[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 RFC 4592

dnsext Working Group                                           B. Halley
Internet Draft                                                   Nominum
Expiration Date: March 2004
                                                                E. Lewis
                                                                    ARIN

                                                          September 2003


                Clarifying the Role of Wild Card Domains
                       in the Domain Name System


                 draft-ietf-dnsext-wcard-clarify-02.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   To view the list Internet-Draft Shadow Directories, see
   http://www.ietf.org/shadow.html.

Abstract

   The definition of wild cards is recast from the original in RFC 1034,
   in words that are more specific and in line with RFC 2119.  This
   document is meant to supplement the definition in RFC 1034 and to
   alter neither the spirit nor intent of that definition.









Halley & Lewis            [Expires March 2004]                  [Page 1]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


Table of Contents

          Abstract  ................................................   1
    1     Introduction  ............................................   2
    1.1   Document Limits  .........................................   3
    1.2   Existence  ...............................................   4
    1.3   An Example  ..............................................   4
    1.4   Empty Non-terminals  .....................................   5
    1.5   Terminology  .............................................   6
    2     Defining the Wild Card Domain Name  ......................   7
    3     Defining Existence  ......................................   8
    4     Impact of a Wild Card In a Query or in RDATA  ............   8
    5     Impact of a Wild Card Domain On a Response  ..............   9
    6     Considerations with Special Types  .......................  12
    6.1   SOA RR's at a Wild Card Domain Name  .....................  12
    6.2   NS RR's at a Wild Card Domain Name  ......................  12
    6.3   CNAME RR's at a Wild Card Domain Name  ...................  13
    6.4   DNAME RR's at a Wild Card Domain Name  ...................  13
    7     Security Considerations  .................................  14
    8     References  ..............................................  14
    9     Others Contributing to This Document  ....................  14
   10     Editors  .................................................  15
          Appendix A: Subdomains of Wild Card Domain Names  ........  16
          Full Copyright Statement  ................................  18
          Acknowledgement  .........................................  18




1. Introduction

   The first section of this document will give a crisp overview of what
   is begin defined, as well as the motivation rewording of an original
   document and making a change to bring the specification in line with
   implementations.  Examples are included to help orient the reader.

   Wild card domain names are defined in Section 4.3.3. of RFC 1034 as
   "instructions for synthesizing RRs." [RFC1034].  The meaning of this
   is that a specific, special domain name is used to construct
   responses in instances in which the query name is not otherwise
   represented in a zone.

   A wild card domain name has a specific range of influence on query
   names (QNAMEs) within a given class, which is rooted at the domain
   name containing the wild card label, and is limited by explicit
   entries, zone cuts and empty non-terminal domains (see section 1.3 of
   this document).




Halley & Lewis            [Expires March 2004]                  [Page 2]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   Note that a wild card domain name has no special impact on the search
   for a query type (QTYPE).  If a domain name is found that matches the
   QNAME (exact or a wild card) but the QTYPE is not found at that
   point, the proper response is that there is no data available.  The
   search does not continue on to seek other wild cards that might match
   the QTYPE.  To illustrate, a wild card owning an MX RR does not
   'cover' other names in the zone that own an A RR.  There are certain
   special case RR types that will be singled out for discussion, the
   SOA RR, NS RR, CNAME RR, and DNAME RR.

   Why is this document needed?  Empirical evidence suggests that the
   words in RFC 1034 are not clear enough.  There exist a number of
   implementations that have strayed (each differently) from that
   definition.  There also exists a misconception of operators that the
   wild card can be used to add a specific RR type to all names, such as
   the MX RR example cited above.  This document is also needed as input
   to efforts to extend DNS, such as the DNS Security Extensions [RFC
   2535].  Lack of a clear base specification has proven to result in
   extension documents that have unpredictable consequences.  (This is
   true in general, not just for DNS.)

