draft-ietf-dnsext-rfc2672bis-dname-01.txt   draft-ietf-dnsext-rfc2672bis-dname-02.txt 
DNS Extensions Working Group S. Rose DNS Extensions Working Group S. Rose
Internet-Draft NIST Internet-Draft NIST
Intended status: Standards Track W. Wijngaards Intended status: Standards Track W. Wijngaards
Expires: July 26, 2007 NLnet Labs Expires: October 26, 2007 NLnet Labs
January 22, 2007 April 24, 2007
Update to DNAME Redirection in the DNS Update to DNAME Redirection in the DNS
draft-ietf-dnsext-rfc2672bis-dname-01 draft-ietf-dnsext-rfc2672bis-dname-02
Status of This Memo Status of This Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 26, 2007. This Internet-Draft will expire on October 26, 2007.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
The DNAME record provides redirection for a sub-tree of the domain The DNAME record provides redirection for a sub-tree of the domain
name tree in the DNS system. That is, all names that end with a name tree in the DNS system. That is, all names that end with a
particular suffix are redirected to another part of the DNS. This is particular suffix are redirected to another part of the DNS. This is
skipping to change at page 2, line 18 skipping to change at page 2, line 18
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 3 2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 3
2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 4 2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 4
2.3. Names next-to and below a DNAME record . . . . . . . . . . 5 2.3. DNAME Apex not Redirected itself . . . . . . . . . . . . . 5
2.4. Compression of the DNAME record. . . . . . . . . . . . . . 5 2.4. Names Next to and Below a DNAME Record . . . . . . . . . . 5
2.5. Compression of the DNAME record. . . . . . . . . . . . . . 6
3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. DNAME bit in NSEC type map . . . . . . . . . . . . . . . . 6
3.3. CNAME synthesis . . . . . . . . . . . . . . . . . . . . . 6
3.4. Processing . . . . . . . . . . . . . . . . . . . . . . . . 6
4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 7 3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. CNAME synthesis . . . . . . . . . . . . . . . . . . . . . 6
3.3. Acceptance and Intermediate Storage . . . . . . . . . . . 7
3.4. Server algorithm . . . . . . . . . . . . . . . . . . . . . 7
5. Issues with DNAME . . . . . . . . . . . . . . . . . . . . . . 7 4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 9
5.1. DNAME Apex not Redirected itself . . . . . . . . . . . . . 8
5.2. MX, NS and PTR Records Must Point to Target of DNAME . . . 8
5.3. NSEC3 and DNAME . . . . . . . . . . . . . . . . . . . . . 8
5.4. Validators Must Understand DNAME . . . . . . . . . . . . . 9
5.4.1. DNAME in Bitmap Causes Invalid Name Error . . . . . . 9
5.4.2. Valid Name Error Response Involving DNAME in Bitmap . 9
5.4.3. Response With Synthesized CNAME . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. Other Issues with DNAME . . . . . . . . . . . . . . . . . . . 10
5.1. MX, NS and PTR Records Must Point to Target of DNAME . . . 10
5.2. Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 10
5.3. DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 11
5.3.1. DNAME bit in NSEC/NSEC3 type map . . . . . . . . . . . 11
5.3.2. Other issues with NSEC3 and DNAME . . . . . . . . . . 11
5.3.3. Validators Must Understand DNAME . . . . . . . . . . . 11
5.3.3.1. DNAME in Bitmap Causes Invalid Name Error . . . . 11
5.3.3.2. Valid Name Error Response Involving DNAME in
Bitmap . . . . . . . . . . . . . . . . . . . . . . 12
5.3.3.3. Response With Synthesized CNAME . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Document History . . . . . . . . . . . . . . . . . . . . . . . 10 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
10. Normative References . . . . . . . . . . . . . . . . . . . . . 11 9. Normative References . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
DNAME is a DNS Resource Record type. DNAME provides redirection from DNAME is a DNS Resource Record type. DNAME provides redirection from
a part of the DNS name tree to another part of the DNS name tree. a part of the DNS name tree to another part of the DNS name tree.
For example, given a query for foo.example.com and a DNAME from For example, given a query for foo.example.com and a DNAME from
example.com to example.net, the query would be redirected to example.com to example.net, the query would be redirected to
foo.example.net. With the same DNAME a query for foo.bar.example.com foo.example.net. With the same DNAME a query for foo.bar.example.com
is redirected to foo.bar.example.net. would be redirected to foo.bar.example.net.
The DNAME RR is similar to the CNAME RR in that it provides The DNAME RR is similar to the CNAME RR in that it provides
redirection. But where the CNAME RR only provides redirection for redirection. The CNAME RR only provides redirection for exactly one
exactly one name, the DNAME RR provides redirection for all names in name while the DNAME RR provides redirection for all names in a sub-
a sub-tree of the DNS name tree. tree of the DNS name tree.
