draft-iab-dns-choices-05.txt   draft-iab-dns-choices-06.txt 
Network Working Group IAB Network Working Group IAB
Internet-Draft P. Faltstrom, Ed. Internet-Draft P. Faltstrom, Ed.
Intended status: Standards Track R. Austein, Ed. Intended status: Informational R. Austein, Ed.
Expires: August 21, 2008 P. Koch, Ed. Expires: January 15, 2009 P. Koch, Ed.
February 18, 2008 July 14, 2008
Design Choices When Expanding DNS Design Choices When Expanding DNS
draft-iab-dns-choices-05 draft-iab-dns-choices-06
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 21, 2008. This Internet-Draft will expire on January 15, 2009.
Copyright Notice
Copyright (C) The IETF Trust (2008).
Abstract Abstract
This note discusses how to extend the DNS with new data for a new This note discusses how to extend the DNS with new data for a new
application. DNS extension discussions too often focus on reuse of application. DNS extension discussions too often focus on reuse of
the TXT Resource Record Type. This document lists different the TXT Resource Record Type. This document lists different
mechanisms to extend the DNS, and concludes that the use of a new DNS mechanisms to extend the DNS, and concludes that the use of a new DNS
Resource Record Type is the best solution. Resource Record Type is the best solution.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Extension mechanisms . . . . . . . . . . . . . . . . . . . . . 5 3. Extension mechanisms . . . . . . . . . . . . . . . . . . . . . 5
3.1. Place selectors inside the RDATA of existing Resource 3.1. Place selectors inside the RDATA of existing Resource
Record Types . . . . . . . . . . . . . . . . . . . . . . . 5 Record Types . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Add a prefix to the owner name . . . . . . . . . . . . . . 5 3.2. Add a prefix to the owner name . . . . . . . . . . . . . . 6
3.3. Add a suffix to the owner name . . . . . . . . . . . . . . 6 3.3. Add a suffix to the owner name . . . . . . . . . . . . . . 7
3.4. Add a new Class . . . . . . . . . . . . . . . . . . . . . 7 3.4. Add a new Class . . . . . . . . . . . . . . . . . . . . . 7
3.5. Add a new Resource Record Type . . . . . . . . . . . . . . 7 3.5. Add a new Resource Record Type . . . . . . . . . . . . . . 8
4. Zone boundaries are invisible to applications . . . . . . . . 8 4. Zone boundaries are invisible to applications . . . . . . . . 9
5. Why adding a new Resource Record Type is the preferred 5. Why adding a new Resource Record Type is the preferred
solution . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 solution . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6. Conclusion and Recommendation . . . . . . . . . . . . . . . . 12 6. Conclusion and Recommendation . . . . . . . . . . . . . . . . 13
7. Creating A New Resource Record Type . . . . . . . . . . . . . 13 7. Creating A New Resource Record Type . . . . . . . . . . . . . 14
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 9. Security Considerations . . . . . . . . . . . . . . . . . . . 14
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
11.1. Normative References . . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . . 16
11.2. Informative References . . . . . . . . . . . . . . . . . . 14 11.2. Informative References . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
Intellectual Property and Copyright Statements . . . . . . . . . . 16 Intellectual Property and Copyright Statements . . . . . . . . . . 18
1. Introduction 1. Introduction
The DNS stores multiple categories of data. The two most commonly The DNS stores multiple categories of data. The two most commonly
used categories are infrastructure data for the DNS system itself (NS used categories are infrastructure data for the DNS system itself (NS
and SOA Resource Records) and data which have to do with mappings and SOA Resource Records) and data which have to do with mappings
between domain names and IP addresses (A, AAAA and PTR Resource between domain names and IP addresses (A, AAAA and PTR Resource
Records). There are other categories as well, some of which are tied Records). There are other categories as well, some of which are tied
to specific applications like email (MX Resource Records), while to specific applications like email (MX Resource Records), while
others are generic Resource Record Types used to convey information others are generic Resource Record Types used to convey information
for multiple protocols (SRV and NAPTR Resource Records). for multiple protocols (SRV and NAPTR Resource Records).
When storing data in the DNS for a new application, the data are When storing data in the DNS for a new application, the goal must be
usually tied to a "normal" domain name, so that the application can to store data in such a way that the application can query for the
query for the data it wants, while minimizing the impact on existing data it wants, while minimizing the impact on both existing
applications. applications and the amount of extra data transfered to the client.
This implies a number of design choices have to be made, where the
most important is to ensure that an as precise selection of what data
to return must be made already in the query. A query that consists
of the triple Owner, Resource Record Type and Resource Record Class.
Historically, extending DNS to store application data tied to a Historically, extending DNS to store application data tied to a
domain name has been done in different ways at different times. MX domain name has been done in different ways at different times. MX
Resource Records were created as a new Resource Record Type Resource Records were created as a new Resource Record Type
specifically designed to support electronic mail. SRV records are a specifically designed to support electronic mail. SRV records are a
generic type which use a prefixing scheme in combination with a base generic type which use a prefixing scheme in combination with a base
domain name. Records associated with ENUM use a suffixing scheme. domain name. NAPTR records add selection data inside the RDATA. It
NAPTR records add selection data inside the RDATA. It is clear that is clear that the methods used to add new data types to the DNS have
the methods used to add new data types to the DNS have been been inconsistent, and the purpose of this document is to attempt to
inconsistent, and the purpose of this document is to attempt to
clarify the implications of each of these methods, both for the clarify the implications of each of these methods, both for the
applications that use them and for the rest of the DNS. applications that use them and for the rest of the DNS.
This document talks extensively about use of DNS wildcards. Many This document talks extensively about use of DNS wildcards. Many
people might think use of wildcards is not something that happens people might think use of wildcards is not something that happens
today. In reality though, wildcards are in use, especially for today. In reality though, wildcards are in use, especially for
certain application-specific data such as MX Resource Records. certain application-specific data such as MX Resource Records.
Because of this, the choice has to be made with existence of Because of this, the choice has to be made with existence of
wildcards in mind. wildcards in mind.
