File: rfc8767.html

package info (click to toggle)
doc-rfc 20201128-1
links: PTS, VCS
area: non-free
in suites: bullseye
size: 1,307,124 kB
file content (1812 lines) | stat: -rw-r--r-- 73,857 bytes
parent folder | download | duplicates (2)
<!DOCTYPE html>
<html lang="en" class="RFC">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>RFC 8767: Serving Stale Data to Improve DNS Resiliency</title>
<meta content="David C Lawrence" name="author">
<meta content='Warren "Ace" Kumari' name="author">
<meta content="Puneet Sood" name="author">
<meta content="
       This document defines a method (serve-stale) for recursive resolvers to
use stale DNS data to avoid outages when authoritative nameservers
cannot be reached to refresh expired data. One of the motivations
for serve-stale is to make the DNS more resilient to DoS attacks
and thereby make them less attractive as an attack vector.
This document updates the definitions of TTL from RFCs 1034
and 1035 so that data can be kept in the cache beyond
the TTL expiry; it also updates RFC 2181 by interpreting
values with the high-order bit set as being positive, rather
than 0, and suggests a cap of 7 days. 
    " name="description">
<meta content="xml2rfc 2.41.0" name="generator">
<meta content="DNS" name="keyword">
<meta content="DDoS" name="keyword">
<meta content="Resiliency" name="keyword">
<meta content="Denial-of-Service" name="keyword">
<meta content="Expired" name="keyword">
<meta content="8767" name="rfc.number">
<link href="rfc8767.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*

  NOTE: Changes at the bottom of this file overrides some earlier settings.

  Once the style has stabilized and has been adopted as an official RFC style,
  this can be consolidated so that style settings occur only in one place, but
  for now the contents of this file consists first of the initial CSS work as
  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
  commented changes found necssary during the development of the v3
  formatters.

*/

/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */

@viewport {
  zoom: 1.0;
  width: extend-to-zoom;
}
@-ms-viewport {
  width: extend-to-zoom;
  zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
  max-width: 90%;
  margin: 1.5em auto;
  color: #222;
  background-color: #fff;
  font-size: 14px;
  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
  line-height: 1.6;
  scroll-behavior: smooth;
}
.ears {
  display: none;
}

/* headings */
#title, h1, h2, h3, h4, h5, h6 {
  margin: 1em 0 0.5em;
  font-weight: bold;
  line-height: 1.3;
}
#title {
  clear: both;
  border-bottom: 1px solid #ddd;
  margin: 0 0 0.5em 0;
  padding: 1em 0 0.5em;
}
.author {
  padding-bottom: 4px;
}
h1 {
  font-size: 26px;
  margin: 1em 0;
}
h2 {
  font-size: 22px;
  margin-top: -20px;  /* provide offset for in-page anchors */
  padding-top: 33px;
}
h3 {
  font-size: 18px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h4 {
  font-size: 16px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h5, h6 {
  font-size: 14px;
}
#n-copyright-notice {
  border-bottom: 1px solid #ddd;
  padding-bottom: 1em;
  margin-bottom: 1em;
}
/* general structure */
p {
  padding: 0;
  margin: 0 0 1em 0;
  text-align: left;
}
div, span {
  position: relative;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignRight.art-text pre {
  padding: 0;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
.alignCenter.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
  padding: 0;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  border: none;
  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
     support flexbox yet.
  */
  display: table;
  margin: 0 auto;
}

/* lists */
ol, ul {
  padding: 0;
  margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
  margin-left: 1em;
}
li {
  margin: 0 0 0.25em 0;
}
.ulCompact li {
  margin: 0;
}
ul.empty, .ulEmpty {
  list-style-type: none;
}
ul.empty li, .ulEmpty li {
  margin-top: 0.5em;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
  line-height: 100%;
  margin: 0 0 0 2em;
}

/* definition lists */
dl {
}
dl > dt {
  float: left;
  margin-right: 1em;
}
/* 
dl.nohang > dt {
  float: none;
}
*/
dl > dd {
  margin-bottom: .8em;
  min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
  margin-bottom: 0em;
}
dl > dd > dl {
  margin-top: 0.5em;
  margin-bottom: 0em;
}

/* links */
a {
  text-decoration: none;
}
a[href] {
  color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
  background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
  color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
  background-color: transparent;
  cursor: default;
} */

/* Figures */
tt, code, pre, code {
  background-color: #f9f9f9;
  font-family: 'Roboto Mono', monospace;
}
pre {
  border: 1px solid #eee;
  margin: 0;
  padding: 1em;
}
img {
  max-width: 100%;
}
figure {
  margin: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption {
  font-style: italic;
  margin: 0 0 1em 0;
}
@media screen {
  pre {
    overflow-x: auto;
    max-width: 100%;
    max-width: calc(100% - 22px);
  }
}

/* aside, blockquote */
aside, blockquote {
  margin-left: 0;
  padding: 1.2em 2em;
}
blockquote {
  background-color: #f9f9f9;
  color: #111; /* Arlen: WCAG 2019 */
  border: 1px solid #ddd;
  border-radius: 3px;
  margin: 1em 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
  border: 1px solid #eee;
}
th, td {
  text-align: left;
  vertical-align: top;
  padding: 0.5em 0.75em;
}
th {
  text-align: left;
  background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
  background-color: #f5f5f5;
}
table caption {
  font-style: italic;
  margin: 0;
  padding: 0;
  text-align: left;
}
table p {
  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
     be allowed within tables more generally, it would be far better to select on a class. */
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  color: #666; /* Arlen: AHDJ 2019 */
  text-decoration: none;
  visibility: hidden;
  user-select: none;
  -ms-user-select: none;
  -o-user-select:none;
  -moz-user-select: none;
  -khtml-user-select: none;
  -webkit-user-select: none;
  -webkit-touch-callout: none;
}
@media screen {
  aside:hover > a.pilcrow,
  p:hover > a.pilcrow,
  blockquote:hover > a.pilcrow,
  div:hover > a.pilcrow,
  li:hover > a.pilcrow,
  pre:hover > a.pilcrow {
    visibility: visible;
  }
  a.pilcrow:hover {
    background-color: transparent;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid #eee;
}
.bcp14 {
  font-variant: small-caps;
}

.role {
  font-variant: all-small-caps;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: 0.9em;
}
#identifiers dt {
  width: 3em;
  clear: left;
}
#identifiers dd {
  float: left;
  margin-bottom: 0;
}
#identifiers .authors .author {
  display: inline-block;
  margin-right: 1.5em;
}
#identifiers .authors .org {
  font-style: italic;
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #666; /* Arlen: WCAG 2019 */
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: left;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc  {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;
}
nav.toc ul {
  margin: 0 0.5em 0 0;
  padding: 0;
  list-style: none;
}
nav.toc li {
  line-height: 1.3em;
  margin: 0.75em 0;
  padding-left: 1.2em;
  text-indent: -1.2em;
}
/* references */
.references dt {
  text-align: right;
  font-weight: bold;
  min-width: 7em;
}
.references dd {
  margin-left: 8em;
  overflow: auto;
}