This document is an update to the original specification of DNAME in This document is an update to the original specification of DNAME in
RFC 2672 [RFC2672], by Matt Crawford. DNAME was conceived to help RFC 2672 [RFC2672]. DNAME was conceived to help with the problem of
with the problem of maintaining address-to-name mappings in a context maintaining address-to-name mappings in a context of network
of network renumbering. So that with a careful set-up a renumbering renumbering. So that with a careful set-up a renumbering event in
event in the network causes no change to the authoritative server the network causes no change to the authoritative server that has the
that has the address-to-name mappings. address-to-name mappings. Examples in practice are classless reverse
address space delegations and punycode alternates for domain spaces.
Other usage of DNAME lies in redirection of name spaces. Where a Other usage of DNAME lies in redirection of name spaces. For
zone administrator want subtrees of the DNS to contain the same example, a zone administrator may want subtrees of the DNS to contain
information. Examples in practice are classless reverse address the same information. DNAME is also used for redirection of ENUM
space delegations and punycode alternates for domain spaces. DNAME domains to another maintaining party.
is also used for redirection of ENUM domains to another maintaining
party.
This update to DNAME does not change the wire format, or the handling This update to DNAME does not change the wire format or the handling
of DNAME Resource Records by existing software. Discussion is added of DNAME Resource Records by existing software. Discussion is added
on the problems that can be encountered when using DNAME. on problems that may be encountered when using DNAME.
2. The DNAME Resource Record 2. The DNAME Resource Record
2.1. Format 2.1. Format
The DNAME RR has mnemonic DNAME and type code 39 (decimal). The DNAME RR has mnemonic DNAME and type code 39 (decimal).
The format of the DNAME record has not changed compared to RFC 2672. The format of the DNAME record has not changed from the original
DNAME has the following format: specification in RFC 2672. DNAME has the following format:
<owner> <ttl> <class> DNAME <target> <owner> <ttl> <class> DNAME <target>
The format is not class-sensitive. All fields are required. The The format is not class-sensitive. All fields are required. The
RDATA field target is a domain-name. The RDATA field target name RDATA field target is a domain name. The RDATA field target name
MUST be sent uncompressed [RFC3597]. MUST be sent uncompressed [RFC3597].
The DNAME RR causes type NS additional section processing. The DNAME RR causes type NS additional section processing.
2.2. The DNAME Substitution 2.2. The DNAME Substitution
DNAMEs cause a name substitution to happen to query names. This is DNAMEs cause a name substitution to happen to query names. This is
called The DNAME Substitution. The suffix ownername of the DNAME is called the DNAME substitution. The suffix ownername of the DNAME is
replaced by the target of the DNAME. The owner name of the DNAME is replaced by the target of the DNAME. The owner name of the DNAME is
not itself redirected, only domain names below the owner name are not itself redirected, only domain names below the owner name are
redirected. Only whole labels are replaced. A name is considered redirected. Only whole labels are replaced. A name is considered
below the owner name if it has more labels than the owner name, and below the owner name if it has more labels than the owner name, and
the labels of the owner name appear at the end of the name. See the the labels of the owner name appear as the suffix of the name. See
table of examples for common cases and corner cases. the table of examples for common cases and corner cases.
In the table below, the QNAME refers to the query name. The owner is In the table below, the QNAME refers to the query name. The owner is
the DNAME owner domain name, and the target refers to the target of the DNAME owner domain name, and the target refers to the target of
the DNAME record. The result is the resulting name of performing the the DNAME record. The result is the resulting name after performing
DNAME Substitution on the query name. "no match" means that the query the DNAME substitution on the query name. "no match" means that the
did not match the DNAME and thus no substitution is performed, the query did not match the DNAME and thus no substitution is performed
QNAME did not change. The examples 'cyc' and 'shortloop' contain and a possible error message is returned (if no other result is
possible). In the examples below, 'cyc' and 'shortloop' contain
loops. loops.
QNAME owner DNAME target result QNAME owner DNAME target result
---------------- -------------- -------------- ----------------- ---------------- -------------- -------------- -----------------
com. example.com. example.net. <no match> com. example.com. example.net. <no match>
example.com. example.com. example.net. <no match> example.com. example.com. example.net. <no match>
a.example.com. example.com. example.net. a.example.net. a.example.com. example.com. example.net. a.example.net.
a.b.example.com. example.com. example.net. a.b.example.net. a.b.example.com. example.com. example.net. a.b.example.net.
ab.example.com. b.example.com. example.net. <no match> ab.example.com. b.example.com. example.net. <no match>
foo.example.com. example.com. example.net. foo.example.net. foo.example.com. example.com. example.net. foo.example.net.
a.x.example.com. x.example.com. example.net. a.example.net. a.x.example.com. x.example.com. example.net. a.example.net.
a.example.com. example.com. y.example.net. a.y.example.net. a.example.com. example.com. y.example.net. a.y.example.net.
cyc.example.com. example.com. example.com. cyc.example.com. cyc.example.com. example.com. example.com. cyc.example.com.
cyc.example.com. example.com. c.example.com. cyc.c.example.com. cyc.example.com. example.com. c.example.com. cyc.c.example.com.
shortloop.x.x. x. . shortloop.x. shortloop.x.x. x. . shortloop.x.
shortloop.x. x. . shortloop. shortloop.x. x. . shortloop.