   Another reason this clarification is needed is to answer questions
   regarding authenticated denial of existence, a service introduced in
   the DNS Security Extensions [RFC 2535].  Prior to the work leading up
   to this document, it had been feared that a large number of proof
   records (NXTs) might be needed in each reply because of the unknown
   number of potential wild card domains that were thought to be
   applicable.  One outcome of this fear is a now discontinued document
   solving a problem that is now known not to exist.  I.e., this
   clarification has the impact of defending against unwarranted
   protocol surgery.  It is not "yet another" effort to just rewrite the
   early specifications for the sake of purity.

   Although the effort to define the DNS Security Extensions has
   prompted this document, the clarifications herein relate to basic DNS
   only.  No DNS Security Extensions considerations are mentioned in the
   document.

1.1. Document Limits

   This document limits itself to reinforcing the concepts in RFC 1034.
   In the effort to do this, a few issues have been discussed that
   change parts of what is in RFC 1034.  The discussions have been held
   within the DNS Extensions Working Group.







Halley & Lewis            [Expires March 2004]                  [Page 3]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   Briefly, the issues raised include:
     - The lack of clarity in the definition of domain name existence
     - Implications of a wild card domain name owning any of the
       following resource record sets: DNAME [RFC 2672], CNAME, NS, and
       SOA
     - Whether RFC 1034 meant to allow special processing of CNAME RR's
       owned by wild card domain names

1.2. Existence

   The notion that a domain name 'exists' will arise numerous times in
   this discussion.  RFC 1034 raises the issue of existence in a number
   of places, usually in reference to non-existence and often in
   reference to processing involving wild card domain names.  RFC 1034
   contains algorithms that describe how domain names impact the
   preparation of an answer and does define wild cards as a means of
   synthesizing answers.  Because of this a discussion on wild card
   domain names has to start with the issue of existence.

   To help clarify the topic of wild cards, a positive definition of
   existence is needed.  Complicating matters, though, is the
   realization that existence is relative.  To an authoritative server,
   a domain name exists if the domain name plays a role following the
   algorithms of preparing a response.  To a resolver, a domain name
   exists if there is any data available corresponding to the name.  The
   difference between the two is the synthesis of records according to a
   wild card.

   For the purposes of this document, the point of view of an
   authoritative server is adopted.  A domain name is said to exist if
   it plays a role in the execution of the algorithms in RFC 1034.

1.3. An Example

   For example, consider this wild card domain name: *.example.  Any
   query name under example. is a candidate to be matched (answered) by
   this wild card, i.e., to have an response returned that is
   synthesized from the wild card's RR sets.  Although any name is a
   candidate, not all queries will match.












Halley & Lewis            [Expires March 2004]                  [Page 4]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   To further illustrate this, consider this zone:

             $ORIGIN example.
             @                IN  SOA
                                  NS
                                  NS
             *                    TXT "this is a wild card"
                                  MX  10 mailhost.example.
             host1                A   10.0.0.1
             _ssh._tcp.host1      SRV
             _ssh._tcp.host2      SRV
             subdel               NS


   The following queries would be synthesized from the wild card:

        QNAME=host3.example. QTYPE=MX, QCLASS=IN
             the answer will be a "host3.example. IN MX ..."
        QNAME=host3.example. QTYPE=A, QCLASS=IN
             the answer will reflect "no error, but no data"
             because there is no A RR set at '*'

   The following queries would not be synthesized from the wild card:

        QNAME=host1.example., QTYPE=MX, QCLASS=IN
             because host1.example. exists
        QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
             because _tcp.host1.example. exists (without data)
        QNAME=_telnet._tcp.host2.example., QTYPE=SRV, QCLASS=IN
             because host2.example. exists (without data)
        QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
             because subdel.example. exists and is a zone cut

   To the server, the following domains are considered to exist in the
   zone: *, host1, _tcp.host1, _ssh._tcp.host1, host2, _tcp.host2,
   _ssh._tcp.host2, and subdel.  To a resolver, many more domains appear
   to exist via the synthesis of the wild card.

1.4. Empty Non-terminals

   Empty non-terminals are domain names that own no data but have
   subdomains.  This is defined in section 3.1 of RFC 1034:

#    The domain name space is a tree structure.  Each node and leaf on the
#    tree corresponds to a resource set (which may be empty).  The domain
#    system makes no distinctions between the uses of the interior nodes and
#    leaves, and this memo uses the term "node" to refer to both.




