draft-ietf-dnsext-wcard-clarify-02.txt   draft-ietf-dnsext-wcard-clarify-03.txt 
dnsext Working Group B. Halley DNSEXT Working Group E. Lewis
Internet Draft Nominum INTERNET DRAFT NeuStar
Expiration Date: March 2004 Expiration Date: April 2005 October 2004
E. Lewis
ARIN
September 2003
Clarifying the Role of Wild Card Domains Clarifying the Role of Wild Card Domains
in the Domain Name System in the Domain Name System
draft-ietf-dnsext-wcard-clarify-02.txt draft-ietf-dnsext-wcard-clarify-03.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions By submitting this Internet-Draft, each author represents that any
of Section 10 of RFC2026. applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt
To view the list Internet-Draft Shadow Directories, see The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html
This Internet-Draft will expire on April 11, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract Abstract
The definition of wild cards is recast from the original in RFC 1034, The definition of wild cards is recast from the original in RFC 1034,
in words that are more specific and in line with RFC 2119. This in words that are more specific and in line with RFC 2119. This
document is meant to supplement the definition in RFC 1034 and to document is meant to supplement the definition in RFC 1034 and not to
alter neither the spirit nor intent of that definition. significantly alter the spirit or intent of that definition.
Table of Contents 1 Introduction
Abstract ................................................ 1 In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the synthesis
1 Introduction ............................................ 2 of answers from special records called wildcards. The original
1.1 Document Limits ......................................... 3 definitions are incomplete. This document clarifies and describes
1.2 Existence ............................................... 4 the wildcard synthesis by adding to the discussion and making
1.3 An Example .............................................. 4 limited modifications. Modifications are made only where necessary
1.4 Empty Non-terminals ..................................... 5 to close inconsistencies that have led to interoperability issues.
1.5 Terminology ............................................. 6
2 Defining the Wild Card Domain Name ...................... 7
3 Defining Existence ...................................... 8
4 Impact of a Wild Card In a Query or in RDATA ............ 8
5 Impact of a Wild Card Domain On a Response .............. 9
6 Considerations with Special Types ....................... 12
6.1 SOA RR's at a Wild Card Domain Name ..................... 12
6.2 NS RR's at a Wild Card Domain Name ...................... 12
6.3 CNAME RR's at a Wild Card Domain Name ................... 13
6.4 DNAME RR's at a Wild Card Domain Name ................... 13
7 Security Considerations ................................. 14
8 References .............................................. 14
9 Others Contributing to This Document .................... 14
10 Editors ................................................. 15
Appendix A: Subdomains of Wild Card Domain Names ........ 16
Full Copyright Statement ................................ 18
Acknowledgement ......................................... 18
1. Introduction 1.1 Motivation
The first section of this document will give a crisp overview of what Over time many implementations have diverged in different ways from
is begin defined, as well as the motivation rewording of an original the original definition, or at least what had been intended. Although
document and making a change to bring the specification in line with there is clearly a need to clarify the original documents in light
implementations. Examples are included to help orient the reader. of this, the impetus for this document lay in the engineering of
the DNS security extensions [RFC TBD]. With an unclear definition
of wildcards the design of authenticated denial became entangled.
Wild card domain names are defined in Section 4.3.3. of RFC 1034 as Although this document is motivated by DNSSEC and the need to
"instructions for synthesizing RRs." [RFC1034]. The meaning of this have a separate document passed for the sake of DNSSEC, other
is that a specific, special domain name is used to construct motivations have risen. The renewed understanding of wildcards gained
responses in instances in which the query name is not otherwise is worthy of being documented.
represented in a zone.
A wild card domain name has a specific range of influence on query 1.2 The Original Definition
names (QNAMEs) within a given class, which is rooted at the domain
name containing the wild card label, and is limited by explicit
entries, zone cuts and empty non-terminal domains (see section 1.3 of
this document).
Note that a wild card domain name has no special impact on the search This document is intended to not make changes. To reinforce
for a query type (QTYPE). If a domain name is found that matches the this, sections of RFC 1034 are repeated verbatim for convenience
QNAME (exact or a wild card) but the QTYPE is not found at that of the reader, to help in comparison of old and new text.
point, the proper response is that there is no data available. The
search does not continue on to seek other wild cards that might match
the QTYPE. To illustrate, a wild card owning an MX RR does not
'cover' other names in the zone that own an A RR. There are certain
special case RR types that will be singled out for discussion, the
SOA RR, NS RR, CNAME RR, and DNAME RR.
Why is this document needed? Empirical evidence suggests that the There are a few passages which are changed. This may seem to
words in RFC 1034 are not clear enough. There exist a number of contradict the goal of not changing the original specification,
implementations that have strayed (each differently) from that but the changes herein are required because of inconsistencies
definition. There also exists a misconception of operators that the with the wording in RFC 1034.
wild card can be used to add a specific RR type to all names, such as
the MX RR example cited above. This document is also needed as input
to efforts to extend DNS, such as the DNS Security Extensions [RFC
2535]. Lack of a clear base specification has proven to result in
extension documents that have unpredictable consequences. (This is
true in general, not just for DNS.)
Another reason this clarification is needed is to answer questions The beginning of the discussion ought to start with the definition
regarding authenticated denial of existence, a service introduced in of the term "wildcard" as it appears in RFC 1034, section 4.3.3.
the DNS Security Extensions [RFC 2535]. Prior to the work leading up
to this document, it had been feared that a large number of proof
records (NXTs) might be needed in each reply because of the unknown
number of potential wild card domains that were thought to be
applicable. One outcome of this fear is a now discontinued document
solving a problem that is now known not to exist. I.e., this
clarification has the impact of defending against unwarranted
protocol surgery. It is not "yet another" effort to just rewrite the
early specifications for the sake of purity.
Although the effort to define the DNS Security Extensions has # In the previous algorithm, special treatment was given to RRs with owner
prompted this document, the clarifications herein relate to basic DNS # names starting with the label "*". Such RRs are called wildcards.
only. No DNS Security Extensions considerations are mentioned in the # Wildcard RRs can be thought of as instructions for synthesizing RRs.
document. # When the appropriate conditions are met, the name server creates RRs
# with an owner name equal to the query name and contents taken from the
# wildcard RRs.
1.1. Document Limits This passage appears after the algorithm in which they are used is
presented. The terminology is not consistent, the word "wildcard"
is clearly defined to be a resource record. In the next sentence
the term is shifted to be an adjective, the first step on the
path to overloading the term. Wildcard has also been used to
refer to domain names that begin with a "*".
