION: How should the protocol handle occluded data? A
For example, see Jinmei message to dnsop 2018-06-01 and followups. DNAME/NS record can occlude existing data, technically making it out-
BIND will load and AXFR data "occluded" by DNAME/NS. of-zone. However, BIND (and others) will load and AXFR such occluded
data.
3.5. Update ZONEMD RR 3.5. Update ZONEMD RR
Once the zone digest has been calculated, its value is then copied to Once the zone digest has been calculated, its value is then copied to
the Digest field of the ZONEMD record. the Digest field of the ZONEMD record.
If the zone is signed with DNSSEC, the appropriate RRSIG records If the zone is signed with DNSSEC, the appropriate RRSIG records
covering the ZONEMD record MUST then be added or updated. Because covering the ZONEMD record MUST then be added or updated. Because
the ZONEMD placeholder was added prior to signing, the zone will the ZONEMD placeholder was added prior to signing, the zone will
already have the appropriate denial-of-existence (NSEC, NSEC3) already have the appropriate denial-of-existence (NSEC, NSEC3)
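Review bot: The reworded FOR DISCUSSION note on occluded data drops the -03 pointer to the dnsop thread ("Jinmei message to dnsop 2018-06-01 and followups") and still leaves the behaviour unspecified. The note itself says BIND and others will load and AXFR occluded data, so a publisher and a verifier that disagree on whether those records are in the zone will compute different digests over the same transfer; suggest picking one rule and keeping the thread reference until the question is closed. The bullet "The placeholder ZONEMD RR MUST be included" was also not updated with the "apex" qualifier that 3.2 gained.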
skipping to change at page 12, line 21 skipping to change at page 12, line 32
The recipient of a zone that has a message digest record can verify The recipient of a zone that has a message digest record can verify
the zone by calculating the digest as follows: the zone by calculating the digest as follows:
1. The verifier SHOULD first determine whether or not to expect 1. The verifier SHOULD first determine whether or not to expect
DNSSEC records in the zone. This can be done by examining DNSSEC records in the zone. This can be done by examining
locally configured trust anchors, or querying for (and locally configured trust anchors, or querying for (and
validating) DS RRs in the parent zone. For zones that are validating) DS RRs in the parent zone. For zones that are
provably unsigned, digest validation continues at step 4 below. provably unsigned, digest validation continues at step 4 below.
2. For zones that are provably signed, the existence of the ZONEMD 2. For zones that are provably signed, the existence of the apex
record MUST be verified. If the ZONEMD record provably does not ZONEMD record MUST be verified. If the ZONEMD record provably
exist, digest verification cannot be done. If the ZONEMD record does not exist, digest verification cannot be done. If the
does provably exist, but is not found in the zone, digest ZONEMD record does provably exist, but is not found in the zone,
verification MUST NOT be considered successful. digest verification MUST NOT be considered successful.
3. For zones that are provably signed, the SOA RR and ZONEMD RR(set) 3. For zones that are provably signed, the SOA RR and ZONEMD RR(set)
MUST have valid signatures, chaining up to a trust anchor. If MUST have valid signatures, chaining up to a trust anchor. If
DNSSEC validation of the SOA or ZONEMD records fails, digest DNSSEC validation of the SOA or ZONEMD records fails, digest
verification MUST NOT be considered successful. verification MUST NOT be considered successful.
4. If the zone contains more than one ZONEMD RR, digest verification 4. If the zone contains more than one apex ZONEMD RR, digest
MUST NOT be considered successful. verification MUST NOT be considered successful.
5. The SOA Serial field MUST exactly match the ZONEMD Serial field. 5. The SOA Serial field MUST exactly match the ZONEMD Serial field.
If the fields to not match, digest verification MUST NOT be If the fields to not match, digest verification MUST NOT be
considered successful. considered successful.
6. The ZONEMD Digest Type field MUST be checked. If the verifier 6. The ZONEMD Digest Type field MUST be checked. If the verifier
does not support the given digest type, it SHOULD report that the does not support the given digest type, it SHOULD report that the
zone digest could not be verified due to an unsupported zone digest could not be verified due to an unsupported
algorithm. algorithm.
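Review bot: Steps 2 and 4 now say "apex ZONEMD", but step 3 ("ZONEMD RR(set)") and step 5 ("ZONEMD Serial field") were left unqualified, so the list is inconsistent about which record is meant; suggest adding "apex" there too. Step 5 still carries the typo "If the fields to not match" from -03, which should read "do not match". Step 6 only says the verifier SHOULD report an unsupported digest type; unlike steps 2 to 5 it does not say that verification MUST NOT be considered successful, and it would be safer to state that outcome explicitly.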
skipping to change at page 13, line 23 skipping to change at page 13, line 34
evaluate to the methods defined in this document, particularly with evaluate to the methods defined in this document, particularly with
regard to the wide variety of DNS zones in use on the Internet. regard to the wide variety of DNS zones in use on the Internet.
Additionally, the ZONEMD record defined in this document includes a Additionally, the ZONEMD record defined in this document includes a
Reserved field. The authors have a particular future use in mind for Reserved field. The authors have a particular future use in mind for
this field, namely to support efficient digests in large, dynamic this field, namely to support efficient digests in large, dynamic
zones. We intend to conduct future experiments using Merkle trees of zones. We intend to conduct future experiments using Merkle trees of
varying depth. The choice of tree depth can be encoded in this varying depth. The choice of tree depth can be encoded in this
reserved field. reserved field.
FOR DISCUSSION: The authors are willing to remove the Reserved field
from this specification if the working group would prefer it. It
would mean, however, that a future version of this protocol designed
to efficiently support large, dynamic zones would most likely require
a new RR type.
The duration of the experiment is expected to be no less than two The duration of the experiment is expected to be no less than two
years from the publication of this document. If the experiment is years from the publication of this document. If the experiment is
successful, it is expected that the findings of the experiment will successful, it is expected that the findings of the experiment will
result in an updated document for Standards Track approval. result in an updated document for Standards Track approval.
6. IANA Considerations 6. IANA Considerations
6.1. ZONEMD RRtype 6.1. ZONEMD RRtype
This document uses a new DNS RR type, ZONEMD, whose value TBD has This document uses a new DNS RR type, ZONEMD, whose value TBD has
skipping to change at page 17, line 5 skipping to change at page 17, line 26
o Gave ZONEMD digest types their own status, separate from DS digest o Gave ZONEMD digest types their own status, separate from DS digest
types. Request IANA to create a registry. types. Request IANA to create a registry.
o Added Reserved field for future work supporting dynamic updates. o Added Reserved field for future work supporting dynamic updates.
o Be more rigorous about having just ONE ZONEMD record in the zone. o Be more rigorous about having just ONE ZONEMD record in the zone.
o Expanded use cases. o Expanded use cases.
From -03 to -04:
o Added an appendix with example zones and digests.
o Clarified that only apex ZONEMD RRs shall be processed.
12. References 12. References
12.1. Normative References 12.1. Normative References
[iana-ds-digest-types] [iana-ds-digest-types]
IANA, "Delegation Signer (DS) Resource Record (RR) Type IANA, "Delegation Signer (DS) Resource Record (RR) Type
Digest Algorithms", April 2012, Digest Algorithms", April 2012,
<https://www.iana.org/assignments/ds-rr-types/ <https://www.iana.org/assignments/ds-rr-types/
ds-rr-types.xhtml>. ds-rr-types.xhtml>.
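Review bot: The change log entry "Clarified that only apex ZONEMD RRs shall be processed" overstates what -04 does, because 3.2 in the same revision adds an open FOR DISCUSSION item asking whether non-apex ZONEMD records are allowed or forbidden. Suggest wording it as a partial clarification, and also listing the other -04 changes visible in this diff: the reformatted example in 2.3, the reworded occluded-data note in 3.4.1, and the new discussion note on the Reserved field.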
skipping to change at page 20, line 5 skipping to change at page 20, line 33
[RPZ] Vixie, P. and V. Schryver, "DNS Response Policy Zones [RPZ] Vixie, P. and V. Schryver, "DNS Response Policy Zones
(RPZ)", draft-vixie-dnsop-dns-rpz-00 (work in progress), (RPZ)", draft-vixie-dnsop-dns-rpz-00 (work in progress),
June 2018, <https://tools.ietf.org/html/ June 2018, <https://tools.ietf.org/html/
draft-vixie-dnsop-dns-rpz-00>. draft-vixie-dnsop-dns-rpz-00>.
[ZoneDigestHackathon] [ZoneDigestHackathon]
Kerr, S., "Prototype implementation of ZONEMD for the IETF Kerr, S., "Prototype implementation of ZONEMD for the IETF
102 hackathon in Python", July 2018, 102 hackathon in Python", July 2018,
<https://github.com/shane-kerr/ZoneDigestHackathon>. <https://github.com/shane-kerr/ZoneDigestHackathon>.
Appendix A. Example Zones With Digests
This appendex contains example zone files with accurate ZONEMD
records. These can be used to verify an implementation of the zone
digest protocol.
A.1. Simple EXAMPLE Zone
Here, the EXAMPLE zone contains an SOA record, NS and glue records,
and a ZONEMD record for digest type 2 (SHA256).
example. 86400 IN SOA ns1 admin 2018031900 (
1800 900 604800 86400 )
86400 IN NS ns1
86400 IN NS ns2
86400 IN ZONEMD 2018031900 2 0 (
2d1dc6806312e79b
a86e64bad290e1c1
61f4ee8cb9d490e9
5a00d1e686b12826 )
ns1 3600 IN A 127.0.0.1
ns2 3600 IN AAAA ::1
A.2. The uri.arpa Zone
The URI.ARPA zone retreived 2018-10-21.
; <<>> DiG 9.9.4 <<>> @lax.xfr.dns.icann.org uri.arpa axfr
; (2 servers found)
;; global options: +cmd
uri.arpa. 3600 IN SOA sns.dns.icann.org. (
noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 )
uri.arpa. 3600 IN RRSIG NSEC 8 2 3600 (
20181028142623 20181007205525 47155 uri.arpa.
eEC4w/oXLR1Epwgv4MBiDtSBsXhqrJVvJWUpbX8XpetAvD35bxwNCUTi
/pAJVUXefegWeiriD2rkTgCBCMmn7YQIm3gdR+HjY/+o3BXNQnz97f+e
HAE9EDDzoNVfL1PyV/2fde9tDeUuAGVVwmD399NGq9jWYMRpyri2kysr q/g= )
uri.arpa. 86400 IN RRSIG NS 8 2 86400 (
20181028172020 20181007175821 47155 uri.arpa.
ATyV2A2A8ZoggC+68u4GuP5MOUuR+2rr3eWOkEU55zAHld/7FiBxl4ln
4byJYy7NudUwlMOEXajqFZE7DVl8PpcvrP3HeeGaVzKqaWj+aus0jbKF
Bsvs2b1qDZemBfkz/IfAhUTJKnto0vSUicJKfItu0GjyYNJCz2CqEuGD Wxc= )
uri.arpa. 600 IN RRSIG MX 8 2 600 (
20181028170556 20181007175821 47155 uri.arpa.
e7/r3KXDohX1lyVavetFFObp8fB8aXT76HnN9KCQDxSnSghNM83UQV0t
lTtD8JVeN1mCvcNFZpagwIgB7XhTtm6Beur/m5ES+4uSnVeS6Q66HBZK
A3mR95IpevuVIZvvJ+GcCAQpBo6KRODYvJ/c/ZG6sfYWkZ7qg/Em5/+3 4UI= )
uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 (
20181028152832 20181007175821 15796 uri.arpa.
nzpbnh0OqsgBBP8St28pLvPEQ3wZAUdEBuUwil+rtjjWlYYiqjPxZ286
XF4Rq1usfV5x71jZz5IqswOaQgia91ylodFpLuXD6FTGs2nXGhNKkg1V
chHgtwj70mXU72GefVgo8TxrFYzxuEFP5ZTP92t97FVWVVyyFd86sbbR
6DZj3uA2wEvqBVLECgJLrMQ9Yy7MueJl3UA4h4E6zO2JY9Yp0W9woq0B
dqkkwYTwzogyYffPmGAJG91RJ2h6cHtFjEZe2MnaY2glqniZ0WT9vXXd
uFPm0KD9U77Ac+ZtctAF9tsZwSdAoL365E2L1usZbA+K0BnPPqGFJRJk
5R0A1w== )
uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 (
20181028152832 20181007175821 55480 uri.arpa.
lWtQV/5szQjkXmbcD47/+rOW8kJPksRFHlzxxmzt906+DBYyfrH6uq5X
nHvrUlQO6M12uhqDeL+bDFVgqSpNy+42/OaZvaK3J8EzPZVBHPJykKMV
63T83aAiJrAyHzOaEdmzLCpalqcEE2ImzlLHSafManRfJL8Yuv+JDZFj
2WDWfEcUuwkmIZWX11zxp+DxwzyUlRl7x4+ok5iKZWIg5UnBAf6B8T75
WnXzlhCw3F2pXI0a5LYg71L3Tp/xhjN6Yy9jGlIRf5BjB59X2zra3a2R
PkI09SSnuEwHyF1mDaV5BmQrLGRnCjvwXA7ho2m+vv4SP5dUdXf+GTeA
1HeBfw== )
uri.arpa. 3600 IN RRSIG SOA 8 2 3600 (
20181029114753 20181008222815 47155 uri.arpa.
qn8yBNoHDjGdT79U2Wu9IIahoS0YPOgYP8lG+qwPcrZ1BwGiHywuoUa2
Mx6BWZlg+HDyaxj2iOmox+IIqoUHhXUbO7IUkJFlgrOKCgAR2twDHrXu
9BUQHy9SoV16wYm3kBTEPyxW5FFm8vcdnKAF7sxSY8BbaYNpRIEjDx4A JUc= )
uri.arpa. 3600 IN NSEC ftp.uri.arpa. NS SOA (
MX RRSIG NSEC DNSKEY )
uri.arpa. 86400 IN NS a.iana-servers.net.
uri.arpa. 86400 IN NS b.iana-servers.net.
uri.arpa. 86400 IN NS c.iana-servers.net.
uri.arpa. 86400 IN NS ns2.lacnic.net.
uri.arpa. 86400 IN NS sec3.apnic.net.
uri.arpa. 600 IN MX 10 pechora.icann.org.
uri.arpa. 3600 IN DNSKEY 256 3 8 (
AwEAAcBi7tSart2J599zbYWspMNGN70IBWb4ziqyQYH9MTB/VCz6WyUK
uXunwiJJbbQ3bcLqTLWEw134B6cTMHrZpjTAb5WAwg4XcWUu8mdcPTiL
Bl6qVRlRD0WiFCTzuYUfkwsh1Rbr7rvrxSQhF5rh71zSpwV5jjjp65Wx
SdJjlH0B )
uri.arpa. 3600 IN DNSKEY 257 3 8 (
AwEAAbNVv6ulgRdO31MtAehz7j3ALRjwZglWesnzvllQl/+hBRZr9QoY
cO2I+DkO4Q1NKxox4DUIxj8SxPO3GwDuOFR9q2/CFi2O0mZjafbdYtWc
3zSdBbi3q0cwCIx7GuG9eqlL+pg7mdk9dgdNZfHwB0LnqTD8ebLPsrO/
Id7kBaiqYOfMlZnh2fp+2h6OOJZHtY0DK1UlssyB5PKsE0tVzo5s6zo9
iXKe5u+8WTMaGDY49vG80JPAKE7ezMiH/NZcUMiE0PRZ8D3foq2dYuS5
ym+vA83Z7v8A+Rwh4UGnjxKB8zmr803V0ASAmHz/gwH5Vb0nH+LObwFt
l3wpbp+Wpm8= )
uri.arpa. 3600 IN DNSKEY 257 3 8 (
AwEAAbwnFTakCvaUKsXji4mgmxZUJi1IygbnGahbkmFEa0L16J+TchKR
wcgzVfsxUGa2MmeA4hgkAooC3uy+tTmoMsgy8uq/JAj24DjiHzd46LfD
FK/qMidVqFpYSHeq2Vv5ojkuIsx4oe4KsafGWYNOczKZgH5loGjN2aJG
mrIm++XCphOskgCsQYl65MIzuXffzJyxlAuts+ecAIiVeqRaqQfr8LRU
7wIsLxinXirprtQrbor+EtvlHp9qXE6ARTZDzf4jvsNpKvLFZtmxzFf3
e/UJz5eHjpwDSiZL7xE8aE1o1nGfPtJx9ZnB3bapltaJ5wY+5XOCKgY0
xmJVvNQlwdE= )
ftp.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
20181028080856 20181007175821 47155 uri.arpa.
HClGAqPxzkYkAT7Q/QNtQeB6YrkP6EPOef+9Qo5/2zngwAewXEAQiyF9
jD1USJiroM11QqBS3v3aIdW/LXORs4Ez3hLcKNO1cKHsOuWAqzmE+BPP
Arfh8N95jqh/q6vpaB9UtMkQ53tM2fYU1GszOLN0knxbHgDHAh2axMGH lqM= )
ftp.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
20181028103644 20181007205525 47155 uri.arpa.
WoLi+vZzkxaoLr2IGZnwkRvcDf6KxiWQd1WZP/U+AWnV+7MiqsWPZaf0
9toRErerGoFOiOASNxZjBGJrRgjmavOM9U+LZSconP9zrNFd4dIu6kp5
YxlQJ0uHOvx1ZHFCj6lAt1ACUIw04ZhMydTmi27c8MzEOMepvn7iH7r7 k7k= )
ftp.uri.arpa. 3600 IN NSEC http.uri.arpa. NAPTR (
RRSIG NSEC )
ftp.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
"!^ftp://([^:/?#]*).*$!\\1!i" . )
http.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
20181029010647 20181007175821 47155 uri.arpa.
U03NntQ73LHWpfLmUK8nMsqkwVsOGW2KdsyuHYAjqQSZvKbtmbv7HBmE
H1+Ii3Z+wtfdMZBy5aC/6sHdx69BfZJs16xumycMlAy6325DKTQbIMN+
ift9GrKBC7cgCd2msF/uzSrYxxg4MJQzBPvlkwXnY3b7eJSlIXisBIn7 3b8= )
http.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
20181029011815 20181007205525 47155 uri.arpa.
T7mRrdag+WSmG+n22mtBSQ/0Y3v+rdDnfQV90LN5Fq32N5K2iYFajF7F
Tp56oOznytfcL4fHrqOE0wRc9NWOCCUec9C7Wa1gJQcllEvgoAM+L6f0
RsEjWq6+9jvlLKMXQv0xQuMX17338uoD/xiAFQSnDbiQKxwWMqVAimv5 7Zs= )
http.uri.arpa. 3600 IN NSEC mailto.uri.arpa. NAPTR (
RRSIG NSEC )
http.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
"!^http://([^:/?#]*).*$!\\1!i" . )
mailto.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
20181028110727 20181007175821 47155 uri.arpa.
GvxzVL85rEukwGqtuLxek9ipwjBMfTOFIEyJ7afC8HxVMs6mfFa/nEM/
IdFvvFg+lcYoJSQYuSAVYFl3xPbgrxVSLK125QutCFMdC/YjuZEnq5cl
fQciMRD7R3+znZfm8d8u/snLV9w4D+lTBZrJJUBe1Efc8vum5vvV7819 ZoY= )
mailto.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
20181028141825 20181007205525 47155 uri.arpa.
MaADUgc3fc5v++M0YmqjGk3jBdfIA5RuP62hUSlPsFZO4k37erjIGCfF
j+g84yc+QgbSde0PQHszl9fE/+SU5ZXiS9YdcbzSZxp2erFpZOTchrpg
916T4vx6i59scodjb0l6bDyZ+mtIPrc1w6b4hUyOUTsDQoAJYxdfEuMg Vy4= )
mailto.uri.arpa. 3600 IN NSEC urn.uri.arpa. NAPTR (
RRSIG NSEC )
mailto.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
"!^mailto:(.*)@(.*)$!\\2!i" . )
urn.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
20181028123243 20181007175821 47155 uri.arpa.
Hgsw4Deops1O8uWyELGe6hpR/OEqCnTHvahlwiQkHhO5CSEQrbhmFAWe
UOkmGAdTEYrSz+skLRQuITRMwzyFf4oUkZihGyhZyzHbcxWfuDc/Pd/9
DSl56gdeBwy1evn5wBTms8yWQVkNtphbJH395gRqZuaJs3LD/qTyJ5Dp LvA= )
urn.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
20181029071816 20181007205525 47155 uri.arpa.
ALIZD0vBqAQQt40GQ0Efaj8OCyE9xSRJRdyvyn/H/wZVXFRFKrQYrLAS
D/K7q6CMTOxTRCu2J8yes63WJiaJEdnh+dscXzZkmOg4n5PsgZbkvUSW
BiGtxvz5jNncM0xVbkjbtByrvJQAO1cU1mnlDKe1FmVB1uLpVdA9Ib4J hMU= )
urn.uri.arpa. 3600 IN NSEC uri.arpa. NAPTR RRSIG (
NSEC )
urn.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
"/urn:([^:]+)/\\1/i" . )
uri.arpa. 3600 IN SOA sns.dns.icann.org. (
noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 )
;; Query time: 66 msec
;; SERVER: 192.0.32.132#53(192.0.32.132)
;; WHEN: Sun Oct 21 20:39:28 UTC 2018
;; XFR size: 34 records (messages 1, bytes 3941)
uri.arpa. 3600 IN ZONEMD 2018100702 2 0 (
a921ef5658f31bc6ac3e72a000f8d60a1a933153cf1df8be8153925
60c665b14 )
A.3. The ROOT-SERVERS.NET Zone with SHA384
The ROOT-SERVERS.NET zone retreived 2018-10-21.
root-servers.net. 3600000 IN SOA a.root-servers.net. (
nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 )
root-servers.net. 3600000 IN NS a.root-servers.net.
root-servers.net. 3600000 IN NS b.root-servers.net.
root-servers.net. 3600000 IN NS c.root-servers.net.
root-servers.net. 3600000 IN NS d.root-servers.net.
root-servers.net. 3600000 IN NS e.root-servers.net.
root-servers.net. 3600000 IN NS f.root-servers.net.
root-servers.net. 3600000 IN NS g.root-servers.net.
root-servers.net. 3600000 IN NS h.root-servers.net.
root-servers.net. 3600000 IN NS i.root-servers.net.
root-servers.net. 3600000 IN NS j.root-servers.net.
root-servers.net. 3600000 IN NS k.root-servers.net.
root-servers.net. 3600000 IN NS l.root-servers.net.
root-servers.net. 3600000 IN NS m.root-servers.net.
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
a.root-servers.net. 3600000 IN A 198.41.0.4
b.root-servers.net. 3600000 IN MX 20 mail.isi.edu.
b.root-servers.net. 3600000 IN AAAA 2001:500:200::b
b.root-servers.net. 3600000 IN A 199.9.14.201
c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
c.root-servers.net. 3600000 IN A 192.33.4.12
d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
d.root-servers.net. 3600000 IN A 199.7.91.13
e.root-servers.net. 3600000 IN AAAA 2001:500:a8::e
e.root-servers.net. 3600000 IN A 192.203.230.10
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
f.root-servers.net. 3600000 IN A 192.5.5.241
g.root-servers.net. 3600000 IN AAAA 2001:500:12::d0d
g.root-servers.net. 3600000 IN A 192.112.36.4
h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
h.root-servers.net. 3600000 IN A 198.97.190.53
i.root-servers.net. 3600000 IN MX 10 mx.i.root-servers.org.
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
i.root-servers.net. 3600000 IN A 192.36.148.17
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
j.root-servers.net. 3600000 IN A 192.58.128.30
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
k.root-servers.net. 3600000 IN A 193.0.14.129
l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42
l.root-servers.net. 3600000 IN A 199.7.83.42
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
m.root-servers.net. 3600000 IN A 202.12.27.33
root-servers.net. 3600000 IN SOA a.root-servers.net. (
nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 )
root-servers.net. 3600000 IN ZONEMD 2018091100 4 0 (
327b45e1f70a95eb83e1b9aaaa0642b9e1d0f007db5ce45858cd336a79
78a0239f4517edfd11445f2b9f70900816fdfd )
Authors' Addresses Authors' Addresses
Duane Wessels Duane Wessels
Verisign Verisign
12061 Bluemont Way 12061 Bluemont Way
Reston, VA 20190 Reston, VA 20190
Phone: +1 703 948-3200 Phone: +1 703 948-3200
Email: dwessels@verisign.com Email: dwessels@verisign.com
URI: http://verisign.com URI: http://verisign.com
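Review bot: The A.2 test vector is a DNSSEC-signed zone, but the apex NSEC type bitmap ("NS SOA MX RRSIG NSEC DNSKEY") does not list ZONEMD and there is no RRSIG covering the ZONEMD RR, which contradicts 3.2 (the placeholder is added before signing so that denial-of-existence records are correct) and would make a verifier following step 2 of Section 4 conclude that the record provably does not exist. Suggest either re-signing the example with the ZONEMD in place or stating that the ZONEMD was appended to an unmodified transfer and that the DNSSEC steps are expected to fail. Both A.2 and A.3 also repeat the SOA at the end of the transfer while 3.4.1 says "More than one SOA MUST NOT be included", and A.2 places the ZONEMD after the dig statistics comments; a sentence telling implementers to drop the trailing SOA and where the ZONEMD belongs would make the vectors reproducible. Spelling: "appendex" should be "appendix" and "retreived" (twice) should be "retrieved".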
 End of changes. 22 change blocks. 
38 lines changed or deleted 275 lines changed or added
