<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-nygren-dnsop-domain-delegation-validation-00" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Domain Control Validation for DNS Delegations">Domain Control Validation for DNS Delegations</title>
    <seriesInfo name="Internet-Draft" value="draft-nygren-dnsop-domain-delegation-validation-00"/>
    <author initials="E." surname="Nygren" fullname="Erik Nygren">
      <organization>Akamai Technologies</organization>
      <address>
        <email>erik+ietf@nygren.org</email>
      </address>
    </author>
    <author initials="P." surname="Thomassen" fullname="Peter Thomassen">
      <organization>deSEC</organization>
      <address>
        <email>peter@desec.io</email>
      </address>
    </author>
    <author initials="S." surname="Huque" fullname="Shumon Huque">
      <organization>Salesforce</organization>
      <address>
        <email>shuque@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <workgroup>Domain Name System Operations</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 68?>

<t>The techniques specified in <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/> for using the DNS to verify ownership or control of a domain in the Domain Name System (DNS) rely on the domain already being properly delegated to a DNS authority. For the specific case where the Application Service Provider is providing authoritative DNS services, the existing approaches don't provide a way to bootstrap domain validation onto a new Authoritative DNS Application Service provider.</t>
      <t>This specification proposes a mechanism for "Domain Control Validation" for cases where the User and DNS Administrator are validating control over a domain to an Authoritative DNS Application Service Provider and thus do not have the ability to add records within the domain. In this case, validation must be performed by the User taking actions in the DNS Registrar or Parent Zone that demonstrate control over the domain, such as by adding DNS <tt>NS</tt> records as validation records.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://enygren.github.io/draft-nygren-dnsop-domain-delegation-validation/draft-nygren-dnsop-domain-delegation-validation.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-nygren-dnsop-domain-delegation-validation/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Domain Name System Operations Working Group mailing list (<eref target="mailto:dnsop@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnsop/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dnsop/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/enygren/draft-nygren-dnsop-domain-delegation-validation"/>.</t>
    </note>
  </front>
  <middle>
    <?line 74?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Application Service Providers providing Authoritative DNS services need a way for domain owners (Users) to prove that they control a particular DNS domain before the Application Service Provider can allow them to provision the authoritative domain, thus granting a DNS Administrator access to modify the domain.</t>
      <t>Security researchers have called out (see <xref target="SITTING-DUCKS"/>) that there is active exploitation of "lame delegations" (<xref target="RFC9499"/>) where domain registrations remain active and delegate to an Authoritative DNS Application Service Provider, but where the User account at that Application Service Provider has lapsed or where they have "deleted" the domain but not removed the delegation. Without validation, an attacker may be able to provision that domain at the Application Service Provider and gain control over it. For new domains there is also a potential race condition during registration where the domain owner who registers (and delegates) a domain could be beat out by an attacker in provisioning the domain in the Authoritative DNS Application Service Provider.</t>
      <t>While DNS <tt>TXT</tt> record validation as specified in <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/> works for existing domains that the domain's DNS Administrator can add records to (such as for transferring to a different Authoritative DNS Application Service Provider), this does not work for domains that are newly provisioned or where the User and DNS Administrator are trying to re-establish control over.</t>
      <t>For these cases, using DNS to demonstrate control over the domain must be performed through adding or modifying parent-side zone records, such as DNS <tt>NS</tt> records (<xref target="RFC1035"/>).</t>
      <t>This specification is also useful for performing validation during account recovery cases at Authoritative DNS Application Service Providers, where a User needs to validate that they have the control needed for a 2FA or password reset for a domain.</t>
      <t>While non-DNS mechanisms are possible, such as using EPP authInfo (<xref target="RFC5731"/>) or having the DNS Registrar add attributes to RDAP (<xref target="RFC9083"/>), those are not described in this specification.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
      <t>This specification uses the following terms defined in <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/>: <tt>Application Service Provider</tt>, <tt>DNS Administrator</tt>, <tt>Intermediary</tt>, <tt>User</tt>, <tt>Unique Token</tt>, and <tt>Validation Record</tt>.</t>
      <t>This specification uses the following terms defined in <xref target="RFC9499"/> for general DNS Terminology: <tt>Registrar</tt>, <tt>Registrant</tt>, <tt>Registry</tt>, <tt>Superordinate</tt>/<tt>Parent</tt>, <tt>Subordinate</tt>/<tt>Child</tt>, and <tt>Lame Delegation</tt>.</t>