This document limits itself to reinforcing the concepts in RFC 1034. 1.3 The Clarification
In the effort to do this, a few issues have been discussed that
change parts of what is in RFC 1034. The discussions have been held
within the DNS Extensions Working Group.
Briefly, the issues raised include: The clarification effort can be divided into three sections. One
- The lack of clarity in the definition of domain name existence is the use of new terminology to better describe wildcards. Changes
- Implications of a wild card domain name owning any of the to words in RFC 1034 that have resulted by discovering conflicting
following resource record sets: DNAME [RFC 2672], CNAME, NS, and concepts are presented. Descriptions of special type records in the
SOA context of being wildcards is discussed.
- Whether RFC 1034 meant to allow special processing of CNAME RR's
owned by wild card domain names
1.2. Existence 1.3.1 New Terms
The notion that a domain name 'exists' will arise numerous times in The term "wildcard" has become so overloaded it is virtually useless
this discussion. RFC 1034 raises the issue of existence in a number as a description. A few new terms will be introduced to be more
of places, usually in reference to non-existence and often in descriptive. The new terms that will be introduced are:
reference to processing involving wild card domain names. RFC 1034
contains algorithms that describe how domain names impact the Asterisk Label - a label consisting of an asterisk ("*") and no
preparation of an answer and does define wild cards as a means of other characters.
synthesizing answers. Because of this a discussion on wild card
domain names has to start with the issue of existence. Wild Card Domain Name - a domain name whose least significant
label (first when reading left to right) is an asterisk label.
Other labels might also be asterisk labels.
Source of Synthesis - a Wild Card Domain Name when it is consulted in
the final paragraph of step 3, part c of RFC 1034's 4.3.2 algorithm.
Closest Encloser - in RFC 1034's 4.3.2 algorithm, the name at which
the last match was possible in step 3, part c. This is the longest
sequence of exactly matching labels from the root downward in both the
sought name (QNAME) and in the zone being examined.
Label Match - two labels are equivalent if the label type and label
length are the same bit sequence and if the name is the label is
equivalent bit wise after down casing all of the ASCII characters.
[Ed note: do we still call them ASCII?]
These terms will be more fully described as needed later. These
terms will be used to describe a few changes to the words in RFC
1034. A summary of the changes appear next and will be fully
covered in later sections.
1.3.2 Changed Text
The definition of "existence" is changed, superficially, to exclude
empty domains that have no subdomains with resource records. This
change will not be apparent to implementations, it is needed to
make descriptions more concise.
In RFC 1034, there is text that seems to bar having two Asterisk
Labels in a Wild Card Domain Name. There is no further discussion,
no prescribed error handling, nor enforcement described. In this
document, the use of such names will be discouraged, but implementations
will have to account for the possibility of such a name's use.
The actions when a Source of Synthesis owns a CNAME RR are changed to
mirror the actions if an exact match name owns a CNAME RR. This
is an addition to the words in RFC 1034, section 4.3.2, step 3,
part c.
1.3.3 Considerations with Special Types
This clarification will describe in some detail the semantics of
wildcard CNAME RRs, wildcard NS RRs, wildcard SOA RR's,
wildcard DNAME RRs [RFC wxyz], and empty, non-terminal wildcards.
Understanding these types in the context of wildcards has been
clouded because these types incur special processing if they
are the result of an exact match.
By the definition in RFC 1034, there can be no empty, non-terminal
"wildcards", but in the algorithm, it is possible that an empty
non-terminal is sought as the potential owner of a "wildcard." This
is one example of why the ordering of the discussion in RFC 1034 is
confusing.
1.4 Standards Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in the document entitled
"Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]
Quotations of RFC 1034 (as has already been done once above) are
denoted by a '#' in the leftmost column.
2 "Wildcard"
The context of the wildcard concept involves the algorithm by which
a name server prepares a response (in RFC 1034's section 4.3.2) and
the way in which a resource record (set) is identified as being a
source of synthetic data (section 4.3.3).
Tackling the latter first, there are two objectives in defining a
means to identify a resource record set as a source of synthesis.
First is the desire to maintain all DNS data in a consistent manner.
Avoiding the need for implementations to have many internal data
structures is a good thing. Not that this means limiting quantity,
but rather types of data. The second objective impacts interoperability,
that is a master server of one implementation has to be able to
send the synthesis instructions to the slaves. Although there are
alternatives to the use of zone transfers via port 53, a truly
interoperable record synthesis approach has to be able to insert the
synthesis instructions into a zone transfer.
The objectives in describing the synthesis of records in the context
of the name server algorithm include knowing when to employ the
process of synthesis and how the synthesis is carried out.
2.1 Identifying a wildcard
To provide a more accurate description of "wildcards", the definition
has to start with a discussion of the domain names that appear as
owners.
2.1.1 Wild Card Domain Name and Asterisk Label
A "Wild Card Domain Name" is defined by having its initial label be:
0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
The first octet is the normal label type and length for a 1 octet
long label, the second octet is the ASCII representation [RFC 20] for
the '*' character. In RFC 1034, ASCII encoding is assumed to be the
character encoding.
A descriptive name of a label equaling that value is an "Asterisk
Label."
RFC 1034's definition of wildcard would be "a resource record owned
by a Wild Card Domain Name." This is mentioned to help maintain some
orientation between this clarification and RFC 1034. Keep in mind,
that in "Clarifications to the DNS Specification" [RFC 2181] the name
of the basic unit of DNS data became the resource record set (RRSet) and
not the resource record.
2.1.2 Variations on Wild Card Domain Names
RFC 1034 and RFC 1035 do not explicitly mention the case in which a
domain name might be something like "the*.example.com." The
interpretation is that this domain name in a zone would only match
queries for "the*.example.com" and not have any other role. An
asterisk ('*') occurring other than as the sole character in
a label is simply a character forming part of the label and has no
special meaning. This is not an Asterisk Label, simply a label
an asterisk in it. The same is true for "**.example.com." and
"*the.example.com."
[Ed note: the above paragraph reads too strong. The intent ought to
be that such names do not fall under the rules of wildcards. The
intent is not to bar any future attempts to define other forms of
synthesis - nor is the intent to encourage them.]
