draft-ietf-homenet-dot-12.txt   draft-ietf-homenet-dot-13.txt 
Network Working Group P. Pfister Network Working Group P. Pfister
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Updates: RFC7788 (if approved) T. Lemon Updates: RFC7788 (if approved) T. Lemon
Intended status: Standards Track Nominum, Inc. Intended status: Standards Track Nominum, Inc.
Expires: February 11, 2018 August 10, 2017 Expires: March 2, 2018 August 29, 2017
Special Use Domain 'home.arpa.' Special Use Domain 'home.arpa.'
draft-ietf-homenet-dot-12 draft-ietf-homenet-dot-13
Abstract Abstract
This document specifies the behavior that is expected from the Domain This document specifies the behavior that is expected from the Domain
Name System with regard to DNS queries for names ending with Name System with regard to DNS queries for names ending with
'.home.arpa.', and designates this domain as a special-use domain '.home.arpa.', and designates this domain as a special-use domain
name. 'home.arpa.' is designated for non-unique use in residential name. 'home.arpa.' is designated for non-unique use in residential
home networks. Home Networking Control Protocol (HNCP) is updated to home networks. Home Networking Control Protocol (HNCP) is updated to
use the 'home.arpa.' domain instead of '.home'. use the 'home.arpa.' domain instead of '.home'.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 11, 2018. This Internet-Draft will expire on March 2, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 12 skipping to change at page 2, line 12
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. General Guidance . . . . . . . . . . . . . . . . . . . . . . 3 3. General Guidance . . . . . . . . . . . . . . . . . . . . . . 3
4. Domain Name Reservation Considerations . . . . . . . . . . . 3 4. Domain Name Reservation Considerations . . . . . . . . . . . 4
5. Updates to Home Networking Control Protocol . . . . . . . . . 5 5. Updates to Home Networking Control Protocol . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Delegation of 'home.arpa.' . . . . . . . . . . . . . . . . . 7 6.1. Local Significance . . . . . . . . . . . . . . . . . . . 6
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6.2. Insecure Delegation . . . . . . . . . . . . . . . . . . . 7
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 6.3. Bypassing Manually Configured Resolvers . . . . . . . . . 8
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Delegation of 'home.arpa.' . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . 8 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
Users and devices within a home network (hereafter "homenet") require Users and devices within a home network (hereafter "homenet") require
devices and services to be identified by names that are unique within devices and services to be identified by names that are unique within
the boundaries of the homenet [RFC7368]. The naming mechanism needs the boundaries of the homenet [RFC7368]. The naming mechanism needs
to function without configuration from the user. While it may be to function without configuration from the user. While it may be
possible for a name to be delegated by an ISP, homenets must also possible for a name to be delegated by an ISP, homenets must also
function in the absence of such a delegation. A default name with a function in the absence of such a delegation. A default name with a
scope limited to each individual homenet needs to be used. scope limited to each individual homenet needs to be used.
skipping to change at page 3, line 39 skipping to change at page 3, line 44
nodes and/or services that are located within a homenet (e.g., a nodes and/or services that are located within a homenet (e.g., a
printer, or a toaster). printer, or a toaster).
DNS queries for names ending with '.home.arpa.' are resolved using DNS queries for names ending with '.home.arpa.' are resolved using
local resolvers on the homenet. Such queries MUST NOT be recursively local resolvers on the homenet. Such queries MUST NOT be recursively
forwarded to servers outside the logical boundaries of the homenet. forwarded to servers outside the logical boundaries of the homenet.
Some service discovery user interfaces that are expected to be used Some service discovery user interfaces that are expected to be used
on homenets conceal information such as domain names from end users. on homenets conceal information such as domain names from end users.
However, it is still expected that in some cases, users will need to However, it is still expected that in some cases, users will need to
see, remember, and even type, names ending with 'home.arpa.'. It is see, remember, and even type, names ending with 'home.arpa.'. The
therefore desirable that users identify the domain and understand working group hopes that this name will in some way indicate to as
that using it expresses the intention to connect to a service that is many readers as possible that such domain names are referring to
specific to the homenet to which they are connected. Enforcing the devices in the home, but we recognize that it is an imperfect
fulfillment of this intention is out of scope for this document. solution.
4. Domain Name Reservation Considerations 4. Domain Name Reservation Considerations
This section defines the behavior of systems involved in domain name This section defines the behavior of systems involved in domain name
resolution when resolving queries for names ending with '.home.arpa.' resolution when resolving queries for names ending with '.home.arpa.'