Another overall issue that must be taken into account is what the new Another overall issue that must be taken into account is what the new
data in the DNS are to describe. In some cases they might be data in the DNS are to describe. In some cases they might be
completely new data. In other cases they might be metadata tied to completely new data. In other cases they might be metadata tied to
data that already exist in the DNS. An example of new data is key data that already exist in the DNS. An example of new data is key
information for SSH and data used for fighting spam (metadata tied to information for SSH and data used for authenticating sender of email
MX Resource Records). If the new data are tied to data that already messages (metadata tied to MX Resource Records). If the new data are
exist in the DNS, an analysis should be made as to whether having tied to data that already exist in the DNS, an analysis should be
(for example) address records and SSH key information in different made as to whether having (for example) address records and SSH key
DNS zones is a problem, and if it is, whether the specification must information in different DNS zones is a problem, or if it is a bonus,
require all of the related data to be in the same zone. and if it is a problem, whether the specification must require all of
the related data to be in the same zone. One specific difference
between having the records in the same zone or not have to do with
maintenance of the records. If they are in the same zone, the same
maintainer (from a DNS perspective) manages the two records.
Specifically, they must be signed with the same DNSSEC keys if DNSSEC
is in use.
This document does not talk about what one should store in the DNS. This document does not talk about what one should store in the DNS.
It also doesn't discuss whether DNS should be used for service It also doesn't discuss whether DNS should be used for service
discovery, or whether DNS should be used for storage of data specific discovery, or whether DNS should be used for storage of data specific
for the service. In general, DNS is a protocol that, apart from for the service. In general, DNS is a protocol that, apart from
holding metadata that makes the DNS itself function (NS, SOA, DNSSEC holding metadata that makes the DNS itself function (NS, SOA, DNSSEC
Resource Record Types, etc), only holds references to service Resource Record Types, etc), only holds references to service
locations (SRV, NAPTR, A, AAAA Resource Record Types), but there are locations (SRV, NAPTR, A, AAAA Resource Record Types), but there are
exceptions (such as MX Resource Records). exceptions (such as MX Resource Records).
2. Background 2. Background
See [RFC2929] for a brief summary of DNS query structure. Readers See RFC 2929 [RFC2929] for a brief summary of DNS query structure.
interested in the full story should start with the base DNS Readers interested in the full story should start with the base DNS
specification in [RFC1035], and continue with the various documents specification in RFC 1035 [RFC1035], and continue with the various
that update, clarify, and extend the base specification. documents that update, clarify, and extend the base specification.
When composing a DNS query, the parameters used by the protocol are a When composing a DNS query, the parameters used by the protocol are a
triple: a DNS name, a DNS class, and a DNS record Type. Every triple: a DNS name, a DNS class, and a DNS Resource Record Type.
Resource Record matching a particular name, type and class is said to Every Resource Record matching a particular name, type and class is
belong to the same "RRSet", and the whole RRSet is always returned to said to belong to the same Resource Record Set (RRSet), and the whole
the client that queries for it. Splitting an RRSet is a protocol RRSet is always returned to the client that queries for it.
violation, because it results in coherency problems with the DNS Splitting an RRSet is a protocol violation (sending a partial RRSet,
caching mechanism. not truncating the DNS response), because it can result in coherency
problems with the DNS caching mechanism. See RFC 2181 section 5
[RFC2181] for more information.
Some discussions around extensions to the DNS include arguments Some discussions around extensions to the DNS include arguments
around MTU size. Note that most discussions about DNS and MTU size around MTU size. Note that most discussions about DNS and MTU size
are about the size of the whole DNS packet, not about the size of a are about the size of the whole DNS packet, not about the size of a
single RRSet. single RRSet.
Almost all DNS query traffic is carried over UDP, where a DNS message Almost all DNS query traffic is carried over UDP, where a DNS message
must fit within a single UDP packet. DNS response messages are must fit within a single UDP packet. DNS response messages are
almost always larger than DNS query messages, so message size issues almost always larger than DNS query messages, so message size issues
are almost always about responses, not queries. The base DNS are almost always about responses, not queries. The base DNS
specification limits DNS messages over UDP to 512 octets; EDNS0 specification limits DNS messages over UDP to 512 octets; EDNS0
[RFC2671] specifies a mechanism by which a client can signal its [RFC2671] specifies a mechanism by which a client can signal its
willingness to receive larger responses, but deployment of EDNS0 is willingness to receive larger responses, but deployment of EDNS0 is
not universal, in part because of firewalls that block fragmented UDP not universal, in part because of firewalls that block fragmented UDP
packets or EDNS0. If a response message won't fit in a single packets or EDNS0. If a response message won't fit in a single
packet, the name server returns a truncated response, at which point packet, the name server returns a truncated response, at which point
the client may retry using TCP. DNS queries over TCP are not subject the client may retry using TCP. DNS queries over TCP are not subject
to this length limitation, but TCP imposes significantly higher per- to this length limitation, but TCP imposes significantly higher per-
query overhead on name servers than UDP. It is also the case that query overhead on name servers than UDP. It is also the case that
the policies in deployed firewalls far too often is such that it the policies in deployed firewalls far too often are such that it
blocks DNS over TCP, so using TCP might not in reality be an option. blocks DNS over TCP, so using TCP might not in reality be an option.
There are also risks (although possibly small) that a change of There are also risks (although possibly small) that a change of
routing while a TCP flow is open create problems when the DNS servers routing while a TCP flow is open creates problems when the DNS
are deployed in an anycast environment. servers are deployed in an anycast environment.
3. Extension mechanisms 3. Extension mechanisms
The DNS protocol is intended to be extensible to support new kinds of The DNS protocol is intended to be extensible to support new kinds of
data. This section examines the various ways in which this sort of data. This section examines the various ways in which this sort of
extension can be accomplished. extension can be accomplished.
3.1. Place selectors inside the RDATA of existing Resource Record Types 3.1. Place selectors inside the RDATA of existing Resource Record Types
For a given query name, one might choose to have a single RRSet (all For a given query name, one might choose to have a single RRSet (all
Resource Records sharing the same name, type, and class) shared by Resource Records sharing the same name, type, and class) shared by
multiple applications, and have the different applications use multiple applications, and have the different applications use
selectors within the Resource Record data (RDATA) to determine which selectors within the Resource Record data (RDATA) to determine which
records are intended for which applications. This sort of selector records are intended for which applications. This sort of selector
mechanism is usually referred to "subtyping", because it is in effect mechanism is usually referred to "subtyping", because it is in effect
creating an additional type subsystem within a single DNS Resource creating an additional type subsystem within a single DNS Resource
Record Type. Record Type.
