draft-ietf-dnsext-rfc2672bis-dname-11.txt   draft-ietf-dnsext-rfc2672bis-dname-12.txt 
DNS Extensions Working Group S. Rose DNS Extensions Working Group S. Rose
Internet-Draft NIST Internet-Draft NIST
Updates: 2672,3363,4294 W. Wijngaards Obsoletes: 2672 (if approved) W. Wijngaards
(if approved) NLnet Labs Updates: 3363,4294 NLnet Labs
Intended status: Standards Track March 25, 2008 (if approved) April 21, 2008
Expires: September 26, 2008 Intended status: Standards Track
Expires: October 23, 2008
Update to DNAME Redirection in the DNS Update to DNAME Redirection in the DNS
draft-ietf-dnsext-rfc2672bis-dname-11 draft-ietf-dnsext-rfc2672bis-dname-12
Status of This Memo Status of This Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 26, 2008. This Internet-Draft will expire on October 23, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
The DNAME record provides redirection for a sub-tree of the domain The DNAME record provides redirection for a sub-tree of the domain
name tree in the DNS system. That is, all names that end with a name tree in the DNS system. That is, all names that end with a
particular suffix are redirected to another part of the DNS. This is particular suffix are redirected to another part of the DNS. This is
skipping to change at page 2, line 19 skipping to change at page 2, line 19
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 3 2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 3
2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 4 2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 4
2.3. DNAME Apex not Redirected itself . . . . . . . . . . . . . 5 2.3. DNAME Apex not Redirected itself . . . . . . . . . . . . . 5
2.4. Names Next to and Below a DNAME Record . . . . . . . . . . 5 2.4. Names Next to and Below a DNAME Record . . . . . . . . . . 6
2.5. Compression of the DNAME record. . . . . . . . . . . . . . 6 2.5. Compression of the DNAME record. . . . . . . . . . . . . . 6
3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Server algorithm . . . . . . . . . . . . . . . . . . . . . 7
3.2. CNAME synthesis . . . . . . . . . . . . . . . . . . . . . 7 3.2. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3. Acceptance and Intermediate Storage . . . . . . . . . . . 7 3.3. CNAME synthesis and UD bit . . . . . . . . . . . . . . . . 9
3.4. Server algorithm . . . . . . . . . . . . . . . . . . . . . 8 3.4. Acceptance and Intermediate Storage . . . . . . . . . . . 10
4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 10 4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 10
5. Other Issues with DNAME . . . . . . . . . . . . . . . . . . . 11 5. Other Issues with DNAME . . . . . . . . . . . . . . . . . . . 12
5.1. MX, NS and PTR Records Must Point to Target of DNAME . . . 11 5.1. Canonical hostnames cannot be below DNAME owners . . . . . 12
5.2. Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 11 5.2. Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 12
5.3. DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 11 5.3. DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 12
5.3.1. DNAME bit in NSEC type map . . . . . . . . . . . . . . 11 5.3.1. DNAME bit in NSEC type map . . . . . . . . . . . . . . 12
5.3.2. Validators Must Understand DNAME . . . . . . . . . . . 12 5.3.2. Validators Must Understand DNAME . . . . . . . . . . . 12
5.3.2.1. DNAME in Bitmap Causes Invalid Name Error . . . . 12 5.3.2.1. DNAME in Bitmap Causes Invalid Name Error . . . . 13
5.3.2.2. Valid Name Error Response Involving DNAME in 5.3.2.2. Valid Name Error Response Involving DNAME in
Bitmap . . . . . . . . . . . . . . . . . . . . . . 12 Bitmap . . . . . . . . . . . . . . . . . . . . . . 13
5.3.2.3. Response With Synthesized CNAME . . . . . . . . . 12 5.3.2.3. Response With Synthesized CNAME . . . . . . . . . 13
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
9.1. Normative References . . . . . . . . . . . . . . . . . . . 14 9.1. Normative References . . . . . . . . . . . . . . . . . . . 14
9.2. Informative References . . . . . . . . . . . . . . . . . . 14 9.2. Informative References . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
DNAME is a DNS Resource Record type. DNAME provides redirection from DNAME is a DNS Resource Record type defined in RFC 2672 [RFC2672].
a part of the DNS name tree to another part of the DNS name tree. DNAME provides redirection from a part of the DNS name tree to
another part of the DNS name tree.