    </section>
    <section anchor="purpose">
      <name>Purpose of Domain Control Validation for Delegation</name>
      <t>Domain Control Validation for Delegation allows a User to demonstrate to an Application Service Provider providing Authoritative DNS services that the User's DNS Administrator should be given control over a Child Zone corresponding to a domain.</t>
      <t>Because this challenge becomes publicly visible as soon as it is published into the DNS, the security properties rely on the causal relationship between the Application Service Provider generating a specific challenge and the challenge appearing in the DNS at a specified location.</t>
      <t>For Domain Control Validation for Delegation, the DNS challenge must appear in a Parent Side record.</t>
      <t>For the case where the domain is delegated from a delegation-centric zone operated by a DNS Registry, this addition needs to demonstrate that the User is also the DNS Registrant in control of the domain. The causal relationship in this case is:</t>
      <artwork><![CDATA[
   Application Service Provider for Authoritative DNS (challenge generation)
   -> User / Registrant for Child/Subordinate Domain
   -> Registrar
   -> Registry
   -> Parent/Superordinate DNS Zone update
   -> Application Service Provider for Authoritative DNS (for validation)
]]></artwork>
      <t>In the case where a domain is delegated from a parent that is not a delegation-centric zone in a registry, the Parent Zone DNS Administrator is making changes to demonstrate control over the zone, with a causal relationship of:</t>
      <artwork><![CDATA[
   Application Service Provider for Authoritative DNS (challenge generation)
   -> User / Registrant for Child Domain
   -> Parent Zone DNS Administrator
   -> Parent DNS Zone update
   -> Application Service Provider for Authoritative DNS (for validation)
]]></artwork>
    </section>
    <section anchor="threat-model">
      <name>Threat Model</name>
      <t>The threat model here is an extension of that in  <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/>, however this is the more narrow and specific case since the application (Authoritative DNS service) is known.</t>
      <t>The specific threats we are concerned with include:</t>
      <ul spacing="normal">
        <li>
          <t>T1. An attacker is able to exploit a pre-existing lame delegation to provision Authoritative DNS services at the target of the lame delegation without approval from the domain owner.</t>
        </li>
        <li>
          <t>T2. An attacker is able to exploit a race condition in the DNS registration and/or delegation process to gain control over the zone for a domain at an Authoritative DNS Application Service Provider. This might happen either before or after the domain has been delegated, but prior to the actual owner of the domain provisioning control.</t>
        </li>
        <li>
          <t>T3. An attacker might try to transfer a domain within an Authoritative DNS Application Service Provider from the rightful owner/operator's account to an account controlled by the attacker.</t>
        </li>
        <li>
          <t>T4. An attacker who can spoof DNS responses might be able to defeat validation, absent DNSSEC validation.</t>
        </li>
      </ul>
      <t>Since information in the DNS is public, the attacker should be assumed to have access to any validation records.</t>
      <t>Threats NOT covered by this include:</t>
      <ul spacing="normal">
        <li>
          <t>N1. Compromise of the Authoritative DNS Application Service Provider or compromise of the User's account there. This could also be used by an attacker to take over control of the domain.</t>
        </li>
        <li>
          <t>N2. A User retaining control over a domain at a DNS Application Service Provider when a new owner/Registrant for the domain delegates it.</t>
        </li>
      </ul>
      <t>Note that covered threat T3 and not-covered threat N2 are in-tension. When a domain transfers ownership at the parent without moving between Authoritative DNS Application Service Providers, it should be possible to transfer operational control to the new owner, but extreme care must be taken to authorize this transfer.</t>
      <t>As threats T1 and T2 are mitigated by one-off validation, there is no need for validation records to persist.</t>
    </section>
    <section anchor="recommendations">
      <name>Recommendations</name>
      <t>Domain Control Validation during DNS delegation is implemented through DNS NS Record based validation as described below.</t>
      <section anchor="ns-record">
        <name>NS Record based Validation</name>
        <t>The RECOMMENDED method of doing DNS-based domain control validation is to use a DNS <tt>NS</tt> record containing a Unique Token as the Validation Record within one of the parent-side zone NS record delegations. The Authoritative DNS Application Service Provider supplies an additional DNS authority name to use that contains this Unique Token.</t>
        <t>The Unique Token SHOULD be encoded with Base32 encoding (<xref section="6" sectionFormat="comma" target="RFC4648"/>) or hexadecimal base16 encoding (<xref section="8" sectionFormat="comma" target="RFC4648"/>).</t>
        <t>The QNAME is the domain being validated, and the RDATA MUST contain a nameserver name that contains a Unique Token provided by the Application Service Provider (constructed according to the properties described in <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/>).</t>
        <t>For example, in the parent-side zone:</t>
        <sourcecode type="dns"><![CDATA[
   $domain  IN NS   ns1.example.com.