The interpretation of a wild card domain specification which is not a
leaf domain is not clearly defined in RFC 1034. E.g., sub.*.example.,
is not discussed, not barred. In wanting to minimize changes from
the original specification, such names are permitted. Although
"sub.*.example." is not a Wild Card Domain Name, "*.example." is.
RRSets used to synthesize records can be owned by a Wild Card Domain
Name that has subdomains.
2.1.3 Non-terminal Wild Card Domain Names
In section 4.3.3, the following is stated:
# .......................... The owner name of the wildcard RRs is of
# the form "*.<anydomain>", where <anydomain> is any domain name.
# <anydomain> should not contain other * labels......................
This covers names like "*.foo.*.example." The pre-RFC2119 wording uses
"should not" which has an ambiguous meaning. The specification does not
proscribe actions upon seeing such a name, such as whether or not a
zone containing the name should fail to be served. What if a dynamic
update (RFC2136) requested to add the name to the zone? The failure
semantics are not defined.
The recommendation is that implementations ought to anticipate the
appearance of such names but generally discourage their use in
operations. No standards statement, such as "MAY NOT" or "SHOULD NOT"
is made here.
The interpretation of this is, when seeking a Wild Card Domain Name
for the purposes of record synthesis, an implementation ought not to
check the domain name for subdomains.
It is possible that a Wild Card Domain Name is an empty non-terminal.
(See the upcoming sections on empty non-terminals.) In this case,
the lookup will terminate as would any empty non-terminal match.
2.2 Existence Rules
The notion that a domain name 'exists' arises numerous times in
discussions about the wildcard concept. RFC 1034 raises the issue
of existence in a number of places, usually in reference to
non-existence and in reference to processing involving wildcards.
RFC 1034 contains algorithms that describe how domain names impact
the preparation of an answer and does define wildcards as a means of
synthesizing answers. Because of this a discussion on wildcards
needs to cover a definition of existence.
To help clarify the topic of wild cards, a positive definition of To help clarify the topic of wild cards, a positive definition of
existence is needed. Complicating matters, though, is the existence is needed. Complicating matters, though, is the
realization that existence is relative. To an authoritative server, realization that existence is relative. To an authoritative server,
a domain name exists if the domain name plays a role following the a domain name exists if the domain name plays a role following the
algorithms of preparing a response. To a resolver, a domain name algorithms of preparing a response. To a resolver, a domain name
exists if there is any data available corresponding to the name. The exists if there is any data available corresponding to the name. The
difference between the two is the synthesis of records according to a difference between the two is the synthesis of records according to a
wild card. wild card.
For the purposes of this document, the point of view of an For the purposes of this document, the point of view of an
authoritative server is adopted. A domain name is said to exist if authoritative server is more interesting. A domain name is said to
it plays a role in the execution of the algorithms in RFC 1034. exist if it plays a role in the execution of the algorithms in RFC 1034.
1.3. An Example
For example, consider this wild card domain name: *.example. Any 2.2.1. An Example
query name under example. is a candidate to be matched (answered) by
this wild card, i.e., to have an response returned that is
synthesized from the wild card's RR sets. Although any name is a
candidate, not all queries will match.
To further illustrate this, consider this zone: To illustrate what is meant by existence consider this complete zone:
$ORIGIN example. $ORIGIN example.
@ IN SOA example. 3600 IN SOA <SOA RDATA>
NS example. 3600 NS ns.example.com.
NS example. 3600 NS ns.example.net.
* TXT "this is a wild card" *.example. 3600 TXT "this is a wild card"
MX 10 mailhost.example. *.example. 3600 MX 10 host1.example.
host1 A 10.0.0.1 host1.example. 3600 A 192.0.4.1
_ssh._tcp.host1 SRV _ssh._tcp.host1.example. 3600 SRV <SRV RDATA>
_ssh._tcp.host2 SRV _ssh._tcp.host2.example. 3600 SRV <SRV RDATA>
subdel NS subdel.example. 3600 NS ns.example.com.
subdel.example. 3600 NS ns.example.net.
A look at the domain names in a tree structure is helpful:
|
-------------example------------
/ / \ \
/ / \ \
/ / \ \
* host1 host2 subdel
| |
| |
_tcp _tcp
| |
| |
_ssh _ssh
The following queries would be synthesized from the wild card: The following queries would be synthesized from the wild card:
QNAME=host3.example. QTYPE=MX, QCLASS=IN QNAME=host3.example. QTYPE=MX, QCLASS=IN
the answer will be a "host3.example. IN MX ..." the answer will be a "host3.example. IN MX ..."
QNAME=host3.example. QTYPE=A, QCLASS=IN QNAME=host3.example. QTYPE=A, QCLASS=IN
the answer will reflect "no error, but no data" the answer will reflect "no error, but no data"
because there is no A RR set at '*' because there is no A RR set at '*.example.'
QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
the answer will be "foo.bar.example. IN TXT ..."
because bar.example. does not exist, but the wildcard does.
The following queries would not be synthesized from the wild card: The following queries would not be synthesized from the wild card:
QNAME=host1.example., QTYPE=MX, QCLASS=IN QNAME=host1.example., QTYPE=MX, QCLASS=IN
because host1.example. exists because host1.example. exists
QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
because *.example. exists
QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
because _tcp.host1.example. exists (without data) because _tcp.host1.example. exists (without data)
QNAME=_telnet._tcp.host2.example., QTYPE=SRV, QCLASS=IN QNAME=_telnet._tcp.host2.example., QTYPE=SRV, QCLASS=IN
because host2.example. exists (without data) because host2.example. exists (without data)
QNAME=host.subdel.example., QTYPE=A, QCLASS=IN QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
because subdel.example. exists and is a zone cut because subdel.example. exists (and is a zone cut)
To the server, the following domains are considered to exist in the To the server, all of the domains in the tree exist. The resolver will
zone: *, host1, _tcp.host1, _ssh._tcp.host1, host2, _tcp.host2, get answers to some names off the tree, thanks to synthesis.
_ssh._tcp.host2, and subdel. To a resolver, many more domains appear
to exist via the synthesis of the wild card.