(as per [RFC6761]). (as per [RFC6761]).
1. Users can use names ending with '.home.arpa.' just as they would 1. Users can use names ending with '.home.arpa.' just as they would
use any other domain name. The 'home.arpa.' name is chosen to be use any other domain name. The 'home.arpa.' name is chosen to be
readily recognized by users as signifying that the name is readily recognized by users as signifying that the name is
addressing a service on the homenet to which the user's device is addressing a service on the homenet to which the user's device is
connected. connected.
2. Application software SHOULD NOT treat names ending in 2. Application software SHOULD NOT treat names ending in
'home.arpa.' differently than other names. In particular, there 'home.arpa.' differently than other names. In particular, there
is no basis for trusting names that are subdomains of is no basis for trusting names that are subdomains of
'home.arpa.' (see Section 6). 'home.arpa.' (see Section 6).
3. Name resolution APIs and libraries MUST NOT recognize names that 3. Name resolution APIs and libraries MUST NOT recognize names that
end in '.home.arpa.' as special and MUST NOT treat them end in '.home.arpa.' as special and MUST NOT treat them as having
differently. Name resolution APIs MUST send queries for such special significance, except that it may be necessary that such
names to a recursive DNS server that is configured to be APIs not bypass the locally configured recursive resolvers.
authoritative for the 'home.arpa.' zone appropriate to the
homenet. One or more IP addresses for recursive DNS servers will
usually be supplied to the client through router advertisements
or DHCP. If a host is configured to use a resolver other than
one that is authoritative for the appropriate 'home.arpa.' zone,
the client may be unable to resolve, or may receive incorrect
results for, names in sub domains of 'home.arpa.'.
4. Caching resolvers conforming to this specification MUST support One or more IP addresses for recursive DNS servers will usually
DNSSEC queries. While validation is not required, it is strongly be supplied to the client through router advertisements or DHCP.
encouraged; a caching resolver that does not validate answers For an administrative domain that uses names in 'home.arpa.',
that can be validated may cache invalid data; this will prevent such as a homenet, the recursive resolvers provided by that
validating stub resolvers from successfully validating answers. domain will be able to answer queries for subdomains of
home.arpa; other resolvers will not, or will provide answers that
are not correct within that administrative domain.
Unless configured otherwise, recursive resolvers and DNS proxies A host that is configured to use a resolver other than one that
MUST behave as described in Locally Served Zones ([RFC6303] has been provided by the local network may be unable to resolve,
Section 3). That is, queries for domains that are subdomains of or may receive incorrect results for, names in sub domains of
'home.arpa.' MUST NOT be forwarded, with one important 'home.arpa.'. In order to avoid this, it is permissible that
exception: a query for a DS record when the DO bit ([RFC4035] hosts use the locally-provided resolvers for resolving
section 3.2.1) set MUST return the correct answer for that 'home.arpa.' even when they are configured to use other
question, including correct information in the authority section resolvers.
that proves that the record is nonexistent.
So for example a query for the NS record for 'home.arpa.' MUST 4.
NOT result in that query being forwarded to an upstream cache nor
to the authoritative DNS server for '.arpa.'. However, as
necessary to provide accurate authority information, a query for
the DS record MUST result in whatever queries are necessary being
forwarded; typically, this will just be a query for the DS
record, since the necessary authority information will be
included in the authority section of the response if the DO bit
is set.
In addition to the behavior specified above, recursive resolvers A. Recursive resolvers at sites using 'home.arpa.' MUST
that can be used in a homenet MUST be configurable with a transparently support DNSSEC queries: queries for DNSSEC
delegation to an authoritative server for that particular records and queries with the DO bit set ([RFC4035] section
homenet's instance of the domain 'home.arpa.'. 3.2.1). While validation is not required, it is strongly
encouraged: a caching recursive resolver that does not
validate answers that can be validated may cache invalid
data. This in turn will prevent validating stub resolvers
from successfully validating answers.
It is permissible to combine the recursive resolver function for B. Unless configured otherwise, recursive resolvers and DNS
general DNS lookups with an authoritative resolver for proxies MUST behave as described in Locally Served Zones
'home.arpa.'; in this case, rather than forwarding queries for ([RFC6303] Section 3). That is, queries for domains that are
subdomains of 'home.arpa.' to an authoritative server, the subdomains of 'home.arpa.' MUST NOT be forwarded, with one
caching resolver answers them authoritatively. The behavior with important exception: a query for a DS record when the DO bit
respect to forwarding queries specifically for 'home.arpa.' set MUST return the correct answer for that question,
remains the same. including correct information in the authority section that
proves that the record is nonexistent.