Examples of subtyping include NAPTR Resource Records (see [RFC3761]) Examples of subtyping include NAPTR Resource Records [RFC3761] and
and the original DNSSEC KEY Resource Record Type ([RFC2535]) (before the original DNSSEC KEY Resource Record Type [RFC2535] (which was
it was updated by [RFC3445]). later updated by RFC 3445 [RFC3445]).
All DNS subtyping schemes share a common weakness: With subtyping All DNS subtyping schemes share a common weakness: With subtyping
schemes it is impossible for a client to query for just the data it schemes it is impossible for a client to query for just the data it
wants. Instead, the client must fetch the entire RRSet, then select wants. Instead, the client must fetch the entire RRSet, then select
the Resource Records in which it is interested. Furthermore, since the Resource Records in which it is interested. Furthermore, since
DNSSEC signatures operate on complete RRSets, the entire RRSet must DNSSEC signatures operate on complete RRSets, the entire RRSet must
be re-signed if any Resource Record in it changes. As a result, each be re-signed if any Resource Record in it changes. As a result, each
application that uses a subtyped Resource Record incurs higher application that uses a subtyped Resource Record incurs higher
overhead than any of the applications would have incurred had they overhead than any of the applications would have incurred had they
not been using a subtyping scheme. The fact the RRSet is always not been using a subtyping scheme. The fact the RRSet is always
skipping to change at page 6, line 16 skipping to change at page 6, line 26
if one has records like if one has records like
*.example.com. IN MX 1 mail.example.com. *.example.com. IN MX 1 mail.example.com.
and one wants records tied to those names. Suppose one creates the and one wants records tied to those names. Suppose one creates the
prefix "_mail". One would then have to say something like prefix "_mail". One would then have to say something like
_mail.*.example.com. IN X-FOO A B C D _mail.*.example.com. IN X-FOO A B C D
but DNS wildcards only work with the "*" as the leftmost token in the but DNS wildcards only work with the "*" as the leftmost token in the
domain name (see also [RFC4592]). domain name (see also RFC 4592 [RFC4592]).
There have been proposals to deal with the problem that DNS wild-
cards are always terminal records. These proposals introduce an
additional set of trade-offs that would need to be taken into account
when assessing which extension mechanism to choose. Aspects of extra
response time needed to perform the extra queries, costs of pre-
calculation of possible answers, or the costs induced to the system
as a whole come to mind. At the time of writing none of these
proposals has been published as standards tracks RFCs.
Even when a specific prefix is chosen, the data will still have to be Even when a specific prefix is chosen, the data will still have to be
stored in some Resource Record Type. This Resource Record Type can stored in some Resource Record Type. This Resource Record Type can
either be a record Type that has an appropriate format to store the either be an existing Resource Record Type that has an appropriate
data or a new Resource Record Type. This implies that some other format to store the data or a new Resource Record Type. One also
selection mechanism has to be applied as well, such as ability to might nee some other selection mechanism, such as ability to
distinguish between the records in an RRSet given they have the same distinguish between the records in an RRSet given they have the same
Resource Record Type. Because of this, one needs to both register a Resource Record Type. Because of this, one needs to both register a
unique prefix and define what Resource Record Type is to be used for unique prefix and define what Resource Record Type is to be used for
this specific service. this specific service.
If the record has some relationship with another record in the zone, If the record has some relationship with another record in the zone,
the fact that the two records can be in different zones might have the fact that the two records can be in different zones might have
implications on the trust the application has in the records. For implications on the trust the application has in the records. For
example: example:
example.com. IN MX 10 mail.example.com. example.com. IN MX 10 mail.example.com.
_foo.example.com. IN X-BAR "metadata for the mail service" _foo.example.com. IN X-BAR "metadata for the mail service"
In this example, the two records might be in two different zones, and In this example, the two records might be in two different zones, and
because of this might be signed by two different organizations when because of this might be administered by two different organisations,
using DNSSEC. and signed by two different entities when using DNSSEC. Prefix has
lately because of these two reasons been a very interesting solution
for many protocol designers. In some cases when using TXT records
(add reference to DKIM), in other cases when adding new Resource
Record Types (SRV).
3.3. Add a suffix to the owner name 3.3. Add a suffix to the owner name
Adding a suffix to a domain name changes the name/class/type triple, Adding a suffix to a domain name changes the name/class/type triple,
and therefore the RRSet. In this case, since the query name can be and therefore the RRSet. In this case, since the query name can be
set to exactly the data one wants the size of the RRSet is minimized. set to exactly the data one wants the size of the RRSet is minimized.
The problem with adding a suffix is that it creates a parallel tree The problem with adding a suffix is that it creates a parallel tree
within the IN class. Further, there is no technical mechanism to within the IN class. Further, there is no technical mechanism to
ensure that the delegation for "example.com" and "example.com._bar" ensure that the delegation for "example.com" and "example.com._bar"
are made to the same organization. Furthermore, data associated with are made to the same organization. Furthermore, data associated with
a single entity will now be stored in two different zones, such as a single entity will now be stored in two different zones, such as
"example.com" and "example.com._bar", which, depending on who "example.com" and "example.com._bar", which, depending on who
controls "_bar", can create new synchronization and update controls "_bar", can create new synchronization and update
authorization issues. authorization issues.
One way of solving the administrative issues is by using the DNAME One way of solving the administrative issues is by using the DNAME
Resource Record Type specified in [RFC2672]. Resource Record Type specified in RFC 2672 [RFC2672].
Even when using a different name, the data will still have to be Even when using a different name, the data will still have to be
stored in some Resource Record Type. This Resource Record Type can stored in some Resource Record Type that has an appropriate format to
either be a "kitchen-sink record" or a new Resource Record Type. store the data. This implies that one might have to mix the prefix
This implies that some other mechanism has to be applied as well, based selection mechanism with some other mechanism so that the right
with implications detailed in other parts of this note. Resource Record can be found out of many in a potential larger RRSet.
In [RFC2163] an infix token is inserted directly below the TLD, but In RFC 2163 [RFC2163] an infix token is inserted directly below the
the result is equivalent to adding a suffix to the owner name TLD, but the result is equivalent to adding a suffix to the owner
(instead of creating a TLD one is creating a second level domain). name (instead of creating a TLD one is creating a second level
domain).