1.4. Empty Non-terminals 2.2.2 Empty Non-terminals
Empty non-terminals are domain names that own no data but have Empty non-terminals are domain names that own no resource records but
subdomains. This is defined in section 3.1 of RFC 1034: have subdomains which do. This is defined in section 3.1 of RFC 1034:
# The domain name space is a tree structure. Each node and leaf on the # The domain name space is a tree structure. Each node and leaf on the
# tree corresponds to a resource set (which may be empty). The domain # tree corresponds to a resource set (which may be empty). The domain
# system makes no distinctions between the uses of the interior nodes and # system makes no distinctions between the uses of the interior nodes and
# leaves, and this memo uses the term "node" to refer to both. # leaves, and this memo uses the term "node" to refer to both.
The parenthesized "which may be empty" specifies that empty non- The parenthesized "which may be empty" specifies that empty non-
terminals are explicitly recognized. According to the definition of terminals are explicitly recognized. According to the definition of
existence in this document, empty non-terminals do exist at the existence in this document, empty non-terminals do exist at the
server. server.
Carefully reading the above paragraph can lead to an interpretation Pedantically reading the above paragraph can lead to an
that all possible domains exist - up to the suggested limit of 255 interpretation that all possible domains exist - up to the suggested
octets for a domain name [RFC 1035]. For example, www.example. may limit of 255 octets for a domain name [RFC 1035]. For example,
have an A RR, and as far as is practically concerned, is a leaf of www.example. may have an A RR, and as far as is practically
the domain tree. But the definition can be taken to mean that concerned, is a leaf of the domain tree. But the definition can be
sub.www.example. also exists, albeit with no data. By extension, all taken to mean that sub.www.example. also exists, albeit with no data.
possible domains exist, from the root on down. As RFC 1034 also By extension, all possible domains exist, from the root on down. As
defines "an authoritative name error indicating that the name does RFC 1034 also defines "an authoritative name error indicating that
not exist" in section 4.3.1, this is not the intent of the original the name does not exist" in section 4.3.1, this is not the intent of
document. the original document.
RFC1034's wording is to be clarified by adding the following 2.2.3 Yet Another Definition of Existence
paragraph:
RFC1034's wording is clarified by the following paragraph:
A node is considered to have an impact on the algorithms of A node is considered to have an impact on the algorithms of
4.3.2 if it is a leaf node with any resource sets or an interior 4.3.2 if it is a leaf node with any resource sets or an interior
node, with or without a resource set, that has a subdomain that node (with or without a resource set) that has a subdomain that
is a leaf node with a resource set. A QNAME and QCLASS matching is a leaf node with a resource set. A QNAME and QCLASS matching
an existing node never results in a response return code of an existing node never results in a response code of
authoritative name error. authoritative name error (RCODE==3).
The terminology in the above paragraph is chosen to remain as close The terminology in the above paragraph is chosen to remain as close
to that in the original document. The term "with" is a alternate to that in the original document. The term "with" is a alternate
form for "owning" in this case, hence "a leaf node owning resources form for "owning" in this case, hence "a leaf node owning resources
sets, or an interior node, owning or not owning any resource set, sets, or an interior node, owning or not owning any resource set,
that has a leaf node owning a resource set as a subdomain," is the that has a leaf node owning a resource set as a subdomain," is the
proper interpretation of the middle sentence. proper interpretation of the middle sentence.
As an aside, an "authoritative name error" has been called NXDOMAIN As an aside, an "authoritative name error", response code (RCODE) 3,
in some RFCs, such as RFC 2136 [RFC 2136]. NXDOMAIN is the mnemonic has been called NXDOMAIN in some RFCs, such as RFC 2136 [RFC 2136].
assigned to such an error by at least one implementation of DNS. As NXDOMAIN is the mnemonic assigned to such an error by at least one
this mnemonic is specific to implementations, it is avoided in the implementation of DNS.
remainder of this document.
1.5. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in the document entitled
"Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]
Requirements are denoted by paragraphs that begin with with the
following convention: 'R'<sect>.<count>.
Quotations of RFC 1034 (as has already been done once above) are
denoted by a '#' in the leftmost column.
2. Defining the Wild Card Domain Name
A wild card domain name is defined by having the initial label be:
0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
This defines domain names that may play a role in being a wild card,
that is, being a source for synthesized answers. Domain names
conforming to this definition that appear in queries and RDATA
sections do not have any special role. These cases will be described
in more detail in following sections.
R2.1 A domain name that is to be interpreted as a wild card MUST
begin with a label of '0000 0001 0010 1010' in binary.
The first octet is the normal label type and length for a 1 octet
long label, the second octet is the ASCII representation [RFC 20] for
the '*' character. In RFC 1034, ASCII encoding is assumed to be the
character encoding.
In the master file formats used in RFCs, a "*" is a legal
representation for the wild card label. Even if the "*" is escaped,
it is still interpreted as the wild card when it is the only
character in the label.
R2.2 A server MUST treat a wild card domain name as the basis of
synthesized answers regardless of any "escape" sequences in the
input format.
RFC 1034 and RFC 1035 ignore the case in which a domain name might be
"the*.example.com." The interpretation is that this domain name in a
zone would only match queries for "the*.example.com" and not have any
other role.
Note: By virtue of this definition, a wild card domain name may have
a subdomain. The subdomain (or sub-subdomain) itself may also be a
wild card. E.g., *.*.example. is a wild card, so is *.sub.*.example.
More discussion on this is given in Appendix A.
3. Defining Existence
As described in the Introduction, a precise definition of existence Summarizing the discussion on existence in non-RFC1034 words:
is needed.
R3.1 An authoritative server MUST treat a domain name as existing An authoritative server is to treat a domain name as existing
during the execution of the algorithms in RFC 1034 when the during the execution of the algorithms in RFC 1034 when the
domain name conforms to the following definition. A domain name domain name conforms to the following definition. A domain name
is defined to exist if the domain name owns data and/or has a is defined to exist if the domain name owns data or has a
subdomain that exists. subdomain that exists, or both.
Note that at a zone boundary, the domain name owns data, including Note that at a zone boundary, the domain name owns data, including
the NS RR set. At the delegating server, the NS RR set is not the NS RR set. At the delegating server, the NS RR set is not
authoritative, but that is of no consequence here. The domain name authoritative, but that is of no consequence here. The domain name
owns data, therefore, it exists. owns data, therefore, it exists.
R3.2 An authoritative server MUST treat a domain name that has 2.3 When does a Wild Card Domain Name not own a wildcard (record)
neither a resource record set nor an existing subdomain as non-
existent when executing the algorithm in section 4.3.2. of RFC
1034.