Halley & Lewis            [Expires March 2004]                  [Page 5]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   The parenthesized "which may be empty" specifies that empty non-
   terminals are explicitly recognized.  According to the definition of
   existence in this document, empty non-terminals do exist at the
   server.

   Carefully reading the above paragraph can lead to an interpretation
   that all possible domains exist - up to the suggested limit of 255
   octets for a domain name [RFC 1035].  For example, www.example. may
   have an A RR, and as far as is practically concerned, is a leaf of
   the domain tree.  But the definition can be taken to mean that
   sub.www.example. also exists, albeit with no data.  By extension, all
   possible domains exist, from the root on down.  As RFC 1034 also
   defines "an authoritative name error indicating that the name does
   not exist" in section 4.3.1, this is not the intent of the original
   document.

   RFC1034's wording is to be clarified by adding the following
   paragraph:

        A node is considered to have an impact on the algorithms of
        4.3.2 if it is a leaf node with any resource sets or an interior
        node, with or without a resource set, that has a subdomain that
        is a leaf node with a resource set.  A QNAME and QCLASS matching
        an existing node never results in a response return code of
        authoritative name error.

   The terminology in the above paragraph is chosen to remain as close
   to that in the original document.  The term "with" is a alternate
   form for "owning" in this case, hence "a leaf node owning resources
   sets, or an interior node, owning or not owning any resource set,
   that has a leaf node owning a resource set as a subdomain," is the
   proper interpretation of the middle sentence.

   As an aside, an "authoritative name error" has been called NXDOMAIN
   in some RFCs, such as RFC 2136 [RFC 2136].  NXDOMAIN is the mnemonic
   assigned to such an error by at least one implementation of DNS.  As
   this mnemonic is specific to implementations, it is avoided in the
   remainder of this document.

1.5. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in the document entitled
   "Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]

   Requirements are denoted by paragraphs that begin with with the
   following convention: 'R'<sect>.<count>.



Halley & Lewis            [Expires March 2004]                  [Page 6]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   Quotations of RFC 1034 (as has already been done once above) are
   denoted by a '#' in the leftmost column.

2. Defining the Wild Card Domain Name

   A wild card domain name is defined by having the initial label be:

        0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)

   This defines domain names that may play a role in being a wild card,
   that is, being a source for synthesized answers.  Domain names
   conforming to this definition that appear in queries and RDATA
   sections do not have any special role.  These cases will be described
   in more detail in following sections.

   R2.1 A domain name that is to be interpreted as a wild card MUST
        begin with a label of '0000 0001 0010 1010' in binary.

   The first octet is the normal label type and length for a 1 octet
   long label, the second octet is the ASCII representation [RFC 20] for
   the '*' character.  In RFC 1034, ASCII encoding is assumed to be the
   character encoding.

   In the master file formats used in RFCs, a "*" is a legal
   representation for the wild card label.  Even if the "*" is escaped,
   it is still interpreted as the wild card when it is the only
   character in the label.

   R2.2 A server MUST treat a wild card domain name as the basis of
        synthesized answers regardless of any "escape" sequences in the
        input format.

   RFC 1034 and RFC 1035 ignore the case in which a domain name might be
   "the*.example.com." The interpretation is that this domain name in a
   zone would only match queries for "the*.example.com" and not have any
   other role.

   Note: By virtue of this definition, a wild card domain name may have
   a subdomain.  The subdomain (or sub-subdomain) itself may also be a
   wild card.  E.g., *.*.example. is a wild card, so is *.sub.*.example.
   More discussion on this is given in Appendix A.










Halley & Lewis            [Expires March 2004]                  [Page 7]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


3. Defining Existence

   As described in the Introduction, a precise definition of existence
   is needed.

   R3.1 An authoritative server MUST treat a domain name as existing
        during the execution of the algorithms in RFC 1034 when the
        domain name conforms to the following definition.  A domain name
        is defined to exist if the domain name owns data and/or has a
        subdomain that exists.