So for example a query for the NS record for 'home.arpa.'
MUST NOT result in that query being forwarded to an upstream
cache nor to the authoritative DNS server for '.arpa.'.
However, as necessary to provide accurate authority
information, a query for the DS record MUST result in
whatever queries are necessary being forwarded; typically,
this will just be a query for the DS record, since the
necessary authority information will be included in the
authority section of the response if the DO bit is set.
C. In addition to the behavior specified above, recursive
resolvers that can be used in a homenet MUST be configurable
with a delegation to an authoritative server for that
particular homenet's instance of the domain 'home.arpa.'.
It is permissible to combine the recursive resolver function
for general DNS lookups with an authoritative resolver for
'home.arpa.'; in this case, rather than forwarding queries
for subdomains of 'home.arpa.' to an authoritative server,
the caching resolver answers them authoritatively. The
behavior with respect to forwarding queries specifically for
'home.arpa.' remains the same.
5. No special processing of 'home.arpa.' is required for 5. No special processing of 'home.arpa.' is required for
authoritative DNS server implementations. It is possible that an authoritative DNS server implementations. It is possible that an
authoritative DNS server might attempt to check the authoritative authoritative DNS server might attempt to check the authoritative
servers for 'home.arpa.' for a delegation beneath that name servers for 'home.arpa.' for a delegation beneath that name
before answering authoritatively for such a delegated name. In before answering authoritatively for such a delegated name. In
such a case, because the name always has only local significance such a case, because the name always has only local significance
there will be no such delegation in the 'home.arpa.' zone, and so there will be no such delegation in the 'home.arpa.' zone, and so
the server would refuse to answer authoritatively for such a the server would refuse to answer authoritatively for such a
zone. A server that implements this sort of check MUST be zone. A server that implements this sort of check MUST be
skipping to change at page 6, line 25 skipping to change at page 6, line 45
(Section 10.6) for the network to use a different one. In case (Section 10.6) for the network to use a different one. In case
multiple are announced, the domain of the node with the greatest multiple are announced, the domain of the node with the greatest
node identifier takes precedence. node identifier takes precedence.
The 'home.arpa.' special-use name does not require a special The 'home.arpa.' special-use name does not require a special
resolution protocol. Names for which the rightmost two labels are resolution protocol. Names for which the rightmost two labels are
'home.arpa.' are resolved using the DNS protocol [RFC1035]. 'home.arpa.' are resolved using the DNS protocol [RFC1035].
6. Security Considerations 6. Security Considerations
6.1. Local Significance
A DNS record that is returned as a response to a query for an FQDN in A DNS record that is returned as a response to a query for an FQDN in
the domain '.home.arpa.' is expected to have local significance. It the domain '.home.arpa.' is expected to have local significance. It
is expected to be returned by a server involved in name resolution is expected to be returned by a server involved in name resolution
for the homenet the device is connected in. However, such response for the homenet the device is connected in. However, such response
MUST NOT be considered more trustworthy than would be a similar MUST NOT be considered more trustworthy than would be a similar
response for any other DNS query. response for any other DNS query.
Because 'home.arpa.' is not globally scoped and cannot be secured Because 'home.arpa.' is not globally scoped and cannot be secured
using DNSSEC based on the root domain's trust anchor, there is no way using DNSSEC based on the root domain's trust anchor, there is no way
to tell, using a standard DNS query, in which homenet scope an answer to tell, using a standard DNS query, in which homenet scope an answer
belongs. Consequently, users may experience surprising results with belongs. Consequently, users may experience surprising results with
such names when roaming to different homenets. To prevent this from such names when roaming to different homenets. To prevent this from
happening, it may be useful for the resolver to identify different happening, it may be useful for the resolver to identify different
homenets on which it has resolved names, but this is out of scope for homenets on which it has resolved names, but this is out of scope for
this document. this document.
It is not possible to install a trust anchor for this zone in the Locally Served Zones ([RFC6303] section 7) recommends installing
'.arpa' zone. The reason for this is that in order to do so, it trust anchors for locally served zones. However, in order for this
would be necessary to have the key-signing key for the zone to be effective, there must be some way of configuring the trust
anchor in the host. Homenet currently specifies no mechanism for
configuring such trust anchors. As a result, while this advice
sounds good, it is not practicable.