Table. DNAME Substitution Examples. Table 1. DNAME Substitution Examples.
It is possible for DNAMEs to form loops. Just like CNAMEs can form It is possible for DNAMEs to form loops. Just like CNAMEs can form
loops. DNAMEs and CNAMEs can chain together to form loops. A single loops. DNAMEs and CNAMEs can chain together to form loops. A single
corner case DNAME can form a loop. Resolvers and servers should be corner case DNAME can form a loop. Resolvers and servers should be
cautious in devoting resources to a query, but be aware that fairly cautious in devoting resources to a query, but be aware that fairly
long chains of DNAMEs may be valid. long chains of DNAMEs may be valid. Zone content administrators
should take care to insure that there are no loops that could occur
when using DNAME or DNAME/CNAME redirection.
The domain name can get too long during substitution. If this occurs The domain name can get too long during substitution. For example,
the server returns an RCODE of YXDOMAIN [RFC2136]. The DNAME record suppose the target name of the DNAME RR is 250 octets in length
and its signature are included in the answer as proof for the (multiple labels), if an incoming QNAME that has a first label over 5
YXDOMAIN (value 6) RCODE. octets in length, the result of the result would be a name over 255
octets. If this occurs the server returns an RCODE of YXDOMAIN
[RFC2136]. The DNAME record and its signature (if the zone is
signed) are included in the answer as proof for the YXDOMAIN (value
6) RCODE.
2.3. Names next-to and below a DNAME record 2.3. DNAME Apex not Redirected itself
Other resource records MUST NOT exist below a DNAME. To get the The owner name of a DNAME is not redirected itself. The reason for
contents for names below a DNAME, the DNAME redirection must be the original decision was that one can have a DNAME at the zone apex
invoked and the resulting target queried. A server SHOULD refuse to without problem. Then use this DNAME at the zone apex to point
load a zone that has data below a domain with a DNAME resource queries to the target zone. There still is a need to have the
record. Also a server SHOULD refuse to load a zone beneath a DNAME customary SOA and NS resource records at the zone apex. This means
record from another zone. that DNAME does not mirror a zone completely, as it does not mirror
the zone apex.
DNAME is a singleton type, only one DNAME is allowed per name. The Another reason for excluding the DNAME owner from the DNAME
owner name that has a DNAME, can only have one DNAME RR, and no CNAME substitution is that one can then query for the DNAME through RFC
RRs can exist at that name. These rules make sure that for a single 1034 [RFC1034] caches.
domain name only one redirection exists, and thus no confusion which
one to follow. A server SHOULD refuse to load a zone that violates This means that a DNAME RR is not allowed at the same domain name as
these rules. NS records unless there is also a SOA record present. DNAME RRs are
not allowed at the parent side of a delegation point but are allowed
at a zone apex.
2.4. Names Next to and Below a DNAME Record
Other resource records MUST NOT exist below the owner of a DNAME RR.
To get the contents for names subordinate to that owner, the DNAME
redirection must be invoked and the resulting target queried. A
server SHOULD refuse to load a zone that has data below a domain name
owning a DNAME RR. Also a server SHOULD refuse to load a zone
subordinate to the owner of a DNAME record in the ancestor zone.
DNAME is a singleton type, meaning only one DNAME is allowed per
name. The owner name of a DNAME can only have one DNAME RR, and no
CNAME RRs can exist at that name. These rules make sure that for a
single domain name only one redirection exists, and thus no confusion
which one to follow. A server SHOULD refuse to load a zone that
violates these rules.
The domain name that owns a DNAME record is allowed to have other
resource record types at that domain name, except DNAMEs or CNAMEs.
These rules allow DNAME records to be queried through DNAME unaware These rules allow DNAME records to be queried through DNAME unaware
caches. caches.
2.4. Compression of the DNAME record. 2.5. Compression of the DNAME record.
The DNAME owner name can be compressed like any other owner name. The DNAME owner name can be compressed like any other owner name.
The target DNAME RDATA name of MUST NOT be sent out in compressed The DNAME RDATA target name MUST NOT be sent out in compressed form,
form, so that DNAME can be treated as an unknown type. so that a DNAME RR can be treated as an unknown type.