   Note that at a zone boundary, the domain name owns data, including
   the NS RR set.  At the delegating server, the NS RR set is not
   authoritative, but that is of no consequence here.  The domain name
   owns data, therefore, it exists.

   R3.2 An authoritative server MUST treat a domain name that has
        neither a resource record set nor an existing subdomain as non-
        existent when executing the algorithm in section 4.3.2. of RFC
        1034.

   A note on terminology.  A domain transcends zones, i.e., all DNS data
   is in the root domain but segmented into zones of control.  In this
   document, there are references to a "domain name" in the context of
   existing "in a zone." In this usage, a domain name is the root of a
   domain, not the entire domain.  The domain's root point is said to
   "exist in a zone" if the zone is authoritative for the name.  RR sets
   existing in a domain need not be owned by the domain's root domain
   name, but are owned by other domain names in the domain.

4. Impact of a Wild Card In a Query or in RDATA

   When a wild card domain name appears in a question, e.g., the query
   name is "*.example.", the response in no way differs from any other
   query.  In other words, the wild card label in a QNAME has no special
   meaning, and query processing will proceed using '*' as a literal
   query name.

   R4.1 A wild card domain name acting as a QNAME MUST be treated as any
        other QNAME, there MUST be no special processing accorded it.

   If a wild card domain name appears in the RDATA of a CNAME RR or any
   other RR that has a domain name in it, the same rule applies.  In the
   instance of a CNAME RR, the wild card domain name is used in the same
   manner of as being the original QNAME.  For other RR's, rules vary
   regarding what is done with the domain name(s) appearing in them, in
   no case does the wild card hold special meaning.




Halley & Lewis            [Expires March 2004]                  [Page 8]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   R4.2 A wild card domain name appearing in any RR's RDATA MUST be
        treated as any other domain name in that situation, there MUST
        be no special processing accorded it.

5. Impact of a Wild Card Domain On a Response

   The description of how wild cards impact response generation is in
   RFC 1034, section 4.3.2.  That passage contains the algorithm
   followed by a server in constructing a response.  Within that
   algorithm, step 3, part 'c' defines the behavior of the wild card.
   The algorithm is directly quoted in lines that begin with a '#' sign.
   Commentary is interleaved.

   There is a documentation issue deserving some explanation.  The
   algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
   code, i.e., it's steps are not intended to be followed in strict
   order.  The "algorithm" is a suggestion.  As such, in step 3, parts
   a, b, and c, do not have to be implemented in that order.

   Another issue needing explanation is that RFC 1034 is a full
   standard.  There is another RFC, RFC 2672, which makes, or proposes
   an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME
   RR.  RFC 2672 is a proposed standard.  The dilemma in writing these
   clarifications is knowing which document is the one being clarified.
   Fortunately, the difference between RFC 1034 and RFC 2672 is not
   significant with respect to wild card synthesis, so this document
   will continue to state that it is clarifying RFC 1034.  If RFC 2672
   progresses along the standards track, it will need to refer to
   modifying RFC 1034's algorithm as amended here.

   The context of part 'c' is that the search is progressing label by
   label through the QNAME.  (Note that the data being searched is the
   authoritative data in the server, the cache is searched in step 4.)
   Step 3's part 'a' covers the case that the QNAME has been matched in
   full, regardless of the presence of a CNAME RR.  Step 'b' covers
   crossing a cut point, resulting in a referral.  All that is left is
   to look for the wild card.

   Step 3 of the algorithm also assumes that the search is looking in
   the zone closest to the answer, i.e., in the same class as QCLASS and
   as close to the authority as possible on this server.  If the zone is
   not the authority, then a referral is given, possibly one indicating
   lameness.








Halley & Lewis            [Expires March 2004]                  [Page 9]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


#         c. If at some label, a match is impossible (i.e., the
#            corresponding label does not exist), look to see if a
#            the "*" label exists.

   The above paragraph refers to finding the domain name that exists in
   the zone and that most encloses the QNAME.  Such a domain name will
   mark the boundary of candidate wild card domain names that might be
   used to synthesize an answer.  (Remember that at this point, if the
   most enclosing name is the same as the QNAME, part 'a' would have
   recorded an exact match.)  The existence of the enclosing name means
   that no wild card name higher in the tree is a candidate to answer
   the query.