.refInstance {
  margin-bottom: 1.25em;
}

.references .ascii {
  margin-bottom: 0.25em;
}

/* index */
.index ul {
  margin: 0 0 0 1em;
  padding: 0;
  list-style: none;
}
.index ul ul {
  margin: 0;
}
.index li {
  margin: 0;
  text-indent: -2em;
  padding-left: 2em;
  padding-bottom: 5px;
}
.indexIndex {
  margin: 0.5em 0 1em;
}
.index a {
  font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
  .index ul {
    -moz-column-count: 2;
    -moz-column-gap: 20px;
  }
  .index ul ul {
    -moz-column-count: 1;
    -moz-column-gap: 0;
  }
}

/* authors */
address.vcard {
  font-style: normal;
  margin: 1em 0;
}

address.vcard .nameRole {
  font-weight: 700;
  margin-left: 0;
}
address.vcard .label {
  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
  margin: 0.5em 0;
}
address.vcard .type {
  display: none;
}
.alternative-contact {
  margin: 1.5em 0 1em;
}
hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}

/* temporary notes */
.rfcEditorRemove::before {
  position: absolute;
  top: 0.2em;
  right: 0.2em;
  padding: 0.2em;
  content: "The RFC Editor will remove this note";
  color: #9e2a00; /* Arlen: WCAG 2019 */
  background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
  position: relative;
  padding-top: 1.8em;
  background-color: #ffd; /* Arlen: WCAG 2019 */
  border-radius: 3px;
}
.cref {
  background-color: #ffd; /* Arlen: WCAG 2019 */
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
  body {
    padding-top: 2em;
  }
  #title {
    padding: 1em 0;
  }
  h1 {
    font-size: 24px;
  }
  h2 {
    font-size: 20px;
    margin-top: -18px;  /* provide offset for in-page anchors */
    padding-top: 38px;
  }
  #identifiers dd {
    max-width: 60%;
  }
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 0;
    margin: 0;
    background-color: inherit;
    border-bottom: 1px solid #ccc;
  }
  #toc h2 {
    margin: -1px 0 0 0;
    padding: 4px 0 4px 6px;
    padding-right: 1em;
    min-width: 190px;
    font-size: 1.1em;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
  }
  #toc h2::before { /* css hamburger */
    float: right;
    position: relative;
    width: 1em;
    height: 1px;
    left: -164px;
    margin: 6px 0 0 0;
    background: white none repeat scroll 0 0;
    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
    content: "";
  }
  #toc nav {
    display: none;
    padding: 0.5em 1em 1em;
    overflow: auto;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
}

/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
  body {
    max-width: 724px;
    margin: 42px auto;
    padding-left: 1.5em;
    padding-right: 29em;
  }
  #toc {
    position: fixed;
    top: 42px;
    right: 42px;
    width: 25%;
    margin: 0;
    padding: 0 1em;
    z-index: 1;
  }
  #toc h2 {
    border-top: none;
    border-bottom: 1px solid #ddd;
    font-size: 1em;
    font-weight: normal;
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 0;
    overflow: auto;
  }
  img { /* future proofing */
    max-width: 100%;
    height: auto;
  }
}

/* pagination */
@media print {
  body {

    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc, #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure, pre {
    page-break-inside: avoid;
  }
  figure {
    overflow: scroll;
  }
  h1, h2, h3, h4, h5, h6 {
    page-break-after: avoid;
  }
  h2+*, h3+*, h4+*, h5+*, h6+* {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

/* This is commented out here, as the string-set: doesn't
   pass W3C validation currently */
/*
.ears thead .left {
  string-set: ears-top-left content();
}

.ears thead .center {
  string-set: ears-top-center content();
}

.ears thead .right {
  string-set: ears-top-right content();
}

.ears tfoot .left {
  string-set: ears-bottom-left content();
}

.ears tfoot .center {
  string-set: ears-bottom-center content();
}

.ears tfoot .right {
  string-set: ears-bottom-right content();
}
*/

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
  /* The follwing is commented out here, but set appropriately by in code, as
     the content depends on the document */
  /*
  @top-left {
    content: 'Internet-Draft';
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-left {
    content: string(ears-top-left);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-center {
    content: string(ears-top-center);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-right {
    content: string(ears-top-right);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @bottom-left {
    content: string(ears-bottom-left);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-center {
    content: string(ears-bottom-center);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-right {
      content: '[Page ' counter(page) ']';
      vertical-align: top;
      border-top: solid 1px #ccc;
  }
  */

}

/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
  z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
  clear: both;
}


/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
  vertical-align: top;
}

/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
  width: 8em;
}

/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
  margin-left: 1em;
}

/* Give floating toc a background color (needed when it's a div inside section */
#toc {
  background-color: white;
}

/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
  #toc h2 a,
  #toc h2 a:link,
  #toc h2 a:focus,
  #toc h2 a:hover,
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
}

/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
  #toc {
    padding: 0 0 1em 1em;
  }
}

/* Style section numbers with more space between number and title */
.section-number {
  padding-right: 0.5em;
}

/* prevent monospace from becoming overly large */
tt, code, pre, code {
  font-size: 95%;
}

/* Fix the height/width aspect for ascii art*/
pre.sourcecode,
.art-text pre {
  line-height: 1.12;
}


/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
  float: right;
  margin-right: 0.5em;
}

/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
  float: left;
  margin-right: 1em;
}
dl.dlNewline > dt {
  float: none;
}

/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
  text-align: left;
}
table td.text-center,
table th.text-center {
  text-align: center;
}
table td.text-right,
table th.text-right {
  text-align: right;
}

/* Make the alternative author contact informatio look less like just another
   author, and group it closer with the primary author contact information */
.alternative-contact {
  margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
  margin: 0 0 0 2em;
}

/* With it being possible to set tables with alignment
  left, center, and right, { width: 100%; } does not make sense */
table {
  width: auto;
}

/* Avoid reference text that sits in a block with very wide left margin,
   because of a long floating dt label.*/
.references dd {
  overflow: visible;
}

/* Control caption placement */
caption {
  caption-side: bottom;
}

/* Limit the width of the author address vcard, so names in right-to-left
   script don't end up on the other side of the page. */

address.vcard {
  max-width: 30em;
  margin-right: auto;
}

/* For address alignment dependent on LTR or RTL scripts */
address div.left {
  text-align: left;
}
address div.right {
  text-align: right;
}

/* Provide table alignment support.  We can't use the alignX classes above
   since they do unwanted things with caption and other styling. */
table.right {
 margin-left: auto;
 margin-right: 0;
}
table.center {
 margin-left: auto;
 margin-right: auto;
}
table.left {
 margin-left: 0;
 margin-right: auto;
}

/* Give the table caption label the same styling as the figcaption */
caption a[href] {
  color: #222;
}

@media print {
  .toplink {
    display: none;
  }

  /* avoid overwriting the top border line with the ToC header */
  #toc {
    padding-top: 1px;
  }