3.4. Add a new Class 3.4. Add a new Class
DNS zones are class-specific in the sense that all the records in DNS zones are class-specific in the sense that all the records in
that zone share the same class as the zone's SOA record and the that zone share the same class as the zone's SOA record and the
existence of a zone in one class does not guarantee the existence of existence of a zone in one class does not guarantee the existence of
the zone in any other class. In practice, only the IN class has ever the zone in any other class. In practice, only the IN class has ever
seen widespread deployment, and the administrative overhead of seen widespread deployment, and the administrative overhead of
deploying an additional class would almost certainly be prohibitive. deploying an additional class would almost certainly be prohibitive.
Nevertheless, one could in theory use the DNS class mechanism to Nevertheless, one could in theory use the DNS class mechanism to
distinguish between different kinds of data. However, since the DNS distinguish between different kinds of data. However, since the DNS
delegation tree (represented by NS Resource Records) is itself tied delegation tree (represented by NS Resource Records) is itself tied
to a specific class, attempting to resolve a query by crossing a to a specific class, attempting to resolve a query by crossing a
class boundary may produce unexpected results because there is no class boundary may produce unexpected results because there is no
guarantee that the name servers for the zone in the new class will be guarantee that the name servers for the zone in the new class will be
the same as the name servers in the IN class. The MIT Hesiod system the same as the name servers in the IN class. The MIT Hesiod system
used a scheme like this for storing data in the HS class, but only on used a scheme like this for storing data in the HS class, but only on
a very small scale (within a single institution), and with an a very small scale (within a single institution), and with an
administrative fiat requiring that the delegation trees for the IN administrative fiat requiring that the delegation trees for the IN
and HS trees be identical. and HS trees be identical. The use of the HS class for such storage
of non-sensitive data was over time replaced by use of LDAP.
Even when using a different class, the data will still have to be Even when using a different class, the data will still have to be
stored in some Resource Record Type or another. This Resource Record stored in some Resource Record Type that has an appropriate format to
Type can either be a "kitchen-sink record" or a new Resource Record store the data. This implies that one might have to mix the prefix
Type. This implies that some other mechanism has to be applied as based selection mechanism with some other mechanism so that the right
well, with implications detailed in other parts of this note. Resource Record can be found out of many in a potential larger RRSet.
3.5. Add a new Resource Record Type 3.5. Add a new Resource Record Type
When adding a new Resource Record Type to the system, entities in When adding a new Resource Record Type to the system, entities in
four different roles have to be able to handle the new Type: four different roles have to be able to handle the new Type:
1. There must be a way to insert the new Resource Records into the 1. There must be a way to insert the new Resource Records into the
zone of the Primary Master name server. For some server zone of the Primary Master name server. For some server
implementations, the user interface only accepts record Types implementations, the user interface only accepts Resource Record
which it understands (perhaps so that the implementation can Types which it understands (perhaps so that the implementation
attempt to validate the data). Other implementations allow the can attempt to validate the data). Other implementations allow
zone administrator to enter an integer for the Resource Record the zone administrator to enter an integer for the Resource
Type code and the RDATA in Base64 or hexadecimal encoding (or Record Type code and the RDATA in Base64 or hexadecimal encoding
even as raw data). [RFC3597] specifies a standard generic (or even as raw data). RFC 3597 [RFC3597] specifies a standard
encoding for this purpose. generic encoding for this purpose.
2. A slave authoritative name server must be able to do a zone 2. A slave authoritative name server must be able to do a zone
transfer, receive the data from some other authoritative name transfer, receive the data from some other authoritative name
server, and serve data from the zone even though the zone server, and serve data from the zone even though the zone
includes records of unknown Types. Historically, some includes records of unknown Types. Historically, some
implementations have had problems parsing stored copies of the implementations have had problems parsing stored copies of the
zone file after restarting, but those problems have not been seen zone file after restarting, but those problems have not been seen
for a few years. for a few years.
3. A caching resolver (most commonly a recursive name server) will 3. A caching resolver (most commonly a recursive name server) will
cache the records which are responses to queries. As mentioned cache the records which are responses to queries. As mentioned
in [RFC3597],there are various pitfalls where a recursive name in RFC 3597 [RFC3597],there are various pitfalls where a
server might end up having problems. recursive name server might end up having problems.
4. The application must be able to get the RRSet with a new Resource 4. The application must be able to get the RRSet with a new Resource
Record Type. The application itself may understand the RDATA, Record Type. The application itself may understand the RDATA,
but the resolver library might not. Support for a generic but the resolver library might not. Support for a generic
interface for retrieving arbitrary DNS Resource Record Types has interface for retrieving arbitrary DNS Resource Record Types has
been a requirement since 1989 (see [RFC1123] Section 6.1.4.2). been a requirement since 1989 (see RFC 1123 [RFC1123] Section
Some stub resolver library implementations neglect to provide 6.1.4.2). Some stub resolver library implementations neglect to
this functionality and cannot handle unknown Resource Record provide this functionality and cannot handle unknown Resource
Types, but implementation of a new stub resolver library is not Record Types, but implementation of a new stub resolver library
particularly difficult, and open source libraries that already is not particularly difficult, and open source libraries that
provide this functionality are available. already provide this functionality are available.
Historically adding a new Resource Record Type as been very
problematic. Review process has been cumbersome, DNS servers have
not been able to handle new Resource Record Types, and firewalls has
dropped queries or responses with for the firewall unknown Resource
Record Types. This is for example one of the reasons the ENUM
standard reuse the NAPTR Resource Record. A choice that today might
have been wrong, and a new resource record type could have been a
better choice.
Today, there is a requirement that DNS software can handle unknown
Resource Record Types, and investigations have shown that software
that is deployed in general do support it. Also the approval process
for new Resource Record Types has been updated so it is more
predictable on what effort is needed for various Resource Record
Types.
4. Zone boundaries are invisible to applications 4. Zone boundaries are invisible to applications
Regardless of the possible choices above we have seen a number of Regardless of the possible choices above we have seen a number of
cases where the application made assumptions about the structure of cases where the application made assumptions about the structure of
the namespace and the location where specific information resides. the namespace and the location where specific information resides.
We take a small sidestep to argue against such approaches. We take a small sidestep to argue against such approaches.
