Technical requirements for authoritative name servers

This document describes the baseline technical conformance criteria for authoritative name servers. These are evaluated for changes to delegations in domains that IANA maintains, such as the DNS root zone.

1 Definitions

1.1 The designated zone is the domain for which the change of delegation is sought, and for which IANA maintains the parent zone.

1.2 For the purposes of this document, an authoritative name server is a DNS server that has been designated to answer authoritatively for the designated zone, and is being requested to be listed in the delegation. It is recorded by its fully-qualified domain name, potentially along with its IP addresses. 

1.3 Name server tests are completed against each unique tuple of a hostname, an IP address, and a protocol. If a hostname has multiple IP addresses, for example, the tests will be conducted against each IP address.

2 Technical requirements 

2.1 Minimum number of name servers 

2.1.1There must be at least two NS records listed in a delegation, and the hosts must not resolve to the same IP address.

2.2 Valid hostnames

2.2.1 The hostnames used for the name servers must comply with the requirements for valid hostnames described in RFC 1123, section 2.1.

2.3 Name server reachability

2.3.1 The name servers must answer DNS queries over both the UDP and TCP protocols on port 53.

2.3.2 Tests will be conducted from multiple network locations to verify the name server is responding.

2.4 Answer authoritatively

2.4.1 The name servers must answer authoritatively for the designated zone. Responses to queries to the name servers for the designated zone must have the “AA”-bit set.

2.4.2 This will be tested by querying for the SOA record of the designated zone with no “RD”-bit set.

2.5 Network diversity

2.5.1 The name servers must be in at least two topologically separate networks.

2.5.2 A network is defined as an origin autonomous system in the BGP routing table.

2.5.3 The requirement is assessed through inspection of views of the BGP routing table.

2.6 Consistency between glue and authoritative data

2.6.1 For name servers which have IP addresses listed as glue, the IP addresses must match the authoritative A and AAAA records for that host.

2.7 Consistency between delegation and zone

2.7.1 The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.

2.8 Consistency between authoritative name servers

2.8.1 The data served by the authoritative name servers for the designated zone must be consistent.

2.8.2 All authoritative name servers must serve the same NS record set for the designated domain.

2.8.3 All authoritative name servers must serve the same SOA record for the designated domain.

2.8.3.1 If for operational reasons the zone content fluctuates rapidly, the serial numbers need only be loosely coherent.

2.9 No truncation of referrals

2.9.1 Referrals from the parent zone's name servers must fit into a non-EDNS0 UDP DNS packet and therefore the DNS payload must not exceed 512 octets.

2.9.2 The required delegation information in the referral is a complete set of NS records, and the minimal set of requisite glue records. The response size is assessed as a response to a query with a maximum-sized QNAME.

2.9.3 The minimal set of requisite glue records is considered to be:

2.9.3.1 One A record, if all authoritative name servers are in-bailiwick of the parent zone; and,

2.9.3.2 One AAAA record, if there are any IPv6-capable authoritative name servers and all IPv6-capable authoritative name servers are in-bailiwick of the parent zone.

2.10 Prohibited networks

2.10.1 The authoritative name server IP addresses must not be in specially designated networks that are either not globally routable, or are otherwise unsuited for authoritative name service.

2.10.2 IPv4 networks considered not globally routable are 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, and 224.0.0.0/3. (see RFC 3330)

2.10.3 IPv6 networks considered not globally routable are ::/128, ::1/128, 2001:2::/48, 2001:10::/28, 2001:DB8::/32, FC00::/7 and FE80::/10. (see RFC 5156)

2.10.4 Other prohibited networks are:

2.10.4.1 ::FFFF:0:0/96 (IPv4 mapped addresses, see RFC 4291)

2.10.4.2 2001::/32 (Teredo, see RFC 4380)

2.10.4.3 2002::/16 (6to4, see RFC 3056)

2.10.4.4 192.88.99.0/24 (6to4, see RFC 3068)

2.11 No open recursive name service

2.11.1 The authoritative name servers must not provide recursive name service.

2.11.2 This requirement is tested by sending a query outside the jurisdiction of the authority with the “RD”-bit set.

2.12 Same source address

2.12.1 Responses from the authoritative name servers must contain the same source IP address as the destination IP address of the initial query.

3 Useful References

3.1 Domain Names — Concepts and Facilities (RFC 1034)

3.2 Domain Names — Implementation and Specification (RFC 1035)

3.3 Preventing Use of Recursive Nameservers in Reflector Attacks (RFC 5358)

3.4 Operational Considerations and Issues with IPv6 DNS (RFC 4472)

3.5 Extension Mechanisms for DNS (EDNS0) (RFC 2671)

3.6 DNS Referral Response Size Issues

3.7 DNS Transport over TCP - Implementation Requirements (RFC 5966)

3.8 IANA IPv6 Special Purpose Address Registry

3.9 Special-use IPv6 Addresses (RFC 5156)

3.10 Special-use IPv4 Addresses (RFC 5735