Although the previous specification talked about signaling to allow Although the previous specification [RFC2672] talked about signaling
compression of the target name, no such signaling is done. Signaling to allow compression of the target name, no such signaling is
complicates the protocol unnecessarily. explicitly specified.
RFC2672 claimed that the EDNS version had a meaning for understanding RFC2672 stated that the EDNS version had a meaning for understanding
of DNAME and DNAME target name compression. This document updates of DNAME and DNAME target name compression. This document updates
RFC2672, there is no EDNS version signaling for DNAME. RFC2672, in that there is no EDNS version signaling for DNAME.
3. Processing 3. Processing
3.1. Wildcards 3.1. Wildcards
The use of DNAME in conjunction with wildcards is discouraged The use of DNAME in conjunction with wildcards is discouraged
[RFC4592]. Thus records of the form "*.example.com DNAME [RFC4592]. Thus records of the form "*.example.com DNAME
example.net" SHOULD NOT be used. example.net" SHOULD NOT be used.
The interaction between the expansion of the wildcard and the The interaction between the expansion of the wildcard and the
redirection of the DNAME is non-deterministic. Because the redirection of the DNAME is non-deterministic. Because the
processing is non-deterministic, DNSSEC validating resolvers may not processing is non-deterministic, DNSSEC validating resolvers may not
be able to validate a wildcarded DNAME. be able to validate a wildcarded DNAME.
A server MAY give a warning that the behaviour is unspecified if such A server MAY give a warning that the behaviour is unspecified if such
a wildcarded DNAME is loaded. a wildcarded DNAME is loaded.
3.2. DNAME bit in NSEC type map 3.2. CNAME synthesis
When a validator checks the NSEC RRs returned on a name error
response, it SHOULD check that the DNAME bit is not set. If the
DNAME bit is set then the DNAME substitution should have been done,
but has not. In the same vein, for a no error/no data response the
CNAME bit in the NSEC RR bitmap should not be set.
3.3. CNAME synthesis
On the server side, the DNAME RR record is always included in the On the server side, the DNAME RR record is always included in the
answer section of a query. A CNAME RR record with TTL 0 is answer section of a query. A CNAME RR record with TTL 0 is
synthesized for old resolvers, specifically for the QNAME in the synthesized for old resolvers, specifically for the QNAME in the
query. DNSSEC [RFC4033], [RFC4034], [RFC4035] says that the query. DNSSEC [RFC4033], [RFC4034], [RFC4035] says that the
synthesized CNAME does not have to be signed. The DNAME has an RRSIG synthesized CNAME does not have to be signed. The DNAME has an RRSIG
and a validating resolver can check the CNAME against the DNAME and a validating resolver can check the CNAME against the DNAME
record and validate the DNAME record. record and validate the DNAME record.
The TTL of the synthesized CNAME record MAY be set to the TTL of the
DNAME record. This enables older caches store the CNAMEs without a
need to re-query for them. This updates RFC2672 which stated the TTL
had to be zero.
It does not make sense for the authoritative server to follow the It does not make sense for the authoritative server to follow the
chain of DNAMEs, CNAMEs and wildcards outside of the zone of the chain of DNAMEs, CNAMEs and wildcards outside of the zone of the
query, as modern resolvers will remove out-of-zone information from query, as modern resolvers will remove out-of-zone information from
the answer. the answer.
The EDNS DNSSEC-OK bit signals understanding of the DNAME record The EDNS DNSSEC-OK bit signals understanding of the DNAME record
[RFC4034]. If set, the synthesized CNAME MAY be omitted, since it is [RFC4034]. If set, the synthesized CNAME MAY be omitted, since it is
not signed and therefore not useful for validation and a waste of not signed and therefore not useful for validation and consumes
bandwidth. This is a change from RFC2672, which specified CNAMEs had bandwidth. This is a change from RFC2672, which specified CNAMEs had
to be synthesized for all EDNS0, or non-extended queries. to be synthesized for all EDNS0, or non-extended queries.
Resolvers MUST be able to handle a synthesized CNAME TTL of zero or Resolvers MUST be able to handle a synthesized CNAME TTL of zero or
equal to the TTL of the corresponding DNAME record. The TTL of zero equal to the TTL of the corresponding DNAME record. The TTL of zero
means that the CNAME can be discarded immediately after processing means that the CNAME can be discarded immediately after processing
the answer. the answer. DNSSEC aware resolvers (setting the DNSSEC-OK bit) MUST
be able to handle responses with only the DNAME RR and no synthesized
CNAMEs.
Servers MUST be able to answer a query for a synthesized CNAME. An Servers MUST be able to answer a query for a synthesized CNAME. An
answer containing the synthesized CNAME cannot contain an error answer containing the synthesized CNAME cannot contain an error
(since a CNAME has been followed), as per RFC 1034 CNAME rules. (since a CNAME has been followed), as per RFC 1034 CNAME rules.