   Once the closest enclosing node is identified, there's the matter of
   what exists below it.  It may have subdomains, but none will be
   closer to the QNAME.  One of the subdomains just might be a wild
   card.  If it exists, this is the only wild card eligible to be used
   to synthesize an answer for the query.  Even if the closest enclosing
   node conforms to the syntax rule in section 2 for being a wild card
   domain name, the closest enclosing node is not eligible to be a
   source of a synthesized answer.

   The only wild card domain name that is a candidate to synthesize an
   answer will be the "*" subdomain of the closest enclosing domain
   name.  Three possibilities can happen.  The "*" subdomain does not
   exist, the "*" subdomain does but does not have an RR set of the same
   type as the QTYPE, or it exists and has the desired RR set.

   For the sake of brevity, the closest enclosing node can be referred
   to as the "closest encloser." The closest encloser is the most
   important concept in this clarification.  Describing the closest
   encloser is a bit tricky, but it is an easy concept.

   To find the closest encloser, you have to first locate the zone that
   is the authority for the query name.  This eliminates the need to be
   concerned that the closest encloser is a cut point.  In addition, we
   can assume too that the query name does not exist, hence the closest
   encloser is not equal to the query name.  We can assume away these
   two cases because they are handled in steps 2, 3a and 3b of section
   4.3.2.'s algorithm.

   What is left is to identify the existing domain name that would have
   been up the tree (closer to the root) from the query name.  Knowing
   that an exact match is impossible, if there is a "*" label descending
   from the unique closest encloser, this is the one and only wild card
   from which an answer can be synthesized for the query.





Halley & Lewis            [Expires March 2004]                 [Page 10]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   To illustrate, using the example in section 1.2 of this document, the
   following chart shows QNAMEs and the closest enclosers.  In
   Appendix A there is another chart showing unusual cases.

        QNAME                        Closest Encloser     Wild Card Source
        host3.example.               example.             *.example.
        _telnet._tcp.host1.example.  _tcp.host1.example.  no wild card
        _telnet._tcp.host2.example.  host2.example.       no wild card
        _telnet._tcp.host3.example.  example.             *.example.
        _chat._udp.host3.example.    example.             *.example.

   Note that host1.subdel.example. is in a subzone, so the search for it
   ends in a referral in part 'b', thus does not enter into finding a
   closest encloser.

   The fact that a closest encloser will be the only superdomain that
   can have a candidate wild card will have an impact when it comes to
   designing authenticated denial of existence proofs.

#            If the "*" label does not exist, check whether the name
#            we are looking for is the original QNAME in the query
#            or a name we have followed due to a CNAME.  If the name
#            is original, set an authoritative name error in the
#            response and exit.  Otherwise just exit.

   The above passage says that if there is not even a wild card domain
   name to match at this point (failing to find an explicit answer
   elsewhere), we are to return an authoritative name error at this
   point.  If we were following a CNAME, the specification is unclear,
   but seems to imply that a no error return code is appropriate, with
   just the CNAME RR (or sequence of CNAME RRs) in the answer section.

#            If the "*" label does exist, match RRs at that node
#            against QTYPE.  If any match, copy them into the answer
#            section, but set the owner of the RR to be QNAME, and
#            not the node with the "*" label.  Go to step 6.

   This final paragraph covers the role of the QTYPE in the process.
   Note that if no resource record set matches the QTYPE the result is
   that no data is copied, but the search still ceases ("Go to step
   6.").  In the following section, a suggested change is made to this,
   under the heading "CNAME RRs at a Wild Card Domain Name."









Halley & Lewis            [Expires March 2004]                 [Page 11]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


6. Considerations with Special Types

   For the purposes of this section, "special" means that a record
   induces processing at the server beyond simple lookup.  The special
   types in this section are SOA, NS, CNAME, and DNAME.  SOA is special
   because it is used as a zone marker and has an impact on step 2 of
   the algorithm in 4.3.2.  NS denotes a cut point and has an impact on
   step 3b.  CNAME redirects the query and is mentioned in steps 3a and
   3b.  DNAME is a "CNAME generator."