   $domain  IN NS   ns2.example.com.
   $domain  IN NS   ns-<unique-token>.authdnsdv.example.net.
]]></sourcecode>
        <t>To validate these, the Application Service Provider queries for the parent-side NS records for the domain being validated.</t>
        <t>Application Service Providers MUST validate that one of the parent-side DNS NS records is the DNS authority name they provided to that User for that specific domain and contains the matching Unique Token. The Application Service Provider MUST allow other NS records to also be present alongside the NS record being used for validation.</t>
        <t>Note that using a recursive resolver to perform the validation may not be possible due to the need to distinguish child-side from parent-side NS records.</t>
        <t>The validation NS record MUST be included in-addition to (rather than instead of) other NS records which will persist following the removal of the validation NS record.</t>
        <t>Token metadata is not readily possible with this approach.</t>
        <section anchor="authoritative-name-servers-for-ns-validation-records">
          <name>Authoritative name servers for NS validation records</name>
          <t>The Application Service Provider SHOULD provide the NS record authoritative server name for validation from a different TLD (top-level domain) from the domain being validated.</t>
          <t>Because the validation authoritative server name would then be out-of-bailiwick relative to the domain being validated, it would not receive glue records in the parent zone's delegation response, requiring resolvers to perform a separate address resolution before it can be queried. This may make some resolver implementations less likely to select it during ordinary server selection, compared to already-glued in-bailiwick authorities, reducing (but not eliminating) the likelihood of this validation-only NS record being used for ongoing production query traffic.</t>
          <t>The Application Service Provider MUST operate DNS service on IP addresses returned by the A/AAAA records for the authoritative server name, and those IPs must be treated as authoritative name servers for the zone.</t>
          <t>Note that Registrars often have restrictions preventing in-bailiwick authorities from being referenced without first provisioning them, which is another reason for using a name from an unrelated TLD.</t>
          <t>For example, one setup for validating <tt>foo.example</tt> might include:</t>
          <sourcecode type="dns"><![CDATA[
   foo.example. IN NS   ns1.dnsprovider.example.
   foo.example. IN NS   ns2.dnsprovider.example.
   foo.example. IN NS   ns-<unique-token>.authdnsdv.example.net.
   ns1.dnsprovider.example. IN AAAA 2001:db8:1::1
                            IN A    203.0.113.1
   ns2.dnsprovider.example. IN AAAA 2001:db8:2::2
                            IN A    192.0.2.5
   *.authdnsdv.example.net. IN AAAA 2001:db8:1::5
                            IN A    203.0.113.1
]]></sourcecode>
          <t>which allows the <tt>ns*.dnsprovider.example</tt> to be configured as authorities to be returned in Additional records within the <tt>.example</tt> domain.</t>