The DNS namespace is a hierarchy, technically speaking. However, The DNS namespace is a hierarchy, technically speaking. However,
this only refers to the way names are built from multiple labels. this only refers to the way names are built from multiple labels.
skipping to change at page 9, line 12 skipping to change at page 10, line 9
requested RRSet was missing or the name did not exist) is retried by requested RRSet was missing or the name did not exist) is retried by
repeatedly stripping off the leftmost label (climbing towards the repeatedly stripping off the leftmost label (climbing towards the
root) until the root domain is reached. Sometimes these proposals root) until the root domain is reached. Sometimes these proposals
try to avoid the query for the root or the TLD level, but still this try to avoid the query for the root or the TLD level, but still this
approach has severe drawbacks: approach has severe drawbacks:
o Technically, the DNS was built as a query - response tool without o Technically, the DNS was built as a query - response tool without
any search capability [RFC3467]. Adding the search mechanism any search capability [RFC3467]. Adding the search mechanism
imposes additional burden on the technical infrastructure, in the imposes additional burden on the technical infrastructure, in the
worst case on TLD and root name servers. worst case on TLD and root name servers.
o For reasons similar to those outlined in RFC 1535, querying for o For reasons similar to those outlined in RFC 1535 [RFC1535],
information in a domain outside the control of the intended entity querying for information in a domain outside the control of the
may lead to incorrect results and may also put security at risk. intended entity may lead to incorrect results and may also put
Finding the exact policy boundary is impossible without an security at risk. Finding the exact policy boundary is impossible
explicit marker which does not exist at present. At best, without an explicit marker which does not exist at present. At
software can detect zone boundaries (e.g., by looking for SOA best, software can detect zone boundaries (e.g., by looking for
Resource Records), but some TLD registries register names starting SOA Resource Records), but some TLD registries register names
at the second level (e.g., CO.UK), and there are various other starting at the second level (e.g., CO.UK), and there are various
"registry" types at second, third or other level domains that other "registry" types at second, third or other level domains
cannot be identified as such without policy knowledge external to that cannot be identified as such without policy knowledge
the DNS. external to the DNS.
To restate, the zone boundary is purely a boundary that exists in the To restate, the zone boundary is purely a boundary that exists in the
DNS for administrative purposes, and applications should be careful DNS for administrative purposes, and applications should be careful
not to draw unwarranted conclusions from zone boundaries. A not to draw unwarranted conclusions from zone boundaries. A
different way of stating this is that the DNS does not support different way of stating this is that the DNS does not support
inheritance, e.g. a wildcard MX RRSet for a TLD will not be valid for inheritance, e.g. a wildcard MX RRSet for a TLD will not be valid for
any subdomain of that particular TLD. any subdomain of that particular TLD.
5. Why adding a new Resource Record Type is the preferred solution 5. Why adding a new Resource Record Type is the preferred solution
By now, the astute reader might be be wondering what conclusions to By now, the astute reader might be wondering what conclusions to draw
draw from all the issues presented so far. We will now attempt to from the issues presented so far. We will now attempt to clear up
clear up the reader's confusion by following the thought processes of the reader's confusion by following the thought processes of a
a typical application designer who wishes to store data in the DNS, typical application designer who wishes to store data in the DNS,
showing how such a designer almost inevitably hits upon the idea of showing how such a designer almost inevitably hits upon the idea of
just using TXT Resource Record, why this is a bad thing, and why a just using a TXT Resource Records, why this is a bad thing, and why a
new Resource Record Type should be allocated instead. new Resource Record Type should be allocated instead, but also
explain how to reuse an existing resource record, including TXT, can
be made less harmful.
The overall problem with most solutions has to do with two main The overall problem with most solutions has to do with two main
issues: issues:
o No semantics to prevent collision with other use o No semantics to prevent collision with other use
o Space considerations in the DNS message o Space considerations in the DNS message
A typical application designer is not interested in the DNS for its A typical application designer is not interested in the DNS for its
own sake, but rather as a distributed database in which application own sake, but rather regards it as a distributed database in which
data can be stored. As a result, the designer of a new application application data can be stored. As a result, the designer of a new
is usually looking for the easiest way to add whatever new data the application is usually looking for the easiest way to add whatever
application needs to the DNS in a way that naturally associates the new data the application needs to the DNS in a way that naturally
data with a DNS name. associates the data with a DNS name.
As explained in Section 3.4, using the DNS class system as an As explained in Section 3.4, using the DNS class system as an
extension mechanism is not really an option, and in fact most users extension mechanism is not really an option, and in fact most users
of the system don't even realize that the mechanism exists. As a of the system don't even realize that the mechanism exists. As a
practical matter, therefore any extension is likely to be within the practical matter, therefore any extension is likely to be within the
IN class. IN class.
Adding a new Resource Record Type is the technically correct answer Adding a new Resource Record Type is the technically correct answer
from the DNS protocol standpoint (more on this below), but doing so from the DNS protocol standpoint (more on this below), but doing so
requires some DNS expertise, due to the issues listed in Section 3.5. requires some DNS expertise, due to the issues listed in Section 3.5.
As a result, this option is usually not considered. Note that Consequently, this option is usually not considered. Note that
according to [RFC2929], some Types require IETF Consensus, while according to RFC 2929 [RFC2929], some Types require IETF Consensus,
others only require a specification. while others only require a specification.
There is a drawback to defining new RR types that is worth
mentioning. The RRTYPE is a 16 bit value and hence a a limited
resource. In order to prevent herding the registry has a review
based allocation policy [RFC2929], however this may not be sufficient
if extension of the DNS by addition of new RR types takes up
significantly and the registry starts nearing completion. In that
case the trade-offs with respect to choosing an extension mechanism
may need to change.
The application designer is thus left with the prospect of reusing The application designer is thus left with the prospect of reusing
some existing DNS Type within the IN class, but when the designer some existing DNS Type within the IN class, but when the designer
looks at the existing Types, almost all of them have well-defined looks at the existing Types, almost all of them have well-defined
semantics, none of which quite match the needs of the new semantics, none of which quite match the needs of the new
application. This has not completely prevented proposals from application. This has not completely prevented proposals from
reusing existing Resource Record Types in ways incompatible with reusing existing Resource Record Types in ways incompatible with
their defined semantics, but it does tend to steer application their defined semantics, but it does tend to steer application
designers away from this approach. designers away from this approach.