3.4. Processing 3.3. Acceptance and Intermediate Storage
TBD: An issue with some firewalls and middleboxes, and perhaps DNS Caches MUST NOT allow data to be cached below the owner of a
windows XP/2003 resolvers potentially responding badly to DNAME DNAME RR, except CNAME records or perhaps NSEC3 records and their
records (dropping packets), signatures. CNAME records below the owner of a DNAME MUST be re-
TBD: Is this useful to specify? Resolvers MUST be able to handle synthesized from the DNAME, or checked against the DNAME record
unsigned responses with only the CNAME, or with the DNAME only, or before sending them out. This improves consistency of the DNAME and
both CNAME and DNAME. Resolvers that query with DNSSEC_OK MUST be CNAME records below the owner of the DNAME.
able to handle signed responses with only the DNAME, or with the
unsigned synthesized CNAME included.
Caches MUST NOT allow data to be cached below a DNAME. Except CNAME 3.4. Server algorithm
records or perhaps NSEC3 records and their signatures. CNAME records
below a DNAME MUST be re-synthesized from the DNAME, or checked Below the server algorithm, which appeared in RFC 2672 Section 4.1,
against the DNAME record before sending them out. This improves is expanded to handle the DO bit.
consistency of the DNAME and CNAME records below it.
1. Set or clear the value of recursion available in the response
depending on whether the name server is willing to provide
recursive service. If recursive service is available and
requested via the RD bit in the query, go to step 5, otherwise
step 2.
2. Search the available zones for the zone which is the nearest
ancestor to QNAME. If such a zone is found, go to step 3,
otherwise step 4.
3. Start matching down, label by label, in the zone. The matching
process can terminate several ways:
A. If the whole of QNAME is matched, we have found the node.
If the data at the node is a CNAME, and QTYPE doesn't match
CNAME, copy the CNAME RR into the answer section of the
response, change QNAME to the canonical name in the CNAME RR,
and go back to step 1.
Otherwise, copy all RRs which match QTYPE into the answer
section and go to step 6.
B. If a match would take us out of the authoritative data, we
have a referral. This happens when we encounter a node with
NS RRs marking cuts along the bottom of a zone.
Copy the NS RRs for the subzone into the authority section of
the reply. Put whatever addresses are available into the
additional section, using glue RRs if the addresses are not
available from authoritative data or the cache. Go to step
4.
C. If at some label, a match is impossible (i.e., the
corresponding label does not exist), look to see whether the
last label matched has a DNAME record.
If a DNAME record exists at that point, copy that record into
the answer section. If substitution of its <target> for its
<owner> in QNAME would overflow the legal size for a <domain-
name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise
perform the substitution and continue. The server SHOULD
synthesize a CNAME record as described above and include it
in the answer section. The server MAY omit this CNAME
synthesis if the query has the EDNS DNSSEC-OK bit set. Go
back to step 1.
If there was no DNAME record, look to see if the "*" label
exists.
If the "*" label does not exist, check whether the name we
are looking for is the original QNAME in the query or a name
we have followed due to a CNAME or DNAME. If the name is
original, set an authoritative name error in the response and
exit. Otherwise just exit.
If the "*" label does exist, match RRs at that node against
QTYPE. If any match, copy them into the answer section, but
set the owner of the RR to be QNAME, and not the node with
the "*" label. Go to step 6.
4. Start matching down in the cache. If QNAME is found in the
cache, copy all RRs attached to it that match QTYPE into the
answer section. If QNAME is not found in the cache but a DNAME
record is present at an ancestor of QNAME, copy that DNAME record
into the answer section. If there was no delegation from
authoritative data, look for the best one from the cache, and put
it in the authority section. Go to step 6.
5. Use the local resolver or a copy of its algorithm to answer the
query. Store the results, including any intermediate CNAMEs and
DNAMEs, in the answer section of the response.
6. Using local data only, attempt to add other RRs which may be
useful to the additional section of the query. Exit.
Note that there will be at most one ancestor with a DNAME as
described in step 4 unless some zone's data is in violation of the
no-descendants limitation in section 3. An implementation might take
advantage of this limitation by stopping the search of step 3c or
step 4 when a DNAME record is encountered.
4. DNAME Discussions in Other Documents 4. DNAME Discussions in Other Documents
In [RFC2181], in Section 10.3., the discussion on MX and NS records In [RFC2181], in Section 10.3., the discussion on MX and NS records
touches on redirection by CNAMEs, but this also holds for DNAMEs. touches on redirection by CNAMEs, but this also holds for DNAMEs.
Excerpt from 10.3. MX and NS records (in RFC 2181). Excerpt from 10.3. MX and NS records (in RFC 2181).
