| draft-ietf-dnsext-rfc2672bis-dname-11.txt | draft-ietf-dnsext-rfc2672bis-dname-12.txt | |||
|---|---|---|---|---|
| DNS Extensions Working Group S. Rose | DNS Extensions Working Group S. Rose | |||
| Internet-Draft NIST | Internet-Draft NIST | |||
| Updates: 2672,3363,4294 W. Wijngaards | Obsoletes: 2672 (if approved) W. Wijngaards | |||
| (if approved) NLnet Labs | Updates: 3363,4294 NLnet Labs | |||
| Intended status: Standards Track March 25, 2008 | (if approved) April 21, 2008 | |||
| Expires: September 26, 2008 | Intended status: Standards Track | |||
| Expires: October 23, 2008 | ||||
| Update to DNAME Redirection in the DNS | Update to DNAME Redirection in the DNS | |||
| draft-ietf-dnsext-rfc2672bis-dname-11 | draft-ietf-dnsext-rfc2672bis-dname-12 | |||
| Status of This Memo | Status of This Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 37 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on September 26, 2008. | This Internet-Draft will expire on October 23, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| Abstract | Abstract | |||
| The DNAME record provides redirection for a sub-tree of the domain | The DNAME record provides redirection for a sub-tree of the domain | |||
| name tree in the DNS system. That is, all names that end with a | name tree in the DNS system. That is, all names that end with a | |||
| particular suffix are redirected to another part of the DNS. This is | particular suffix are redirected to another part of the DNS. This is | |||
| skipping to change at page 2, line 19 | skipping to change at page 2, line 19 | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 3 | 2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 4 | 2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 4 | |||
| 2.3. DNAME Apex not Redirected itself . . . . . . . . . . . . . 5 | 2.3. DNAME Apex not Redirected itself . . . . . . . . . . . . . 5 | |||
| 2.4. Names Next to and Below a DNAME Record . . . . . . . . . . 5 | 2.4. Names Next to and Below a DNAME Record . . . . . . . . . . 6 | |||
| 2.5. Compression of the DNAME record. . . . . . . . . . . . . . 6 | 2.5. Compression of the DNAME record. . . . . . . . . . . . . . 6 | |||
| 3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.1. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.1. Server algorithm . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.2. CNAME synthesis . . . . . . . . . . . . . . . . . . . . . 7 | 3.2. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.3. Acceptance and Intermediate Storage . . . . . . . . . . . 7 | 3.3. CNAME synthesis and UD bit . . . . . . . . . . . . . . . . 9 | |||
| 3.4. Server algorithm . . . . . . . . . . . . . . . . . . . . . 8 | 3.4. Acceptance and Intermediate Storage . . . . . . . . . . . 10 | |||
| 4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 10 | 4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 10 | |||
| 5. Other Issues with DNAME . . . . . . . . . . . . . . . . . . . 11 | 5. Other Issues with DNAME . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.1. MX, NS and PTR Records Must Point to Target of DNAME . . . 11 | 5.1. Canonical hostnames cannot be below DNAME owners . . . . . 12 | |||
| 5.2. Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 11 | 5.2. Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 12 | |||
| 5.3. DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 11 | 5.3. DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.3.1. DNAME bit in NSEC type map . . . . . . . . . . . . . . 11 | 5.3.1. DNAME bit in NSEC type map . . . . . . . . . . . . . . 12 | |||
| 5.3.2. Validators Must Understand DNAME . . . . . . . . . . . 12 | 5.3.2. Validators Must Understand DNAME . . . . . . . . . . . 12 | |||
| 5.3.2.1. DNAME in Bitmap Causes Invalid Name Error . . . . 12 | 5.3.2.1. DNAME in Bitmap Causes Invalid Name Error . . . . 13 | |||
| 5.3.2.2. Valid Name Error Response Involving DNAME in | 5.3.2.2. Valid Name Error Response Involving DNAME in | |||
| Bitmap . . . . . . . . . . . . . . . . . . . . . . 12 | Bitmap . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 5.3.2.3. Response With Synthesized CNAME . . . . . . . . . 12 | 5.3.2.3. Response With Synthesized CNAME . . . . . . . . . 13 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 14 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| DNAME is a DNS Resource Record type. DNAME provides redirection from | DNAME is a DNS Resource Record type defined in RFC 2672 [RFC2672]. | |||
| a part of the DNS name tree to another part of the DNS name tree. | DNAME provides redirection from a part of the DNS name tree to | |||
| another part of the DNS name tree. | ||||
| The DNAME RR and the CNAME RR [RFC1034] cause a lookup to | ||||
| (potentially) return data corresponding to a domain name different | ||||