The DNAME RR and the CNAME RR [RFC1034] cause a lookup to
(potentially) return data corresponding to a domain name different
from the queried domain name. The difference between the two
resource records is that the CNAME RR directs the lookup of data at
its owner to another single name, a DNAME RR directs lookups for data
at descendents of its owner's name to corresponding names under a
different (single) node of the tree.
Take for example, looking through a zone (see RFC 1034 [RFC1034], Take for example, looking through a zone (see RFC 1034 [RFC1034],
section 4.3.2, step 3) for the domain name "foo.example.com" and a section 4.3.2, step 3) for the domain name "foo.example.com" and a
DNAME resource record is found at "example.com" indicating that all DNAME resource record is found at "example.com" indicating that all
queries under "example.com" be directed to "example.net". The lookup queries under "example.com" be directed to "example.net". The lookup
process will return to step 1 with the new query name of process will return to step 1 with the new query name of
"foo.example.net". Had the query name been "www.foo.example.com" the "foo.example.net". Had the query name been "www.foo.example.com" the
new query name would be "www.foo.example.net". new query name would be "www.foo.example.net".
The DNAME RR is similar to the CNAME RR in that it provides
redirection. The CNAME RR only provides redirection for exactly one
name while the DNAME RR provides redirection for all names in a sub-
tree of the DNS name tree.
This document is an update to the original specification of DNAME in This document is an update to the original specification of DNAME in
RFC 2672 [RFC2672]. DNAME was conceived to help with the problem of RFC 2672 [RFC2672]. DNAME was conceived to help with the problem of
maintaining address-to-name mappings in a context of network maintaining address-to-name mappings in a context of network
renumbering. With a careful set-up, a renumbering event in the renumbering. With a careful set-up, a renumbering event in the
network causes no change to the authoritative server that has the network causes no change to the authoritative server that has the
address-to-name mappings. Examples in practice are classless reverse address-to-name mappings. Examples in practice are classless reverse
address space delegations and punycode alternates for domain spaces. address space delegations and punycode alternates for domain spaces.
Another usage of DNAME lies in redirection of name spaces. For Another usage of DNAME lies in redirection of name spaces. For
example, a zone administrator may want sub-trees of the DNS to example, a zone administrator may want sub-trees of the DNS to
skipping to change at page 3, line 46 skipping to change at page 3, line 50
This update to DNAME does not change the wire format or the handling This update to DNAME does not change the wire format or the handling
of DNAME Resource Records by existing software. A new UD (Understand of DNAME Resource Records by existing software. A new UD (Understand
Dname) bit in the EDNS flags field can be used to signal that CNAME Dname) bit in the EDNS flags field can be used to signal that CNAME
synthesis is not needed. Discussion is added on problems that may be synthesis is not needed. Discussion is added on problems that may be
encountered when using DNAME. encountered when using DNAME.
2. The DNAME Resource Record 2. The DNAME Resource Record
2.1. Format 2.1. Format
The DNAME RR has mnemonic DNAME and type code 39 (decimal). The DNAME RR has mnemonic DNAME and type code 39 (decimal). It is
not class-sensitive.
The format of the DNAME record has not changed from the original Its RDATA is comprised of a single field, <target>, which contains a
specification in RFC 2672. DNAME has the following format: fully qualified domain name that must be sent in uncompressed form
[RFC1035], [RFC3597]. The <target> field MUST be present. The
presentation format of <target> is that of a domain name [RFC1035].
<owner> <ttl> <class> DNAME <target> <owner> <ttl> <class> DNAME <target>
The format is not class-sensitive. All fields are required. The The effect of the DNAME RR is the substitution of the record's
RDATA field target is a domain name. The RDATA field target name <target> for its owner name, as a suffix of a domain name. This
MUST be sent uncompressed [RFC3597]. substitution has to be applied for every DNAME RR found in the
resolution process, which allows fairly lengthy valid chains of DNAME
RRs.
The DNAME RR causes type NS additional section processing. Details of the substitution process, methods to avoid conflicting
resource records, and rules for specific corner cases are given in
the following subsections.
