Internet Engineering Task Force (IETF)                         W. Kumari
Request for Comments: 8914                                        Google
Category: Standards Track                                        E. Hunt
ISSN: 2070-1721                                                      ISC
                                                               R. Arends
                                                                   ICANN
                                                             W. Hardaker
                                                                 USC/ISI
                                                             D. Lawrence
                                                              Salesforce
                                                            October 2020


                          Extended DNS Errors

Abstract

   This document defines an extensible method to return additional
   information about the cause of DNS errors.  Though created primarily
   to extend SERVFAIL to provide additional information about the cause
   of DNS and DNSSEC failures, the Extended DNS Errors option defined in
   this document allows all response types to contain extended error
   information.  Extended DNS Error information does not change the
   processing of RCODEs.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8914.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Background
     1.1.  Requirements Notation
   2.  Extended DNS Error EDNS0 Option Format
   3.  Extended DNS Error Processing
   4.  Defined Extended DNS Errors
     4.1.  Extended DNS Error Code 0 - Other
     4.2.  Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm
     4.3.  Extended DNS Error Code 2 - Unsupported DS Digest Type
     4.4.  Extended DNS Error Code 3 - Stale Answer
     4.5.  Extended DNS Error Code 4 - Forged Answer
     4.6.  Extended DNS Error Code 5 - DNSSEC Indeterminate
     4.7.  Extended DNS Error Code 6 - DNSSEC Bogus
     4.8.  Extended DNS Error Code 7 - Signature Expired
     4.9.  Extended DNS Error Code 8 - Signature Not Yet Valid
     4.10. Extended DNS Error Code 9 - DNSKEY Missing
     4.11. Extended DNS Error Code 10 - RRSIGs Missing
     4.12. Extended DNS Error Code 11 - No Zone Key Bit Set
     4.13. Extended DNS Error Code 12 - NSEC Missing
     4.14. Extended DNS Error Code 13 - Cached Error
     4.15. Extended DNS Error Code 14 - Not Ready
     4.16. Extended DNS Error Code 15 - Blocked
     4.17. Extended DNS Error Code 16 - Censored
     4.18. Extended DNS Error Code 17 - Filtered
     4.19. Extended DNS Error Code 18 - Prohibited
     4.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer
     4.21. Extended DNS Error Code 20 - Not Authoritative
     4.22. Extended DNS Error Code 21 - Not Supported
     4.23. Extended DNS Error Code 22 - No Reachable Authority
     4.24. Extended DNS Error Code 23 - Network Error
     4.25. Extended DNS Error Code 24 - Invalid Data
   5.  IANA Considerations
     5.1.  A New Extended DNS Error Code EDNS Option
     5.2.  New Registry for Extended DNS Error Codes
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction and Background

   There are many reasons that a DNS query may fail -- some of them
   transient, some permanent; some can be resolved by querying another
   server, some are likely best handled by stopping resolution.
   Unfortunately, the error signals that a DNS server can return are
   very limited and are not very expressive.  This means that
   applications and resolvers often have to "guess" at what the issue
   is, e.g., was the answer marked REFUSED because of a lame delegation
   or because the nameserver is still starting up and loading zones?  Is
   a SERVFAIL a DNSSEC validation issue, or is the nameserver
   experiencing some other failure?  What error messages should be
   presented to the user or logged under these conditions?

   A good example of issues that would benefit from additional error
   information are errors caused by DNSSEC validation issues.  When a
   stub resolver queries a name that is DNSSEC bogus [RFC8499] (using a
   validating resolver), the stub resolver receives only a SERVFAIL in
   response.  Unfortunately, the SERVFAIL Response Code (RCODE) is used
   to signal many sorts of DNS errors, and so the stub resolver's only
   option is to ask the next configured DNS resolver.  The result of
   trying the next resolver is one of two outcomes: either the next
   resolver also validates and a SERVFAIL is returned again or the next
   resolver is not a validating resolver and the user is returned a
   potentially harmful result.  With an Extended DNS Error (EDE) option
   enclosed in the response message, the resolver is able to return a
   more descriptive reason as to why any failures happened or add
   additional context to a message containing a NOERROR RCODE.

   This document specifies a mechanism to extend DNS errors to provide
   additional information about the cause of an error.  The Extended DNS
   Error codes described in this document can be used by any system that
   sends DNS queries and receives a response containing an EDE option.
   Different codes are useful in different circumstances, and thus
   different systems (stub resolvers, recursive resolvers, and
   authoritative resolvers) might receive and use them.

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Extended DNS Error EDNS0 Option Format

   This document uses an Extended Mechanism for DNS (EDNS0) [RFC6891]
   option to include Extended DNS Error (EDE) information in DNS
   messages.  The option is structured as follows:

                                                1   1   1   1   1   1
        0   1   2   3   4   5   6   7   8   9   0   1   2   3   4   5
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   0: |                          OPTION-CODE                          |
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   2: |                         OPTION-LENGTH                         |
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   4: | INFO-CODE                                                     |
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   6: / EXTRA-TEXT ...                                                /
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+


   Field definition details:

   OPTION-CODE:
      2 octets / 16 bits (defined in [RFC6891]) contains the value 15
      for EDE.

   OPTION-LENGTH:
      2 octets / 16 bits (defined in [RFC6891]) contains the length of
      the payload (everything after OPTION-LENGTH) in octets and should
      be 2 plus the length of the EXTRA-TEXT field (which may be a zero-
      length string).

   INFO-CODE:
      16 bits, which is the principal contribution of this document.
      This 16-bit value, encoded in network most significant bit (MSB)
      byte order, provides the additional context for the RESPONSE-CODE
      of the DNS message.  The INFO-CODE serves as an index into the
      "Extended DNS Errors" registry, defined and created in
      Section 5.2.

   EXTRA-TEXT:
      a variable-length, UTF-8-encoded [RFC5198] text field that may
      hold additional textual information.  This information is intended
      for human consumption (not automated parsing).  EDE text may be
      null terminated but MUST NOT be assumed to be; the length MUST be
      derived from the OPTION-LENGTH field.  The EXTRA-TEXT field may be
      zero octets in length, indicating that there is no EXTRA-TEXT
      included.  Care should be taken not to include private information
      in the EXTRA-TEXT field that an observer would not otherwise have
      access to, such as account numbers.

   The Extended DNS Error (EDE) option can be included in any response
   (SERVFAIL, NXDOMAIN, REFUSED, even NOERROR, etc.) to a query that
   includes an OPT pseudo-RR [RFC6891].  This document includes a set of
   initial codepoints but is extensible via the IANA registry defined
   and created in Section 5.2.

3.  Extended DNS Error Processing

   When the response grows beyond the requestor's UDP payload size
   [RFC6891], servers SHOULD truncate messages by dropping EDE options
   before dropping other data from packets.  Implementations SHOULD set
   the truncation bit when dropping EDE options.  Because long EXTRA-
   TEXT fields may trigger truncation (which is undesirable given the
   supplemental nature of EDE), implementers and operators creating EDE
   options SHOULD avoid lengthy EXTRA-TEXT contents.

   When a resolver or forwarder receives an EDE option, whether or not
   (and how) to pass along EDE information on to their original client
   is implementation dependent.  Implementations MAY choose to not
   forward information, or they MAY choose to create a new EDE option(s)
   that conveys the information encoded in the received EDE.  When doing
   so, the source of the error SHOULD be attributed in the EXTRA-TEXT
   field, since an EDNS0 option received by the original client will
   appear to have come from the resolver or forwarder sending it.

   This document does not allow or prohibit any particular extended
   error codes and information to be matched with any particular RCODEs.
   Some combinations of extended error codes and RCODEs may seem
   nonsensical (such as resolver-specific extended error codes received
   in responses from authoritative servers), so systems interpreting the
   extended error codes MUST NOT assume that a combination will make
   sense.  Receivers MUST be able to accept EDE codes and EXTRA-TEXT in
   all messages, including those with a NOERROR RCODE but need not act
   on them.  Applications MUST continue to follow requirements from
   applicable specifications on how to process RCODEs no matter what EDE
   values are also received.  Senders MAY include more than one EDE
   option and receivers MUST be able to accept (but not necessarily
   process or act on) multiple EDE options in a DNS message.
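
   The wire format of Section 2 and the receiver rules above, as an
   added example in Python (not part of the RFC or of any resolver's
   code): a parser that walks the options in an OPT pseudo-RR's RDATA
   and returns every EDE option it finds.  The names parse_ede_options,
   build_ede, describe and MalformedOption, the sample RDATA, and the
   replacement of control characters in EXTRA-TEXT are this example's
   own assumptions.

```python
import struct

EDE_OPTION_CODE = 15  # "Extended DNS Error" EDNS0 option code (Section 5.1)

# Initial registry contents (Section 5.2, Table 3), indexed by INFO-CODE.
EDE_PURPOSE = dict(enumerate([
    "Other Error", "Unsupported DNSKEY Algorithm",
    "Unsupported DS Digest Type", "Stale Answer", "Forged Answer",
    "DNSSEC Indeterminate", "DNSSEC Bogus", "Signature Expired",
    "Signature Not Yet Valid", "DNSKEY Missing", "RRSIGs Missing",
    "No Zone Key Bit Set", "NSEC Missing", "Cached Error", "Not Ready",
    "Blocked", "Censored", "Filtered", "Prohibited",
    "Stale NXDomain Answer", "Not Authoritative", "Not Supported",
    "No Reachable Authority", "Network Error", "Invalid Data",
]))


class MalformedOption(ValueError):
    """Raised when the option framing itself cannot be trusted."""


def describe(info_code):
    """Map an INFO-CODE to its registry purpose without rejecting unknowns."""
    if info_code in EDE_PURPOSE:
        return EDE_PURPOSE[info_code]
    if 49152 <= info_code <= 65535:
        return "Private Use"
    return "Unassigned"


def build_ede(info_code, extra_text=""):
    """Encode OPTION-CODE, OPTION-LENGTH, INFO-CODE and EXTRA-TEXT."""
    text = extra_text.encode("utf-8")
    return struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), info_code) + text


def parse_ede_options(opt_rdata):
    """Return every EDE option in OPT RDATA as (info_code, purpose, text)."""
    found, offset = [], 0
    while offset < len(opt_rdata):
        if len(opt_rdata) - offset < 4:
            raise MalformedOption("truncated option header")
        code, length = struct.unpack_from("!HH", opt_rdata, offset)
        offset += 4
        if length > len(opt_rdata) - offset:
            raise MalformedOption("OPTION-LENGTH runs past the RDATA")
        payload = opt_rdata[offset:offset + length]
        offset += length
        if code != EDE_OPTION_CODE:
            continue  # some other EDNS0 option; not ours to interpret
        if length < 2:
            raise MalformedOption("EDE option too short for INFO-CODE")
        (info_code,) = struct.unpack("!H", payload[:2])
        raw = payload[2:]  # length comes from OPTION-LENGTH, never from a NUL
        if raw.endswith(b"\x00"):
            raw = raw[:-1]  # the text may be null terminated
        # EXTRA-TEXT is unauthenticated and meant for humans: decode
        # leniently and blank out control characters before it reaches a
        # log or terminal (this example's choice, not an RFC requirement).
        text = raw.decode("utf-8", errors="replace")
        text = "".join(c if c.isprintable() else "?" for c in text)
        found.append((info_code, describe(info_code), text))
    return found


# Constructed sample: an unrelated 8-octet option (code 10), then three
# EDE options, one of them NUL-terminated and in the Private Use range.
SAMPLE_RDATA = (
    b"\x00\x0a\x00\x08" + b"\x01" * 8
    + build_ede(6, "no valid RRSIG for example.com A")
    + build_ede(49152, "local policy\x00")
    + build_ede(3)
)

if __name__ == "__main__":
    for code, purpose, text in parse_ede_options(SAMPLE_RDATA):
        print(f"EDE {code} ({purpose}): {text!r}")
```

   The returned tuples are for logging and display only; RCODE handling
   is left untouched, as this section requires.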

4.  Defined Extended DNS Errors

   This document defines some initial EDE codes.  The mechanism is
   intended to be extensible, and additional codepoints can be
   registered in the "Extended DNS Errors" registry (Section 5.2).  The
   INFO-CODE from the EDE EDNS option is used to serve as an index into
   the "Extended DNS Error" IANA registry, the initial values for which
   are defined in the following subsections.

4.1.  Extended DNS Error Code 0 - Other

   The error in question falls into a category that does not match known
   extended error codes.  Implementations SHOULD include an EXTRA-TEXT
   value to augment this error code with additional information.

4.2.  Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm

   The resolver attempted to perform DNSSEC validation, but a DNSKEY
   RRset contained only unsupported DNSSEC algorithms.

4.3.  Extended DNS Error Code 2 - Unsupported DS Digest Type

   The resolver attempted to perform DNSSEC validation, but a DS RRset
   contained only unsupported Digest Types.

4.4.  Extended DNS Error Code 3 - Stale Answer

   The resolver was unable to resolve the answer within its time limits
   and decided to answer with previously cached data instead of
   answering with an error.  This is typically caused by problems
   communicating with an authoritative server, possibly as result of a
   denial of service (DoS) attack against another network.  (See also
   Code 19.)

4.5.  Extended DNS Error Code 4 - Forged Answer

   For policy reasons (legal obligation or malware filtering, for
   instance), an answer was forged.  Note that this should be used when
   an answer is still provided, not when failure codes are returned
   instead.  See Blocked (15), Censored (16), and Filtered (17) for use
   when returning other response codes.

4.6.  Extended DNS Error Code 5 - DNSSEC Indeterminate

   The resolver attempted to perform DNSSEC validation, but validation
   ended in the Indeterminate state [RFC4035].

4.7.  Extended DNS Error Code 6 - DNSSEC Bogus

   The resolver attempted to perform DNSSEC validation, but validation
   ended in the Bogus state.

4.8.  Extended DNS Error Code 7 - Signature Expired

   The resolver attempted to perform DNSSEC validation, but no
   signatures are presently valid and some (often all) are expired.

4.9.  Extended DNS Error Code 8 - Signature Not Yet Valid

   The resolver attempted to perform DNSSEC validation, but no
   signatures are presently valid and at least some are not yet valid.

4.10.  Extended DNS Error Code 9 - DNSKEY Missing

   A DS record existed at a parent, but no supported matching DNSKEY
   record could be found for the child.

4.11.  Extended DNS Error Code 10 - RRSIGs Missing

   The resolver attempted to perform DNSSEC validation, but no RRSIGs
   could be found for at least one RRset where RRSIGs were expected.

4.12.  Extended DNS Error Code 11 - No Zone Key Bit Set

   The resolver attempted to perform DNSSEC validation, but no Zone Key
   Bit was set in a DNSKEY.

4.13.  Extended DNS Error Code 12 - NSEC Missing

   The resolver attempted to perform DNSSEC validation, but the
   requested data was missing and a covering NSEC or NSEC3 was not
   provided.

4.14.  Extended DNS Error Code 13 - Cached Error

   The resolver is returning the SERVFAIL RCODE from its cache.

4.15.  Extended DNS Error Code 14 - Not Ready

   The server is unable to answer the query, as it was not fully
   functional when the query was received.

4.16.  Extended DNS Error Code 15 - Blocked

   The server is unable to respond to the request because the domain is
   on a blocklist due to an internal security policy imposed by the
   operator of the server resolving or forwarding the query.

4.17.  Extended DNS Error Code 16 - Censored

   The server is unable to respond to the request because the domain is
   on a blocklist due to an external requirement imposed by an entity
   other than the operator of the server resolving or forwarding the
   query.  Note that how the imposed policy is applied is irrelevant
   (in-band DNS filtering, court order, etc.).

4.18.  Extended DNS Error Code 17 - Filtered

   The server is unable to respond to the request because the domain is
   on a blocklist as requested by the client.  Functionally, this
   amounts to "you requested that we filter domains like this one."

4.19.  Extended DNS Error Code 18 - Prohibited

   An authoritative server or recursive resolver that receives a query
   from an "unauthorized" client can annotate its REFUSED message with
   this code.  Examples of "unauthorized" clients are recursive queries
   from IP addresses outside the network, blocklisted IP addresses,
   local policy, etc.

4.20.  Extended DNS Error Code 19 - Stale NXDOMAIN Answer

   The resolver was unable to resolve an answer within its configured
   time limits and decided to answer with a previously cached NXDOMAIN
   answer instead of answering with an error.  This may be caused, for
   example, by problems communicating with an authoritative server,
   possibly as result of a denial of service (DoS) attack against
   another network.  (See also Code 3.)

4.21.  Extended DNS Error Code 20 - Not Authoritative

   An authoritative server that receives a query with the Recursion
   Desired (RD) bit clear, or when it is not configured for recursion
   for a domain for which it is not authoritative, SHOULD include this
   EDE code in the REFUSED response.  A resolver that receives a query
   with the RD bit clear SHOULD include this EDE code in the REFUSED
   response.

4.22.  Extended DNS Error Code 21 - Not Supported

   The requested operation or query is not supported.

4.23.  Extended DNS Error Code 22 - No Reachable Authority

   The resolver could not reach any of the authoritative name servers
   (or they potentially refused to reply).

4.24.  Extended DNS Error Code 23 - Network Error

   An unrecoverable error occurred while communicating with another
   server.

4.25.  Extended DNS Error Code 24 - Invalid Data

   The authoritative server cannot answer with data for a zone it is
   otherwise configured to support.  Examples of this include its most
   recent zone being too old or having expired.

5.  IANA Considerations

5.1.  A New Extended DNS Error Code EDNS Option

   This document defines a new EDNS(0) option, entitled "Extended DNS
   Error", with the assigned value of 15 from the "DNS EDNS0 Option
   Codes (OPT)" registry:

         +=======+====================+==========+===========+
         | Value | Name               | Status   | Reference |
         +=======+====================+==========+===========+
         | 15    | Extended DNS Error | Standard | RFC 8914  |
         +-------+--------------------+----------+-----------+

                                Table 1

5.2.  New Registry for Extended DNS Error Codes

   IANA has created and will maintain a new registry called "Extended
   DNS Error Codes" on the "Domain Name System (DNS) Parameters" web
   page as follows:

              +===============+=========================+
              | Range         | Registration Procedures |
              +===============+=========================+
              | 0 - 49151     | First Come First Served |
              +---------------+-------------------------+
              | 49152 - 65535 | Private Use             |
              +---------------+-------------------------+

                                Table 2

   The "Extended DNS Error Codes" registry is a table with three
   columns: INFO-CODE, Purpose, and Reference.  The initial content is
   as below.

     +=============+==============================+===============+
     | INFO-CODE   | Purpose                      | Reference     |
     +=============+==============================+===============+
     | 0           | Other Error                  | Section 4.1   |
     +-------------+------------------------------+---------------+
     | 1           | Unsupported DNSKEY Algorithm | Section 4.2   |
     +-------------+------------------------------+---------------+
     | 2           | Unsupported DS Digest Type   | Section 4.3   |
     +-------------+------------------------------+---------------+
     | 3           | Stale Answer                 | Section 4.4   |
     |             |                              | and [RFC8767] |
     +-------------+------------------------------+---------------+
     | 4           | Forged Answer                | Section 4.5   |
     +-------------+------------------------------+---------------+
     | 5           | DNSSEC Indeterminate         | Section 4.6   |
     +-------------+------------------------------+---------------+
     | 6           | DNSSEC Bogus                 | Section 4.7   |
     +-------------+------------------------------+---------------+
     | 7           | Signature Expired            | Section 4.8   |
     +-------------+------------------------------+---------------+
     | 8           | Signature Not Yet Valid      | Section 4.9   |
     +-------------+------------------------------+---------------+
     | 9           | DNSKEY Missing               | Section 4.10  |
     +-------------+------------------------------+---------------+
     | 10          | RRSIGs Missing               | Section 4.11  |
     +-------------+------------------------------+---------------+
     | 11          | No Zone Key Bit Set          | Section 4.12  |
     +-------------+------------------------------+---------------+
     | 12          | NSEC Missing                 | Section 4.13  |
     +-------------+------------------------------+---------------+
     | 13          | Cached Error                 | Section 4.14  |
     +-------------+------------------------------+---------------+
     | 14          | Not Ready                    | Section 4.15  |
     +-------------+------------------------------+---------------+
     | 15          | Blocked                      | Section 4.16  |
     +-------------+------------------------------+---------------+
     | 16          | Censored                     | Section 4.17  |
     +-------------+------------------------------+---------------+
     | 17          | Filtered                     | Section 4.18  |
     +-------------+------------------------------+---------------+
     | 18          | Prohibited                   | Section 4.19  |
     +-------------+------------------------------+---------------+
     | 19          | Stale NXDomain Answer        | Section 4.20  |
     +-------------+------------------------------+---------------+
     | 20          | Not Authoritative            | Section 4.21  |
     +-------------+------------------------------+---------------+
     | 21          | Not Supported                | Section 4.22  |
     +-------------+------------------------------+---------------+
     | 22          | No Reachable Authority       | Section 4.23  |
     +-------------+------------------------------+---------------+
     | 23          | Network Error                | Section 4.24  |
     +-------------+------------------------------+---------------+
     | 24          | Invalid Data                 | Section 4.25  |
     +-------------+------------------------------+---------------+
     | 25-49151    | Unassigned                   |               |
     +-------------+------------------------------+---------------+
     | 49152-65535 | Reserved for Private Use     | Section 5.2   |
     +-------------+------------------------------+---------------+

                                Table 3

6.  Security Considerations

   Though DNSSEC continues to be deployed, unfortunately a significant
   number of clients (~11% according to [GeoffValidation]) that receive
   a SERVFAIL from a validating resolver because of a DNSSEC validation
   issue will simply ask the next (potentially non-validating) resolver
   in their list and thus don't get the protections that DNSSEC should
   provide.

   EDE information is unauthenticated information, unless secured by a
   form of secured DNS transaction, such as [RFC2845], [RFC2931],
   [RFC8094], or [RFC8484].  An attacker (e.g., a man in the middle
   (MITM) or malicious recursive server) could insert an extended error
   response into untrusted data -- although, ideally, clients and
   resolvers would not trust any unauthenticated information.  As such,
   EDE content should be treated only as diagnostic information and MUST
   NOT alter DNS protocol processing.  Until all DNS answers are
   authenticated via DNSSEC or the other mechanisms mentioned above,
   there are some trade-offs.  As an example, an attacker who is able to
   insert the DNSSEC Bogus Extended Error into a DNS message could
   instead simply reply with a fictitious address (A or AAAA) record.
   Note that DNS RCODEs also contain no authentication and can be just
   as easily manipulated.

   By design, EDE potentially exposes additional information via DNS
   resolution processes that may leak information.  An example of this
   is the Prohibited EDE code (18), which may leak the fact that the
   name is on a blocklist.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
              <https://www.rfc-editor.org/info/rfc4035>.

   [RFC5198]  Klensin, J. and M. Padlipsky, "Unicode Format for Network
              Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008,
              <https://www.rfc-editor.org/info/rfc5198>.

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013,
              <https://www.rfc-editor.org/info/rfc6891>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

   [RFC8767]  Lawrence, D., Kumari, W., and P. Sood, "Serving Stale Data
              to Improve DNS Resiliency", RFC 8767,
              DOI 10.17487/RFC8767, March 2020,
              <https://www.rfc-editor.org/info/rfc8767>.

7.2.  Informative References

   [GeoffValidation]
              Huston, G., "A quick review of DNSSEC Validation in
              today's Internet", June 2016, <http://www.potaroo.net/
              presentations/2016-06-27-dnssec.pdf>.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000,
              <https://www.rfc-editor.org/info/rfc2845>.

   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
              ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
              2000, <https://www.rfc-editor.org/info/rfc2931>.

   [RFC8094]  Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
              Transport Layer Security (DTLS)", RFC 8094,
              DOI 10.17487/RFC8094, February 2017,
              <https://www.rfc-editor.org/info/rfc8094>.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

Acknowledgements

   The authors wish to thank Joe Abley, Mark Andrews, Tim April,
   Vittorio Bertola, Stephane Bortzmeyer, Vladimir Cunat, Ralph Dolmans,
   Peter DeVries, Peter van Dijk, Mats Dufberg, Donald Eastlake, Bob
   Harold, Paul Hoffman, Geoff Huston, Shane Kerr, Edward Lewis, Carlos
   M. Martinez, George Michelson, Eric Orth, Michael Sheldon, Puneet
   Sood, Petr Spacek, Ondrej Sury, John Todd, Loganaden Velvindron, and
   Paul Vixie.  They also vaguely remember discussing this with a number
   of people over the years but have forgotten who all of them were.
   Apologies if we forgot to acknowledge your contributions.

   One author also wants to thank the band Infected Mushroom for
   providing a good background soundtrack.  Another author would like to
   thank the band Mushroom Infectors.  This was funny at the time we
   wrote it, but we cannot remember why...

Authors' Addresses

   Warren Kumari
   Google
   1600 Amphitheatre Parkway
   Mountain View, CA 94043
   United States of America

   Email: warren@kumari.net


   Evan Hunt
   ISC
   950 Charter St
   Redwood City, CA 94063
   United States of America

   Email: each@isc.org


   Roy Arends
   ICANN

   Email: roy.arends@icann.org


   Wes Hardaker
   USC/ISI
   P.O. Box 382
   Davis, CA 95617
   United States of America

   Email: ietf@hardakers.net


   David C Lawrence
   Salesforce
   415 Mission St
   San Francisco, CA 94105
   United States of America

   Email: tale@dd.org