For example, Resource Record Type 40 was registered for the SINK For example, Resource Record Type 40 was registered for the SINK
record Type. This Resource Record Type was discussed in the DNSIND Resource Record Type. This Resource Record Type was discussed in the
working group of the IETF, and it was decided at the 46th IETF to not DNSIND working group of the IETF, and it was decided at the 46th IETF
move the I-D forward to become an RFC because of the risk of to not move the I-D forward to become an RFC because of the risk of
encouraging application designers to use the SINK Resource Record encouraging application designers to use the SINK Resource Record
Type instead of registering a new Resource Record Type, which would Type instead of registering a new Resource Record Type, which would
result in infeasibly large SINK RRsets. result in infeasibly large SINK RRsets.
Eliminating all of the above leaves the TXT Resource Record Type in Eliminating all of the above leaves the TXT Resource Record Type in
the IN class. The TXT RDATA format is free form text, and there are the IN class. The TXT RDATA format is free form text, and there are
no existing semantics to get in the way. Furthermore, the TXT no existing semantics to get in the way. Some attempts have been
Resource Record can obviously just be used as a bucket in which to made, for example in draft-cheshire-dnsext-dns-sd
carry around data to be used by some higher level parser, perhaps in [I-D.cheshire-dnsext-dns-sd], to specify a structured format for TXT
some human readable programming or markup language. Thus, for many Resource Record Types, but no such attempt has reached RFC status.
applications, TXT Resource Records are the "obvious" choice. Furthermore, the TXT Resource Record can obviously just be used as a
Unfortunately, this conclusion, while understandable, is also wrong, bucket in which to carry around data to be used by some higher level
for several reasons. parser, perhaps in some human readable programming or markup
language. Thus, for many applications, TXT Resource Records are the
"obvious" choice. Unfortunately, this conclusion, while
understandable, is also wrong, for several reasons.
The first reason why TXT Resource Records are not well suited to such The first reason why TXT Resource Records are not well suited to such
use is precisely the lack of defined semantics that make them so use is precisely the lack of defined semantics that make them so
attractive. Arguably, the TXT Resource Record is misnamed, and attractive. Arguably, the TXT Resource Record is misnamed, and
should have been called the Local Container record, because the lack should have been called the Local Container record, because the lack
of defined semantics means that a TXT Resource Record means precisely of defined semantics means that a TXT Resource Record means precisely
what the data producer says it means. This is fine, so long as TXT what the data producer says it means. This is fine, so long as TXT
Resource Records are being used by human beings or by private Resource Records are being used by human beings or by private
agreement between data producer and data consumer. However, it agreement between data producer and data consumer. However, it
becomes a problem once one starts using them for standardized becomes a problem once one starts using them for standardized
protocols in which there is no prior relationship between data protocols in which there is no prior relationship between data
producer and data consumer. The reason for this is that there is producer and data consumer. The reason for this is that, if TXT
nothing to prevent collisions with some other incompatible use of TXT records are used without one of the naming modifications discussed
Resource Records. This is even worse than the general subtyping earlier (and in some cases even if one use such naming mechanisms),
problem described in Section 3.1, because TXT Resource Records don't there is nothing to prevent collisions with some other incompatible
even have a standardized selector field in which to store the use of TXT Resource Records. This is even worse than the general
subtype. [RFC1464] tried, but it was not a success. At best a subtyping problem described in Section 3.1, because TXT Resource
definition of a subtype is reduced to hoping that whatever scheme one Records don't even have a standardized selector field in which to
has come up with will not accidently conflict with somebody else's store the subtype. RFC 1464 [RFC1464] tried, but it was not a
subtyping scheme, and that it will not be possible to mis-parse one success. At best a definition of a subtype is reduced to hoping that
application's use of TXT Resource Records as data intended for a whatever scheme one has come up with will not accidently conflict
different application. Any attempt to impose a standardized format with somebody else's subtyping scheme, and that it will not be
within the TXT Resource Record format would be at least fifteen years possible to mis-parse one application's use of TXT Resource Records
too late even if it were put into effect immediately; at best, one as data intended for a different application. Any attempt to impose
can restrict the syntax that a particular application uses within a a standardized format within the TXT Resource Record format would be
TXT Resource Record and accept the risk that unrelated TXT Resource at least fifteen years too late even if it were put into effect
Record uses will collide with it. immediately; at best, one can restrict the syntax that a particular
application uses within a TXT Resource Record and accept the risk
that unrelated TXT Resource Record uses will collide with it.
Using one of the naming modifications discussed in Section 3.2 and Using one of the naming modifications discussed in Section 3.2 and
Section 3.3 would address the subtyping problem, but each of these Section 3.3 would address the subtyping problem, (and have been used
approaches brings in new problems of its own. The prefix approach in combinations with reuse of TXT record, such as for the dns/txt
(that for example SRV Resource Records use) does not work well with lookup mechanism in DKIM) but each of these approaches brings in new
wildcards, which is a particular problem for mail-related problems of its own. The prefix approach (that for example SRV
applications, since MX Resource Records are probably the most common Resource Records use) does not work well with wildcards, which is a
use of DNS wildcards. The suffix approach doesn't have wildcard particular problem for mail-related applications, since MX Resource
issues, but, as noted previously, it does have synchronization and Records are probably the most common use of DNS wildcards. The
update authorization issues, since it works by creating a second suffix approach doesn't have wildcard issues, but, as noted
subtree in a different part of the global DNS name space. previously, it does have synchronization and update authorization
issues, since it works by creating a second subtree in a different
part of the global DNS name space.
The next reason why TXT Resource Records are not well suited to The next reason why TXT Resource Records are not well suited to
protocol use has to do with the limited data space available in a DNS protocol use has to do with the limited data space available in a DNS
message. As alluded to briefly in Section 3.1, typical DNS query message. As alluded to briefly in Section 3.1, typical DNS query
traffic patterns involve a very large number of DNS clients sending traffic patterns involve a very large number of DNS clients sending
queries to a relatively small number of DNS servers. Normal path MTU queries to a relatively small number of DNS servers. Normal path MTU
discovery schemes do little good here because, from the server's discovery schemes do little good here because, from the server's
perspective, there isn't enough repeat traffic from any one client perspective, there isn't enough repeat traffic from any one client
for it to be worth retaining state. UDP-based DNS is an idempotent for it to be worth retaining state. UDP-based DNS is an idempotent
query, whereas TCP-based DNS requires the server to keep state (in query, whereas TCP-based DNS requires the server to keep state (in
skipping to change at page 12, line 19 skipping to change at page 13, line 33
make them fit comfortably into the DNS regardless of encoding, it is make them fit comfortably into the DNS regardless of encoding, it is
probably better to move the data somewhere else, and just use the DNS probably better to move the data somewhere else, and just use the DNS
as a pointer to the data, as with NAPTR. as a pointer to the data, as with NAPTR.