2.2. The DNAME Substitution 2.2. The DNAME Substitution
DNAMEs cause a name substitution to happen to query names. This is When following RFC 1034 [RFC1034], section 4.3.2's algorithm's third
called the DNAME substitution. The portion of the QNAME ending with step, "start matching down, label by label, in the zone" and a node
the root label that matches the owner name of the DNAME RR is is found to own a DNAME resource record a DNAME substitution occurs.
replaced with the contents of the DNAME RR's RDATA. The owner name The name being sought may be the original query name or a name that
of the DNAME is not itself redirected, only domain names below the is the result of a CNAME resource record being followed or a
owner name are redirected. Only whole labels are replaced. A name previously encountered DNAME. As is the case of finding a CNAME
is considered below the owner name if it has more labels than the resource record or NS resource record set, the processing of a DNAME
owner name, and the labels of the owner name appear at the end of the will happen prior to finding the desired domain name.
query name. See the table of examples for common cases and corner
A DNAME substitution is performed by replacing the suffix labels of
the name being sought matching the owner name of the DNAME resource
record with the string of labels in the RDATA field. The matching
labels end with the root label in all cases. Only whole labels are
replaced. See the table of examples for common cases and corner
cases. cases.
In the table below, the QNAME refers to the query name. The owner is In the table below, the QNAME refers to the query name. The owner is
the DNAME owner domain name, and the target refers to the target of the DNAME owner domain name, and the target refers to the target of
the DNAME record. The result is the resulting name after performing the DNAME record. The result is the resulting name after performing
the DNAME substitution on the query name. "no match" means that the the DNAME substitution on the query name. "no match" means that the
query did not match the DNAME and thus no substitution is performed query did not match the DNAME and thus no substitution is performed
and a possible error message is returned (if no other result is and a possible error message is returned (if no other result is
possible). In the examples below, 'cyc' and 'shortloop' contain possible). In the examples below, 'cyc' and 'shortloop' contain
loops. loops.
skipping to change at page 5, line 26 skipping to change at page 5, line 50
suppose the target name of the DNAME RR is 250 octets in length suppose the target name of the DNAME RR is 250 octets in length
(multiple labels), if an incoming QNAME that has a first label over 5 (multiple labels), if an incoming QNAME that has a first label over 5
octets in length, the result of the result would be a name over 255 octets in length, the result of the result would be a name over 255
octets. If this occurs the server returns an RCODE of YXDOMAIN octets. If this occurs the server returns an RCODE of YXDOMAIN
[RFC2136]. The DNAME record and its signature (if the zone is [RFC2136]. The DNAME record and its signature (if the zone is
signed) are included in the answer as proof for the YXDOMAIN (value signed) are included in the answer as proof for the YXDOMAIN (value
6) RCODE. 6) RCODE.
2.3. DNAME Apex not Redirected itself 2.3. DNAME Apex not Redirected itself
The owner name of a DNAME is not redirected itself. The reason for Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its
the original decision was that one can have a DNAME at the zone apex owner name; the owner name of a DNAME is not redirected itself. The
without problem. Then use this DNAME at the zone apex to point domain name that owns a DNAME record is allowed to have other
queries to the target zone. There still is a need to have the resource record types at that domain name, except DNAMEs or CNAMEs.
customary SOA and NS resource records at the zone apex. This means
that DNAME does not mirror a zone completely, as it does not mirror
the zone apex.
Another reason for excluding the DNAME owner from the DNAME
substitution is that one can then query for the DNAME through RFC
1034 [RFC1034] caches.
This means that DNAME RRs are not allowed at the parent side of a This means that DNAME RRs are not allowed at the parent side of a
delegation point but are allowed at a zone apex. delegation point but are allowed at a zone apex.
The reason for this decision was that one can have a DNAME at the
zone apex. There still is a need to have the customary SOA and NS
resource records at the zone apex. This means that DNAME does not
mirror a zone completely, as it does not mirror the zone apex.
These rules also allow DNAME records to be queried through RFC 1034
[RFC1034] compliant, DNAME-unaware caches.