  /* Avoid page breaks inside dl and author address entries */
  .vcard {
    page-break-inside: avoid;
  }

}
/* Avoid wrapping of URLs in references */
@media screen {
  .references a {
    white-space: nowrap;
  }
}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
  font-variant: small-caps;
  font-weight: bold;
  font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
 h2 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 31px;
 }
 h3 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
 h4 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
/* Float artwork pilcrow to the right */
@media screen {
  .artwork a.pilcrow {
    display: block;
    line-height: 0.7;
    margin-top: 0.15em;
  }
}
/* Make pilcrows on dd visible */
@media screen {
  dd:hover > a.pilcrow {
    visibility: visible;
  }
}
/* Make the placement of figcaption match that of a table's caption
   by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
   margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
  margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
   possibly even requiring a new line */
@media print {
  a.pilcrow {
    display: none;
  }
}
/* Styling for the external metadata */
div#external-metadata {
  background-color: #eee;
  padding: 0.5em;
  margin-bottom: 0.5em;
  display: none;
}
div#internal-metadata {
  padding: 0.5em;                       /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
  clear: both;
  margin: 0 0 -1em;
  padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
  margin-bottom: 0.25em;
  min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
  border-left: 1px solid #ddd;
  margin: 1em 0 1em 2em;
  padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
  margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
  figcaption, table caption {
    page-break-before: avoid;
  }
}
/* Font size adjustments for print */
@media print {
  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
  h4    { font-size: 1em;       padding-top: 1.5em; }
  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
  .artwork,
  .sourcecode {
    margin-bottom: 1em;
  }
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
  min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: lower-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background sligthtly */
table {
  border: 1px solid #ddd;
}
td {
  border-top: 1px solid #ddd;
}
tr:nth-child(2n+1) > td {
  background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
  #toc nav { display: none; }
  #toc.active nav { display: block; }
}
</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<link href="https://dx.doi.org/10.17487/rfc8767" rel="alternate">
  <link href="urn:issn:2070-1721" rel="alternate">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale-10" rel="prev">
  </head>
<body>
<script src="https://www.rfc-editor.org/js/metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left">RFC 8767</td>
<td class="center">DNS Serve-Stale</td>
<td class="right">March 2020</td>
</tr></thead>
<tfoot><tr>
<td class="left">Lawrence, et al.</td>
<td class="center">Standards Track</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-stream">Stream:</dt>
<dd class="stream">Internet Engineering Task Force (IETF)</dd>
<dt class="label-rfc">RFC:</dt>
<dd class="rfc"><a href="https://www.rfc-editor.org/rfc/rfc8767" class="eref">8767</a></dd>
<dt class="label-updates">Updates:</dt>
<dd class="updates">
<a href="https://www.rfc-editor.org/rfc/rfc1034" class="eref">1034</a>, <a href="https://www.rfc-editor.org/rfc/rfc1035" class="eref">1035</a>, <a href="https://www.rfc-editor.org/rfc/rfc2181" class="eref">2181</a> </dd>
<dt class="label-category">Category:</dt>
<dd class="category">Standards Track</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2020-03" class="published">March 2020</time>
    </dd>
<dt class="label-issn">ISSN:</dt>
<dd class="issn">2070-1721</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">D. Lawrence</div>
<div class="org">Oracle</div>
</div>
<div class="author">
      <div class="author-name">W. Kumari</div>
<div class="org">Google</div>
</div>
<div class="author">
      <div class="author-name">P. Sood</div>
<div class="org">Google</div>
</div>
</dd>
</dl>
</div>
<h1 id="rfcnum">RFC 8767</h1>
<h1 id="title">Serving Stale Data to Improve DNS Resiliency</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">This document defines a method (serve-stale) for recursive resolvers to
use stale DNS data to avoid outages when authoritative nameservers
cannot be reached to refresh expired data. One of the motivations
for serve-stale is to make the DNS more resilient to DoS attacks
and thereby make them less attractive as an attack vector.
This document updates the definitions of TTL from RFCs 1034
and 1035 so that data can be kept in the cache beyond
the TTL expiry; it also updates RFC 2181 by interpreting
values with the high-order bit set as being positive, rather
than 0, and suggests a cap of 7 days.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
        <h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
        </h2>
<p id="section-boilerplate.1-1">
            This is an Internet Standards Track document.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further
            information on Internet Standards is available in Section 2 of 
            RFC 7841.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <span><a href="https://www.rfc-editor.org/info/rfc8767">https://www.rfc-editor.org/info/rfc8767</a></span>.<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
        <h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
<p id="section-boilerplate.2-1">
            Copyright (c) 2020 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Simplified BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Simplified BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a><a href="#section-toc.1-1.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-terminology" class="xref">Terminology</a><a href="#section-toc.1-1.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-background" class="xref">Background</a><a href="#section-toc.1-1.3.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-standards-action" class="xref">Standards Action</a><a href="#section-toc.1-1.4.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-example-method" class="xref">Example Method</a><a href="#section-toc.1-1.5.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-implementation-consideratio" class="xref">Implementation Considerations</a><a href="#section-toc.1-1.6.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-implementation-caveats" class="xref">Implementation Caveats</a><a href="#section-toc.1-1.7.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-implementation-status" class="xref">Implementation Status</a><a href="#section-toc.1-1.8.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.9">
            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-edns-option" class="xref">EDNS Option</a><a href="#section-toc.1-1.9.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.10">
            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-security-considerations" class="xref">Security Considerations</a><a href="#section-toc.1-1.10.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.11">
            <p id="section-toc.1-1.11.1"><a href="#section-11" class="xref">11</a>. <a href="#name-privacy-considerations" class="xref">Privacy Considerations</a><a href="#section-toc.1-1.11.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.12">
            <p id="section-toc.1-1.12.1"><a href="#section-12" class="xref">12</a>. <a href="#name-nat-considerations" class="xref">NAT Considerations</a><a href="#section-toc.1-1.12.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.13">
            <p id="section-toc.1-1.13.1"><a href="#section-13" class="xref">13</a>. <a href="#name-iana-considerations" class="xref">IANA Considerations</a><a href="#section-toc.1-1.13.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.14">