| from the queried domain name. The difference between the two | ||||
| resource records is that the CNAME RR directs the lookup of data at | ||||
| its owner to another single name, a DNAME RR directs lookups for data | ||||
| at descendents of its owner's name to corresponding names under a | ||||
| different (single) node of the tree. | ||||
| Take for example, looking through a zone (see RFC 1034 [RFC1034], | Take for example, looking through a zone (see RFC 1034 [RFC1034], | |||
| section 4.3.2, step 3) for the domain name "foo.example.com" and a | section 4.3.2, step 3) for the domain name "foo.example.com" and a | |||
| DNAME resource record is found at "example.com" indicating that all | DNAME resource record is found at "example.com" indicating that all | |||
| queries under "example.com" be directed to "example.net". The lookup | queries under "example.com" be directed to "example.net". The lookup | |||
| process will return to step 1 with the new query name of | process will return to step 1 with the new query name of | |||
| "foo.example.net". Had the query name been "www.foo.example.com" the | "foo.example.net". Had the query name been "www.foo.example.com" the | |||
| new query name would be "www.foo.example.net". | new query name would be "www.foo.example.net". | |||
| The DNAME RR is similar to the CNAME RR in that it provides | ||||
| redirection. The CNAME RR only provides redirection for exactly one | ||||
| name while the DNAME RR provides redirection for all names in a sub- | ||||
| tree of the DNS name tree. | ||||
| This document is an update to the original specification of DNAME in | This document is an update to the original specification of DNAME in | |||
| RFC 2672 [RFC2672]. DNAME was conceived to help with the problem of | RFC 2672 [RFC2672]. DNAME was conceived to help with the problem of | |||
| maintaining address-to-name mappings in a context of network | maintaining address-to-name mappings in a context of network | |||
| renumbering. With a careful set-up, a renumbering event in the | renumbering. With a careful set-up, a renumbering event in the | |||
| network causes no change to the authoritative server that has the | network causes no change to the authoritative server that has the | |||
| address-to-name mappings. Examples in practice are classless reverse | address-to-name mappings. Examples in practice are classless reverse | |||
| address space delegations and punycode alternates for domain spaces. | address space delegations and punycode alternates for domain spaces. | |||
| Another usage of DNAME lies in redirection of name spaces. For | Another usage of DNAME lies in redirection of name spaces. For | |||
| example, a zone administrator may want sub-trees of the DNS to | example, a zone administrator may want sub-trees of the DNS to | |||
| skipping to change at page 3, line 46 | skipping to change at page 3, line 50 | |||
| This update to DNAME does not change the wire format or the handling | This update to DNAME does not change the wire format or the handling | |||
| of DNAME Resource Records by existing software. A new UD (Understand | of DNAME Resource Records by existing software. A new UD (Understand | |||
| Dname) bit in the EDNS flags field can be used to signal that CNAME | Dname) bit in the EDNS flags field can be used to signal that CNAME | |||
| synthesis is not needed. Discussion is added on problems that may be | synthesis is not needed. Discussion is added on problems that may be | |||
| encountered when using DNAME. | encountered when using DNAME. | |||
| 2. The DNAME Resource Record | 2. The DNAME Resource Record | |||
| 2.1. Format | 2.1. Format | |||
| The DNAME RR has mnemonic DNAME and type code 39 (decimal). | The DNAME RR has mnemonic DNAME and type code 39 (decimal). It is | |||
| not class-sensitive. | ||||
| The format of the DNAME record has not changed from the original | Its RDATA is comprised of a single field, <target>, which contains a | |||
| specification in RFC 2672. DNAME has the following format: | fully qualified domain name that must be sent in uncompressed form | |||
| [RFC1035], [RFC3597]. The <target> field MUST be present. The | ||||
| presentation format of <target> is that of a domain name [RFC1035]. | ||||
| <owner> <ttl> <class> DNAME <target> | <owner> <ttl> <class> DNAME <target> | |||
| The format is not class-sensitive. All fields are required. The | The effect of the DNAME RR is the substitution of the record's | |||
| RDATA field target is a domain name. The RDATA field target name | <target> for its owner name, as a suffix of a domain name. This | |||
| MUST be sent uncompressed [RFC3597]. | substitution has to be applied for every DNAME RR found in the | |||