6.1. SOA RR's at a Wild Card Domain Name

   If the owner of an SOA record conforms to the basic rules of owning
   an SOA RR (meaning it is the apex of a zone) the impact on the search
   algorithm is not in section 3c (where records are synthesized) as
   would be expected.  The impact is really in step 2 of the algorithm,
   the choice of zone.

   We are no longer talking about whether or not an SOA RR can be
   synthesized in a response because we are shifting attention to step
   2.  We are now talking about what it means for a name server to
   synthesize a zone for a response.  To date, no implementation has
   done this.  Thinking ahead though, anyone choosing to pursue this
   would have to be aware that a server would have to be able to
   distinguish between queries for data it will have to synthesize and
   queries that ought to be treated as if they were prompted by a lame
   delegation.

   It is not a protocol error to have an SOA RR owned by a wild card
   domain name, just as it is not an error to have zone name be
   syntactically equivalent to a domain name.  However, this situation
   requires careful consideration of how a server chooses the
   appropriate zone for an answer.  And an SOA RR is not able to be
   synthesized as in step 3c.

6.2. NS RR's at a Wild Card Domain Name

   Complimentary to the issue of an SOA RR owned by a wild card domain
   name is the issue of NS RR's owned by a wild card domain name.  In
   this instance, each machine being referred to in the RDATA of the NS
   RR has to be able to understand the impact of this on step 2, the
   choosing of the authoritative zone.

   Referring to the same machine in such a NS RR will probably not work
   well.  This is because the server may become confused as to whether
   the query name ought to be answered by the zone owning the NS RR in
   question or a synthesized zone.  (It isn't known in advance that the
   query name will invoke the wild card synthesis.)



Halley & Lewis            [Expires March 2004]                 [Page 12]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   The status of other RR's owned by a wild card domain name is the same
   as if the owner name was not a wild card domain name.  I.e., when
   there is a NS RR at a wild card domain name, other records are
   treated as being below the zone cut.

   Is it not a protocol error to have a NS RR owned by a wild card
   domian name, complimentary to the case of a SOA RR.  However, for
   this to work, an implementation has to know how to synthesize a zone.

6.3. CNAME RR's at a Wild Card Domain Name

   The issue of CNAME RR's owned by wild card domain names has prompted
   a suggested change to the last paragraph of step 3c of the algorithm
   in 4.3.2.  The changed text is this:

        If the "*" label does exist and if the data at the node is a
        CNAME and QTYPE doesn't match CNAME, copy the CNAME RR into the
        answer section of the response, set the owner of the CNAME RR to
        be QNAME, and then change QNAME to the canonical name in the
        CNAME RR, and go back to step 1.

        If the "*" label does exist and either QTYPE is CNAME or the
        data at the node is not a CNAME, then match RRs at that node
        against QTYPE.  If any match, copy them into the answer section,
        but set the owner of the RR to be QNAME, and not the node with
        the "*" label.  Go to step 6.

   Apologies if the above isn't clear, but an attempt was made to stitch
   together the passage using just the phrases in section 3a and 3c of
   the algorithm so as to preserve the original flavor.

   In case the passage as suggested isn't clear enough, the intent is to
   make "landing" at a wild card name and finding a CNAME the same as if
   this happened as a result of a direct match.  I.e., Finding a CNAME
   at the name matched in step 3c is supposed to have the same impact as
   finding the CNAME in step 3a.

6.4. DNAME RR's at a Wild Card Domain Name

   The specification of the DNAME RR, which is at the proposed level of
   standardization, is not as mature as the full standard in RFC 1034.
   Because of this, or the reason for this is, there appears to be a
   host of issues with that definition and it's rewrite of the algorithm
   in 4.3.2.  For the time being, when it comes to wild card processing
   issues, a DNAME can be considered to be a CNAME synthesizer.  A DNAME
   at a wild card domain name is effectively the same as a CNAME at a
   wild card domain name.