            <p id="section-toc.1-1.14.1"><a href="#section-14" class="xref">14</a>. <a href="#name-references" class="xref">References</a><a href="#section-toc.1-1.14.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.14.2.1">
                <p id="section-toc.1-1.14.2.1.1"><a href="#section-14.1" class="xref">14.1</a>.  <a href="#name-normative-references" class="xref">Normative References</a><a href="#section-toc.1-1.14.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.14.2.2">
                <p id="section-toc.1-1.14.2.2.1"><a href="#section-14.2" class="xref">14.2</a>.  <a href="#name-informative-references" class="xref">Informative References</a><a href="#section-toc.1-1.14.2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.15">
            <p id="section-toc.1-1.15.1"><a href="#section-appendix.a" class="xref"></a><a href="#name-acknowledgements" class="xref">Acknowledgements</a><a href="#section-toc.1-1.15.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.16">
            <p id="section-toc.1-1.16.1"><a href="#section-appendix.b" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a><a href="#section-toc.1-1.16.1" class="pilcrow">¶</a></p>
</li>
</ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
      <h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<p id="section-1-1">Traditionally, the Time To Live (TTL) of a DNS Resource Record (RR) has been
understood to represent the maximum number of seconds that a record
can be used before it must be discarded, based on its description and
usage in <span>[<a href="#RFC1035" class="xref">RFC1035</a>]</span> and clarifications in <span>[<a href="#RFC2181" class="xref">RFC2181</a>]</span>.<a href="#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">This document expands the definition of the TTL
to explicitly allow for expired data to be used in the exceptional
circumstance that a recursive resolver is unable to refresh the
information.  It is predicated on the observation that authoritative
answer unavailability can cause outages even when the underlying data
those servers would return is typically unchanged.<a href="#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">We describe a method below for this use of stale data, balancing the
competing needs of resiliency and freshness.<a href="#section-1-3" class="pilcrow">¶</a></p>
<p id="section-1-4">This document updates the definitions of TTL from <span>[<a href="#RFC1034" class="xref">RFC1034</a>]</span>
and <span>[<a href="#RFC1035" class="xref">RFC1035</a>]</span> so that data can be kept in the cache beyond 
the TTL expiry; it also updates <span>[<a href="#RFC2181" class="xref">RFC2181</a>]</span> by interpreting
values with the high-order bit set as being positive, rather
than 0, and also suggests a cap of 7 days.<a href="#section-1-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="terminology">
<section id="section-2">
      <h2 id="name-terminology">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
      </h2>
<p id="section-2-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>",
       "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>",
       "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>",
       "<span class="bcp14">SHOULD NOT</span>",
       "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">NOT RECOMMENDED</span>",
       "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document
       are to be interpreted as described in BCP 14
       <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span> when, and only
       when, they appear in all capitals, as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p>
<p id="section-2-2">For a glossary of DNS terms, please see <span>[<a href="#RFC8499" class="xref">RFC8499</a>]</span>.<a href="#section-2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="background">
<section id="section-3">
      <h2 id="name-background">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-background" class="section-name selfRef">Background</a>
      </h2>
<p id="section-3-1">There are a number of reasons why an authoritative server may become
unreachable, including Denial-of-Service (DoS) attacks, network
issues, and so on.  If a recursive server is unable to contact the
authoritative servers for a query but still has relevant data that has
aged past its TTL, that information can still be useful for generating
an answer under the metaphorical assumption that "stale bread is
better than no bread."<a href="#section-3-1" class="pilcrow">¶</a></p>
<p id="section-3-2"><span>[<a href="#RFC1035" class="xref">RFC1035</a>], <a href="https://www.rfc-editor.org/rfc/rfc1035#section-3.2.1" class="relref">Section 3.2.1</a></span>
 says that the TTL "specifies the time
interval that the resource record may be cached before the source of
the information should again be consulted." <span>[<a href="#RFC1035" class="xref">RFC1035</a>], <a href="https://www.rfc-editor.org/rfc/rfc1035#section-4.1.3" class="relref">Section 4.1.3</a></span> further
says that the TTL "specifies the time interval (in seconds) that the
resource record may be cached before it should be discarded."<a href="#section-3-2" class="pilcrow">¶</a></p>
<p id="section-3-3">A natural English interpretation of these remarks would seem to be
clear enough that records past their TTL expiration must not be used.
However, <span>[<a href="#RFC1035" class="xref">RFC1035</a>]</span> predates the more rigorous terminology of
<span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>, which softened the interpretation of "may" and "should".<a href="#section-3-3" class="pilcrow">¶</a></p>
<p id="section-3-4"><span>[<a href="#RFC2181" class="xref">RFC2181</a>]</span> aimed to provide "the
      precise definition of the Time to
Live," but <span><a href="https://www.rfc-editor.org/rfc/rfc2181#section-8" class="relref">Section 8</a> of [<a href="#RFC2181" class="xref">RFC2181</a>]</span>
was mostly concerned with the numeric range of
values rather than data expiration behavior.  It does, however, close
that section by noting, "The TTL specifies a maximum time to live, not
a mandatory time to live."  This wording again does not contain BCP 14
key words <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>, but it does convey the natural language
connotation that data becomes unusable past TTL expiry.<a href="#section-3-4" class="pilcrow">¶</a></p>
<p id="section-3-5">As of the time of this writing, several large-scale operators use stale
data for answers in some way.
 A number of recursive resolver packages,
including BIND, Knot Resolver, OpenDNS, and Unbound, provide options to use stale data.
Apple macOS can also use stale data as part of the Happy Eyeballs algorithms in
mDNSResponder.  The collective operational experience is that using stale data
can provide significant benefit with minimal downside.<a href="#section-3-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="standards-action">
<section id="section-4">
      <h2 id="name-standards-action">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-standards-action" class="section-name selfRef">Standards Action</a>
      </h2>
<p id="section-4-1">The definition of TTL in Sections <a href="https://www.rfc-editor.org/rfc/rfc1035#section-3.2.1" class="relref">3.2.1</a> and <a href="https://www.rfc-editor.org/rfc/rfc1035#section-4.1.3" class="relref">4.1.3</a> of <span>[<a href="#RFC1035" class="xref">RFC1035</a>]</span> is
amended to read:<a href="#section-4-1" class="pilcrow">¶</a></p>
<dl class="dlParallel" id="section-4-2">
        <dt id="section-4-2.1">TTL</dt>
<dd style="margin-left: 2.5em" id="section-4-2.2">
  a 32-bit unsigned integer number of seconds that specifies the
duration that the resource record <span class="bcp14">MAY</span> be cached before the source of
the information <span class="bcp14">MUST</span> again be consulted.  Zero values are interpreted
to mean that the RR can only be used for the transaction in progress,
and should not be cached.  Values <span class="bcp14">SHOULD</span> be capped on the order of
days to weeks, with a recommended cap of 604,800 seconds (7 days). If the
data is unable to be authoritatively refreshed when the TTL expires,
