Internet-Draft Base Protocol Requirements for the Root July 2025
Abley Expires 26 January 2026 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-jabley-root-zone-ground-rules-latest
Published:
Intended Status:
Standards Track
Expires:
Author:
J. Abley
Cloudflare

Base Protocol Requirements for the Root Zone of the DNS

Abstract

The root zone of the DNS is, in almost all ways, a DNS zone like any other, and shares the same DNS protocol requirements. However, there are a small number of ways in which the root zone is special, in some cases as a consequence of the wider DNS protocol protocol or for operational reason. This document describes some ways in which the root zone is special and imposes corresponding technical requirements on the contents of the root zone. These requirements form a minimal starting point for other policies that relate to the root zone of the DNS, many of which are developed and implemented outside the IETF.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://ableyjoe.github.io/draft-jabley-root-zone-ground-rules/draft-jabley-root-zone-ground-rules.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-jabley-root-zone-ground-rules/.

Discussion of this document takes place on the dnsop Working Group mailing list (mailto:dnsop@ietf.org), which is archived at https://datatracker.ietf.org/wg/dnsop/about/. Subscribe at https://www.ietf.org/mailman/listinfo/dnsop/.

Source for this draft and an issue tracker can be found at https://github.com/ableyjoe/draft-jabley-root-zone-ground-rules.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 26 January 2026.

Table of Contents

1. Introduction

The Domain Name System (DNS), originally specified in [RFC1034] and [RFC1035], implements a namespace that is distributed structurally as a collection of zones, connected together as a tree. The root zone in the DNS is the ancestor of all other zones and has no parent.

From the perspective of the DNS protocol, all zones in the DNS share the same essential properties. However, the root zone is special in some ways by virtue of its location within the namespace. For example, as the ancestor of all other zones, a chain of trust to a key used to generate signatures in other zones relies upon secure delegations being used from the root zone for direct children.

This document describes a minimal set of technical constraints for the construction of the root zone. This document specifically does not aim to encapsulate a complete or sufficient set of policies for the root zone to meet the wider requirements of the DNS, for all of which this document defers to other competent authorities.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document assumes a familiarity with the DNS terminology described in [RFC9499].

3. Technical, Protocol Constraints on Root Zone Generation

3.1. Constraints Commnon to All Zones

The root zone MUST include exactly one SOA resource record with empty owner name and class IN. This is a consequence of the requirements for DNS zones described in [RFC1034] and [RFC1035].

The root zone MUST include an NS resource record set with empty owner name and class IN, as described in [RFC1034] and [RFC1035]. This is a consequence of the requirements for DNS zones described in [RFC1034] and [RFC1035].

This document does not specify particular values for the SOA parameters included in the SOA resource record RDATA, the NS record targets, the number of NS resource records in the NS RRSet or the TTL of any of the RRSets described above. All such policy decisions are instead deferred to the appropriate competent authorities.

3.2. Special Constraints for the Root Zone

The root zone MUST NOT include A or AAAA resource records with empty owner name and class IN. Multiple specifications make use of an empty domain name to mean "not available", including [RFC2782], [RFC7505] and [RFC9460]. However, some naive DNS clients are observed to misinterpret such signals, with the result that queries with empty QNAME, QCLASS="IN" and QTYPE="A" or "AAAA" are observed at root servers. Positive responses to such queries would have poor security characteristics and are therefore prohibited.

DNSSEC MUST be deployed in the root zone, as specified in [RFC9364].

This document does not specify practices around key management, signature generation, algorithm choice or any other parameter choices.

It is acknowledged that correct and proper management of DNSSEC in the root zone includes making pragmatic, operational decisions, and this document specifically does not specify how DNSSEC should be deployed in any particular circumstance or at any particular time. All such policy decisions are instead deferred to the appropriate competent authorities.

4. Security Considerations

This document aims to provide certainty for fundamental, technical protocol aspects of the root zone of the DNS, including the deployment of DNSSEC in the root zone.

This document does not present any new risks to the Internet.

5. IANA Considerations

This document describes technical, protocol constraints on the generation of the DNS root zone which should be incorporated as appropriate into the root zone management responsibilities of the IANA.

6. References

6.1. Normative References

[RFC1034]
Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, , <https://www.rfc-editor.org/rfc/rfc1034>.
[RFC1035]
Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, , <https://www.rfc-editor.org/rfc/rfc1035>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC9364]
Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237, RFC 9364, DOI 10.17487/RFC9364, , <https://www.rfc-editor.org/rfc/rfc9364>.
[RFC9499]
Hoffman, P. and K. Fujiwara, "DNS Terminology", BCP 219, RFC 9499, DOI 10.17487/RFC9499, , <https://www.rfc-editor.org/rfc/rfc9499>.

6.2. Informative References

[RFC2782]
Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, DOI 10.17487/RFC2782, , <https://www.rfc-editor.org/rfc/rfc2782>.
[RFC7505]
Levine, J. and M. Delany, "A "Null MX" No Service Resource Record for Domains That Accept No Mail", RFC 7505, DOI 10.17487/RFC7505, , <https://www.rfc-editor.org/rfc/rfc7505>.
[RFC9460]
Schwartz, B., Bishop, M., and E. Nygren, "Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)", RFC 9460, DOI 10.17487/RFC9460, , <https://www.rfc-editor.org/rfc/rfc9460>.

Acknowledgments

Your! Name! Here!

Author's Address

Joe Abley
Cloudflare
Amsterdam
Netherlands