          <t>If the example domain were to be within <tt>.net</tt> then authorities outside of <tt>.net</tt> would want to be used for validation purposes.</t>
        </section>
      </section>
      <section anchor="deleg-svcparam">
        <name>DELEG SvcParam based Validation (future)</name>
        <t>Once DELEG (<xref target="I-D.draft-ietf-deleg"/>) is widely deployed, another option would be for a SvcParam to be registered for validation purposes. This would be defined in a future specification but would include the validation Unique Token along with the delegation:</t>
        <artwork><![CDATA[
foo.example.  DELEG include-delegparam=config2.example.net. validation=<unique-token>
]]></artwork>
      </section>
      <section anchor="removal-and-cleanup">
        <name>Removal and Cleanup</name>
        <t>After validation is performed, the User SHOULD remove the validation record from the parent zone.</t>
      </section>
    </section>
    <section anchor="supporting-multiple-authoritative-dns-providers">
      <name>Supporting Multiple Authoritative DNS Providers</name>
      <t>Nothing in this specification prevents a zone from having multiple Authoritative DNS Providers, as the NS records may simultaneous include authoritative name servers from the multiple providers (possibly including ones used for validation).</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>Many of the Security Considerations are shared with <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/> and are not repeated here. Additional considerations follow.</t>
      <section anchor="dns-spoofing-and-dnssec-validation">
        <name>DNS Spoofing and DNSSEC Validation</name>
        <t>The parent side zone SHOULD be signed using DNSSEC <xref target="RFC9364"/> to protect Validation Records against DNS spoofing attacks, including from on-path attackers.</t>
        <t>Application Service Providers MUST use a trusted DNSSEC validating resolver to verify Validation Records they have requested to be deployed.</t>
        <t>Application Service Providers MUST confirm that the NS validation records are present in the parent-side zone.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>TODO - consider if any exist.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC4648">
          <front>
            <title>The Base16, Base32, and Base64 Data Encodings</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="October" year="2006"/>
            <abstract>
              <t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4648"/>
          <seriesInfo name="DOI" value="10.17487/RFC4648"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.draft-ietf-dnsop-domain-verification-techniques">
          <front>
            <title>Domain Control Validation using DNS</title>
            <author fullname="Shivan Kaul Sahib" initials="S. K." surname="Sahib">
              <organization>Brave Software</organization>
            </author>
            <author fullname="Shumon Huque" initials="S." surname="Huque">
              <organization>Salesforce</organization>
            </author>
            <author fullname="Paul Wouters" initials="P." surname="Wouters">