the record <span class="bcp14">MAY</span> be used as though it is unexpired. See Sections <a href="#example-method" class="xref">5</a>
and <a href="#implementation-considerations" class="xref">6</a> of
[RFC8767] for details.<a href="#section-4-2.2" class="pilcrow">¶</a>
</dd>
</dl>
<p id="section-4-3">Interpreting values that have the high-order bit set as being
positive, rather than 0, is a change from <span>[<a href="#RFC2181" class="xref">RFC2181</a>]</span>, the rationale
for which is explained in <a href="#implementation-considerations" class="xref">Section 6</a>.
Suggesting a cap of 7 days, rather than the 68 years allowed by the full
31 bits of 
<span><a href="https://www.rfc-editor.org/rfc/rfc2181#section-8" class="relref">Section 8</a> of [<a href="#RFC2181" class="xref">RFC2181</a>]</span>, reflects the current practice of major modern DNS
resolvers.<a href="#section-4-3" class="pilcrow">¶</a></p>
<p id="section-4-4">When returning a response containing stale records, a recursive
resolver <span class="bcp14">MUST</span> set the TTL of each expired record in the message to a
value greater than 0, with a <span class="bcp14">RECOMMENDED</span> value of 30 seconds. See
<a href="#implementation-considerations" class="xref">Section 6</a> for explanation.<a href="#section-4-4" class="pilcrow">¶</a></p>
<p id="section-4-5">Answers from authoritative servers that have a DNS response code of
either 0 (NoError) or 3 (NXDomain) and the Authoritative Answer (AA)
bit set <span class="bcp14">MUST</span> be considered to have refreshed the data at the resolver.
Answers from authoritative servers that have any other response code
<span class="bcp14">SHOULD</span> be considered a failure to refresh the data and therefore leave
any previous state intact. See <a href="#implementation-considerations" class="xref">Section 6</a> for
a discussion.<a href="#section-4-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="example-method">
<section id="section-5">
      <h2 id="name-example-method">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-example-method" class="section-name selfRef">Example Method</a>
      </h2>
<p id="section-5-1">There is more than one way a recursive resolver could
responsibly implement this resiliency feature while still respecting
the intent of the TTL as a signal for when data is to be refreshed.<a href="#section-5-1" class="pilcrow">¶</a></p>
<p id="section-5-2">In this example method, four notable timers drive considerations for
the use of stale data:<a href="#section-5-2" class="pilcrow">¶</a></p>
<ul>
<li id="section-5-3.1">A client response timer, which is the maximum amount of time a
recursive resolver should allow between the receipt of a resolution
request and sending its response.<a href="#section-5-3.1" class="pilcrow">¶</a>
</li>
<li id="section-5-3.2">A query resolution timer, which caps the total amount of time a
recursive resolver spends processing the query.<a href="#section-5-3.2" class="pilcrow">¶</a>
</li>
<li id="section-5-3.3">A failure recheck timer, which limits the frequency at which a
failed lookup will be attempted again.<a href="#section-5-3.3" class="pilcrow">¶</a>
</li>
<li id="section-5-3.4">A maximum stale timer, which caps the amount of time
that records will be kept past their expiration.<a href="#section-5-3.4" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-5-4">Most recursive resolvers already have the query resolution timer and,
effectively, some kind of failure recheck timer.  The client
response timer and maximum stale timer are new concepts for this
mechanism.<a href="#section-5-4" class="pilcrow">¶</a></p>
<p id="section-5-5">When a recursive resolver receives a request, it should start
the client response timer.  This timer is used to avoid client
timeouts.  It should be configurable, with a recommended value of 1.8
seconds as being just under a common timeout value of 2 seconds while
still giving the resolver a fair shot at resolving the name.<a href="#section-5-5" class="pilcrow">¶</a></p>
<p id="section-5-6">The resolver then checks its cache for any unexpired records that
satisfy the request and returns them if available.  If it
finds no relevant unexpired data and the Recursion Desired flag is not
set in the request, it should immediately return the response without
consulting the cache for expired records.  Typically, this response
would be a referral to authoritative nameservers covering the zone,
but the specifics are implementation dependent.<a href="#section-5-6" class="pilcrow">¶</a></p>
<p id="section-5-7">If iterative lookups will be done, then the failure recheck timer is
consulted.  Attempts to refresh from non-responsive or otherwise
failing authoritative nameservers are recommended to be done no more
frequently than every 30 seconds.  If this request was received within
this period, the cache may be immediately consulted for stale data to
satisfy the request.<a href="#section-5-7" class="pilcrow">¶</a></p>
<p id="section-5-8">Outside the period of the failure recheck timer, the resolver
should start the query resolution timer and begin the iterative
resolution process.  This timer bounds the work done by the resolver
when contacting external authorities and is commonly around 10 to 30
seconds.  If this timer expires on an attempted lookup that is still
being processed, the resolution effort is abandoned.<a href="#section-5-8" class="pilcrow">¶</a></p>
<p id="section-5-9">If the answer has not been completely determined by the time the
client response timer has elapsed, the resolver should then check its
cache to see whether there is expired data that would satisfy the
request.  If so, it adds that data to the response message with a TTL
greater than 0 (as specified in <a href="#standards-action" class="xref">Section 4</a>).  The response is then sent to
the client while the resolver continues its attempt to refresh the
data.<a href="#section-5-9" class="pilcrow">¶</a></p>
<p id="section-5-10">When no authorities are able to be reached during a resolution
attempt, the resolver should attempt to refresh the delegation and
restart the iterative lookup process with the remaining time on the
query resolution timer. This resumption should be done only once
per resolution effort.<a href="#section-5-10" class="pilcrow">¶</a></p>
<p id="section-5-11">Outside the resolution process, the maximum stale timer is used for
cache management and is independent of the query resolution
process. This timer is conceptually different from the maximum cache
TTL that exists in many resolvers, the latter being a clamp on the
value of TTLs as received from authoritative servers and recommended
to be 7 days in the TTL definition in <a href="#standards-action" class="xref">Section 4</a>.
The maximum stale timer
should be configurable. It defines the length of time after a record
expires that it should be retained in the cache.  The suggested value
is between 1 and 3 days.<a href="#section-5-11" class="pilcrow">¶</a></p>
</section>
</div>
<div id="implementation-considerations">
<section id="section-6">
      <h2 id="name-implementation-consideratio">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-implementation-consideratio" class="section-name selfRef">Implementation Considerations</a>
      </h2>
<p id="section-6-1">This document mainly describes the issues behind serving stale data
and intentionally does not provide a formal algorithm. The concept is
not overly complex, and the details are best left to resolver authors
to implement in their codebases. The processing of serve-stale is a
local operation, and consistent variables between deployments are not
needed for interoperability.  However, we would like to highlight the
impact of various implementation choices, starting with the timers
involved.<a href="#section-6-1" class="pilcrow">¶</a></p>
<p id="section-6-2">The most obvious of these is the maximum stale timer. If this variable
is too large, it could cause excessive cache memory usage, but if it is
too small, the serve-stale technique becomes less effective, as the
record may not be in the cache to be used if needed.  Shorter values,
even less than a day, can effectively handle the vast majority of