A note on terminology. A domain transcends zones, i.e., all DNS data
is in the root domain but segmented into zones of control. In this
document, there are references to a "domain name" in the context of
existing "in a zone." In this usage, a domain name is the root of a
domain, not the entire domain. The domain's root point is said to
"exist in a zone" if the zone is authoritative for the name. RR sets
existing in a domain need not be owned by the domain's root domain
name, but are owned by other domain names in the domain.
4. Impact of a Wild Card In a Query or in RDATA
When a wild card domain name appears in a question, e.g., the query
name is "*.example.", the response in no way differs from any other
query. In other words, the wild card label in a QNAME has no special
meaning, and query processing will proceed using '*' as a literal
query name.
R4.1 A wild card domain name acting as a QNAME MUST be treated as any
other QNAME, there MUST be no special processing accorded it.
If a wild card domain name appears in the RDATA of a CNAME RR or any When a Wild Card Domain Name appears in a message's query section,
other RR that has a domain name in it, the same rule applies. In the no special processing occurs. Asterisk Labels in such a context
instance of a CNAME RR, the wild card domain name is used in the same only Label Matches other Asterisk Labels in the existing zone tree
manner of as being the original QNAME. For other RR's, rules vary when the 4.3.2 algorithm is being followed.
regarding what is done with the domain name(s) appearing in them, in
no case does the wild card hold special meaning.
R4.2 A wild card domain name appearing in any RR's RDATA MUST be When a Wild Card Domain Name appears in the resource data of a
treated as any other domain name in that situation, there MUST record, no special processing occurs. An Asterisk Label in that
be no special processing accorded it. context literally means just an asterisk.
5. Impact of a Wild Card Domain On a Response 3. Impact of a Wild Card Domain On a Response
The description of how wild cards impact response generation is in The description of how wild cards impact response generation is in
RFC 1034, section 4.3.2. That passage contains the algorithm RFC 1034, section 4.3.2. That passage contains the algorithm
followed by a server in constructing a response. Within that followed by a server in constructing a response. Within that
algorithm, step 3, part 'c' defines the behavior of the wild card. algorithm, step 3, part 'c' defines the behavior of the wild card.
The algorithm is directly quoted in lines that begin with a '#' sign. The algorithm is directly quoted in lines that begin with a '#' sign.
Commentary is interleaved. Commentary is interleaved.
There is a documentation issue deserving some explanation. The There is a documentation issue deserving some explanation. The
algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
skipping to change at page 9, line 35 skipping to change at line 471
standard. There is another RFC, RFC 2672, which makes, or proposes standard. There is another RFC, RFC 2672, which makes, or proposes
an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME
RR. RFC 2672 is a proposed standard. The dilemma in writing these RR. RFC 2672 is a proposed standard. The dilemma in writing these
clarifications is knowing which document is the one being clarified. clarifications is knowing which document is the one being clarified.
Fortunately, the difference between RFC 1034 and RFC 2672 is not Fortunately, the difference between RFC 1034 and RFC 2672 is not
significant with respect to wild card synthesis, so this document significant with respect to wild card synthesis, so this document
will continue to state that it is clarifying RFC 1034. If RFC 2672 will continue to state that it is clarifying RFC 1034. If RFC 2672
progresses along the standards track, it will need to refer to progresses along the standards track, it will need to refer to
modifying RFC 1034's algorithm as amended here. modifying RFC 1034's algorithm as amended here.
The context of part 'c' is that the search is progressing label by 3.1 Step 2
label through the QNAME. (Note that the data being searched is the
authoritative data in the server, the cache is searched in step 4.)
Step 3's part 'a' covers the case that the QNAME has been matched in
full, regardless of the presence of a CNAME RR. Step 'b' covers
crossing a cut point, resulting in a referral. All that is left is
to look for the wild card.
Step 3 of the algorithm also assumes that the search is looking in Step 2 of the RFC 1034's section 4.3.2 reads:
the zone closest to the answer, i.e., in the same class as QCLASS and
as close to the authority as possible on this server. If the zone is # 2. Search the available zones for the zone which is the nearest
not the authority, then a referral is given, possibly one indicating # ancestor to QNAME. If such a zone is found, go to step 3,
lameness. # otherwise step 4.
In this step, the most appropriate zone for the response is chosen.
There are two reasons to repeat this. One is that this means all
of step 3 is done within the context of a zone, which will constrain
the discussion. The other is the though behind synthesizing entire
zones and the use of Wild Card Domain Names to do so.
3.2 Step 3
Step 3 is dominated by three parts, labelled a, b, and c. But the
beginning of the Step is important and needs explanation.
# 3. Start matching down, label by label, in the zone. The
# matching process can terminate several ways:
The word matching in this care refers to Label Matching. The concept
is based in the view of the zone as the tree of existing names. The
Query Name is considered to be an ordered sequence of labels - as
if the name were a path from the root to the owner of the desired
data.
The process of Label Matching ends in one of three choices, the parts
a, b, and c. Once one of the parts is chosen, the other parts are
not considered. (E.g., do not execute part c and then change the
execution path to finish in part b.) The process of Label Matching
is also done independent of the Query Type.
Parts a and b are not an issue for this clarification as they do not
relate to record synthesis. Part a generally covers a situation in
which all of the labels in the search (query) name have been matched
down the tree, e.g., the sought name exists as an exact Label Match.
Part b generally covers a situation in which any label in the sought
name Label Matches a tree label and the tree label has a NS RRSet.
3.3 Part 'c'
The context of part 'c' is that the process of Label Matching the
labels in the sought name has resulted in a situation in which there
is nothing corresponding in the tree. It is as if the lookup has
"fallen off the tree."
# c. If at some label, a match is impossible (i.e., the # c. If at some label, a match is impossible (i.e., the
# corresponding label does not exist), look to see if a # corresponding label does not exist), look to see if a
# the "*" label exists. # the "*" label exists.
The above paragraph refers to finding the domain name that exists in To help describe the process of looking "to see is a the [sic]
the zone and that most encloses the QNAME. Such a domain name will label exists" a term has been coined to describe the last label
mark the boundary of candidate wild card domain names that might be matched. The term is "Closest Encloser."
used to synthesize an answer. (Remember that at this point, if the
most enclosing name is the same as the QNAME, part 'a' would have
recorded an exact match.) The existence of the enclosing name means
that no wild card name higher in the tree is a candidate to answer
the query.