              <organization>Aiven</organization>
            </author>
            <author fullname="Erik Nygren" initials="E." surname="Nygren">
              <organization>Akamai Technologies</organization>
            </author>
            <author fullname="Tim Wicinski" initials="T." surname="Wicinski">
              <organization>Cox Communications</organization>
            </author>
            <date day="21" month="June" year="2026"/>
            <abstract>
              <t>   Many application services on the Internet need to verify ownership or
   control of a domain in the Domain Name System (DNS).  The general
   term for this process is "Domain Control Validation", and it can be
   done using a variety of methods such as email, HTTP/HTTPS, or the DNS
   itself.  This document focuses only on DNS-based methods, which
   typically involve the Application Service Provider requesting a DNS
   record with a specific format and content to be visible in the domain
   to be verified.  There is wide variation in the details of these
   methods today.  This document provides some best practices to avoid
   known problems.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-domain-verification-techniques-13"/>
        </reference>
        <reference anchor="I-D.draft-ietf-deleg">
          <front>
            <title>Extensible Delegation for DNS</title>
            <author fullname="Petr Špaček" initials="P." surname="Špaček">
              <organization>ISC</organization>
            </author>
            <author fullname="Ralf Weber" initials="R." surname="Weber">
              <organization>Akamai Technologies</organization>
            </author>
            <author fullname="David C Lawrence" initials="" surname="Lawrence">
              <organization>Salesforce</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   This document specifies a new extensible method for the delegation of
   authority for a domain in the Domain Name System (DNS) using DELEG
   and DELEGPARAM records.

   A delegation in the DNS enables efficient and distributed management
   of the DNS namespace.  The traditional DNS delegation is based on NS
   records which contain only hostnames of servers and no other
   parameters.  The new delegation records are extensible, can be
   secured with DNSSEC, and eliminate the problem of having two sources
   of truth for delegation information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-deleg-10"/>
        </reference>
        <reference anchor="SUBDOMAIN-TAKEOVER" target="https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers">
          <front>
            <title>Subdomain takeovers</title>
            <author initials="" surname="Mozilla">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SITTING-DUCKS" target="https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/">
          <front>
            <title>Don’t Let Your Domain Name Become a Sitting Duck</title>
            <author initials="B." surname="Krebs" fullname="Brian Krebs">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RFC9499">
          <front>
            <title>DNS Terminology</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