The domain name used as the value of a NS resource record, The domain name used as the value of a NS resource record,
or part of the value of a MX resource record must not be or part of the value of a MX resource record must not be
an alias. Not only is the specification clear on this an alias. Not only is the specification clear on this
point, but using an alias in either of these positions point, but using an alias in either of these positions
neither works as well as might be hoped, nor well fulfills neither works as well as might be hoped, nor well fulfills
the ambition that may have led to this approach. This the ambition that may have led to this approach. This
domain name must have as its value one or more address domain name must have as its value one or more address
records. Currently those will be A records, however in records. Currently those will be A records, however in
the future other record types giving addressing the future other record types giving addressing
information may be acceptable. It can also have other information may be acceptable. It can also have other
RRs, but never a CNAME RR. RRs, but never a CNAME RR.
RFC 4592 [RFC4592] says that DNAMEs are discouraged at wildcards. The DNAME RR is discussed in RFC 3363, section 4, on A6 and DNAME.
DNAMEs and CNAMEs can form loops. [RFC3363] does NOT RECOMMENDED the use of DNAME in the IPv6 reverse
tree. (Hence, all references to DNAME should have been removed from
[RFC4294].) Based on the experience gained in the meantime, RFC 3363
should be revised, dropping all constraints on having DNAME RRs in
these zones. This would greatly improve the manageability of the
IPv6 reverse tree. These changes are made explicit below.
DNAME is discussed in RFC 3363, section 4, on A6 and DNAME. DNAME is In [RFC3363], section 4, DNAME is not recommended for the IPv6
NOT RECOMMENDED for use in the IPv66 reverse tree [RFC3363]. And reverse tree. The opening premise of this section is demonstrably
from [RFC4294], all references to DNAME should have been removed. wrong. Everything that follows from that premise is also invalid.
There needs to be a better clarification of the status of DNAME in
RFC 3363 which would be to drop all constraints on having DNAME RRs
in these zones.
5. Issues with DNAME In [RFC3363], the paragraph
There are several issues to be aware of about the use of DNAME. "The issues for DNAME in the reverse mapping tree appears to be
closely tied to the need to use fragmented A6 in the main tree: if
one is necessary, so is the other, and if one isn't necessary, the
other isn't either. Therefore, in moving RFC 2874 to experimental,
the intent of this document is that use of DNAME RRs in the reverse
tree be deprecated."
5.1. DNAME Apex not Redirected itself is to be replaced with the word "DELETED".
The owner name of a DNAME is not redirected itself. The reason for In [RFC4294], the reference to DNAME was left in as a editorial
the original decision was that in this way (without DNAME owner oversight. The paragraph
affected) one can have a DNAME at the zone apex, next to the SOA, NS
records, without problem. Then use this to point queries to this
zone to other zones. Hosting two identical zones for example, there
still is a need to duplicate the resource records at the zone apex.
Another reason for excluding the DNAME owner from the DNAME
substitution is that one can then query for the DNAME through RFC
1034 [RFC1034] caches.
This means that DNAME does not mirror a zone completely, as it does "Those nodes are NOT RECOMMENDED to support the experimental A6 and
not mirror the zone apex. It can be used if the zone apex records DNAME Resource Records [RFC3363]."
are duplicated to provide a summary of the rest of the zone.
The rules on DNAME RRs mean that it is not allowed at the same domain is to be replaced by
name as NS records unless there is also a SOA record there. This
means DNAME RRs are not allowed at the parent side of a delegation
point. DNAME is allowed at a zone apex.
5.2. MX, NS and PTR Records Must Point to Target of DNAME "Those nodes are NOT RECOMMENDED to support the experimental
A6 Resource Record [RFC3363]."
5. Other Issues with DNAME
There are several issues to be aware of about the use of DNAME.
5.1. MX, NS and PTR Records Must Point to Target of DNAME
The names listed as target names of MX, NS and PTR records must be The names listed as target names of MX, NS and PTR records must be
canonical hostnames. This means no CNAME or DNAME redirection may be canonical hostnames. This means no CNAME or DNAME redirection may be
present during DNS lookup of the address records for the host. This present during DNS lookup of the address records for the host. This
is discussed in RFC 2181 [RFC2181], section 10.3, and RFC 1912 is discussed in RFC 2181 [RFC2181], section 10.3, and RFC 1912
[RFC1912], section 2.4. [RFC1912], section 2.4.