Also, although in principle it might be useful to install a trust
anchor for a particular instance of 'home.arpa.', it's reasonable to
expect that a host with such a trust anchor might from time to time
connect to more than one network with its own instance of
'home.arpa.'. Such a host would be unable to access services on any
instance of 'home.arpa.' other than the one for which a trust anchor
was configured.
It is in principle possible to attach an identifier to an instance of
'home.arpa.' that could be used to identify which trust anchor to
rely on for validating names in that particular instance. However,
the security implications of this are complicated, and such a
mechanism, as well as a discussion of those implications, is out of
scope for this document.
6.2. Insecure Delegation
It is not possible to install a trust anchor (a DS RR) for this zone
in the '.arpa' zone. The reason for this is that in order to do so,
it would be necessary to have the key-signing key for the zone
([RFC4034] Section 5). Since the zone is not globally unique, no one ([RFC4034] Section 5). Since the zone is not globally unique, no one
key would work. key would work.
An alternative would be to install a authenticated denial of An alternative would be to provide a authenticated denial of
existence ([RFC4033] Section 3.2). However, this assumes that existence ([RFC4033] Section 3.2). This would be done simply by not
validation is being done on a caching resolver that is aware of the having a delegation from the 'arpa.' zone. However, this requires
special local meaning of 'home.arpa.'. If a host stub resolver the validating resolver to treat 'home.arpa.' specially. If a
validating resolver that doesn't treat 'home.arpa.' specially
attempts to validate a name in 'home.arpa.', an authenticated denial attempts to validate a name in 'home.arpa.', an authenticated denial
of existence of 'home' as a subdomain of 'arpa.' would cause the of existence of 'home' as a subdomain of 'arpa.' would cause the
validation to fail. Therefore, the only delegation that will allow validation to fail. Therefore, the only delegation that will allow
names under 'home.arpa.' to be resolved is an insecure delegation, as names under 'home.arpa.' to be resolved by all validating resolvers
in [RFC6303] section 7. is an insecure delegation as in [RFC6303] section 7.
Consequently, unless a trust anchor for the particular instance of Consequently, unless a trust anchor for the particular instance of
the 'home.arpa.' zone being validated is manually configured on the the 'home.arpa.' zone being validated is manually configured on the
validating resolver, DNSSEC signing of names within the 'home.arpa.' validating resolver, DNSSEC signing and validation of names within
zone is not possible. the 'home.arpa.' zone is not possible.
Although in principle it might be useful to install a trust anchor 6.3. Bypassing Manually Configured Resolvers
for a particular instance of 'home.arpa.', it's reasonable to expect
that a host with such a trust anchor might from time to time connect
to more than one network with its own instance of 'home.arpa.'. Such
a host would be unable to access services on any instance of
'home.arpa.' other than the one for which a trust anchor was
configured.
It is in principle possible to attach an identifier to an instance of In Section 4, item 3, an exception is made to the behavior of stub
'home.arpa.' that could be used to identify which trust anchor to resolvers allowing them to query local resolvers for subdomains of
rely on for validating names in that particular instance. However, 'home.arpa.' even when they have been manually configured to use
the security implications of this are complicated, and such a other resolvers. This behavior obviously has security and privacy
mechanism, as well as a discussion of those implications, is out of implications, and may not be desirable depending on the context. It
scope for this document. may be better to simply ignore this exception and, when one or more
recursive resolvers are configured manually, simply fail to provide
correct answers for subdomains of 'home.arpa.'. At this time we do
not have operational experience that would guide us in making this
decision; implementors are encouraged to consider the context in
which their software will be deployed when deciding how to resolve
this question.
7. Delegation of 'home.arpa.' 7. Delegation of 'home.arpa.'
In order to be fully functional, there must be a delegation of In order to be fully functional, there must be a delegation of
'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST 'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST
NOT include a DS record, and MUST point to one or more black hole NOT include a DS record, and MUST point to one or more black hole
servers, for example 'blackhole-1.iana.org.' and 'blackhole- servers, for example 'blackhole-1.iana.org.' and 'blackhole-
2.iana.org.'. The reason that this delegation must not be signed is 2.iana.org.'. The reason that this delegation must not be signed is
that not signing the delegation breaks the DNSSEC chain of trust, that not signing the delegation breaks the DNSSEC chain of trust,
which prevents a validating stub resolver from rejecting names which prevents a validating stub resolver from rejecting names
skipping to change at page 8, line 8 skipping to change at page 9, line 8
9. Acknowledgments 9. Acknowledgments
The authors would like to thank Stuart Cheshire for his prior work on The authors would like to thank Stuart Cheshire for his prior work on
'.home', as well as the homenet chairs: Mark Townsley and Ray Bellis. '.home', as well as the homenet chairs: Mark Townsley and Ray Bellis.