outages.  Longer values, as much as a week, give time for monitoring
systems to notice a resolution problem and for human intervention to
fix it; operational experience has been that sometimes the right
people can be hard to track down and unfortunately slow to remedy the
situation.<a href="#section-6-2" class="pilcrow">¶</a></p>
<p id="section-6-3">Increased memory consumption could be mitigated by prioritizing
  removal of stale records over non-expired records during cache
  exhaustion.  Eviction strategies could consider additional factors,
  including the last time of use or the popularity of a record, to
  retain active but stale records.  A feature to manually flush
  only stale records could also be useful.<a href="#section-6-3" class="pilcrow">¶</a></p>
<p id="section-6-4">The client response timer is another variable that deserves
consideration. If this value is too short, there exists the risk that
stale answers may be used even when the authoritative server is
actually reachable but slow; this may result in undesirable answers
being returned. Conversely, waiting too long will negatively impact
user experience.<a href="#section-6-4" class="pilcrow">¶</a></p>
<p id="section-6-5">The balance for the failure recheck timer is responsiveness in
detecting the renewed availability of authorities versus the extra
resource use for resolution. If this variable is set too large, stale
answers may continue to be returned even after the authoritative
server is reachable; per <span>[<a href="#RFC2308" class="xref">RFC2308</a>], <a href="https://www.rfc-editor.org/rfc/rfc2308#section-7" class="relref">Section 7</a></span>, this should be no
more than 5 minutes.  If this variable is too small, authoritative
servers may be targeted with a significant amount of excess traffic.<a href="#section-6-5" class="pilcrow">¶</a></p>
<p id="section-6-6">Regarding the TTL to set on stale records in the response,
historically TTLs of 0 seconds have been problematic for some
implementations, and negative values can't effectively be communicated
to existing software.  Other very short TTLs could lead to congestive
collapse as TTL-respecting clients rapidly try to refresh.  The
recommended value of 30 seconds not only sidesteps those potential problems
with no practical negative consequences, it also rate-limits
further queries from any client that honors the TTL, such as a
forwarding resolver.<a href="#section-6-6" class="pilcrow">¶</a></p>
<p id="section-6-7">As for the change to treat a TTL with the high-order bit set as
positive and then clamping it, as opposed to <span>[<a href="#RFC2181" class="xref">RFC2181</a>]</span> treating it
as zero, the rationale here is basically one of engineering simplicity
versus an inconsequential operational history.  Negative TTLs had no
rational intentional meaning that wouldn't have been satisfied by just
sending 0 instead, and similarly there was realistically no practical
purpose for sending TTLs of 2^25 seconds (1 year) or more.  There's
also no record of TTLs in the wild having the most significant bit set
in the DNS Operations, Analysis, and Research Center's (DNS-OARC's) "Day in the Life" samples <span>[<a href="#DITL" class="xref">DITL</a>]</span>.  With no apparent
reason for
operators to use them intentionally, that leaves either errors or
non-standard experiments as explanations as to why such TTLs might be
encountered, with neither providing an obviously compelling reason as
to why having the leading bit set should be treated differently from
having any of the next eleven bits set and then capped per
<a href="#standards-action" class="xref">Section 4</a>.<a href="#section-6-7" class="pilcrow">¶</a></p>
<p id="section-6-8">Another implementation consideration is the use of
stale nameserver addresses for lookups.  This is mentioned explicitly
because, in some resolvers, getting the addresses for nameservers is
a separate path from a normal cache lookup. If authoritative server
addresses are not able to be refreshed, resolution can possibly still
be successful if the authoritative servers themselves are up.  For
instance, consider an attack on a top-level domain that takes its
nameservers offline; serve-stale resolvers that had expired glue
addresses for subdomains within that top-level domain would still be able to
resolve names within those subdomains, even those it had not
previously looked up.<a href="#section-6-8" class="pilcrow">¶</a></p>
<p id="section-6-9">The directive in <a href="#standards-action" class="xref">Section 4</a> that only NoError and NXDomain
responses should invalidate any previously associated answer stems
from the fact that no other RCODEs that a resolver normally
encounters make any assertions regarding the name in the question or
any data associated with it.  This comports with existing resolver
behavior where a failed lookup (say, during prefetching) doesn't
impact the existing cache state.  Some authoritative server operators
have said that they would prefer stale answers to be used in the event
that their servers are responding with errors like ServFail instead of
giving true authoritative answers.  Implementers <span class="bcp14">MAY</span> decide to return
stale answers in this situation.<a href="#section-6-9" class="pilcrow">¶</a></p>
<p id="section-6-10">Since the goal of serve-stale is to provide resiliency for all obvious
errors to refresh data, these other RCODEs are treated as though they
are equivalent to not getting an authoritative response.  Although
NXDomain for a previously existing name might well be an error, it is
not handled that way because there is no effective way to distinguish
operator intent for legitimate cases versus error cases.<a href="#section-6-10" class="pilcrow">¶</a></p>
<p id="section-6-11">During discussion in the IETF, it was suggested that,
if all authorities return responses with an RCODE of Refused,
it may be an explicit signal to take down the zone from
servers that still have the zone's delegation pointed to them.
Refused, however, is also
overloaded to mean multiple possible failures that could represent
transient configuration failures.  Operational experience has shown
that purposely returning Refused is a poor way to achieve an
explicit takedown of a zone compared to either updating the delegation
or returning NXDomain with a suitable SOA for extended negative
caching.  Implementers <span class="bcp14">MAY</span> nonetheless consider whether to
treat all authorities returning Refused as preempting the use of stale
data.<a href="#section-6-11" class="pilcrow">¶</a></p>
</section>
</div>
<div id="implementation-caveats">
<section id="section-7">
      <h2 id="name-implementation-caveats">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-implementation-caveats" class="section-name selfRef">Implementation Caveats</a>
      </h2>
<p id="section-7-1">Stale data is used only when refreshing has failed in order to adhere
to the original intent of the design of the DNS and the behavior
expected by operators.  If stale data were to always be used
immediately and then a cache refresh attempted after the client
response has been sent, the resolver would frequently be sending data
that it would have had no trouble refreshing.  Because modern resolvers use
techniques like prefetching and request coalescing for efficiency, it
is not necessary that every client request needs to trigger a new
lookup flow in the presence of stale data, but rather that a
good-faith effort has been recently made to refresh the stale data
before it is delivered to any client.<a href="#section-7-1" class="pilcrow">¶</a></p>
<p id="section-7-2">It is important to continue the resolution attempt after the stale
response has been sent, until the query resolution timeout, because
some pathological resolutions can take many seconds to succeed as they
cope with unavailable servers, bad networks, and other problems.
Stopping the resolution attempt when the response with expired data
has been sent would mean that answers in these pathological cases
would never be refreshed.<a href="#section-7-2" class="pilcrow">¶</a></p>