The upshot of this is that although the lookup of a PTR record can The upshot of this is that although the lookup of a PTR record can
involve DNAMEs, the name listed in the PTR record can not fall under involve DNAMEs, the name listed in the PTR record can not fall under
a DNAME. The same holds for NS and MX records. For example, when a DNAME. The same holds for NS and MX records. For example, when
punycode alternates for a zone use DNAME then the NS, MX and PTR punycode alternates for a zone use DNAME then the NS, MX and PTR
records that point to that zone must use names without punycode in records that point to that zone must use names without punycode in
their RDATA. What must be done then is to have the domain names with their RDATA. What must be done then is to have the domain names with
DNAME substitution already applied to it as the MX, NS, PTR data. DNAME substitution already applied to it as the MX, NS, PTR data.
These are valid canonical hostnames. These are valid canonical hostnames.
5.3. NSEC3 and DNAME 5.2. Dynamic Update and DNAME
NSEC3 records and their signatures are allowed to exist below a Zones containing a DNAME RR MUST NOT accept a dynamic update message
DNAME. This is because of the nature of NSEC3 RRs in DNSSEC, which that would add a record or delegation with a name existing under a
creates hashed owner names that exist below the apex. This is an DNAME.
exception to the rule that there MUST NOT be any other RRs under a
DNAME RR, if the DNAME RR exists at the zone apex.
TBD: This is a new issue, but the same as the NSEC3 draft. A server MUST return an error message with RCODE=REFUSED [RFC2136] in
response to a dynamic update message that would add a resource record
under a DNAME in the zone.
5.3. DNSSEC and DNAME
5.3.1. DNAME bit in NSEC/NSEC3 type map
When a validator checks the NSEC/NSEC3 RRs returned on a name error
response, it SHOULD check that the DNAME bit is not set. If the
DNAME bit is set then the DNAME substitution should have been done,
but has not.
5.3.2. Other issues with NSEC3 and DNAME
NSEC3 records and their signatures are allowed to exist below the
owner name of a DNAME RR. This is because of the nature of NSEC3 RRs
in DNSSEC, which creates hashed owner names that exist below the apex
name of the zone. This is an exception to the rule that there MUST
NOT be any other RRs under the owner name of a DNAME RR, if the DNAME
RR is owned by the zone apex domain name.
Queries for NSEC3 owner names are redirected as if there were no such Queries for NSEC3 owner names are redirected as if there were no such
NSEC3 present. NSEC3 present.
There is no significant extra hashing cost for NSEC3 signed zones There is no significant extra hashing cost for NSEC3 signed zones
when answering queries with DNAME substitution. when answering queries with DNAME substitution.
5.4. Validators Must Understand DNAME 5.3.3. Validators Must Understand DNAME
Examples of why DNSSEC validators MUST understand DNAME. Examples of why DNSSEC validators MUST understand DNAME.
5.4.1. DNAME in Bitmap Causes Invalid Name Error 5.3.3.1. DNAME in Bitmap Causes Invalid Name Error
;; Header: QR AA DO RCODE=3(NXDOMAIN) ;; Header: QR AA DO RCODE=3(NXDOMAIN)
;; Question ;; Question
foo.bar.example.com. IN A foo.bar.example.com. IN A
;; Answer ;; Answer
bar.example.com. NSEC dub.example.com. A DNAME bar.example.com. NSEC dub.example.com. A DNAME
bar.example.com. RRSIG NSEC [valid signature] bar.example.com. RRSIG NSEC [valid signature]
If you receive this answer, then only by understanding that the DNAME If this is the response, then only by understanding that the DNAME
bit means that foo.bar.example.com needed to have been redirected by bit means that foo.bar.example.com needed to have been redirected by
the DNAME, the validator can see that it is a BOGUS reply from an the DNAME, the validator can see that it is a BOGUS reply from an
attacker, that collated existing records from the DNS to create a attacker that collated existing records from the DNS to create a
confusing reply. confusing reply.
If the DNAME bit had not been set in the NSEC record above, then the If the DNAME bit had not been set in the NSEC record above then the
answer would have validated as a correct name error response. answer would have validated as a correct name error response.
5.4.2. Valid Name Error Response Involving DNAME in Bitmap 5.3.3.2. Valid Name Error Response Involving DNAME in Bitmap
;; Header: QR AA DO RCODE=3(NXDOMAIN) ;; Header: QR AA DO RCODE=3(NXDOMAIN)
;; Question ;; Question
cee.example.com. IN A cee.example.com. IN A
;; Answer ;; Answer
bar.example.com. NSEC dub.example.com. A DNAME bar.example.com. NSEC dub.example.com. A DNAME
bar.example.com. RRSIG NSEC [valid signature] bar.example.com. RRSIG NSEC [valid signature]
If the query had been cee.example.com as shown above, then this If the query had been cee.example.com as shown above, then this
answer would have been validated, because 'cee' does not get answer would have been validated, because 'cee' does not get
redirected by the DNAME at 'bar'. redirected by the DNAME at 'bar'.