6. Conclusion and Recommendation 6. Conclusion and Recommendation
Given the problems detailed in Section 5, it is worth reexamining the Given the problems detailed in Section 5, it is worth reexamining the
oft-jumped-to conclusion that specifying a new Resource Record Type oft-jumped-to conclusion that specifying a new Resource Record Type
is hard. Historically, this was indeed the case, but recent surveys is hard. Historically, this was indeed the case, but recent surveys
suggest that support for unknown Resource Record Types [RFC3597] is suggest that support for unknown Resource Record Types [RFC3597] is
now widespread, and that lack of support for unknown Types is mostly now widespread, and because of that the DNS infrastructure can handle
an issue for relatively old software that would probably need to be new resource record types. The lack of support for unknown Types is
upgraded in any case as part of supporting a new application. One mostly an issue for relatively old provision software and
should also remember that deployed DNS software today should support applications that would probably need to be upgraded in any case as
DNSSEC, and software recent enough to do so will likely support both part of supporting a new feature (that require the new Resource
unknown Resource Record Types [RFC3597] and EDNS0 [RFC2671]. Record Type). One should also remember that deployed DNS software
today should support DNSSEC, and software recent enough to do so will
likely support both unknown Resource Record Types [RFC3597] and EDNS0
[RFC2671].
Of all the issues detailed in Section 3.5, provisioning the data is Of all the issues detailed in Section 3.5, provisioning the data is
in some respects the most difficult. The problem here is less in some respects the most difficult. The problems can be divided in
two, the ability to manage the zone on the master server, and the
ability for secondary servers to do zone transfers (AXFR or IXFR)
with the new data. Investigations show that the problem here is less
difficult for the authoritative name servers themselves than the difficult for the authoritative name servers themselves than the
front-end systems used to enter (and perhaps validate) the data. front-end systems used to enter (and perhaps validate) the data.
Hand editing does not work well for maintenance of large zones, so Hand editing does not work well for maintenance of large zones, so
some sort of tool is necessary, and the tool may not be tightly some sort of tool is necessary, and the tool may not be tightly
coupled to the name server implementation itself. Note, however, coupled to the name server implementation itself. Note, however,
that this provisioning problem exists to some degree with any new that this provisioning problem exists to some degree with any new
form of data to be stored in the DNS, regardless of data format, form of data to be stored in the DNS, regardless of data format,
Resource Record type, or naming scheme. Including the TXT Resource Resource Record type (even if TXT Resource Record Types are in use),
Record Type. Adapting front-end systems to support a new Resource or naming scheme. Adapting front-end systems to support a new
Record type may be a bit more difficult than reusing an existing Resource Record Type may be a bit more difficult than reusing an
type, but this appears to be a minor difference in degree rather than existing type, but this appears to be a minor difference in degree
a difference in kind. rather than a difference in kind.
Given the various issues described in this note, we believe that: Given the various issues described in this note, we believe that:
o there is no magic solution which allows a completely painless o there is no magic solution which allows a completely painless
addition of new data to the DNS, but addition of new data to the DNS, but
o on the whole, the best solution is still to use the DNS Resource o on the whole, the best solution is still to use the DNS Resource
Record Type mechanism designed for precisely this purpose, and Record Type mechanism designed for precisely this purpose, and
o of all the alternate solutions, the "obvious" approach of using o of all the alternate solutions, the "obvious" approach of using
TXT Resource Records is almost certainly the worst. TXT Resource Records is almost certainly the worst.
This especially for the two reasons outlined above (lack of semantics This especially for the two reasons outlined above (lack of semantics
and its implications, and size leading to the need to use TCP). and its implications, and size leading to the need to use TCP).
7. Creating A New Resource Record Type 7. Creating A New Resource Record Type
The process for creating a new Resource Record Type is specified in The process for creating a new Resource Record Type is specified in
[I-D.ietf-dnsext-2929bis]. draft-ietf-dnsext-2929bis [I-D.ietf-dnsext-2929bis].
8. IANA Considerations 8. IANA Considerations
This document does not require any IANA actions. This document does not require any IANA actions.
9. Security Considerations 9. Security Considerations
DNS RRSets can be signed using DNSSEC. DNSSEC is almost certainly DNS RRSets can be signed using DNSSEC. DNSSEC is almost certainly
necessary for any application mechanism that stores authorization necessary for any application mechanism that stores authorization
data in the DNS. DNSSEC signatures significantly increase the size data in the DNS. DNSSEC signatures significantly increase the size
of the messages transported, and because of this, the DNS message of the messages transported, and because of this, the DNS message
size issues discussed in Section 3.1 and Section 5 are more serious size issues discussed in Section 3.1 and Section 5 are more serious
than they might at first appear. than they might at first appear.
Adding new Resource Record Types (as discussed in Section 3.5) might Adding new Resource Record Types (as discussed in Section 3.5) can
conceivably trigger bugs and other bad behavior in software that is create two different kinds of problems. In DNS software and in
not compliant with [RFC3597], but most such software is old enough applications. In the DNS software, it might conceivably trigger bugs
and insecure enough that it should be updated for other reasons in and other bad behavior in software that is not compliant with RFC
any case. Basic API support for retrieving arbitrary Resource Record 3597 [RFC3597], but most such DNS software is old enough and insecure
Types has been a requirement since 1989 (see [RFC1123]). enough that it should be updated for other reasons in any case. In
applications and provisioning software, the changes for the new
features that need the new data in DNS can be updated to understand
the structure of the new data format (regardless of whether a new
Resource Record Type is used or some other mechanism is chosen.
Basic API support for retrieving arbitrary Resource Record Types has
been a requirement since 1989[RFC1123].
Any new protocol that proposes to use the DNS to store data used to Any new protocol that proposes to use the DNS to store data used to
make authorization decisions would be well advised not only to use make authorization decisions would be well advised not only to use
DNSSEC but also to encourage upgrades to DNS server software recent DNSSEC but also to encourage upgrades to DNS server software recent
enough not to be riddled with well-known exploitable bugs. Because enough not to be riddled with well-known exploitable bugs. Because
of this, support for new Resource Record Types will not be as hard as of this, support for new Resource Record Types will not be as hard as
people might think at first. people might think at first.
