draft-ietf-dnsext-wcard-clarify-04.txt   draft-ietf-dnsext-wcard-clarify-05.txt 
DNSEXT Working Group E. Lewis DNSEXT Working Group E. Lewis
INTERNET DRAFT NeuStar INTERNET DRAFT NeuStar
Expiration Date: July 20, 2005 January 2005 Expiration Date: August 10, 2005 February 2005
Clarifying the Role of Wild Card Domains The Role of Wildcard Domains
in the Domain Name System in the Domain Name System
draft-ietf-dnsext-wcard-clarify-04.txt draft-ietf-dnsext-wcard-clarify-05.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of RFC 3668. aware will be disclosed, in accordance with Section 6 of RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at line 34 skipping to change at line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on July 20, 2005. This Internet-Draft will expire on August 10, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004, 2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
The definition of wild cards is recast from the original in RFC 1034, This is an update to the wildcard definition of RFC 1034. The
in words that are more specific and in line with RFC 2119. This interaction with wildcards and CNAME is changed, an error
document is meant to supplement the definition in RFC 1034 and not to condition removed, and the words defining some concepts central to
significantly alter the spirit or intent of that definition. wildcards are changed. The overall goal is not to change wildcards,
but to refine the definition of RFC 1034.
1 Introduction 1 Introduction
In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the synthesis In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the synthesis
of answers from special records called wildcards. The original of answers from special resource records called wildcards. The definition
definitions are incomplete. This document clarifies and describes in RFC 1034 is incomplete and has proven to be confusing. This document
the wildcard synthesis by adding to the discussion and making describes the wildcard synthesis by adding to the discussion and making
limited modifications. Modifications are made only where necessary limited modifications. Modifications are made to close inconsistencies
to close inconsistencies that have led to interoperability issues. that have led to interoperability issues. This description does not
expand the service intended by the original definition.
1.1 Motivation Staying within the spirit and style of the original documents, this
document avoids specifying rules for DNS implementations regarding
wildcards. The intention is to only describe what is needed for
interoperability, not restrict implementation choices. In addition,
consideration has been given to minimize any backwards compatibility
with implementations that have complied with RFC 1034's definition.
Over time many implementations have diverged in different ways from This document is focused on the concept of wildcards as defined in RFC
the original definition, or at from least what had been intended. Although 1034. Nothing is implied regarding alternative approaches, nor are
there is clearly a need to clarify the original documents in light alternatives discussed.
of this, the impetus for this document lay in the engineering of
the DNS security extensions [RFC TBD]. With an unclear definition
of wildcards the design of authenticated denial became entangled.
Although this document is motivated by DNSSEC and the need to have a [Note to the WG - this draft is not complete, it is presented as fodder
separate document passed for the sake of DNSSEC, other motivations have for the upcoming meeting. Sections 4.2.3, 4.6, 3.7, and 4.8 are
arisen. The renewed understanding of wildcards gained is worthy of being particularly incomplete. I wanted to make sure there was something
documented. recent in the draft repository before setting out on more travel.
1.2 The Original Definition For 4.2.3, refer to the threads for the most recent discussions...
http://ops.ietf.org/lists/namedroppers/namedroppers.2004/msg01601.html
http://ops.ietf.org/lists/namedroppers/namedroppers.2004/msg01603.html
This document is intended to make just one change, based on And you might want to check out the minutes from the last IETF meeting
as well as http://www.ietf.org/proceedings/03nov/131.htm.]
1.1 Motivation
Many DNS implementations have diverged with respect to wildcards in
different ways from the original definition, or at from least what
had been intended. Although there is clearly a need to clarify the
original documents in light of this alone, the impetus for this document
lay in the engineering of the DNS security extensions [RFC TBD]. With
an unclear definition of wildcards the design of authenticated denial
became entangled.
This document is intended to limit changes, only those based on
implementation experience, and to remain as close to the original implementation experience, and to remain as close to the original
document as possible. To reinforce this, relevant sections of RFC document as possible. To reinforce this, relevant sections of RFC
1034 are repeated verbatim to help compare the old and new text. 1034 are repeated verbatim to help compare the old and new text.
There are a few passages which are changed. This may seem to 1.2 The Original Definition
contradict the goal of not changing the original specification,
but the changes herein are required because of inconsistencies The context of the wildcard concept involves the algorithm by which
with the wording in RFC 1034. a name server prepares a response (in RFC 1034's section 4.3.2) and
the way in which a resource record (set) is identified as being a
source of synthetic data (section 4.3.3).
The beginning of the discussion ought to start with the definition The beginning of the discussion ought to start with the definition
of the term "wildcard" as it appears in RFC 1034, section 4.3.3. of the term "wildcard" as it appears in RFC 1034, section 4.3.3.
