draft-ietf-dnsext-rfc2672bis-dname-15.txt   draft-ietf-dnsext-rfc2672bis-dname-16.txt 
DNS Extensions Working Group S. Rose DNS Extensions Working Group S. Rose
Internet-Draft NIST Internet-Draft NIST
Obsoletes: 2672 (if approved) W. Wijngaards Obsoletes: 2672 (if approved) W. Wijngaards
Updates: 3363,4294 NLnet Labs Updates: 3363,4294 NLnet Labs
(if approved) March 6, 2009 (if approved) June 29, 2009
Intended status: Standards Track Intended status: Standards Track
Expires: September 7, 2009 Expires: December 31, 2009
Update to DNAME Redirection in the DNS Update to DNAME Redirection in the DNS
draft-ietf-dnsext-rfc2672bis-dname-15 draft-ietf-dnsext-rfc2672bis-dname-16
Status of This Memo Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
skipping to change at page 1, line 45 skipping to change at page 1, line 45
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 7, 2009. This Internet-Draft will expire on December 31, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 17 skipping to change at page 3, line 17
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 4 2. The DNAME Resource Record . . . . . . . . . . . . . . . . . . 4
2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 5 2.2. The DNAME Substitution . . . . . . . . . . . . . . . . . . 5
2.3. DNAME Apex not Redirected itself . . . . . . . . . . . . . 6 2.3. DNAME Apex not Redirected itself . . . . . . . . . . . . . 6
2.4. Names Next to and Below a DNAME Record . . . . . . . . . . 7 2.4. Names Next to and Below a DNAME Record . . . . . . . . . . 7
2.5. Compression of the DNAME record. . . . . . . . . . . . . . 7 2.5. Compression of the DNAME record. . . . . . . . . . . . . . 7
3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. CNAME synthesis and UD bit . . . . . . . . . . . . . . . . 8 3.1. CNAME synthesis . . . . . . . . . . . . . . . . . . . . . 8
3.2. Server algorithm . . . . . . . . . . . . . . . . . . . . . 9 3.2. Server algorithm . . . . . . . . . . . . . . . . . . . . . 8
3.3. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 11 3.3. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 10
3.4. Acceptance and Intermediate Storage . . . . . . . . . . . 11 3.4. Acceptance and Intermediate Storage . . . . . . . . . . . 10
4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 12 4. DNAME Discussions in Other Documents . . . . . . . . . . . . . 11
5. Other Issues with DNAME . . . . . . . . . . . . . . . . . . . 13 5. Other Issues with DNAME . . . . . . . . . . . . . . . . . . . 12
5.1. Canonical hostnames cannot be below DNAME owners . . . . . 13 5.1. Canonical hostnames cannot be below DNAME owners . . . . . 12
5.2. Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 13 5.2. Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 12
5.3. DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 13 5.3. DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 13
5.3.1. Signed DNAME, Unsigned Synthesized CNAME . . . . . . . 14 5.3.1. Signed DNAME, Unsigned Synthesized CNAME . . . . . . . 13
5.3.2. DNAME Bit in NSEC Type Map . . . . . . . . . . . . . . 14 5.3.2. DNAME Bit in NSEC Type Map . . . . . . . . . . . . . . 13
5.3.3. DNAME Chains as Strong as the Weakest Link . . . . . . 14 5.3.3. DNAME Chains as Strong as the Weakest Link . . . . . . 13
5.3.4. Validators Must Understand DNAME . . . . . . . . . . . 14 5.3.4. Validators Must Understand DNAME . . . . . . . . . . . 13
5.3.4.1. DNAME in Bitmap Causes Invalid Name Error . . . . 14 5.3.4.1. DNAME in Bitmap Causes Invalid Name Error . . . . 13
5.3.4.2. Valid Name Error Response Involving DNAME in 5.3.4.2. Valid Name Error Response Involving DNAME in
Bitmap . . . . . . . . . . . . . . . . . . . . . . 15 Bitmap . . . . . . . . . . . . . . . . . . . . . . 14
5.3.4.3. Response With Synthesized CNAME . . . . . . . . . 15 5.3.4.3. Response With Synthesized CNAME . . . . . . . . . 14
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Normative References . . . . . . . . . . . . . . . . . . . 16 9.1. Normative References . . . . . . . . . . . . . . . . . . . 15
9.2. Informative References . . . . . . . . . . . . . . . . . . 17 9.2. Informative References . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
DNAME is a DNS Resource Record type originally defined in RFC 2672 DNAME is a DNS Resource Record type originally defined in RFC 2672
[RFC2672]. DNAME provides redirection from a part of the DNS name [RFC2672]. DNAME provides redirection from a part of the DNS name
tree to another part of the DNS name tree. tree to another part of the DNS name tree.
The DNAME RR and the CNAME RR [RFC1034] cause a lookup to The DNAME RR and the CNAME RR [RFC1034] cause a lookup to
(potentially) return data corresponding to a domain name different (potentially) return data corresponding to a domain name different
from the queried domain name. The difference between the two from the queried domain name. The difference between the two
skipping to change at page 4, line 41 skipping to change at page 4, line 41
network causes no change to the authoritative server that has the network causes no change to the authoritative server that has the
address-to-name mappings. Examples in practice are classless reverse address-to-name mappings. Examples in practice are classless reverse
address space delegations. address space delegations.
Another usage of DNAME lies in aliasing of name spaces. For example, Another usage of DNAME lies in aliasing of name spaces. For example,
a zone administrator may want sub-trees of the DNS to contain the a zone administrator may want sub-trees of the DNS to contain the
same information. Examples include punycode alternates for domain same information. Examples include punycode alternates for domain
spaces. spaces.
This revision to DNAME does not change the wire format or the This revision to DNAME does not change the wire format or the
handling of DNAME Resource Records by existing software. A new UD handling of DNAME Resource Records. Discussion is added on problems
(Understand DNAME) bit in the EDNS flags field can be used to signal
that CNAME synthesis is not needed. Discussion is added on problems
that may be encountered when using DNAME. that may be encountered when using DNAME.
2. The DNAME Resource Record 2. The DNAME Resource Record
2.1. Format 2.1. Format
The DNAME RR has mnemonic DNAME and type code 39 (decimal). It is The DNAME RR has mnemonic DNAME and type code 39 (decimal). It is
not class-sensitive. not class-sensitive.
Its RDATA is comprised of a single field, <target>, which contains a Its RDATA is comprised of a single field, <target>, which contains a
skipping to change at page 6, line 11 skipping to change at page 6, line 11
labels end with the root label in all cases. Only whole labels are labels end with the root label in all cases. Only whole labels are
replaced. See the table of examples for common cases and corner replaced. See the table of examples for common cases and corner
cases. cases.
In the table below, the QNAME refers to the query name. The owner is In the table below, the QNAME refers to the query name. The owner is
the DNAME owner domain name, and the target refers to the target of the DNAME owner domain name, and the target refers to the target of
the DNAME record. The result is the resulting name after performing the DNAME record. The result is the resulting name after performing
the DNAME substitution on the query name. "no match" means that the the DNAME substitution on the query name. "no match" means that the
query did not match the DNAME and thus no substitution is performed query did not match the DNAME and thus no substitution is performed
and a possible error message is returned (if no other result is and a possible error message is returned (if no other result is
possible). In the examples below, 'cyc' and 'shortloop' contain possible). Thus every line contains one example substitution. In
loops. the examples below, 'cyc' and 'shortloop' contain loops.
QNAME owner DNAME target result QNAME owner DNAME target result
---------------- -------------- -------------- ----------------- ---------------- -------------- -------------- -----------------
com. example.com. example.net. <no match> com. example.com. example.net. <no match>
example.com. example.com. example.net. <no match> example.com. example.com. example.net. <no match>
a.example.com. example.com. example.net. a.example.net. a.example.com. example.com. example.net. a.example.net.
a.b.example.com. example.com. example.net. a.b.example.net. a.b.example.com. example.com. example.net. a.b.example.net.
ab.example.com. b.example.com. example.net. <no match> ab.example.com. b.example.com. example.net. <no match>
foo.example.com. example.com. example.net. foo.example.net. foo.example.com. example.com. example.net. foo.example.net.
a.x.example.com. x.example.com. example.net. a.example.net. a.x.example.com. x.example.com. example.net. a.example.net.
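Review bot: The sentence added in the -16 column, "Thus every line contains one example substitution", does not follow from the preceding sentence about "no match", and it is inaccurate for the rows whose result is <no match>, where no substitution is performed. Suggest dropping "Thus", wording it as "Each line of the table is one example", and placing it before the explanation of "no match".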
skipping to change at page 7, line 50 skipping to change at page 7, line 50
Although the previous DNAME specification [RFC2672] (that is Although the previous DNAME specification [RFC2672] (that is
obsoleted by this specification) talked about signaling to allow obsoleted by this specification) talked about signaling to allow
compression of the target name, such signaling has never been compression of the target name, such signaling has never been
specified and this document also does not specify this signaling specified and this document also does not specify this signaling
behavior. behavior.
RFC 2672 (obsoleted by this document) stated that the EDNS version RFC 2672 (obsoleted by this document) stated that the EDNS version
had a meaning for understanding of DNAME and DNAME target name had a meaning for understanding of DNAME and DNAME target name
compression. This document revises RFC 2672, in that there is no compression. This document revises RFC 2672, in that there is no
EDNS version signaling for DNAME. However, the flags section of EDNS version signaling for DNAME.
EDNS(0) is updated with a Understand-DNAME flag by this document (See
Section 3.3).
3. Processing 3. Processing
The DNAME RR causes type NS additional section processing. This The DNAME RR causes type NS additional section processing. This
refers to action at step 6 of the server algorithm outlined in refers to action at step 6 of the server algorithm outlined in
section 3.2. section 3.2.
3.1. CNAME synthesis and UD bit 3.1. CNAME synthesis
When preparing an response, a server performing a DNAME substitution When preparing an response, a server performing a DNAME substitution
will in all cases include the relevant DNAME RR in the answer will in all cases include the relevant DNAME RR in the answer
section. A CNAME RR with TTL equal to the corresponding DNAME RR is section. A CNAME RR with TTL equal to the corresponding DNAME RR is
synthesized and included in the answer section for resolvers that did synthesized and included in the answer section for resolvers that did
not indicate understanding of DNAME in queries. The owner name of not indicate understanding of DNAME in queries. The owner name of
the CNAME is the QNAME of the query. The DNSSEC specification the CNAME is the QNAME of the query. The DNSSEC specification
[RFC4033], [RFC4034], [RFC4035] says that the synthesized CNAME does [RFC4033], [RFC4034], [RFC4035] says that the synthesized CNAME does
not have to be signed. The DNAME has an RRSIG and a validating not have to be signed. The DNAME has an RRSIG and a validating
resolver can check the CNAME against the DNAME record and validate resolver can check the CNAME against the DNAME record and validate
the signature over the DNAME RR. the signature over the DNAME RR.
Resolvers MUST be able to handle a synthesized CNAME TTL of zero or Resolvers MUST be able to handle a synthesized CNAME TTL of zero or
equal to the TTL of the corresponding DNAME record. A TTL of zero equal to the TTL of the corresponding DNAME record. A TTL of zero
means that the CNAME can be discarded immediately after processing means that the CNAME can be discarded immediately after processing
the answer. DNAME aware resolvers can set the Understand-DNAME (UD the answer.
bit) to indicate that they can handle a response with only a DNAME RR
and no synthesized CNAMEs.
The UD bit is part of the EDNS [RFC2671] extended RCODE and Flags
field. It is used to omit server processing, transmission and
resolver processing of unsigned synthesized CNAMEs. Resolvers can
set this in a query to request omission of the synthesized CNAMEs.
Servers copy the UD bit to the response, and can omit synthesized
CNAMEs from the answer. Resolvers that do not implement this
specification, do not set the UD bit, and servers that do not
implement this specification do not copy the UD bit to the answer,
and will not omit synthesized CNAMEs.
Updated EDNS extended RCODE and Flags field.
+0 (MSB) +1 (LSB)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
0: | EXTENDED-RCODE | VERSION |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
2: |DO|UD| Z |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Servers MUST be able to answer a query for a synthesized CNAME. Like Servers MUST be able to answer a query for a synthesized CNAME. Like
other query types this invokes the DNAME, and synthesizes the CNAME other query types this invokes the DNAME, and synthesizes the CNAME
into the answer. into the answer.
3.2. Server algorithm 3.2. Server algorithm
Below is the server algorithm, which appeared in RFC 2672 Section Below is the server algorithm, which appeared in RFC 2672 Section
4.1, it is expanded to handle the UD (Understand-DNAME) bit. 4.1.
1. Set or clear the value of recursion available in the response 1. Set or clear the value of recursion available in the response
depending on whether the name server is willing to provide depending on whether the name server is willing to provide
recursive service. If recursive service is available and recursive service. If recursive service is available and
requested via the RD bit in the query, go to step 5, otherwise requested via the RD bit in the query, go to step 5, otherwise
step 2. step 2.
2. Search the available zones for the zone which is the nearest 2. Search the available zones for the zone which is the nearest
ancestor to QNAME. If such a zone is found, go to step 3, ancestor to QNAME. If such a zone is found, go to step 3,
otherwise step 4. otherwise step 4.
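Review bot: Section 3.1 in the -16 column still says the CNAME is synthesized "for resolvers that did not indicate understanding of DNAME in queries", but this revision removes the UD bit and Section 2.5 now states there is no EDNS version signaling for DNAME, so a resolver has no way left to indicate that. Suggest ending the sentence at "included in the answer section" so that synthesis reads as unconditional. The same paragraph opens with "When preparing an response" in both columns, which should read "a response".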
skipping to change at page 10, line 19 skipping to change at page 9, line 33
4. 4.
C. If at some label, a match is impossible (i.e., the C. If at some label, a match is impossible (i.e., the
corresponding label does not exist), look to see whether the corresponding label does not exist), look to see whether the
last label matched has a DNAME record. last label matched has a DNAME record.
If a DNAME record exists at that point, copy that record into If a DNAME record exists at that point, copy that record into
the answer section. If substitution of its <target> for its the answer section. If substitution of its <target> for its
<owner> in QNAME would overflow the legal size for a <domain- <owner> in QNAME would overflow the legal size for a <domain-
name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise
perform the substitution and continue. If the EDNS OPT perform the substitution and continue. The server MUST
record is present in the query and the UD bit is set, the synthesize a CNAME record as described above and include it
server MAY copy the UD bit to the answer EDNS OPT record, and in the answer section. Go back to step 1.
omit CNAME synthesis. Else the server MUST synthesize a
CNAME record as described above and include it in the answer
section. Go back to step 1.
If there was no DNAME record, look to see if the "*" label If there was no DNAME record, look to see if the "*" label
exists. exists.
If the "*" label does not exist, check whether the name we If the "*" label does not exist, check whether the name we
are looking for is the original QNAME in the query or a name are looking for is the original QNAME in the query or a name
we have followed due to a CNAME or DNAME. If the name is we have followed due to a CNAME or DNAME. If the name is
original, set an authoritative name error in the response and original, set an authoritative name error in the response and
exit. Otherwise just exit. exit. Otherwise just exit.
skipping to change at page 11, line 38 skipping to change at page 11, line 4
A server MAY give a warning that the behavior is unspecified if such A server MAY give a warning that the behavior is unspecified if such
a wildcarded DNAME is loaded. The server MAY refuse it, refuse to a wildcarded DNAME is loaded. The server MAY refuse it, refuse to
load the zone or refuse dynamic updates. load the zone or refuse dynamic updates.
3.4. Acceptance and Intermediate Storage 3.4. Acceptance and Intermediate Storage
Recursive caching name servers can encounter data at names below the Recursive caching name servers can encounter data at names below the
owner name of a DNAME RR, due to a change at the authoritative server owner name of a DNAME RR, due to a change at the authoritative server
where data from before and after the change resides in the cache. where data from before and after the change resides in the cache.
This conflict situation is a transitional phase, that ends when the This conflict situation is a transitional phase, that ends when the
old data times out. The caching name server can opt to store both old data times out. The caching name server can opt to store both
old and new data and treat each as if the other did not exist, or old and new data and treat each as if the other did not exist, or
drop the old data, or drop the longer domain name. In any approach, drop the old data, or drop the longer domain name. In any approach,
consistency returns after the older data TTL times out. consistency returns after the older data TTL times out.
Recursive caching name servers MUST perform CNAME synthesis on behalf Recursive caching name servers MUST perform CNAME synthesis on behalf
of DNAME-ignorant clients. A recursive caching name server that of clients.
understands DNAMEs can send out queries on behalf of clients with the
UD bit set (See Section 3.1). After receiving the answers the
recursive caching name server sends replies to DNAME ignorant clients
that include DNAMEs and synthesized CNAMEs.
If a recursive caching name server encounters a DNAME RR which If a recursive caching name server encounters a DNAME RR which
contradicts information already in the cache (excluding CNAME contradicts information already in the cache (excluding CNAME
records), it SHOULD NOT cache the DNAME RR, but it MAY cache the records), it SHOULD NOT cache the DNAME RR, but it MAY cache the
CNAME record received along with it or synthesized from the DNAME CNAME record received along with it or synthesized from the DNAME
record, subject to the rules for CNAME caching. record, subject to the rules for CNAME caching.
4. DNAME Discussions in Other Documents 4. DNAME Discussions in Other Documents
In [RFC2181], in Section 10.3., the discussion on MX and NS records In [RFC2181], in Section 10.3., the discussion on MX and NS records
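Review bot: The shortened requirement in Section 3.4, "Recursive caching name servers MUST perform CNAME synthesis on behalf of clients", does not say which TTL the cache puts on a CNAME it synthesizes from a cached DNAME. Section 3.1 gives the TTL rule for synthesized CNAMEs (equal to the DNAME TTL, with resolvers also required to handle zero); suggest adding a reference to Section 3.1 here so the cache-side behaviour is pinned to the same rule.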
skipping to change at page 13, line 50 skipping to change at page 13, line 12
DNAME records can be added, changed and removed in a zone using DNAME records can be added, changed and removed in a zone using
dynamic update transactions. Adding a DNAME RR to a zone occludes dynamic update transactions. Adding a DNAME RR to a zone occludes
any domain names that may exist under the added DNAME. any domain names that may exist under the added DNAME.
A server MUST reject a dynamic update message that attempts to add a A server MUST reject a dynamic update message that attempts to add a
DNAME RR at a name that already has a CNAME RR or another DNAME RR DNAME RR at a name that already has a CNAME RR or another DNAME RR
associated with that name. associated with that name.
5.3. DNSSEC and DNAME 5.3. DNSSEC and DNAME
The following is for implementations that understand both DNSSEC and The following subsections specify the behavior of implementations
DNAME (synthesis). that understand both DNSSEC and DNAME (synthesis).
5.3.1. Signed DNAME, Unsigned Synthesized CNAME 5.3.1. Signed DNAME, Unsigned Synthesized CNAME
In any response, a signed DNAME RR indicates a non-terminal In any response, a signed DNAME RR indicates a non-terminal
redirection of the query. There might or might not be a server redirection of the query. There might or might not be a server
synthesized CNAME in the answer section, if there is, the CNAME will synthesized CNAME in the answer section; if there is, the CNAME will
never be signed. For a DNSSEC validator, verification of the DNAME never be signed. For a DNSSEC validator, verification of the DNAME
RR and then checking that the CNAME was properly synthesized is RR and then checking that the CNAME was properly synthesized is
sufficient proof. sufficient proof.
5.3.2. DNAME Bit in NSEC Type Map 5.3.2. DNAME Bit in NSEC Type Map
In any negative response, the NSEC or NSEC3 [RFC5155] record type bit In any negative response, the NSEC or NSEC3 [RFC5155] record type bit
map SHOULD be checked to see that there was no DNAME that could have map SHOULD be checked to see that there was no DNAME that could have
been applied. If the DNAME bit in the type bit map is set and the been applied. If the DNAME bit in the type bit map is set and the
query name is a subdomain of the closest encloser that is asserted, query name is a subdomain of the closest encloser that is asserted,
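Review bot: Section 5.3.1 keeps "There might or might not be a server synthesized CNAME in the answer section" in both columns, while step 3.C of the server algorithm in -16 now says the server MUST synthesize the CNAME and include it in the answer section. Suggest either explaining why a validator can still see a response without the CNAME, or rewording 5.3.1 to match the unconditional synthesis, so that validator authors know whether a missing CNAME is an expected case.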
skipping to change at page 15, line 46 skipping to change at page 15, line 11
change. The validator must verify the DNAME signature and then change. The validator must verify the DNAME signature and then
recursively resolve further to query for the foo.bar.example.net A recursively resolve further to query for the foo.bar.example.net A
record. record.
6. IANA Considerations 6. IANA Considerations
The DNAME Resource Record type code 39 (decimal) originally has been The DNAME Resource Record type code 39 (decimal) originally has been
registered by [RFC2672]. IANA should update the DNS resource record registered by [RFC2672]. IANA should update the DNS resource record
registry to point to this document for RR type 39. registry to point to this document for RR type 39.
This draft requests the second highest bit in the EDNS flags field
for the Understand-DNAME (UD) flag as described in Section 3.1.
7. Security Considerations 7. Security Considerations
DNAME redirects queries elsewhere, which may impact security based on DNAME redirects queries elsewhere, which may impact security based on
policy and the security status of the zone with the DNAME and the policy and the security status of the zone with the DNAME and the
redirection zone's security status. For validating resolvers, the redirection zone's security status. For validating resolvers, the
lowest security status of the links in the chain of CNAME and DNAME lowest security status of the links in the chain of CNAME and DNAME
redirections is applied to the result. redirections is applied to the result.
If a validating resolver accepts wildcarded DNAMEs, this creates If a validating resolver accepts wildcarded DNAMEs, this creates
security issues. Since the processing of a wildcarded DNAME is non- security issues. Since the processing of a wildcarded DNAME is non-
deterministic and the CNAME that was substituted by the server has no deterministic and the CNAME that was substituted by the server has no
signature, the resolver may choose a different result than what the signature, the resolver may choose a different result than what the
server meant, and consequently end up at the wrong destination. Use server meant, and consequently end up at the wrong destination. Use
of wildcarded DNAMEs is discouraged in any case [RFC4592]. of wildcarded DNAMEs is discouraged in any case [RFC4592].
A validating resolver MUST understand DNAME, according to [RFC4034]. A validating resolver MUST understand DNAME, according to [RFC4034].
In RFC 4034 Section 5.3.4 examples are given that illustrate this The examples in Section 5.3.4 illustrate this need.
need.
8. Acknowledgments 8. Acknowledgments
The authors of this draft would like to acknowledge Matt Larson for The authors of this draft would like to acknowledge Matt Larson for
beginning this effort to address the issues related to the DNAME RR beginning this effort to address the issues related to the DNAME RR
type. The authors would also like to acknowledge Paul Vixie, Ed type. The authors would also like to acknowledge Paul Vixie, Ed
Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly, Sam Weiler, Alfred Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly, Sam Weiler, Alfred
Hoenes and Kevin Darcy for their review and comments on this Hoenes and Kevin Darcy for their review and comments on this
document. document.
skipping to change at page 16, line 48 skipping to change at page 16, line 9
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, April 1997. RFC 2136, April 1997.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003. (RR) Types", RFC 3597, September 2003.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005. RFC 4033, March 2005.
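Review bot: The [RFC2671] entry is dropped from the references in -16, but Section 2.5 in the same column still discusses EDNS ("there is no EDNS version signaling for DNAME"). Suggest keeping RFC 2671 as an informative reference and citing it at that sentence, so the remaining EDNS mention is not left without a pointer.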
 End of changes. 25 change blocks. 
77 lines changed or deleted 39 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/