Once the closest enclosing node is identified, there's the matter of 3.3.1 Closest Encloser and the Source of Synthesis
what exists below it. It may have subdomains, but none will be
closer to the QNAME. One of the subdomains just might be a wild
card. If it exists, this is the only wild card eligible to be used
to synthesize an answer for the query. Even if the closest enclosing
node conforms to the syntax rule in section 2 for being a wild card
domain name, the closest enclosing node is not eligible to be a
source of a synthesized answer.
The only wild card domain name that is a candidate to synthesize an The "Closest Encloser" is the node in the zone's tree of existing
answer will be the "*" subdomain of the closest enclosing domain domain names that is has the most matching labels with the sought
name. Three possibilities can happen. The "*" subdomain does not name. Each match is a "Label Match" and the order of the labels
exist, the "*" subdomain does but does not have an RR set of the same is also the same. The Closest Encloser is an existing name in the
type as the QTYPE, or it exists and has the desired RR set. zone, it may be an empty non-terminal, it may even be a Wild Card
Domain Name itself. In no circumstances is the Closest Encloser
the used to synthesize records though.
For the sake of brevity, the closest enclosing node can be referred A "Source of Synthesis" is defined in the context of a lookup
to as the "closest encloser." The closest encloser is the most process as the Wild Card Domain Name immediately descending from
important concept in this clarification. Describing the closest the Closest Encloser provided the Wild Card Domain Name exists.
encloser is a bit tricky, but it is an easy concept. A Source of Synthesis does not guarantee having a RRSet to use
for synthesis, a Source of Synthesis may even be an empty
non-terminal.
To find the closest encloser, you have to first locate the zone that If a Source of Synthesis exists, it will be the Wild Card Domain Name
is the authority for the query name. This eliminates the need to be that is identified by an Asterisk Label below the Closest Encloser.
concerned that the closest encloser is a cut point. In addition, we E.g., "<Asterisk Label>.<Closest Encloser> or "*.<Closest Encloser>."
can assume too that the query name does not exist, hence the closest If the Source of Synthesis does not exist (not on the domain tree),
encloser is not equal to the query name. We can assume away these there will be no wildcard synthesis
two cases because they are handled in steps 2, 3a and 3b of section
4.3.2.'s algorithm.
What is left is to identify the existing domain name that would have The important concept is that for any given lookup process, there
been up the tree (closer to the root) from the query name. Knowing is at most one place at which wildcard synthetic records can be
that an exact match is impossible, if there is a "*" label descending obtained. If the Source of Synthesis does not exist, the lookup
from the unique closest encloser, this is the one and only wild card terminates, the lookup does not look for other wildcard records.
from which an answer can be synthesized for the query.
To illustrate, using the example in section 1.2 of this document, the Other terms have been coined on the mailing list in the past. E.g.,
following chart shows QNAMEs and the closest enclosers. In it has been said that existing names block the application of
Appendix A there is another chart showing unusual cases. wildcard records. This is still an appropriate viewpoint, but
replacing this notion with the Closest Encloser and Source of
Synthesis the depiction of the wildcard process is clearer.
QNAME Closest Encloser Wild Card Source 3.3.2 Closest Encloser and Source of Synthesis Examples
To illustrate, using the example zone in section 2.2.1 of this document,
the following chart shows QNAMEs and the closest enclosers.
QNAME Closest Encloser Source of Synthesis
host3.example. example. *.example. host3.example. example. *.example.
_telnet._tcp.host1.example. _tcp.host1.example. no wild card _telnet._tcp.host1.example. _tcp.host1.example. no source
_telnet._tcp.host2.example. host2.example. no wild card _telnet._tcp.host2.example. host2.example. no source
_telnet._tcp.host3.example. example. *.example. _telnet._tcp.host3.example. example. *.example.
_chat._udp.host3.example. example. *.example. _chat._udp.host3.example. example. *.example.
Note that host1.subdel.example. is in a subzone, so the search for it
ends in a referral in part 'b', thus does not enter into finding a
closest encloser.
The fact that a closest encloser will be the only superdomain that The fact that a closest encloser will be the only superdomain that
can have a candidate wild card will have an impact when it comes to can have a candidate wild card will have an impact when it comes to
designing authenticated denial of existence proofs. designing pre-calculated authenticated denial of existence proofs.
3.3.3 Non-existent Source of Synthesis
In RFC 1034:
# If the "*" label does not exist, check whether the name # If the "*" label does not exist, check whether the name
# we are looking for is the original QNAME in the query # we are looking for is the original QNAME in the query
# or a name we have followed due to a CNAME. If the name # or a name we have followed due to a CNAME. If the name
# is original, set an authoritative name error in the # is original, set an authoritative name error in the
# response and exit. Otherwise just exit. # response and exit. Otherwise just exit.
The above passage says that if there is not even a wild card domain The above passage is clear, evidenced by the lack of discussion and
name to match at this point (failing to find an explicit answer mis-implementation of it over the years. It is included for
elsewhere), we are to return an authoritative name error at this completeness only. (No attempt is made to re-interpret it lest
point. If we were following a CNAME, the specification is unclear, a mistake in editing leads to confusion.)
but seems to imply that a no error return code is appropriate, with
just the CNAME RR (or sequence of CNAME RRs) in the answer section. 3.3.4 Type Matching
RFC 1034 concludes part c with this:
# If the "*" label does exist, match RRs at that node # If the "*" label does exist, match RRs at that node
# against QTYPE. If any match, copy them into the answer # against QTYPE. If any match, copy them into the answer
# section, but set the owner of the RR to be QNAME, and # section, but set the owner of the RR to be QNAME, and
# not the node with the "*" label. Go to step 6. # not the node with the "*" label. Go to step 6.
This final paragraph covers the role of the QTYPE in the process. This final paragraph covers the role of the QTYPE in the lookup process.
Note that if no resource record set matches the QTYPE the result is
that no data is copied, but the search still ceases ("Go to step
6."). In the following section, a suggested change is made to this,
under the heading "CNAME RRs at a Wild Card Domain Name."
6. Considerations with Special Types Based on implementation feedback and similarities between step a and
step c a change to this passage a change has been made.