We would also like to thank Paul Hoffman for providing review and We would also like to thank Paul Hoffman for providing review and
comments on the IANA considerations section, Andrew Sullivan for his comments on the IANA considerations section, Andrew Sullivan for his
review and proposed text, and Suzanne Woolf and Ray Bellis for their review and proposed text, and Suzanne Woolf and Ray Bellis for their
very detailed review comments and process insights. Thanks to Mark very detailed review comments and process insights. Thanks to Mark
Andrews for providing an exhaustive reference list on the topic of Andrews for providing an exhaustive reference list on the topic of
insecure delegations. insecure delegations. Thanks to Dale Worley for catching a rather
egregious mistake and for the Gen-Art review, and to Daniel Migault
for a thorough SecDir review.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC3172] Huston, G., Ed., "Management Guidelines & Operational [RFC3172] Huston, G., Ed., "Management Guidelines & Operational
Requirements for the Address and Routing Parameter Area Requirements for the Address and Routing Parameter Area
Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172, Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172,
September 2001, <http://www.rfc-editor.org/info/rfc3172>. September 2001, <https://www.rfc-editor.org/info/rfc3172>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<http://www.rfc-editor.org/info/rfc4035>. <https://www.rfc-editor.org/info/rfc4035>.
[RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163,
RFC 6303, DOI 10.17487/RFC6303, July 2011, RFC 6303, DOI 10.17487/RFC6303, July 2011,
<http://www.rfc-editor.org/info/rfc6303>. <https://www.rfc-editor.org/info/rfc6303>.
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
RFC 6761, DOI 10.17487/RFC6761, February 2013, RFC 6761, DOI 10.17487/RFC6761, February 2013,
<http://www.rfc-editor.org/info/rfc6761>. <https://www.rfc-editor.org/info/rfc6761>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <http://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10.2. Informative References 10.2. Informative References
[ICANN1] "New gTLD Collision Risk Mitigation", October 2013, [ICANN1] "New gTLD Collision Risk Mitigation", October 2013,
<https://www.icann.org/en/system/files/files/new-gtld- <https://www.icann.org/en/system/files/files/new-gtld-
collision-mitigation-05aug13-en.pdf>. collision-mitigation-05aug13-en.pdf>.
[ICANN2] "New gTLD Collision Occurence Management", October 2013, [ICANN2] "New gTLD Collision Occurence Management", October 2013,
<https://www.icann.org/en/system/files/files/resolutions- <https://www.icann.org/en/system/files/files/resolutions-
new-gtld-annex-1-07oct13-en.pdf>. new-gtld-annex-1-07oct13-en.pdf>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005, RFC 4033, DOI 10.17487/RFC4033, March 2005,
<http://www.rfc-editor.org/info/rfc4033>. <https://www.rfc-editor.org/info/rfc4033>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<http://www.rfc-editor.org/info/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J. [RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J.
Weil, "IPv6 Home Networking Architecture Principles", Weil, "IPv6 Home Networking Architecture Principles",
RFC 7368, DOI 10.17487/RFC7368, October 2014, RFC 7368, DOI 10.17487/RFC7368, October 2014,
<http://www.rfc-editor.org/info/rfc7368>. <https://www.rfc-editor.org/info/rfc7368>.
[RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking
Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April
2016, <http://www.rfc-editor.org/info/rfc7788>. 2016, <https://www.rfc-editor.org/info/rfc7788>.
[SUDN] "Special-Use Domain Names Registry", July 2012, [SUDN] "Special-Use Domain Names Registry", July 2012,
<http://www.iana.org/assignments/special-use-domain-names/ <http://www.iana.org/assignments/special-use-domain-names/
special-use-domain-names.xhtml>. special-use-domain-names.xhtml>.
Authors' Addresses Authors' Addresses
Pierre Pfister Pierre Pfister
Cisco Systems Cisco Systems
Paris Paris
 End of changes. 31 change blocks. 
97 lines changed or deleted 143 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/