2.4. Names Next to and Below a DNAME Record 2.4. Names Next to and Below a DNAME Record
Other resource records MUST NOT exist at a domain name subordinate to Resource records MUST NOT exist at any domain name subordinate to the
the owner of a DNAME RR. To get the contents for names subordinate owner of a DNAME RR. To get the contents for names subordinate to
to that owner, the DNAME redirection must be invoked and the that owner, the DNAME redirection must be invoked and the resulting
resulting target queried. A server MAY refuse to load a zone that target queried. A server MAY refuse to load a zone that has data at
has data at a domain name subordinate to a domain name owning a DNAME a domain name subordinate to a domain name owning a DNAME RR. If the
RR. If the server does load the zone, those names below the DNAME RR server does load the zone, those names below the DNAME RR will be
will be occluded. Also a server SHOULD refuse to load a zone occluded, RFC 2136 [RFC2136], section 7.18. Also a server SHOULD
subordinate to the owner of a DNAME record in the ancestor zone. See refuse to load a zone subordinate to the owner of a DNAME record in
Section 5.2 for further discussion related to dynamic update. the ancestor zone. See Section 5.2 for further discussion related to
dynamic update.
DNAME is a singleton type, meaning only one DNAME is allowed per DNAME is a singleton type, meaning only one DNAME is allowed per
name. The owner name of a DNAME can only have one DNAME RR, and no name. The owner name of a DNAME can only have one DNAME RR, and no
CNAME RRs can exist at that name. These rules make sure that for a CNAME RRs can exist at that name. These rules make sure that for a
single domain name only one redirection exists, and thus no confusion single domain name only one redirection exists, and thus no confusion
which one to follow. A server SHOULD refuse to load a zone that which one to follow. A server SHOULD refuse to load a zone that
violates these rules. violates these rules.
The domain name that owns a DNAME record is allowed to have other
resource record types at that domain name, except DNAMEs or CNAMEs.
These rules allow DNAME records to be queried through DNAME unaware
caches.
2.5. Compression of the DNAME record. 2.5. Compression of the DNAME record.
The DNAME owner name can be compressed like any other owner name. The DNAME owner name can be compressed like any other owner name.
The DNAME RDATA target name MUST NOT be sent out in compressed form, The DNAME RDATA target name MUST NOT be sent out in compressed form,
so that a DNAME RR can be treated as an unknown type. so that a DNAME RR can be treated as an unknown type [RFC3597].
Although the previous specification [RFC2672] talked about signaling Although the previous DNAME specification [RFC2672] (that is
to allow compression of the target name, no such signaling is obsoleted by this specification) talked about signaling to allow
explicitly specified. compression of the target name, such signaling is not specified.
RFC 2672 stated that the EDNS version had a meaning for understanding RFC 2672 stated that the EDNS version had a meaning for understanding
of DNAME and DNAME target name compression. This document updates of DNAME and DNAME target name compression. This document updates
RFC 2672, in that there is no EDNS version signaling for DNAME as of RFC 2672, in that there is no EDNS version signaling for DNAME as of
yet. However, the flags section of EDNS(0) is updated with a yet. However, the flags section of EDNS(0) is updated with a
Understand-DNAME flag by this document (See Section 3.2). Understand-DNAME flag by this document (See Section 3.3).
3. Processing 3. Processing
3.1. Wildcards The DNAME RR causes type NS additional section processing.
The use of DNAME in conjunction with wildcards is discouraged
[RFC4592]. Thus records of the form "*.example.com DNAME
example.net" SHOULD NOT be used.
The interaction between the expansion of the wildcard and the
redirection of the DNAME is non-deterministic. Because the
processing is non-deterministic, DNSSEC validating resolvers may not
be able to validate a wildcarded DNAME.
A server MAY give a warning that the behavior is unspecified if such
a wildcarded DNAME is loaded. The server MAY refuse it, refuse to
load or refuse dynamic update.
3.2. CNAME synthesis
On the server side, the DNAME RR record is always included in the
answer section of a query, when one is encountered. A CNAME RR
record with TTL equal to the corresponding DNAME RR is synthesized
for old resolvers, specifically for the QNAME in the query. DNSSEC
[RFC4033], [RFC4034], [RFC4035] says that the synthesized CNAME does
not have to be signed. The DNAME has an RRSIG and a validating
resolver can check the CNAME against the DNAME record and validate
the DNAME record.
Resolvers MUST be able to handle a synthesized CNAME TTL of zero or
equal to the TTL of the corresponding DNAME record. A TTL of zero
means that the CNAME can be discarded immediately after processing
the answer. DNAME aware resolvers can set the Understand-DNAME (UD
bit) to receive a response with only the DNAME RR and no synthesized
CNAMEs.