10. Acknowledgements 10. Acknowledgements
skipping to change at page 14, line 8 skipping to change at page 15, line 34
People that have helped include: Dean Andersson, Loa Andersson, Mark People that have helped include: Dean Andersson, Loa Andersson, Mark
Andrews, John Angelmo, Roy Badami, Dan Bernstein, Alex Bligh, Andrews, John Angelmo, Roy Badami, Dan Bernstein, Alex Bligh,
Nathaniel Borenstein, Stephane Bortzmeyer, Brian Carpenter, Leslie Nathaniel Borenstein, Stephane Bortzmeyer, Brian Carpenter, Leslie
Daigle, Elwyn Davies, Mark Delany, Richard Draves, Martin Duerst, Daigle, Elwyn Davies, Mark Delany, Richard Draves, Martin Duerst,
Donald Eastlake, Robert Elz, Jim Fenton, Tony Finch, Jim Gilroy, Donald Eastlake, Robert Elz, Jim Fenton, Tony Finch, Jim Gilroy,
Olafur Gudmundsson, Eric Hall, Philip Hallam-Baker, Ted Hardie, Bob Olafur Gudmundsson, Eric Hall, Philip Hallam-Baker, Ted Hardie, Bob
Hinden, Paul Hoffman, Geoff Houston, Christian Huitema, Johan Ihren, Hinden, Paul Hoffman, Geoff Houston, Christian Huitema, Johan Ihren,
John Klensin, Olaf Kolkman, Ben Laurie, William Leibzon, John Levine, John Klensin, Olaf Kolkman, Ben Laurie, William Leibzon, John Levine,
Edward Lewis, David MacQuigg, Allison Manking, Bill Manning, Danny Edward Lewis, David MacQuigg, Allison Manking, Bill Manning, Danny
McPherson, David Meyer, Pekka Nikander, Masataka Ohta, Douglas Otis, McPherson, David Meyer, Pekka Nikander, Mans Nilsson, Masataka Ohta,
Michael Patton, Jonathan Rosenberg, Anders Rundgren, Miriam Sapiro, Douglas Otis, Michael Patton, Jonathan Rosenberg, Anders Rundgren,
Pekka Savola, Chip Sharp, James Snell, Dave Thaler, Michael Thomas, Miriam Sapiro, Pekka Savola, Chip Sharp, James Snell, Dave Thaler,
Paul Vixie, Sam Weiler, Florian Weimer, Bert Wijnen, and Dan Wing. Michael Thomas, Paul Vixie, Sam Weiler, Florian Weimer, Bert Wijnen,
and Dan Wing.
Members of the IAB when this document was made available were: Loa Members of the IAB when this document was made available were: Loa
Andersson, Leslie Daigle, Elwyn Davies, Kevin Fall, Russ Housley, Andersson, Gonzalo Camarillo, Stuart Cheshire Russ Housley, Olaf
Olaf Kolkman, Barry Leiba, Kurtis Lindqvist, Danny McPherson, David Kolkman, Gregory Lebovitz, Barry Leiba, Kurtis Lindqvist, Andrew
Oran, Eric Rescorla, Dave Thaler, and Lixia Zhang. Malis, Danny McPherson, David Oran, Dave Thaler, and Lixia Zhang.
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", RFC 1035, STD 13, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC1464] Rosenbaum, R., "Using the Domain Name System To Store [RFC1464] Rosenbaum, R., "Using the Domain Name System To Store
Arbitrary String Attributes", RFC 1464, May 1993. Arbitrary String Attributes", RFC 1464, May 1993.
[RFC2535] Eastlake 3rd, D., "Domain Name System Security [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
Extensions", RFC 2535, March 1999. RFC 2535, March 1999.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999. RFC 2671, August 1999.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003. (RR) Types", RFC 3597, September 2003.
11.2. Informative References 11.2. Informative References
[I-D.cheshire-dnsext-dns-sd]
Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", draft-ietf-dnsext-2929bis-06 (work in
progress), August 2006.
[I-D.ietf-dnsext-2929bis] [I-D.ietf-dnsext-2929bis]
3rd, D., "Domain Name System (DNS) IANA Considerations", Eastlake 3rd, D., "Domain Name System (DNS) IANA
draft-ietf-dnsext-2929bis-06 (work in progress), Considerations", draft-cheshire-dnsext-dns-sd-03 (work in
August 2007. progress), August 2007.
[RFC1123] Braden, R., "Requirements for Internet Hosts - Application [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
and Support", RFC 1123, STD 3, October 1989. and Support", STD 3, RFC 1123, October 1989.
[RFC1535] Gavron, E., "A Security Problem and Proposed Correction
With Widely Deployed DNS Software", RFC 1535,
October 1993.
[RFC2163] Allocchio, C., "Using the Internet DNS to Distribute MIXER [RFC2163] Allocchio, C., "Using the Internet DNS to Distribute MIXER
Conformant Global Address Mapping (MCGAM)", RFC 2163, Conformant Global Address Mapping (MCGAM)", RFC 2163,
January 1998. January 1998.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997.
[RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
RFC 2672, August 1999. RFC 2672, August 1999.
[RFC2929] Eastlake 3rd, D., Brunner-Williams, E., and B. Manning, [RFC2929] Eastlake, D., Brunner-Williams, E., and B. Manning,
"Domain Name System (DNS) IANA Considerations", RFC 2929, "Domain Name System (DNS) IANA Considerations", BCP 42,
BCP 42, September 2000. RFC 2929, September 2000.
[RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
Resource Record (RR)", RFC 3445, December 2002. Resource Record (RR)", RFC 3445, December 2002.
[RFC3467] Klensin, J., "Role of the Domain Name System (DNS)", [RFC3467] Klensin, J., "Role of the Domain Name System (DNS)",
RFC 3467, February 2003. RFC 3467, February 2003.
[RFC3761] Faltstrom, P. and M. Mealling, "The E.164 to Uniform [RFC3761] Faltstrom, P. and M. Mealling, "The E.164 to Uniform
Resource Identifiers (URI) Dynamic Delegation Discovery Resource Identifiers (URI) Dynamic Delegation Discovery
System (DDDS) Application (ENUM)", RFC 3761, April 2004. System (DDDS) Application (ENUM)", RFC 3761, April 2004.
skipping to change at page 16, line 44 skipping to change at line 799
attempt made to obtain a general license or permission for the use of attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 49 change blocks. 
184 lines changed or deleted 265 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/