              <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="219"/>
          <seriesInfo name="RFC" value="9499"/>
          <seriesInfo name="DOI" value="10.17487/RFC9499"/>
        </reference>
        <reference anchor="RFC1035">
          <front>
            <title>Domain names - implementation and specification</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1035"/>
          <seriesInfo name="DOI" value="10.17487/RFC1035"/>
        </reference>
        <reference anchor="RFC5731">
          <front>
            <title>Extensible Provisioning Protocol (EPP) Domain Name Mapping</title>
            <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
            <date month="August" year="2009"/>
            <abstract>
              <t>This document describes an Extensible Provisioning Protocol (EPP) mapping for the provisioning and management of Internet domain names stored in a shared central repository. Specified in XML, the mapping defines EPP command syntax and semantics as applied to domain names. This document obsoletes RFC 4931. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="69"/>
          <seriesInfo name="RFC" value="5731"/>
          <seriesInfo name="DOI" value="10.17487/RFC5731"/>
        </reference>
        <reference anchor="RFC9083">
          <front>
            <title>JSON Responses for the Registration Data Access Protocol (RDAP)</title>
            <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
            <author fullname="A. Newton" initials="A." surname="Newton"/>
            <date month="June" year="2021"/>
            <abstract>
              <t>This document describes JSON data structures representing registration information maintained by Regional Internet Registries (RIRs) and Domain Name Registries (DNRs). These data structures are used to form Registration Data Access Protocol (RDAP) query responses. This document obsoletes RFC 7483.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="95"/>
          <seriesInfo name="RFC" value="9083"/>
          <seriesInfo name="DOI" value="10.17487/RFC9083"/>
        </reference>
        <reference anchor="RFC9364">
          <front>
            <title>DNS Security Extensions (DNSSEC)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="237"/>
          <seriesInfo name="RFC" value="9364"/>
          <seriesInfo name="DOI" value="10.17487/RFC9364"/>
        </reference>
      </references>
    </references>
    <?line 258?>

<section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Thank you to Peter Thomassen, ..., (add names here) for their feedback and suggestions on this document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8Vb63LbRpb+j6folbcqUpYXXRzHZs0koSUlUcW6jEmPd2Zr
KwSBJtklAM2gAWoYl1PzGvNvnmUeZZ5kz6W70SApWfLs1uqHLYKN0+d+vnO6
1e12o0pVmRyIvTOdx6oQp7qoSp2JP8aZSuNK6ULMdCnOrkbiTGZyTo/MXpTq
pIhzeDEt41nVLdbzUhbdtDB62U2JVDf167srT617eBglcSXnulwPhCpmOorU
shyIqqxNdXx4+OrwOLqV6ztdpgNxUVSyLGTVPcNdoshUcZH+HGe6gJ3X0sCD
UsY5LDwffx+ZPC6rn3+pdSXNQBQ6WqqB+K9KJx1hdAkrZwZ+W+f4y39Hq4E4
ieLptJSrp4sfAX+381LXy+bdK9CHGK1NJXNxvZSlX7uSRS0HkRCPfEGIar1E
m7yHTVQxFz/ge/gcXsvgOan5OyWrWU+Xc/wiLpMFfLGoqqUZ9Pu4Dh+pley5