The UD bit is part of the EDNS extended RCODE and Flags field. It is
used to omit server processing, transmission and resolver processing
of unsigned synthesized CNAMEs. Resolvers can set this in a query to
request omission of the synthesized CNAMEs. Servers copy the UD bit
to the response, and can omit synthesized CNAMEs from the answer.
Older resolvers do not set the UD bit, and older servers do not copy
the UD bit to the answer, and will not omit synthesized CNAMEs.
Updated EDNS extended RCODE and Flags field.
+0 (MSB) +1 (LSB)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
0: | EXTENDED-RCODE | VERSION |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
2: |DO|UD| Z |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Servers MUST be able to answer a query for a synthesized CNAME. Like
other query types this invokes the DNAME, and synthesizes the CNAME
into the answer.
3.3. Acceptance and Intermediate Storage
DNS caches can encounter data at names below the owner name of a
DNAME RR, due to a change at the authoritative server where data from
before and after the change resides in the cache. This conflict
situation is a transitional phase, that ends when the old data times
out. The cache can opt to store both old and new data and treat each
as if the other did not exist, or drop the old data, or drop the
longer domain name. In any approach, consistency returns after the
older data TTL times out.
DNS caches MUST perform CNAME synthesis on behalf of DNAME-ignorant
clients. A DNS cache that understands DNAMEs can send out queries on
behalf of clients with the UD bit set. After receiving the answers
the DNS cache sends replies to DNAME ignorant clients that include
DNAMEs and synthesized CNAMEs.
3.4. Server algorithm 3.1. Server algorithm
Below the server algorithm, which appeared in RFC 2672 Section 4.1, Below the server algorithm, which appeared in RFC 2672 Section 4.1,
is expanded to handle the UD bit. is expanded to handle the UD (Understand Dname) bit.
1. Set or clear the value of recursion available in the response 1. Set or clear the value of recursion available in the response
depending on whether the name server is willing to provide depending on whether the name server is willing to provide
recursive service. If recursive service is available and recursive service. If recursive service is available and
requested via the RD bit in the query, go to step 5, otherwise requested via the RD bit in the query, go to step 5, otherwise
step 2. step 2.
2. Search the available zones for the zone which is the nearest 2. Search the available zones for the zone which is the nearest
ancestor to QNAME. If such a zone is found, go to step 3, ancestor to QNAME. If such a zone is found, go to step 3,
otherwise step 4. otherwise step 4.
skipping to change at page 10, line 11 skipping to change at page 9, line 5
6. Using local data only, attempt to add other RRs which may be 6. Using local data only, attempt to add other RRs which may be
useful to the additional section of the query. Exit. useful to the additional section of the query. Exit.
Note that there will be at most one ancestor with a DNAME as Note that there will be at most one ancestor with a DNAME as
described in step 4 unless some zone's data is in violation of the described in step 4 unless some zone's data is in violation of the
no-descendants limitation in section 3. An implementation might take no-descendants limitation in section 3. An implementation might take
advantage of this limitation by stopping the search of step 3c or advantage of this limitation by stopping the search of step 3c or
step 4 when a DNAME record is encountered. step 4 when a DNAME record is encountered.
3.2. Wildcards
The use of DNAME in conjunction with wildcards is discouraged
[RFC4592]. Thus records of the form "*.example.com DNAME
example.net" SHOULD NOT be used.
The interaction between the expansion of the wildcard and the
redirection of the DNAME is non-deterministic. Because the
processing is non-deterministic, DNSSEC validating resolvers may not
be able to validate a wildcarded DNAME.
A server MAY give a warning that the behavior is unspecified if such
a wildcarded DNAME is loaded. The server MAY refuse it, refuse to
load or refuse dynamic update.
3.3. CNAME synthesis and UD bit
When preparing an response, a server upon performing a DNAME
substitution will in all cases include the DNAME RR used in the
answer section. A CNAME RR record with TTL equal to the
corresponding DNAME RR is synthesized and included in the answer
section for old resolvers. The owner name of the CNAME is the QNAME
of the query. DNSSEC [RFC4033], [RFC4034], [RFC4035] says that the
synthesized CNAME does not have to be signed. The DNAME has an RRSIG
and a validating resolver can check the CNAME against the DNAME
record and validate the DNAME record.