| resolution process, which allows fairly lengthy valid chains of DNAME | ||||
| RRs. | ||||
| The DNAME RR causes type NS additional section processing. | Details of the substitution process, methods to avoid conflicting | |||
| resource records, and rules for specific corner cases are given in | ||||
| the following subsections. | ||||
| 2.2. The DNAME Substitution | 2.2. The DNAME Substitution | |||
| DNAMEs cause a name substitution to happen to query names. This is | When following RFC 1034 [RFC1034], section 4.3.2's algorithm's third | |||
| called the DNAME substitution. The portion of the QNAME ending with | step, "start matching down, label by label, in the zone" and a node | |||
| the root label that matches the owner name of the DNAME RR is | is found to own a DNAME resource record a DNAME substitution occurs. | |||
| replaced with the contents of the DNAME RR's RDATA. The owner name | The name being sought may be the original query name or a name that | |||
| of the DNAME is not itself redirected, only domain names below the | is the result of a CNAME resource record being followed or a | |||
| owner name are redirected. Only whole labels are replaced. A name | previously encountered DNAME. As is the case of finding a CNAME | |||
| is considered below the owner name if it has more labels than the | resource record or NS resource record set, the processing of a DNAME | |||
| owner name, and the labels of the owner name appear at the end of the | will happen prior to finding the desired domain name. | |||
| query name. See the table of examples for common cases and corner | ||||
| A DNAME substitution is performed by replacing the suffix labels of | ||||
| the name being sought matching the owner name of the DNAME resource | ||||
| record with the string of labels in the RDATA field. The matching | ||||
| labels end with the root label in all cases. Only whole labels are | ||||
| replaced. See the table of examples for common cases and corner | ||||
| cases. | cases. | |||
| In the table below, the QNAME refers to the query name. The owner is | In the table below, the QNAME refers to the query name. The owner is | |||
| the DNAME owner domain name, and the target refers to the target of | the DNAME owner domain name, and the target refers to the target of | |||
| the DNAME record. The result is the resulting name after performing | the DNAME record. The result is the resulting name after performing | |||
| the DNAME substitution on the query name. "no match" means that the | the DNAME substitution on the query name. "no match" means that the | |||
| query did not match the DNAME and thus no substitution is performed | query did not match the DNAME and thus no substitution is performed | |||
| and a possible error message is returned (if no other result is | and a possible error message is returned (if no other result is | |||
| possible). In the examples below, 'cyc' and 'shortloop' contain | possible). In the examples below, 'cyc' and 'shortloop' contain | |||
| loops. | loops. | |||
| skipping to change at page 5, line 26 | skipping to change at page 5, line 50 | |||
| suppose the target name of the DNAME RR is 250 octets in length | suppose the target name of the DNAME RR is 250 octets in length | |||
| (multiple labels), if an incoming QNAME that has a first label over 5 | (multiple labels), if an incoming QNAME that has a first label over 5 | |||
| octets in length, the result of the result would be a name over 255 | octets in length, the result of the result would be a name over 255 | |||
| octets. If this occurs the server returns an RCODE of YXDOMAIN | octets. If this occurs the server returns an RCODE of YXDOMAIN | |||
| [RFC2136]. The DNAME record and its signature (if the zone is | [RFC2136]. The DNAME record and its signature (if the zone is | |||
| signed) are included in the answer as proof for the YXDOMAIN (value | signed) are included in the answer as proof for the YXDOMAIN (value | |||
| 6) RCODE. | 6) RCODE. | |||
| 2.3. DNAME Apex not Redirected itself | 2.3. DNAME Apex not Redirected itself | |||
| The owner name of a DNAME is not redirected itself. The reason for | Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its | |||
| the original decision was that one can have a DNAME at the zone apex | owner name; the owner name of a DNAME is not redirected itself. The | |||
| without problem. Then use this DNAME at the zone apex to point | domain name that owns a DNAME record is allowed to have other | |||
| queries to the target zone. There still is a need to have the | resource record types at that domain name, except DNAMEs or CNAMEs. | |||
| customary SOA and NS resource records at the zone apex. This means | ||||
| that DNAME does not mirror a zone completely, as it does not mirror | ||||