ZX180J+W+s7IPlHo45tzVS3qKbwr2Yb9JxoUaWRgUFMF+1taPSbeU/qpVJ+6
vreo8gxUHdfVQpeDKBJd4EuAg4EnnPfEFRGiR+y256W6DZ+CguJC/UrEBmJ4
G8NeYiyTRaEzPVfgarhKsgEkvPwfqNfvrJzwdnvLm54YL4BfY1q73kjw541v
2juncnR+Gu61xFe+S6WRCeixvcuoJ36sf6llsMNoUefgtM3jNvlRnEkDHp3I
cA+zwOXfzfFTL9F5FBW6zOGVFbhthEHafMLXLrpnPTYQKqFtnhUoZ6YSNlCF
ClRA29zzJtrSfjV69/rs+nJ4cdUdD386v/7j+dsBPccfl6RG9ZS3EVV8KzXs
ReHCP872wv90WU2X+leVZXFDLS7nEtzVeWsqVzLTEIC9nFdSuIDfvRv1Ic+Z
/ns57Y9kUpeqWvc9Dz97HqwAF+PxxdUP3bN3pz+Ntnk/08U///q3SryRlfiT
riGpBFngtQS1SxGLkaoqDPmzOrl9WDS29+tSxYX4qZRTc698t/gtZBYrAVq4
f3x4/Lx/+DXIV1TdDDLsGlhyNkTS3Smx1I27hlnqpsBSP4p6vV4UdbtdEU8h
+8YJpOXxQorG1MIsZQI+IFNQv/jw4TO85eNHSru1QVVUQB0TcKUFLV8LfVeA
1hdqCd4tEpuy9QzUZ70DHQTf2s6z+0DpQJQyAyq8yL4SZ1BJ0rWYStxzWaI/
wCKbbUAW2D4mPtgYqEjxPeyPNKzEiUhiI8XdQpaSng+Xy8xKJ0ayXKlEiptS
r1QKaUAZ3AZ+xw0dUQoz2sbweihZSEn+RRlyjHgJL8XJAvQMtvuisjTQd+7i
NXI51bpCyyydaE2aBJlJjELeieHWjru4tdTLHlpZedvaVagmbYCVWORgPEg0
JifL3V9P9+h71JMJFPUOpBVQ25mPNFdACUSoYGkMS5wEIL839wrfcCKiVMUj
RfIGwP2gPqEiAS1UYhGvmJt4qjKwL1FNU/CWBNAIsAvVTIVO0wOAAh9BLShP
J1R0DmgGfAnSd4nZE/xnum4khcxBtkyo4nt3BYbfyjlJXqJr34DsRSX+DHAH
FsQVeCMkd1KMbCui4QkQTp0sRGxwQ+CekgkQnlyNJl4S+Dbg1T61YZ2rNM1k
FEXPEH6VGsIeV0XRQ7oMXXnbCs6Vwe9AEeyo6AXWeBzOYh9VYw5Q60jMigyS
rb2ssVgCxFNJDeiGKFsKUwnkHhFySYyBnuk7XJq7nZRRNhe0o9AplHxkXsYF
B+AuH01AOoP0cp1ihgp8JIpc6QBFG4koDKUlZ0uAGdCIriuxb6SEZNkqIh8/
HnglgHjgZ+gxK8wGy0wTmxjTM7GXYYpLA4Qq9j98+Pbt96evnr96hWQ41Ky6
Sutk7H2l5ATIpDEoXNL7rLDqiCmIsxnaSaJrcGWSBf550EoLcM8sXhrUTNlQ
WrPO9pA7SMh7YfbGLTGEQRbwnJS/8uroifcQuqjlxus7KFlcVXFyC1vmMWZ+
CPxMbnoFhp0tEdWnPQzVN8fFrfBUFdcKzLtMzAQ2zQzm5CW0LeBhcSagqFJ4
p4r2SMF5wO9CowXqDWMIHmu7jgIqtCUEls+WYIssRXmnEmRCvWCuCNShikYF
rgS3S+vTfAKC4P1CZbxwMv7PsUtFYRqK/5eQA7ZmhvKLL5qNzq0N+cEXZkcs
U44Isj64w75LqUgUlhVmJksyClVTiHj4jJn6aVo56HDxSDWmRvBe5DxIjJZf
LIDgOABGvE02IuNT5bMq15bZUnahUwM3V2bRclGwkAUzRnJ17lj4ZaHXI0rP
jqJXLaB1nS9cIYIdOEESxqLqBvASwMuvWOKsxpsKtlW3bFI7Ojz5CpLabkzi
Iqo2clZnpE7LD24a+JuNK5eacA+QZ22xSfxUawLfbJCYzYG1jrzHbhnWM480
nCZxMagLmY3F8fdD1NQSekQcg1DZqOx3vqhwPBXg/MiYR1+GDA6gzCjIZY0q
2ZbnNzdU4y6gpXPK/OrrkyOsEBoT7yoE3A0WwXiA5FAqyLOShHp7NrzxNebw
5QlQQG8GMMj+qhGsmATe4GCutgzVI4gBAHGFaQ8LETmwnIHz0mfuK25BXXdk
/L3Ld6PxXof/F1fX9Pvb8z+8u3h7foa/j34cvnnjf4nsitGP1+/enDW/NW+e
Xl9enl+d8cvwVLQeRXuXwz/tdYirveub8cX11fDNnpcFGsM6x5inANPo9gqn
VcsSixOoPGrJ//r05h9/P3oOSe3fQGPHR0dQle2Hl0dfP8e0tZAF76YLiHX+
iN4SAeQH2CCoScnAPZfgkhm4GybMBSR+gW7Xi373baYgirovvv0m2hkZNfo1
GnemEQORqWUJLpOi0v+lpDsQk4diY9IRk63UhA9pwAeJQsXlGj9j5ND/RFiM
9a0sJqyVSTCTe0v5YLI7ATxOzAYcUWTNJdRPqL3I5VhirsC5zxrk8lGAfLkP
RRV8Is5HNWQZYEoVEOqT/oSxO38zDZ6fQtymTqQ3CNuaweKEY+KmLrGrQmD3
ibGkf1N8eLbktz5G0aNfIihsXMLaSPIW+z0Edh6F+X3NxU12VlxwYotH5vB2
sdnikca4CQKrQzJcIjTyxdclxNcyicH0th9bILIu5ghxcIwB/UkNRS+BwMIK
ijAPo0cz7FAVNeM1lUVyECBtsyC33252YgcDlZKmNUTArRG5yYxBNc4mprK6
k7L4NGZk37PNRTNK8CJwnyrDJ5QR8IWgdUSoECCoTPs8i5X9sU7R8fSa7aiu
B1nINaYjLN1cmxv8sDkDcbjRBLOUWalztF0zyk2AXglSExDQNAznnjkOS9Ha
IiaEE8S7L7Itzw09zuOBzaoG/Icwfdbq68f32FQF/T5QHkTRb7/9hoO3Bw2M
Gt6OkP1Gwc4DdHGAxLrfMOv9kFkkQqHQDxKKNat9yaeq9ue1/chW67cyFXFC
sVUvEaTYpZ8jDj5u4NUBaSa6KDZ9In7IIxgTsgUVg+L73YRcsQw8Q7YmJtuJ
BijmPHlBtDSXW56zBWxxnw4NfmCrXQ6hZ/8vPtC2+4NSt9f8H5sbqtd4UWJX
eanBbFCWKvrYzfHjRzsq5hX0SPguuIB2DTpgY0ca7AKF+FxE0hEAjSTbEcgr
hgQ5jomKuCz1HaXV9uAWMHJiJ4CBQvbvLW4HSPa2AAjWY8k8ORbRiDuGw+BX