<p id="section-7-3">The continuing prohibition against using data with a 0-second TTL
beyond the current transaction explicitly extends to it being unusable
even for stale fallback, as it is not to be cached at all.<a href="#section-7-3" class="pilcrow">¶</a></p>
<p id="section-7-4">Be aware that Canonical Name (CNAME) and DNAME records <span>[<a href="#RFC6672" class="xref">RFC6672</a>]</span> mingled in the expired
cache with other records at the same owner name can cause surprising
results.  This was observed with an initial implementation in BIND
when a hostname changed from having an IPv4 Address (A) record to a
CNAME.  The version of BIND being used did not evict other types in
the cache when a CNAME was received, which in normal operations is not
a significant issue.  However, after both records expired and the
authorities became unavailable, the fallback to stale answers returned
the older A instead of the newer CNAME.<a href="#section-7-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="implementation-status">
<section id="section-8">
      <h2 id="name-implementation-status">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-implementation-status" class="section-name selfRef">Implementation Status</a>
      </h2>
<p id="section-8-1">The algorithm described in <a href="#example-method" class="xref">Section 5</a> was
originally implemented as a patch to BIND 9.7.0.  It has been in use
on Akamai's production network since 2011; it effectively
smoothed over transient failures and longer outages that would have
resulted in major incidents.  The patch was contributed to the Internet
Systems Consortium, and the functionality is now available in BIND 9.12
and later via the options stale-answer-enable, stale-answer-ttl, and
max-stale-ttl.<a href="#section-8-1" class="pilcrow">¶</a></p>
<p id="section-8-2">Unbound has a similar feature for serving stale answers and will
respond with stale data immediately if it has recently tried and
failed to refresh the answer by prefetching.  Starting from
version 1.10.0, Unbound can also be configured to follow the
algorithm described in <a href="#example-method" class="xref">Section 5</a>.  Both behaviors can be
configured and fine-tuned with the available serve-expired-*
options.<a href="#section-8-2" class="pilcrow">¶</a></p>
<p id="section-8-3">Knot Resolver has a demo module here:
<span>&lt;<a href="https://knot-resolver.readthedocs.io/en/stable/modules-serve_stale.html">https://knot-resolver.readthedocs.io/en/stable/modules-serve_stale.html</a>&gt;</span>.<a href="#section-8-3" class="pilcrow">¶</a></p>
<p id="section-8-4">Apple's system resolvers are also known to use stale answers, but the
details are not readily available.<a href="#section-8-4" class="pilcrow">¶</a></p>
<p id="section-8-5">In the research paper "When the Dike Breaks: Dissecting DNS Defenses
During DDoS" <span>[<a href="#DikeBreaks" class="xref">DikeBreaks</a>]</span>, the authors detected some use of
stale answers by resolvers when authorities came under attack.  Their
research results suggest that more widespread adoption of the technique
would significantly improve resiliency for the large number of requests
that fail or experience abnormally long resolution times during an attack.<a href="#section-8-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="edns-option">
<section id="section-9">
      <h2 id="name-edns-option">
<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-edns-option" class="section-name selfRef">EDNS Option</a>
      </h2>
<p id="section-9-1">During the discussion of serve-stale in the IETF,
it was suggested that an EDNS option <span>[<a href="#RFC6891" class="xref">RFC6891</a>]</span> should be
available.  One proposal was to use it to opt in to getting data that is
possibly stale, and another was to signal when stale data has been used for a response.<a href="#section-9-1" class="pilcrow">¶</a></p>
<p id="section-9-2">The opt-in use case was rejected, as the technique was meant to be
immediately useful in improving DNS resiliency for all clients.<a href="#section-9-2" class="pilcrow">¶</a></p>
<p id="section-9-3">The reporting case was ultimately also rejected because
even the simpler version of a proposed
option was still too much bother to implement for too little perceived
value.<a href="#section-9-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="security-considerations">
<section id="section-10">
      <h2 id="name-security-considerations">
<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
      </h2>
<p id="section-10-1">The most obvious security issue is the increased likelihood of DNSSEC
validation failures when using stale data because signatures could be
returned outside their validity period. Stale negative records can increase
the time window where newly published TLSA or DS RRs may not be used due
to cached NSEC or NSEC3 records. These scenarios would only be an issue if
the authoritative servers are unreachable (the only time the techniques in
this document are used), and thus serve-stale does not introduce a new
failure in place of what would have otherwise been success.<a href="#section-10-1" class="pilcrow">¶</a></p>
<p id="section-10-2">Additionally, bad actors have been known to use DNS caches to keep
records alive even after their authorities have gone away. The serve-stale
feature potentially makes the attack easier, although without introducing
a new risk. In addition, attackers could combine this with a DDoS attack on
authoritative servers with the explicit intent of having stale information
cached for a longer period of time. But if attackers have this capacity, they probably could
do much worse than prolonging the life of old data.<a href="#section-10-2" class="pilcrow">¶</a></p>
<p id="section-10-3">In <span>[<a href="#CloudStrife" class="xref">CloudStrife</a>]</span>, it was demonstrated how stale DNS data, namely
hostnames pointing to addresses that are no longer in use by the owner
of the name, can be used to co-opt security -- for example, to get
domain-validated certificates fraudulently issued to an attacker.
While this document does not create a new vulnerability in this area, it
does potentially enlarge the window in which such an attack could be
made.  A proposed mitigation is that certificate authorities should fully
look up each name starting at the DNS root for every name lookup.
Alternatively, certificate authorities should use a resolver that is not serving stale data.<a href="#section-10-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="privacy-considerations">
<section id="section-11">
      <h2 id="name-privacy-considerations">
<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-privacy-considerations" class="section-name selfRef">Privacy Considerations</a>
      </h2>
<p id="section-11-1">This document does not add any practical new privacy issues.<a href="#section-11-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="nat-considerations">
<section id="section-12">
      <h2 id="name-nat-considerations">
<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-nat-considerations" class="section-name selfRef">NAT Considerations</a>
      </h2>
<p id="section-12-1">The method described here is not affected by the use of NAT devices.<a href="#section-12-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="iana-considerations">
<section id="section-13">
      <h2 id="name-iana-considerations">
<a href="#section-13" class="section-number selfRef">13. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
      </h2>
<p id="section-13-1">This document has no IANA actions.<a href="#section-13-1" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-14">
      <h2 id="name-references">
<a href="#section-14" class="section-number selfRef">14. </a><a href="#name-references" class="section-name selfRef">References</a>
      </h2>
<section id="section-14.1">
        <h3 id="name-normative-references">
<a href="#section-14.1" class="section-number selfRef">14.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
        </h3>
<dl class="references">
<dt id="RFC1034">[RFC1034]</dt>
<dd>