| the zone apex. | ||||
| Another reason for excluding the DNAME owner from the DNAME | ||||
| substitution is that one can then query for the DNAME through RFC | ||||
| 1034 [RFC1034] caches. | ||||
| This means that DNAME RRs are not allowed at the parent side of a | This means that DNAME RRs are not allowed at the parent side of a | |||
| delegation point but are allowed at a zone apex. | delegation point but are allowed at a zone apex. | |||
| The reason for this decision was that one can have a DNAME at the | ||||
| zone apex. There still is a need to have the customary SOA and NS | ||||
| resource records at the zone apex. This means that DNAME does not | ||||
| mirror a zone completely, as it does not mirror the zone apex. | ||||
| These rules also allow DNAME records to be queried through RFC 1034 | ||||
| [RFC1034] compliant, DNAME-unaware caches. | ||||
| 2.4. Names Next to and Below a DNAME Record | 2.4. Names Next to and Below a DNAME Record | |||
| Other resource records MUST NOT exist at a domain name subordinate to | Resource records MUST NOT exist at any domain name subordinate to the | |||
| the owner of a DNAME RR. To get the contents for names subordinate | owner of a DNAME RR. To get the contents for names subordinate to | |||
| to that owner, the DNAME redirection must be invoked and the | that owner, the DNAME redirection must be invoked and the resulting | |||
| resulting target queried. A server MAY refuse to load a zone that | target queried. A server MAY refuse to load a zone that has data at | |||
| has data at a domain name subordinate to a domain name owning a DNAME | a domain name subordinate to a domain name owning a DNAME RR. If the | |||
| RR. If the server does load the zone, those names below the DNAME RR | server does load the zone, those names below the DNAME RR will be | |||
| will be occluded. Also a server SHOULD refuse to load a zone | occluded, RFC 2136 [RFC2136], section 7.18. Also a server SHOULD | |||
| subordinate to the owner of a DNAME record in the ancestor zone. See | refuse to load a zone subordinate to the owner of a DNAME record in | |||
| Section 5.2 for further discussion related to dynamic update. | the ancestor zone. See Section 5.2 for further discussion related to | |||
| dynamic update. | ||||
| DNAME is a singleton type, meaning only one DNAME is allowed per | DNAME is a singleton type, meaning only one DNAME is allowed per | |||
| name. The owner name of a DNAME can only have one DNAME RR, and no | name. The owner name of a DNAME can only have one DNAME RR, and no | |||
| CNAME RRs can exist at that name. These rules make sure that for a | CNAME RRs can exist at that name. These rules make sure that for a | |||
| single domain name only one redirection exists, and thus no confusion | single domain name only one redirection exists, and thus no confusion | |||
| which one to follow. A server SHOULD refuse to load a zone that | which one to follow. A server SHOULD refuse to load a zone that | |||
| violates these rules. | violates these rules. | |||
| The domain name that owns a DNAME record is allowed to have other | ||||
| resource record types at that domain name, except DNAMEs or CNAMEs. | ||||
| These rules allow DNAME records to be queried through DNAME unaware | ||||
| caches. | ||||
| 2.5. Compression of the DNAME record. | 2.5. Compression of the DNAME record. | |||
| The DNAME owner name can be compressed like any other owner name. | The DNAME owner name can be compressed like any other owner name. | |||
| The DNAME RDATA target name MUST NOT be sent out in compressed form, | The DNAME RDATA target name MUST NOT be sent out in compressed form, | |||
| so that a DNAME RR can be treated as an unknown type. | so that a DNAME RR can be treated as an unknown type [RFC3597]. | |||
| Although the previous specification [RFC2672] talked about signaling | Although the previous DNAME specification [RFC2672] (that is | |||
| to allow compression of the target name, no such signaling is | obsoleted by this specification) talked about signaling to allow | |||
| explicitly specified. | compression of the target name, such signaling is not specified. | |||
| RFC 2672 stated that the EDNS version had a meaning for understanding | RFC 2672 stated that the EDNS version had a meaning for understanding | |||
| of DNAME and DNAME target name compression. This document updates | of DNAME and DNAME target name compression. This document updates | |||
| RFC 2672, in that there is no EDNS version signaling for DNAME as of | RFC 2672, in that there is no EDNS version signaling for DNAME as of | |||
| yet. However, the flags section of EDNS(0) is updated with a | yet. However, the flags section of EDNS(0) is updated with a | |||