5.4.3. Response With Synthesized CNAME 5.3.3.3. Response With Synthesized CNAME
;; Header: QR AA DO RCODE=0(NOERROR) ;; Header: QR AA DO RCODE=0(NOERROR)
;; Question ;; Question
foo.bar.example.com. IN A foo.bar.example.com. IN A
;; Answer ;; Answer
bar.example.com. DNAME bar.example.net. bar.example.com. DNAME bar.example.net.
bar.example.com. RRSIG DNAME [valid signature] bar.example.com. RRSIG DNAME [valid signature]
foo.bar.example.com. CNAME foo.bar.example.net. foo.bar.example.com. CNAME foo.bar.example.net.
The answer shown above has the synthesized CNAME included. However, The answer shown above has the synthesized CNAME included. However,
the CNAME has no signature, since the server cannot sign the keys the CNAME has no signature, since the server does not sign online (it
online (it is a slow operation and exposes the signing key). So it is a slow operation and exposes the signing key). So it cannot be
cannot be trusted. It could be altered by an attacker to be trusted. It could be altered by an attacker to be
foo.bar.example.com CNAME bla.bla.example. The DNAME record does foo.bar.example.com CNAME bla.bla.example. The DNAME record does
have its signature included, since it does not change for every query have its signature included, since it does not change for every query
name. The validator must verify the DNAME signature and then name. The validator must verify the DNAME signature and then
recursively resolve further to query for the foo.bar.example.net A recursively resolve further to query for the foo.bar.example.net A
record. record.
6. IANA Considerations 6. IANA Considerations
The main purpose of this draft is to discuss issues related to the The main purpose of this draft is to discuss issues related to the
use of DNAME RRs in a DNS zone. The original document registered the use of DNAME RRs in a DNS zone. The original document registered the
DNAME Resource Record type code 39 (decimal). No further action is DNAME Resource Record type code 39 (decimal). IANA should update the
required on the part of IANA. DNS resource record registry by adding a pointer to this document for
RR type 39. No other action is required at this time.
7. Security Considerations 7. Security Considerations
DNAME redirects queries elsewhere, which may impact security based on DNAME redirects queries elsewhere, which may impact security based on
policy and the security status of the zone with the DNAME and the policy and the security status of the zone with the DNAME and the
redirection zone's security status. redirection zone's security status.
If a validating resolver accepts wildcarded DNAMEs, this creates If a validating resolver accepts wildcarded DNAMEs, this creates
security issues. Since the processing of a wildcarded DNAME is non- security issues. Since the processing of a wildcarded DNAME is non-
deterministic and the CNAME that was substituted by the server has no deterministic and the CNAME that was substituted by the server has no
signature, the resolver may choose a different result than what the signature, the resolver may choose a different result than what the
server meant, and consequently end up at the wrong destination. Use server meant, and consequently end up at the wrong destination. Use
of wildcarded DNAMEs is discouraged in any case [RFC4592]. of wildcarded DNAMEs is discouraged in any case [RFC4592].
A validating resolver MUST understand DNAME, according to [RFC4034]. A validating resolver MUST understand DNAME, according to [RFC4034].
In Section 5.4 examples are given that illustrate this need. These In Section 5.3.3 examples are given that illustrate this need. These
examples are shown with NSEC records, but similar cases exist for examples are shown with NSEC records, but similar cases exist for
NSEC3. NSEC3.
8. Document History 8. Acknowledgments
00-01. Small language issues. Removed wording of 'delegation' for
dname use to alias a whole zone from parent side (registration tool).
Names under a DNAME are not canonical. Synthesized CNAME is not
signed. Rewritten entirely as an update to the rfc.
9. Acknowledgments
The authors of this draft would like to acknowledge Matt Larson for The authors of this draft would like to acknowledge Matt Larson for
beginning this effort to address the issues related to the DNAME RR beginning this effort to address the issues related to the DNAME RR
type. type.
10. Normative References 9. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1912] Barr, D., "Common DNS Operational and Configuration [RFC1912] Barr, D., "Common DNS Operational and Configuration
Errors", RFC 1912, February 1996. Errors", RFC 1912, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
skipping to change at page 12, line 30 skipping to change at page 14, line 41
Fax: +1-301-975-6238 Fax: +1-301-975-6238
EMail: scottr@nist.gov EMail: scottr@nist.gov
Wouter Wijngaards Wouter Wijngaards
NLnet Labs NLnet Labs
Kruislaan 419 Kruislaan 419
Amsterdam 1098 VA Amsterdam 1098 VA
The Netherlands The Netherlands
Phone: +31-20-888-4551 Phone: +31-20-888-4551
Fax: +31-20-888-4462
EMail: wouter@nlnetlabs.nl EMail: wouter@nlnetlabs.nl
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
 End of changes. 65 change blocks. 
168 lines changed or deleted 275 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/