CR5kpuxKsE1Wp3ia8qUYH/XEMGy9jZ9C2CkPhgX2ba6Z3Zj1tOcVDxRimxT5
dMAlvE1id3ZQQmNmMC8H5uagoYeMHz+C8Y1RRlCtWuMMMEUf296GD9jdjdS2
xykuMls9EdW/pw6rMNNjVlDzBc5/ocSBGyoczbiZIu4wq9p9Lg6opljaff7i
odeyVJpwFLlQUtWgPx7MtMpLe7ZiJSOVnrRVymxBciOadu7QCGzn0U8ffHub
lrgBdsnEZZ/rrkaU5rpiRoHuk+U1a8bZjldi/3mbfZxG4TQFABtCWTI6gjfE
5yxaMHIDcI5JoTWgmxqbskbnp8E3OFKlSPUnk23Xclgu6bRYDHAmdNZ1zmc6
1Io389u4WO8ejY9tRGOfSIMCpwNMLkE8X0E8n+ocTJwrxvBPH5fxsdYmDYuf
vWWo62P/5YEewRyQrjYWOgW2QAeKbyXHz27Qg8xjTHPdgTYWHt5/4kJo85OC
YBdrz5vYxTaKWRAUflCJ09IoutIOyTlt27IxPqHMDdCgu/HN1TElW4WFgOpI
T7zn/d0pkQ0hE5wg2qxogYdLf7mmSYiD8E+eBEHya7zNTWNaUazdhQ/IEU7D
NnN4bXFWgbJYyhwxVCn9iA2NycdezNqvtvFx9EGDQ+PL0PiIdDZmBeWQjOcO
X0Ma7erZrBV4fjRdaD6yadf6cDQKUhgwKDeu2JbnuSxSe7Lw4VnZfvJgc2rn
cXSs0xQCDK98mUmctQQDRVxFYJ6myNMYXb49S27GL1MJbS5w+OzZ1ivB9h+e
FabLklmcEoyDRC5BzSlGTKotl10m4WfqLFDAhCINYU8ab44yabmNL2i/g2kH
so5OsDXtcOmeGqRZ4LTBBJVSLC0OzoK4m3liBjI1fisJl7luy45H/Pk3XUFw
ItpQJakM+2IolgVILUntPA68WRaJTh06eg1qPTnmZ6iffR6TPX/x/GUHGKXT
SPHCjSzlX+IUQFcOzKE9jl584sWXbnAsxR+uhpfnDhn6k8RgSox13TXfb8+G
46Gg0aOVEvMaKADxFY57SRctJWwY1h6l+9L5oP73E2pK6oSGiUlC/drcZYhg
CtGaMn4mVj6w3TvoEkOt44rppn9xqyOAKPYN/25VJi6u0PGEKMxRz5LAOya9
exYdP2ZR93c1cdetUHff9NDpYN905V8uJGQdajrGrRm7xJP4T+oXSJeoPleE
QlF9FJnNGrXhHb1PHYqTu7Tn//eEr81nbl/rlLvCDc8PvCuRPwBVKtnMLHzy
bYir1UUahiZUgLhKFihKK0Q5TzykNZKHD9A1geSAZaxFFoAs8cQCR+OZLuYk
Hm7aJCdWI8GUdmVp1X0+ssAOP6mhyKxw1GR0tmI0Y890iHJ47yJe09QgLLtp
LZvSykpLuZeq6RgMG2q2AgHj3a5gc0awVSMPqYUOAAgHYih2/YgKzw+h0i+o
hYgRqJpKxlhKDraVeLdQyQLSYJa5yhpOsRGx4wF37KHbLnaQU0o4ULNi+DJ2
kxS84KTwGNEphtItD9TsrSKqks82igX5Hac5jgjYahsNsH4edB+b8N2NpbZT
tO9ehFl1A3244aE/dR0Dzf0K8lyGF/ms0x9sda7bwduMjFuavJ+TO4J0FYJK
MDcARYBOAANUpu5UcmsnQyvvbffVFFVZSmyVROI786yWTfyHCZhy7xcmREWu
kerAb7/Uyl4Q4OgwYXjEwD9QwfQDHllil0PraiJje1zgB/s0EInTYuraYgim
HLsGg5cTffR5PGZhXoZUM3WL83DY2gCbSYVELaLjWSN0sVaVvICQJnY5cWlv
1/ENvC4qgkKoUayziMJjaVheJ1Tf3a0Pmakcp5nw8ICnGsiMWmhGbOThwRV0
Ol+7NxtBytL2CqC9+kRaWSO0nkFS7T3C0Skh2Cl2OITB44KLG2cJOkOoapoL
OUzQH8LPVvm51yMdPsHjoosb07QHiPvpGHLj3a1YdrOUVur1g2TolGbQTHGX
DDzj8JWNDjmeDm7pDGK3qTgCWb2lpGBNLMjDHmumSlNt3TPJOzYJ0kyQEyQI
Y+xBhSsKnBgoExSiLijygDakgk0sgwXXgJqXrTwCRCYzrR2amNiBRNPJB0An
WNdrgR343t+PdAseeOH4qS88EgQ9wA0SI486Pjw8GqTTl4OjweAouEe8/YNv
4P/Hhye9w97R0UnvKHqA/e0djgeD40ftcPTqGHY47n2Fq7+8R7qdEnz1ZAkI
KLJj2VNPdPxJYb7cJdXEnugDaJqpeV22I0nxwcFUNuEL+XrYdEk7LoxOGtL+
xPKCa7j9wk/1pL9QYN+foCImXHZCHiCICKRAirNLuKrcxTy4c6OgjfppD4oN
9ezPxNn5m/MfxGiV3ECZyLf74v1ZDULKA2iQqQB1zSrBipJDl3yNUzgmsL/d
e+BqbNMUaiKVdJt6mek1t1Uc2nrJY2c3K+GJrufGqZmvtD0gCxcsTyY46o8F
C7BxS4AuKdJyG/ObKKDdlCOSdXgpHJjb059WAFuNWLqsB9LY79mfjtsO3uz5
+3a8s9M+w7kKgz7M9aeZjIt6CZ0HTaXb4wZ/8arTnH9a0MU3IzeFtCXQQ6UA
cCAUFKN6udQlpcvLOqsU+un2JME3PFRDFv5cesd9cSoa2Brz/B73tbeO8kfQ
77jpSACZEaQYhW/HhdS1n8Y+WPicvH7Tpe/Z9i08XltChGAKaXbF0gEryV0O
OIXCiERie3/pEqfJFqnfs4gGcmZBGIjc63NvPaJvuJtXpVxy+ecRcZCZkvbm
3Fu4RABKHeGoniosXybEwXuTCxj5WB9ppk7NHMeoOUadvziIr9urNicv8JIT
n1VViA+3BlygCzzqMXxIaTwnNMLGmao3B5kPFLCM8VzWjrjN47pxHsfRXxvK
dPNsIUDRwZ+b7OC0ucWH+Fsa+wcilHk4xT2OG0oI1MXaOfTO1orv9Nmm+p7Z
jL06VKpVnGx74vj67Fp0vfmFmtFJB50pkg9fDK+G22+1LrrhqVeheaX9ywXc
FP9mYAoWoP2HCR6HZjKd4ytEIi5uxVrXqJ6NP3/riF6v1xH7eLuQJmnkrwcO
lqpSzKBdR9p8VlvP56Bpcly9cQsPGPkf4bgnTs06AAA=

-->

</rfc>