| Understand-DNAME flag by this document (See Section 3.2). | Understand-DNAME flag by this document (See Section 3.3). | |||
| 3. Processing | 3. Processing | |||
| 3.1. Wildcards | The DNAME RR causes type NS additional section processing. | |||
| The use of DNAME in conjunction with wildcards is discouraged | ||||
| [RFC4592]. Thus records of the form "*.example.com DNAME | ||||
| example.net" SHOULD NOT be used. | ||||
| The interaction between the expansion of the wildcard and the | ||||
| redirection of the DNAME is non-deterministic. Because the | ||||
| processing is non-deterministic, DNSSEC validating resolvers may not | ||||
| be able to validate a wildcarded DNAME. | ||||
| A server MAY give a warning that the behavior is unspecified if such | ||||
| a wildcarded DNAME is loaded. The server MAY refuse it, refuse to | ||||
| load or refuse dynamic update. | ||||
| 3.2. CNAME synthesis | ||||
| On the server side, the DNAME RR record is always included in the | ||||
| answer section of a query, when one is encountered. A CNAME RR | ||||
| record with TTL equal to the corresponding DNAME RR is synthesized | ||||
| for old resolvers, specifically for the QNAME in the query. DNSSEC | ||||
| [RFC4033], [RFC4034], [RFC4035] says that the synthesized CNAME does | ||||
| not have to be signed. The DNAME has an RRSIG and a validating | ||||
| resolver can check the CNAME against the DNAME record and validate | ||||
| the DNAME record. | ||||
| Resolvers MUST be able to handle a synthesized CNAME TTL of zero or | ||||
| equal to the TTL of the corresponding DNAME record. A TTL of zero | ||||
| means that the CNAME can be discarded immediately after processing | ||||
| the answer. DNAME aware resolvers can set the Understand-DNAME (UD | ||||
| bit) to receive a response with only the DNAME RR and no synthesized | ||||
| CNAMEs. | ||||
| The UD bit is part of the EDNS extended RCODE and Flags field. It is | ||||
| used to omit server processing, transmission and resolver processing | ||||
| of unsigned synthesized CNAMEs. Resolvers can set this in a query to | ||||
| request omission of the synthesized CNAMEs. Servers copy the UD bit | ||||
| to the response, and can omit synthesized CNAMEs from the answer. | ||||
| Older resolvers do not set the UD bit, and older servers do not copy | ||||
| the UD bit to the answer, and will not omit synthesized CNAMEs. | ||||
| Updated EDNS extended RCODE and Flags field. | ||||
| +0 (MSB) +1 (LSB) | ||||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||||
| 0: | EXTENDED-RCODE | VERSION | | ||||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||||
| 2: |DO|UD| Z | | ||||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||||
| Servers MUST be able to answer a query for a synthesized CNAME. Like | ||||
| other query types this invokes the DNAME, and synthesizes the CNAME | ||||
| into the answer. | ||||
| 3.3. Acceptance and Intermediate Storage | ||||
| DNS caches can encounter data at names below the owner name of a | ||||
| DNAME RR, due to a change at the authoritative server where data from | ||||
| before and after the change resides in the cache. This conflict | ||||
| situation is a transitional phase, that ends when the old data times | ||||
| out. The cache can opt to store both old and new data and treat each | ||||
| as if the other did not exist, or drop the old data, or drop the | ||||
| longer domain name. In any approach, consistency returns after the | ||||
| older data TTL times out. | ||||
| DNS caches MUST perform CNAME synthesis on behalf of DNAME-ignorant | ||||
| clients. A DNS cache that understands DNAMEs can send out queries on | ||||
| behalf of clients with the UD bit set. After receiving the answers | ||||
| the DNS cache sends replies to DNAME ignorant clients that include | ||||
| DNAMEs and synthesized CNAMEs. | ||||
| 3.4. Server algorithm | 3.1. Server algorithm | |||
| Below the server algorithm, which appeared in RFC 2672 Section 4.1, | Below the server algorithm, which appeared in RFC 2672 Section 4.1, | |||
| is expanded to handle the UD bit. | is expanded to handle the UD (Understand Dname) bit. | |||
| 1. Set or clear the value of recursion available in the response | 1. Set or clear the value of recursion available in the response | |||
| depending on whether the name server is willing to provide | depending on whether the name server is willing to provide | |||
| recursive service. If recursive service is available and | recursive service. If recursive service is available and | |||
| requested via the RD bit in the query, go to step 5, otherwise | requested via the RD bit in the query, go to step 5, otherwise | |||
| step 2. | step 2. | |||