For the purposes of this section, "special" means that a record The change is to add the following text:
induces processing at the server beyond simple lookup. The special
types in this section are SOA, NS, CNAME, and DNAME. SOA is special
because it is used as a zone marker and has an impact on step 2 of
the algorithm in 4.3.2. NS denotes a cut point and has an impact on
step 3b. CNAME redirects the query and is mentioned in steps 3a and
3b. DNAME is a "CNAME generator."
6.1. SOA RR's at a Wild Card Domain Name If the data at the source of synthesis is a CNAME, and
QTYPE doesn't match CNAME, copy the CNAME RR into the
answer section of the response changing the owner name
to the QNAME, change QNAME to the canonical name in the
CNAME RR, and go back to step 1.
If the owner of an SOA record conforms to the basic rules of owning This is essentially the same text in step a covering the processing of
an SOA RR (meaning it is the apex of a zone) the impact on the search CNAME RRSets.
algorithm is not in section 3c (where records are synthesized) as
would be expected. The impact is really in step 2 of the algorithm,
the choice of zone.
We are no longer talking about whether or not an SOA RR can be 4. Considerations with Special Types
synthesized in a response because we are shifting attention to step
2. We are now talking about what it means for a name server to
synthesize a zone for a response. To date, no implementation has
done this. Thinking ahead though, anyone choosing to pursue this
would have to be aware that a server would have to be able to
distinguish between queries for data it will have to synthesize and
queries that ought to be treated as if they were prompted by a lame
delegation.
It is not a protocol error to have an SOA RR owned by a wild card Five types of RRSets owned by a Wild Card Domain Name have caused
domain name, just as it is not an error to have zone name be confusion. Four explicit types causing confusion are SOA, NS, CNAME,
syntactically equivalent to a domain name. However, this situation DNAME, and the fifth type - "none."
requires careful consideration of how a server chooses the
appropriate zone for an answer. And an SOA RR is not able to be
synthesized as in step 3c.
6.2. NS RR's at a Wild Card Domain Name 4.1. SOA RR's at a Wild Card Domain Name
Complimentary to the issue of an SOA RR owned by a wild card domain A Wild Card Domain Name owning an SOA RRSet means that the domain
name is the issue of NS RR's owned by a wild card domain name. In is at the root of the zone (apex). The domain can not be a Source of
this instance, each machine being referred to in the RDATA of the NS Synthesis because that is, but definition, a descendent node (of
RR has to be able to understand the impact of this on step 2, the the Closest Encloser) and a zone apex is at the top of the zone.
choosing of the authoritative zone.
Referring to the same machine in such a NS RR will probably not work Although a Wild Card Domain Name can not be a Source of Synthesis,
well. This is because the server may become confused as to whether there is no reason to forbid the ownership of an SOA RRSet. This
the query name ought to be answered by the zone owning the NS RR in means that zones with names like "*.<Parent Zone>.", and even
question or a synthesized zone. (It isn't known in advance that the "*.<Parent Sublabels>.<Parent Zone>."
query name will invoke the wild card synthesis.)
The status of other RR's owned by a wild card domain name is the same
as if the owner name was not a wild card domain name. I.e., when
there is a NS RR at a wild card domain name, other records are
treated as being below the zone cut.
Is it not a protocol error to have a NS RR owned by a wild card Step 2 (section 3.1) does not provide a means to specify a means to
domian name, complimentary to the case of a SOA RR. However, for synthesize a zone. Therefore, according to the rules there, the
this to work, an implementation has to know how to synthesize a zone. only way in which a zone that has a name which is a Wild Card
Domain Name is if the QNAME is in a domain below the zone's name.
6.3. CNAME RR's at a Wild Card Domain Name E.g., if *.example. has an SOA record, then only a query like
QNAME=*.example., QTYPE=A, QCLASS=IN would see it. As another
example, a QNAME of www.*.example. would also result in passing
through the zone.
The issue of CNAME RR's owned by wild card domain names has prompted 4.2. NS RR's at a Wild Card Domain Name
a suggested change to the last paragraph of step 3c of the algorithm
in 4.3.2. The changed text is this:
If the "*" label does exist and if the data at the node is a The semantics of a Wild Card Domain Name ownership of a NS RRSet
CNAME and QTYPE doesn't match CNAME, copy the CNAME RR into the has been unclear. Looking through RFC 1034, the recommendation
answer section of the response, set the owner of the CNAME RR to is to have the NS RRSet act the same a any non-special type, e.g.,
be QNAME, and then change QNAME to the canonical name in the like an A RR.
CNAME RR, and go back to step 1.
If the "*" label does exist and either QTYPE is CNAME or the If the NS RRSet in question is at the top of the zone, i.e., the
data at the node is not a CNAME, then match RRs at that node name also owns an SOA RRSet, the QNAME equals the zone name. This
against QTYPE. If any match, copy them into the answer section, would trigger part 'a' of Step 3.
but set the owner of the RR to be QNAME, and not the node with
the "*" label. Go to step 6.
Apologies if the above isn't clear, but an attempt was made to stitch In any other case, the Wild Card Domain Name owned NS RRSet would
together the passage using just the phrases in section 3a and 3c of be the only RRSet (prior to changes instituted by DNSSEC) at the
the algorithm so as to preserve the original flavor. node by DNS rules. If the QNAME equals the Wild Card Domain Name
or is a subdomain of it, then the node would be considered in part
'b' of Step 3.
In case the passage as suggested isn't clear enough, the intent is to Note that there is no synthesis of records in the authority section
make "landing" at a wild card name and finding a CNAME the same as if because part 'b' does not account for synthesis. The referral
this happened as a result of a direct match. I.e., Finding a CNAME returned would have the Wild Card Domain Name in the authority section,
at the name matched in step 3c is supposed to have the same impact as unchanged.
finding the CNAME in step 3a.
6.4. DNAME RR's at a Wild Card Domain Name If the QNAME is not the same as the Wild Card Domain Name nor a
subdomain of it, then part 'c' of Step 3 has been triggered. Once
part 'c' is entered, there is no reverting to part 'b' - i.e.,
once an NS RRSet is synthesized it does not mean that the server has
to consider the name delegated away. I.e., the server is not
synthesizing a record (the NS RRSet) that means the server does not
have the right to synthesize.
4.3. CNAME RR's at a Wild Card Domain Name
The issue of CNAME RR's owned by wild card domain names has prompted
a suggested change to the last paragraph of step 3c of the algorithm
in 4.3.2. The changed text appears in section 3.3.4 of this document.
