-
"DNS Referral Response Size Issues", Paul Vixie, Akira Kato, 14-Jul-08.
- With a mandated default minimum maximum UDP message size of 512
octets, the DNS protocol presents some special problems for zones
wishing to expose a moderate or high number of authority servers (NS
RRs). This document explains the operational issues caused by, or
related to this response size limit, and suggests ways to optimize
the use of this limited space. Guidance is offered to DNS server
implementors and to DNS zone operators.
-
"Preventing Use of Recursive Nameservers in Reflector Attacks", Joao Luis Damas, Frederico Neves, 1-Sep-08.
- This document describes ways to prevent the use of default configured
recursive nameservers as reflectors in Denial of Service (DoS)
attacks. Recommended configuration as measures to mitigate the
attack are given.
-
"Locally-served DNS Zones", Mark Andrews, 10-Jul-08.
- Experience has shown that there are a number of DNS zones all
iterative resolvers and recursive nameservers should, unless
configured otherwise, automatically serve. RFC 4193 specifies that
this should occur for D.F.IP6.ARPA. This document extends the
practice to cover the IN-ADDR.ARPA zones for RFC 1918 address space
and other well known zones with similar characteristics.
-
"Considerations for the use of DNS Reverse Mapping", Daniel Senie, Andrew Sullivan, 13-Mar-08.
- Mapping of addresses to names is a feature of DNS. Many sites
implement it, many others do not. Some applications attempt to use
it as a part of a security strategy. This document outlines what
should be taken into account when deciding whether to implement
reverse mappings of addresses to names, suggests that site
administrators implement reverse mappings if there are no strong
considerations against such mappings, and provides considerations to
be taken into account when using reverse mappings.
-
"Initializing a DNS Resolver with Priming Queries", Peter Koch, Matt Larson, 14-Jul-08.
- This document describes the initial queries a DNS resolver is
supposed to emit to initialize its cache with a current NS RRSet for
the root zone as well as the necessary address information.
-
"DNSSEC Trust Anchor Configuration and Maintenance", Matt Larson, Olafur Gudmundsson, 14-Jul-08.
- This document recommends a preferred format for specifying trust
anchors in DNSSEC validating security-aware resolvers and describes
how such a resolver should initialize trust anchors for use. This
document also describes different mechanisms for keeping trust
anchors up to date over time.
-
"Requirements for Management of Name Servers for the DNS", Wesley Hardaker, 3-Sep-08.
- Management of name servers for the Domain Name Service (DNS) has
traditionally been done using vendor-specific monitoring,
configuration and control methods. Although some service monitoring
platforms can test the functionality of the DNS itself, there is not an
interoperable way to manage (monitor, control and configure) the
internal aspects of a name server itself.
This document discusses the requirements of a management system for
DNS name servers. A management solution that is designed to manage
the DNS can use this document as a shopping list of needed features.