| 2. Search the available zones for the zone which is the nearest | 2. Search the available zones for the zone which is the nearest | |||
| ancestor to QNAME. If such a zone is found, go to step 3, | ancestor to QNAME. If such a zone is found, go to step 3, | |||
| otherwise step 4. | otherwise step 4. | |||
| skipping to change at page 10, line 11 | skipping to change at page 9, line 5 | |||
| 6. Using local data only, attempt to add other RRs which may be | 6. Using local data only, attempt to add other RRs which may be | |||
| useful to the additional section of the query. Exit. | useful to the additional section of the query. Exit. | |||
| Note that there will be at most one ancestor with a DNAME as | Note that there will be at most one ancestor with a DNAME as | |||
| described in step 4 unless some zone's data is in violation of the | described in step 4 unless some zone's data is in violation of the | |||
| no-descendants limitation in section 3. An implementation might take | no-descendants limitation in section 3. An implementation might take | |||
| advantage of this limitation by stopping the search of step 3c or | advantage of this limitation by stopping the search of step 3c or | |||
| step 4 when a DNAME record is encountered. | step 4 when a DNAME record is encountered. | |||
| 3.2. Wildcards | ||||
| The use of DNAME in conjunction with wildcards is discouraged | ||||
| [RFC4592]. Thus records of the form "*.example.com DNAME | ||||
| example.net" SHOULD NOT be used. | ||||
| The interaction between the expansion of the wildcard and the | ||||
| redirection of the DNAME is non-deterministic. Because the | ||||
| processing is non-deterministic, DNSSEC validating resolvers may not | ||||
| be able to validate a wildcarded DNAME. | ||||
| A server MAY give a warning that the behavior is unspecified if such | ||||
| a wildcarded DNAME is loaded. The server MAY refuse it, refuse to | ||||
| load or refuse dynamic update. | ||||
| 3.3. CNAME synthesis and UD bit | ||||
| When preparing an response, a server upon performing a DNAME | ||||
| substitution will in all cases include the DNAME RR used in the | ||||
| answer section. A CNAME RR record with TTL equal to the | ||||
| corresponding DNAME RR is synthesized and included in the answer | ||||
| section for old resolvers. The owner name of the CNAME is the QNAME | ||||
| of the query. DNSSEC [RFC4033], [RFC4034], [RFC4035] says that the | ||||
| synthesized CNAME does not have to be signed. The DNAME has an RRSIG | ||||
| and a validating resolver can check the CNAME against the DNAME | ||||
| record and validate the DNAME record. | ||||
| Resolvers MUST be able to handle a synthesized CNAME TTL of zero or | ||||
| equal to the TTL of the corresponding DNAME record. A TTL of zero | ||||
| means that the CNAME can be discarded immediately after processing | ||||
| the answer. DNAME aware resolvers can set the Understand-DNAME (UD | ||||
| bit) to receive a response with only the DNAME RR and no synthesized | ||||
| CNAMEs. | ||||
| The UD bit is part of the EDNS [RFC2671] extended RCODE and Flags | ||||
| field. It is used to omit server processing, transmission and | ||||
| resolver processing of unsigned synthesized CNAMEs. Resolvers can | ||||
| set this in a query to request omission of the synthesized CNAMEs. | ||||
| Servers copy the UD bit to the response, and can omit synthesized | ||||
| CNAMEs from the answer. Older resolvers do not set the UD bit, and | ||||
| older servers do not copy the UD bit to the answer, and will not omit | ||||
| synthesized CNAMEs. | ||||
| Updated EDNS extended RCODE and Flags field. | ||||
| +0 (MSB) +1 (LSB) | ||||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||||
| 0: | EXTENDED-RCODE | VERSION | | ||||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||||
| 2: |DO|UD| Z | | ||||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||||
| Servers MUST be able to answer a query for a synthesized CNAME. Like | ||||
| other query types this invokes the DNAME, and synthesizes the CNAME | ||||
| into the answer. | ||||
| 3.4. Acceptance and Intermediate Storage | ||||
| DNS caches can encounter data at names below the owner name of a | ||||
| DNAME RR, due to a change at the authoritative server where data from | ||||
| before and after the change resides in the cache. This conflict | ||||
| situation is a transitional phase, that ends when the old data times | ||||
| out. The cache can opt to store both old and new data and treat each | ||||
| as if the other did not exist, or drop the old data, or drop the | ||||
| longer domain name. In any approach, consistency returns after the | ||||
| older data TTL times out. | ||||
| DNS caches MUST perform CNAME synthesis on behalf of DNAME-ignorant | ||||
| clients. A DNS cache that understands DNAMEs can send out queries on | ||||