Resolvers MUST be able to handle a synthesized CNAME TTL of zero or
equal to the TTL of the corresponding DNAME record. A TTL of zero
means that the CNAME can be discarded immediately after processing
the answer. DNAME aware resolvers can set the Understand-DNAME (UD
bit) to receive a response with only the DNAME RR and no synthesized
CNAMEs.
The UD bit is part of the EDNS [RFC2671] extended RCODE and Flags
field. It is used to omit server processing, transmission and
resolver processing of unsigned synthesized CNAMEs. Resolvers can
set this in a query to request omission of the synthesized CNAMEs.
Servers copy the UD bit to the response, and can omit synthesized
CNAMEs from the answer. Older resolvers do not set the UD bit, and
older servers do not copy the UD bit to the answer, and will not omit
synthesized CNAMEs.
Updated EDNS extended RCODE and Flags field.
+0 (MSB) +1 (LSB)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
0: | EXTENDED-RCODE | VERSION |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
2: |DO|UD| Z |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Servers MUST be able to answer a query for a synthesized CNAME. Like
other query types this invokes the DNAME, and synthesizes the CNAME
into the answer.
3.4. Acceptance and Intermediate Storage
DNS caches can encounter data at names below the owner name of a
DNAME RR, due to a change at the authoritative server where data from
before and after the change resides in the cache. This conflict
situation is a transitional phase, that ends when the old data times
out. The cache can opt to store both old and new data and treat each
as if the other did not exist, or drop the old data, or drop the
longer domain name. In any approach, consistency returns after the
older data TTL times out.
DNS caches MUST perform CNAME synthesis on behalf of DNAME-ignorant
clients. A DNS cache that understands DNAMEs can send out queries on
behalf of clients with the UD bit set. After receiving the answers
the DNS cache sends replies to DNAME ignorant clients that include
DNAMEs and synthesized CNAMEs.
4. DNAME Discussions in Other Documents 4. DNAME Discussions in Other Documents
In [RFC2181], in Section 10.3., the discussion on MX and NS records In [RFC2181], in Section 10.3., the discussion on MX and NS records
touches on redirection by CNAMEs, but this also holds for DNAMEs. touches on redirection by CNAMEs, but this also holds for DNAMEs.
Excerpt from 10.3. MX and NS records (in RFC 2181). Excerpt from 10.3. MX and NS records (in RFC 2181).
The domain name used as the value of a NS resource record, The domain name used as the value of a NS resource record,
or part of the value of a MX resource record must not be or part of the value of a MX resource record must not be
an alias. Not only is the specification clear on this an alias. Not only is the specification clear on this
skipping to change at page 11, line 20 skipping to change at page 12, line 9
is to be replaced by is to be replaced by
"Those nodes are NOT RECOMMENDED to support the experimental "Those nodes are NOT RECOMMENDED to support the experimental
A6 Resource Record [RFC3363]." A6 Resource Record [RFC3363]."
5. Other Issues with DNAME 5. Other Issues with DNAME
There are several issues to be aware of about the use of DNAME. There are several issues to be aware of about the use of DNAME.
5.1. MX, NS and PTR Records Must Point to Target of DNAME 5.1. Canonical hostnames cannot be below DNAME owners
The names listed as target names of MX, NS and PTR records must be The names listed as target names of MX, NS, PTR and SRV [RFC2782]
canonical hostnames. This means no CNAME or DNAME redirection may be records must be canonical hostnames. This means no CNAME or DNAME
present during DNS lookup of the address records for the host. This redirection may be present during DNS lookup of the address records
is discussed in RFC 2181 [RFC2181], section 10.3, and RFC 1912 for the host. This is discussed in RFC 2181 [RFC2181], section 10.3,
[RFC1912], section 2.4. and RFC 1912 [RFC1912], section 2.4. For SRV see RFC 2782 [RFC2782]
page 4.