Halley & Lewis            [Expires March 2004]                 [Page 13]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


7. Security Considerations

   This document is refining the specifications to make it more likely
   that security can be added to DNS.  No functional additions are being
   made, just refining what is considered proper to allow the DNS,
   security of the DNS, and extending the DNS to be more predictable.

8. References

   Normative References

   [RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969

   [RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris,
               Nov-01-1987

   [RFC 1035] Domain Names - Implementation and Specification, P.V
               Mockapetris, Nov-01-1987

   [RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S
               Bradner, March 1997

   Informative References

   [RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P. Vixie,
               Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997

   [RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999

   [RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999

9. Others Contributing to This Document

   Others who have directly caused text to appear in the document: Paul
   Vixie and Olaf Kolkman.  Many others have indirect influences on the
   content.















Halley & Lewis            [Expires March 2004]                 [Page 14]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


10. Editors

        Name:         Bob Halley
        Affiliation:  Nominum, Inc.
        Address:      2385 Bay Road, Redwood City, CA 94063 USA
        Phone:        +1-650-381-6016
        EMail:        Bob.Halley@nominum.com

        Name:         Edward Lewis
        Affiliation:  ARIN
        Address:      3635 Concorde Pkwy, Suite 200, Chantilly, VA 20151 USA
        Phone:        +1-703-227-9854
        Email:        edlewis@arin.net

   Comments on this document can be sent to the editors or the mailing
   list for the DNSEXT WG, namedroppers@ops.ietf.org.



































Halley & Lewis            [Expires March 2004]                 [Page 15]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


Appendix A: Subdomains of Wild Card Domain Names

   In reading the definition of section 2 carefully, it is possible to
   rationalize unusual names as legal.  In the example given,
   *.example. could have subdomains of *.sub.*.example. and even the
   more direct *.*.example.  (The implication here is that these domain
   names own explicit resource records sets.)  Although defining these
   names is not easy to justify, it is important that implementions
   account for the possibility.  This section will give some further
   guidence on handling these names.

   The first thing to realize is that by all definitions, subdomains of
   wild card domain names are legal.  In analyzing them, one realizes
   that they cause no harm by their existence.  Because of this, they
   are allowed to exist, i.e., there are no special case rules made to
   disallow them.  The reason for not preventing these names is that the
   prevention would just introduce more code paths to put into
   implementations.

   The concept of "closest enclosing" existing names is important to
   keep in mind.  It is also important to realize that a wild card
   domain name can be a closest encloser of a query name.  For example,
   if *.*.example. is defined in a zone, and the query name is
   a.*.example., then the closest enclosing domain name is *.example.
   Keep in mind that the closest encloser is not eligible to be a source
   of synthesized answers, just the subdomain of it that has the first
   label "*".

   To illustrate this, the following chart shows some matches.  Assume
   that the names *.example., *.*.example., and *.sub.*.example. are
   defined in the zone.

        QNAME               Closest Encloser  Wild Card Source
        a.example.          example.          *.example.
        b.a.example.        example.          *.example.
        a.*.example.        *.example.        *.*.example.
        b.a.*.example.      *.example.        *.*.example.
        b.a.*.*.example.    *.*.example.      no wild card
        a.sub.*.example.    sub.*.example.    *.sub.*.example.
        b.a.sub.*.example.  sub.*.example.    *.sub.*.example.
        a.*.sub.*.example.  *.sub.*.example.  no wild card
        *.a.example.        example.          *.example.
        a.sub.b.example.    example.          *.example.

   Recall that the closest encloser itself cannot be the wild card.
   Therefore the match for b.a.*.*.example. has no applicable wild card.





Halley & Lewis            [Expires March 2004]                 [Page 16]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


   Finally, if a query name is sub.*.example., any answer available will
   come from an exact name match for sub.*.example.  No wild card
   synthesis is performed in this case.
















































Halley & Lewis            [Expires March 2004]                 [Page 17]

Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003


Full Copyright Statement

   Copyright (C) The Internet Society 2003.  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Halley & Lewis            [Expires March 2004]                 [Page 18]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/