| behalf of clients with the UD bit set. After receiving the answers | ||||
| the DNS cache sends replies to DNAME ignorant clients that include | ||||
| DNAMEs and synthesized CNAMEs. | ||||
| 4. DNAME Discussions in Other Documents | 4. DNAME Discussions in Other Documents | |||
| In [RFC2181], in Section 10.3., the discussion on MX and NS records | In [RFC2181], in Section 10.3., the discussion on MX and NS records | |||
| touches on redirection by CNAMEs, but this also holds for DNAMEs. | touches on redirection by CNAMEs, but this also holds for DNAMEs. | |||
| Excerpt from 10.3. MX and NS records (in RFC 2181). | Excerpt from 10.3. MX and NS records (in RFC 2181). | |||
| The domain name used as the value of a NS resource record, | The domain name used as the value of a NS resource record, | |||
| or part of the value of a MX resource record must not be | or part of the value of a MX resource record must not be | |||
| an alias. Not only is the specification clear on this | an alias. Not only is the specification clear on this | |||
| skipping to change at page 11, line 20 | skipping to change at page 12, line 9 | |||
| is to be replaced by | is to be replaced by | |||
| "Those nodes are NOT RECOMMENDED to support the experimental | "Those nodes are NOT RECOMMENDED to support the experimental | |||
| A6 Resource Record [RFC3363]." | A6 Resource Record [RFC3363]." | |||
| 5. Other Issues with DNAME | 5. Other Issues with DNAME | |||
| There are several issues to be aware of about the use of DNAME. | There are several issues to be aware of about the use of DNAME. | |||
| 5.1. MX, NS and PTR Records Must Point to Target of DNAME | 5.1. Canonical hostnames cannot be below DNAME owners | |||
| The names listed as target names of MX, NS and PTR records must be | The names listed as target names of MX, NS, PTR and SRV [RFC2782] | |||
| canonical hostnames. This means no CNAME or DNAME redirection may be | records must be canonical hostnames. This means no CNAME or DNAME | |||
| present during DNS lookup of the address records for the host. This | redirection may be present during DNS lookup of the address records | |||
| is discussed in RFC 2181 [RFC2181], section 10.3, and RFC 1912 | for the host. This is discussed in RFC 2181 [RFC2181], section 10.3, | |||
| [RFC1912], section 2.4. | and RFC 1912 [RFC1912], section 2.4. For SRV see RFC 2782 [RFC2782] | |||
| page 4. | ||||
| The upshot of this is that although the lookup of a PTR record can | The upshot of this is that although the lookup of a PTR record can | |||
| involve DNAMEs, the name listed in the PTR record can not fall under | involve DNAMEs, the name listed in the PTR record can not fall under | |||
| a DNAME. The same holds for NS and MX records. For example, when | a DNAME. The same holds for NS, SRV and MX records. For example, | |||
| punycode alternates for a zone use DNAME then the NS, MX and PTR | when punycode alternates for a zone use DNAME then the NS, MX, SRV | |||
| records that point to that zone must use names without punycode in | and PTR records that point to that zone must use names without | |||
| their RDATA. What must be done then is to have the domain names with | punycode in their RDATA. What must be done then is to have the | |||
| DNAME substitution already applied to it as the MX, NS, PTR data. | domain names with DNAME substitution already applied to it as the MX, | |||
| These are valid canonical hostnames. | NS, PTR, SRV data. These are valid canonical hostnames. | |||
| 5.2. Dynamic Update and DNAME | 5.2. Dynamic Update and DNAME | |||
| DNAME records can be added, changed and removed in a zone using | DNAME records can be added, changed and removed in a zone using | |||
| dynamic update transactions. Adding a DNAME RR to a zone occludes | dynamic update transactions. Adding a DNAME RR to a zone occludes | |||
| any domain names that may exist under the added DNAME. | any domain names that may exist under the added DNAME. | |||
| A server MUST ignore a dynamic update message that attempts to add a | A server MUST ignore a dynamic update message that attempts to add a | |||
| DNAME RR at a name that already has a CNAME RR or another DNAME RR | DNAME RR at a name that already has a CNAME RR or another DNAME RR | |||
| associated with that name. | associated with that name. | |||
| skipping to change at page 13, line 23 | skipping to change at page 14, line 8 | |||
| the CNAME has no signature, since the server does not sign online. | the CNAME has no signature, since the server does not sign online. | |||
| So it cannot be trusted. It could be altered by an attacker to be | So it cannot be trusted. It could be altered by an attacker to be | |||