<span class="refAuthor">Mockapetris, P.</span>, <span class="refTitle">"Domain names - concepts and facilities"</span>, <span class="seriesInfo">STD 13</span>, <span class="seriesInfo">RFC 1034</span>, <span class="seriesInfo">DOI 10.17487/RFC1034</span>, <time datetime="1987-11">November 1987</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc1034">https://www.rfc-editor.org/info/rfc1034</a>&gt;</span>. </dd>
<dt id="RFC1035">[RFC1035]</dt>
<dd>
<span class="refAuthor">Mockapetris, P.</span>, <span class="refTitle">"Domain names - implementation and specification"</span>, <span class="seriesInfo">STD 13</span>, <span class="seriesInfo">RFC 1035</span>, <span class="seriesInfo">DOI 10.17487/RFC1035</span>, <time datetime="1987-11">November 1987</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc1035">https://www.rfc-editor.org/info/rfc1035</a>&gt;</span>. </dd>
<dt id="RFC2119">[RFC2119]</dt>
<dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
<dt id="RFC2181">[RFC2181]</dt>
<dd>
<span class="refAuthor">Elz, R.</span><span class="refAuthor"> and R. Bush</span>, <span class="refTitle">"Clarifications to the DNS Specification"</span>, <span class="seriesInfo">RFC 2181</span>, <span class="seriesInfo">DOI 10.17487/RFC2181</span>, <time datetime="1997-07">July 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2181">https://www.rfc-editor.org/info/rfc2181</a>&gt;</span>. </dd>
<dt id="RFC2308">[RFC2308]</dt>
<dd>
<span class="refAuthor">Andrews, M.</span>, <span class="refTitle">"Negative Caching of DNS Queries (DNS NCACHE)"</span>, <span class="seriesInfo">RFC 2308</span>, <span class="seriesInfo">DOI 10.17487/RFC2308</span>, <time datetime="1998-03">March 1998</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2308">https://www.rfc-editor.org/info/rfc2308</a>&gt;</span>. </dd>
<dt id="RFC8174">[RFC8174]</dt>
<dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
</dl>
</section>
<section id="section-14.2">
        <h3 id="name-informative-references">
<a href="#section-14.2" class="section-number selfRef">14.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
        </h3>
<dl class="references">
<dt id="CloudStrife">[CloudStrife]</dt>
<dd>
<span class="refAuthor">Borgolte, K.</span><span class="refAuthor">, Fiebig, T.</span><span class="refAuthor">, Hao, S.</span><span class="refAuthor">, Kruegel, C.</span><span class="refAuthor">, and G. Vigna</span>, <span class="refTitle">"Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates"</span>, <span class="seriesInfo">DOI 10.1145/3232755.3232859</span>, <span class="seriesInfo">ACM 2018 Applied Networking Research Workshop</span>, <time datetime="2018-07">July 2018</time>, <span>&lt;<a href="https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_06A-4_Borgolte_paper.pdf">https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_06A-4_Borgolte_paper.pdf</a>&gt;</span>. </dd>
<dt id="DikeBreaks">[DikeBreaks]</dt>
<dd>
<span class="refAuthor">Moura, G.C.M.</span><span class="refAuthor">, Heidemann, J.</span><span class="refAuthor">, Müller, M.</span><span class="refAuthor">, Schmidt, R. de O.</span><span class="refAuthor">, and M. Davids</span>, <span class="refTitle">"When the Dike Breaks: Dissecting DNS Defenses During DDoS"</span>, <span class="seriesInfo">DOI 10.1145/3278532.3278534</span>, <span class="seriesInfo">ACM 2018 Internet Measurement Conference</span>, <time datetime="2018-10">October 2018</time>, <span>&lt;<a href="https://www.isi.edu/~johnh/PAPERS/Moura18b.pdf">https://www.isi.edu/~johnh/PAPERS/Moura18b.pdf</a>&gt;</span>. </dd>
<dt id="DITL">[DITL]</dt>
<dd>
<span class="refAuthor">DNS-OARC</span>, <span class="refTitle">"DITL Traces and Analysis"</span>, <time datetime="2018-01">January 2018</time>, <span>&lt;<a href="https://www.dns-oarc.net/oarc/data/ditl">https://www.dns-oarc.net/oarc/data/ditl</a>&gt;</span>. </dd>
<dt id="RFC6672">[RFC6672]</dt>
<dd>
<span class="refAuthor">Rose, S.</span><span class="refAuthor"> and W. Wijngaards</span>, <span class="refTitle">"DNAME Redirection in the DNS"</span>, <span class="seriesInfo">RFC 6672</span>, <span class="seriesInfo">DOI 10.17487/RFC6672</span>, <time datetime="2012-06">June 2012</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6672">https://www.rfc-editor.org/info/rfc6672</a>&gt;</span>. </dd>
<dt id="RFC6891">[RFC6891]</dt>
<dd>
<span class="refAuthor">Damas, J.</span><span class="refAuthor">, Graff, M.</span><span class="refAuthor">, and P. Vixie</span>, <span class="refTitle">"Extension Mechanisms for DNS (EDNS(0))"</span>, <span class="seriesInfo">STD 75</span>, <span class="seriesInfo">RFC 6891</span>, <span class="seriesInfo">DOI 10.17487/RFC6891</span>, <time datetime="2013-04">April 2013</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6891">https://www.rfc-editor.org/info/rfc6891</a>&gt;</span>. </dd>
<dt id="RFC8499">[RFC8499]</dt>
<dd>
<span class="refAuthor">Hoffman, P.</span><span class="refAuthor">, Sullivan, A.</span><span class="refAuthor">, and K. Fujiwara</span>, <span class="refTitle">"DNS Terminology"</span>, <span class="seriesInfo">BCP 219</span>, <span class="seriesInfo">RFC 8499</span>, <span class="seriesInfo">DOI 10.17487/RFC8499</span>, <time datetime="2019-01">January 2019</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8499">https://www.rfc-editor.org/info/rfc8499</a>&gt;</span>. </dd>
</dl>
</section>
</section>
<div id="acknowledgements">
<section id="section-appendix.a">
      <h2 id="name-acknowledgements">
<a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
      </h2>
<p id="section-appendix.a-1">The authors wish to thank <span class="contact-name">Brian Carpenter</span>,
      <span class="contact-name">Vladimir Cunat</span>, <span class="contact-name">Robert Edmonds</span>, <span class="contact-name">Tony Finch</span>,
<span class="contact-name">Bob Harold</span>, <span class="contact-name">Tatuya Jinmei</span>, <span class="contact-name">Matti Klock</span>, <span class="contact-name">Jason Moreau</span>, <span class="contact-name">Giovane Moura</span>,
<span class="contact-name">Jean Roy</span>, <span class="contact-name">Mukund Sivaraman</span>, <span class="contact-name">Davey Song</span>, <span class="contact-name">Paul Vixie</span>, <span class="contact-name">Ralf Weber</span>, and
<span class="contact-name">Paul Wouters</span> for their review and feedback.  <span class="contact-name">Paul Hoffman</span> deserves
special thanks for submitting a number of Pull Requests.<a href="#section-appendix.a-1" class="pilcrow">¶</a></p>
<p id="section-appendix.a-2">Thank you also to the following members of the IESG for their final
review:  <span class="contact-name">Roman Danyliw</span>, <span class="contact-name">Benjamin Kaduk</span>, <span class="contact-name">Suresh Krishnan</span>, <span class="contact-name">Mirja Kühlewind</span>, and <span class="contact-name">Adam Roach</span>.<a href="#section-appendix.a-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="section-appendix.b">
      <h2 id="name-authors-addresses">
<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">David C Lawrence</span></div>
<div dir="auto" class="left"><span class="org">Oracle</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:tale@dd.org" class="email">tale@dd.org</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Warren "Ace" Kumari</span></div>
<div dir="auto" class="left"><span class="org">Google</span></div>
<div dir="auto" class="left"><span class="street-address">1600 Amphitheatre Parkway</span></div>
<div dir="auto" class="left">
<span class="locality">Mountain View</span>, <span class="region">CA</span> <span class="postal-code">94043</span>
</div>
<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:warren@kumari.net" class="email">warren@kumari.net</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Puneet Sood</span></div>
<div dir="auto" class="left"><span class="org">Google</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:puneets@google.com" class="email">puneets@google.com</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
  toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
  toc.classList.remove("active");
});
</script>
</body>
</html>