4.4. DNAME RR's at a Wild Card Domain Name
The specification of the DNAME RR, which is at the proposed level of The specification of the DNAME RR, which is at the proposed level of
standardization, is not as mature as the full standard in RFC 1034. standardization, is not as mature as the full standard in RFC 1034.
Because of this, or the reason for this is, there appears to be a Because of this, or the reason for this is, there appears to be a
host of issues with that definition and it's rewrite of the algorithm a number of issues with that definition and it's rewrite of the algorithm
in 4.3.2. For the time being, when it comes to wild card processing in 4.3.2. For the time being, when it comes to wild card processing
issues, a DNAME can be considered to be a CNAME synthesizer. A DNAME issues, a DNAME can be considered to be a CNAME synthesizer. A DNAME
at a wild card domain name is effectively the same as a CNAME at a at a wild card domain name is effectively the same as a CNAME at a
wild card domain name. wild card domain name.
7. Security Considerations 4.5 Empty Non-terminal Wild Card Domain Name
If a Source of Synthesis is an empty non-terminal, then the response
will be one of no error in the return code and no RRSet in the answer
section.
5. Security Considerations
This document is refining the specifications to make it more likely This document is refining the specifications to make it more likely
that security can be added to DNS. No functional additions are being that security can be added to DNS. No functional additions are being
made, just refining what is considered proper to allow the DNS, made, just refining what is considered proper to allow the DNS,
security of the DNS, and extending the DNS to be more predictable. security of the DNS, and extending the DNS to be more predictable.
8. References 6. References
Normative References Normative References
[RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969 [RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969
[RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris, [RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris,
Nov-01-1987 Nov-01-1987
[RFC 1035] Domain Names - Implementation and Specification, P.V [RFC 1035] Domain Names - Implementation and Specification, P.V
Mockapetris, Nov-01-1987 Mockapetris, Nov-01-1987
[RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S [RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S
Bradner, March 1997 Bradner, March 1997
Informative References Informative References
[RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P. Vixie, [RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P.
Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997 Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997
[RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999 [RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999
[RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999 [RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999
9. Others Contributing to This Document 7. Others Contributing to This Document
Others who have been editors of this document: Bob Halley and Robert Elz.
Others who have directly caused text to appear in the document: Paul Others who have directly caused text to appear in the document: Paul
Vixie and Olaf Kolkman. Many others have indirect influences on the Vixie and Olaf Kolkman. Many others have indirect influences on the
content. content.
10. Editors 8. Editor
Name: Bob Halley
Affiliation: Nominum, Inc.
Address: 2385 Bay Road, Redwood City, CA 94063 USA
Phone: +1-650-381-6016
EMail: Bob.Halley@nominum.com
Name: Edward Lewis Name: Edward Lewis
Affiliation: ARIN Affiliation: NeuStar
Address: 3635 Concorde Pkwy, Suite 200, Chantilly, VA 20151 USA Address: tbd
Phone: +1-703-227-9854 Phone: tbd
Email: edlewis@arin.net Email: tbd (please send comments to namedroppers)
Comments on this document can be sent to the editors or the mailing Comments on this document can be sent to the editors or the mailing
list for the DNSEXT WG, namedroppers@ops.ietf.org. list for the DNSEXT WG, namedroppers@ops.ietf.org.
Appendix A: Subdomains of Wild Card Domain Names 9. Trailing Boilerplate
In reading the definition of section 2 carefully, it is possible to
rationalize unusual names as legal. In the example given,
*.example. could have subdomains of *.sub.*.example. and even the
more direct *.*.example. (The implication here is that these domain
names own explicit resource records sets.) Although defining these
names is not easy to justify, it is important that implementions
account for the possibility. This section will give some further
guidence on handling these names.
The first thing to realize is that by all definitions, subdomains of
wild card domain names are legal. In analyzing them, one realizes
that they cause no harm by their existence. Because of this, they
are allowed to exist, i.e., there are no special case rules made to
disallow them. The reason for not preventing these names is that the
prevention would just introduce more code paths to put into
implementations.
The concept of "closest enclosing" existing names is important to
keep in mind. It is also important to realize that a wild card
domain name can be a closest encloser of a query name. For example,
if *.*.example. is defined in a zone, and the query name is
a.*.example., then the closest enclosing domain name is *.example.
Keep in mind that the closest encloser is not eligible to be a source
of synthesized answers, just the subdomain of it that has the first
label "*".
To illustrate this, the following chart shows some matches. Assume
that the names *.example., *.*.example., and *.sub.*.example. are
defined in the zone.
QNAME Closest Encloser Wild Card Source
a.example. example. *.example.
b.a.example. example. *.example.
a.*.example. *.example. *.*.example.
b.a.*.example. *.example. *.*.example.
b.a.*.*.example. *.*.example. no wild card
a.sub.*.example. sub.*.example. *.sub.*.example.
b.a.sub.*.example. sub.*.example. *.sub.*.example.
a.*.sub.*.example. *.sub.*.example. no wild card
*.a.example. example. *.example.
a.sub.b.example. example. *.example.
Recall that the closest encloser itself cannot be the wild card.
Therefore the match for b.a.*.*.example. has no applicable wild card.
Finally, if a query name is sub.*.example., any answer available will
come from an exact name match for sub.*.example. No wild card
synthesis is performed in this case.
Full Copyright Statement Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78 and
except as set forth therein, the authors retain all their rights.
Copyright (C) The Internet Society 2003. All Rights Reserved. This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
This document and translations of it may be copied and furnished to Intellectual Property
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be The IETF takes no position regarding the validity or scope of any
revoked by the Internet Society or its successors or assigns. Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
This document and the information contained herein is provided on an Copies of IPR disclosures made to the IETF Secretariat and any
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING assurances of licenses to be made available, or the result of an
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING attempt made to obtain a general license or permission for the use of
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION such proprietary rights by implementers or users of this
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF specification can be obtained from the IETF on-line IPR repository at
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. http://www.ietf.org/ipr. The IETF invites any interested party to
bring to its attention any copyrights, patents or patent
applications, or other proprietary rights that may cover technology
that may be required to implement this standard. Please address the
information to the IETF at ietf-ipr@ietf.org.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
Expiration
This document expires on or about 11 April 2005.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/