| foo.bar.example.com CNAME bla.bla.example. The DNAME record does | foo.bar.example.com CNAME bla.bla.example. The DNAME record does | |||
| have its signature included, since it does not change for every query | have its signature included, since it does not change for every query | |||
| name. The validator must verify the DNAME signature and then | name. The validator must verify the DNAME signature and then | |||
| recursively resolve further to query for the foo.bar.example.net A | recursively resolve further to query for the foo.bar.example.net A | |||
| record. | record. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| The main purpose of this draft is to discuss issues related to the | The DNAME Resource Record type code 39 (decimal) originally has been | |||
| use of DNAME RRs in a DNS zone. The original document registered the | registered by [RFC2672]. IANA should update the DNS resource record | |||
| DNAME Resource Record type code 39 (decimal). IANA should update the | registry to point to this document for RR type 39. | |||
| DNS resource record registry by adding a pointer to this document for | ||||
| RR type 39. | ||||
| This draft requests the second highest bit in the EDNS flags field | This draft requests the second highest bit in the EDNS flags field | |||
| for the Understand-DNAME (UD) flag. | for the Understand-DNAME (UD) flag. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| DNAME redirects queries elsewhere, which may impact security based on | DNAME redirects queries elsewhere, which may impact security based on | |||
| policy and the security status of the zone with the DNAME and the | policy and the security status of the zone with the DNAME and the | |||
| redirection zone's security status. | redirection zone's security status. | |||
| skipping to change at page 14, line 5 | skipping to change at page 14, line 36 | |||
| of wildcarded DNAMEs is discouraged in any case [RFC4592]. | of wildcarded DNAMEs is discouraged in any case [RFC4592]. | |||
| A validating resolver MUST understand DNAME, according to [RFC4034]. | A validating resolver MUST understand DNAME, according to [RFC4034]. | |||
| In Section 5.3.2 examples are given that illustrate this need. | In Section 5.3.2 examples are given that illustrate this need. | |||
| 8. Acknowledgments | 8. Acknowledgments | |||
| The authors of this draft would like to acknowledge Matt Larson for | The authors of this draft would like to acknowledge Matt Larson for | |||
| beginning this effort to address the issues related to the DNAME RR | beginning this effort to address the issues related to the DNAME RR | |||
| type. The authors would also like to acknowledge Paul Vixie, Ed | type. The authors would also like to acknowledge Paul Vixie, Ed | |||
| Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly and Sam Weiler for | Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly, Sam Weiler, Alfred | |||
| their review and comments on this document. | Hoenes and Kevin Darcy for their review and comments on this | |||
| document. | ||||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, November 1987. | STD 13, RFC 1034, November 1987. | |||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | ||||
| specification", STD 13, RFC 1035, November 1987. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, | [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, | |||
| "Dynamic Updates in the Domain Name System (DNS UPDATE)", | "Dynamic Updates in the Domain Name System (DNS UPDATE)", | |||
| RFC 2136, April 1997. | RFC 2136, April 1997. | |||
| [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | |||
| Specification", RFC 2181, July 1997. | Specification", RFC 2181, July 1997. | |||
| [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | ||||
| RFC 2671, August 1999. | ||||
| [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", | [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", | |||
| RFC 2672, August 1999. | RFC 2672, August 1999. | |||
| [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | ||||
| specifying the location of services (DNS SRV)", RFC 2782, | ||||
| February 2000. | ||||
| [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record | [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record | |||
| (RR) Types", RFC 3597, September 2003. | (RR) Types", RFC 3597, September 2003. | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
| RFC 4033, March 2005. | RFC 4033, March 2005. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security Extensions", | Rose, "Resource Records for the DNS Security Extensions", | |||
| RFC 4034, March 2005. | RFC 4034, March 2005. | |||
| End of changes. 38 change blocks. | ||||
| 170 lines changed or deleted | 196 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||