The upshot of this is that although the lookup of a PTR record can The upshot of this is that although the lookup of a PTR record can
involve DNAMEs, the name listed in the PTR record can not fall under involve DNAMEs, the name listed in the PTR record can not fall under
a DNAME. The same holds for NS and MX records. For example, when a DNAME. The same holds for NS, SRV and MX records. For example,
punycode alternates for a zone use DNAME then the NS, MX and PTR when punycode alternates for a zone use DNAME then the NS, MX, SRV
records that point to that zone must use names without punycode in and PTR records that point to that zone must use names without
their RDATA. What must be done then is to have the domain names with punycode in their RDATA. What must be done then is to have the
DNAME substitution already applied to it as the MX, NS, PTR data. domain names with DNAME substitution already applied to it as the MX,
These are valid canonical hostnames. NS, PTR, SRV data. These are valid canonical hostnames.
5.2. Dynamic Update and DNAME 5.2. Dynamic Update and DNAME
DNAME records can be added, changed and removed in a zone using DNAME records can be added, changed and removed in a zone using
dynamic update transactions. Adding a DNAME RR to a zone occludes dynamic update transactions. Adding a DNAME RR to a zone occludes
any domain names that may exist under the added DNAME. any domain names that may exist under the added DNAME.
A server MUST ignore a dynamic update message that attempts to add a A server MUST ignore a dynamic update message that attempts to add a
DNAME RR at a name that already has a CNAME RR or another DNAME RR DNAME RR at a name that already has a CNAME RR or another DNAME RR
associated with that name. associated with that name.
skipping to change at page 13, line 23 skipping to change at page 14, line 8
the CNAME has no signature, since the server does not sign online. the CNAME has no signature, since the server does not sign online.
So it cannot be trusted. It could be altered by an attacker to be So it cannot be trusted. It could be altered by an attacker to be
foo.bar.example.com CNAME bla.bla.example. The DNAME record does foo.bar.example.com CNAME bla.bla.example. The DNAME record does
have its signature included, since it does not change for every query have its signature included, since it does not change for every query
name. The validator must verify the DNAME signature and then name. The validator must verify the DNAME signature and then
recursively resolve further to query for the foo.bar.example.net A recursively resolve further to query for the foo.bar.example.net A
record. record.
6. IANA Considerations 6. IANA Considerations
The main purpose of this draft is to discuss issues related to the The DNAME Resource Record type code 39 (decimal) originally has been
use of DNAME RRs in a DNS zone. The original document registered the registered by [RFC2672]. IANA should update the DNS resource record
DNAME Resource Record type code 39 (decimal). IANA should update the registry to point to this document for RR type 39.
DNS resource record registry by adding a pointer to this document for
RR type 39.
This draft requests the second highest bit in the EDNS flags field This draft requests the second highest bit in the EDNS flags field
for the Understand-DNAME (UD) flag. for the Understand-DNAME (UD) flag.
7. Security Considerations 7. Security Considerations
DNAME redirects queries elsewhere, which may impact security based on DNAME redirects queries elsewhere, which may impact security based on
policy and the security status of the zone with the DNAME and the policy and the security status of the zone with the DNAME and the
redirection zone's security status. redirection zone's security status.
skipping to change at page 14, line 5 skipping to change at page 14, line 36
of wildcarded DNAMEs is discouraged in any case [RFC4592]. of wildcarded DNAMEs is discouraged in any case [RFC4592].
A validating resolver MUST understand DNAME, according to [RFC4034]. A validating resolver MUST understand DNAME, according to [RFC4034].
In Section 5.3.2 examples are given that illustrate this need. In Section 5.3.2 examples are given that illustrate this need.
8. Acknowledgments 8. Acknowledgments
The authors of this draft would like to acknowledge Matt Larson for The authors of this draft would like to acknowledge Matt Larson for
beginning this effort to address the issues related to the DNAME RR beginning this effort to address the issues related to the DNAME RR
type. The authors would also like to acknowledge Paul Vixie, Ed type. The authors would also like to acknowledge Paul Vixie, Ed
Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly and Sam Weiler for Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly, Sam Weiler, Alfred
their review and comments on this document. Hoenes and Kevin Darcy for their review and comments on this
document.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, April 1997. RFC 2136, April 1997.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999.
[RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
RFC 2672, August 1999. RFC 2672, August 1999.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003. (RR) Types", RFC 3597, September 2003.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005. RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005. RFC 4034, March 2005.
 End of changes. 38 change blocks. 
170 lines changed or deleted 196 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/