# In the previous algorithm, special treatment was given to RRs with owner # In the previous algorithm, special treatment was given to RRs with owner
# names starting with the label "*". Such RRs are called wildcards. # names starting with the label "*". Such RRs are called wildcards.
# Wildcard RRs can be thought of as instructions for synthesizing RRs. # Wildcard RRs can be thought of as instructions for synthesizing RRs.
# When the appropriate conditions are met, the name server creates RRs # When the appropriate conditions are met, the name server creates RRs
# with an owner name equal to the query name and contents taken from the # with an owner name equal to the query name and contents taken from the
# wildcard RRs. # wildcard RRs.
This passage appears after the algorithm in which they are used is This passage appears after the algorithm in which the term wildcard
presented. The terminology is not consistent, the word "wildcard" is first used. In this definition, wildcard refers to resource
is clearly defined to be a resource record. Wildcard has also been records. In other usage, wildcard has referred to domain names, and
used to refer to domain names whose first (i.e., left most or least it has been used to describe the operational practice of relying on
significant) label consists of an asterisk. wildcards to generate answers. It is clear from this that there is
a need to define clear and unambiguous terminology in the process of
1.3 The Clarification discussing wildcards.
The clarification effort can be divided into three sections:
o The introduction of new terminology for clarity of the discussion
o Changes to the wording of passages of RFC 1034 prompted by discoveries of
conflicting concepts
o Descriptions of special resource record types in the context of wildcards.
1.3.1 New Terms The mention of the use of wildcards in the preparation of a response
is contained in step 3c of RFC 1034's section 4.3.2 entitled "Algorithm."
Note that "wildcard" does not appear in the algorithm, instead references
are made to the "*" label. The portion of the algorithm relating to
wildcards is deconstructed in detail in section 3 of this document,
this is the beginning of the passage.
The term "wildcard" has become so overloaded it is virtually useless # c. If at some label, a match is impossible (i.e., the
as a description. A few new terms will be introduced to be more # corresponding label does not exist), look to see if a
descriptive. The new terms that will be introduced are: # the "*" label exists.
Asterisk Label - a label consisting of an asterisk ("*") and no The scope of this document is the RFC 1034 definition of wildcards and
other characters. the implications of updates to those documents, such as DNSSEC. Alternate
schemes for synthesizing answers are not considered. (Note that there
is no reference listed. No document is known to describe any alternate
schemes, although there has been some mention of them in mailing lists.)
Wild Card Domain Name - a domain name whose least significant 1.3 This Document
label (first when reading left to right) is an asterisk label.
Other labels might also be asterisk labels.
Source of Synthesis - a wild card domain name when it is consulted in This document accomplishes these three items.
the final paragraph of step 3, part c of RFC 1034's 4.3.2 algorithm. o Defines new terms
o Makes minor changes to avoid conflicting concepts
o Describe the actions of certain resource records as wildcards
Closest Encloser - in RFC 1034's 4.3.2 algorithm, the name at which 1.3.1 New Terms
the last match was possible in step 3, part c. This is the longest
sequence of exactly matching labels from the root downward in both the
query name (QNAME) and in the zone being examined.
Label Match - two labels are equivalent if the label type and label To help in discussing what resource records are wildcards, two terms
length are both the same and if the labels are case-independent will be defined - "asterisk label" and "wild card domain name". These
equivalent strings. Pattern matching is not involved. are defined in section 2.1.1.
These terms will be more fully described as needed later. These To assist in clarifying the role of wildcards in the name server algorithm
terms will be used to describe a few changes to the words in RFC in RFC 1034, 4.3.2, "source of synthesis" and "closest encloser" are
1034. A summary of the changes appear next and will be fully defined. These definitions are in section 3.3.2. "Label match" is
covered in later sections. defined in section 3.2.
Note that labels other than the asterisk label which contain The introduction of new terms ought not have an impact on any existing
asterisks have no special significance or terminology in this implementations. The new terms are used only to make discussions of
document; thus the fact that a domain names starts with an wildcards clearer.
asterisk is also of no special significance (and has no special
terminology) unless its first label is the asterisk label, e.g.,
"*foo.example." has no special significance).
1.3.2 Changed Text 1.3.2 Changed Text
The definition of "existence" is changed, superficially, to exclude The definition of "existence" is changed, superficially. This
empty domains that have no subdomains with resource records. This
change will not be apparent to implementations; it is needed to change will not be apparent to implementations; it is needed to
make descriptions more concise. make descriptions more precise. The change appears in section 2.2.3.
In RFC 1034, there is text that seems to prohibit having two asterisk RFC 1034, section 4.3.3., seems to prohibit having two asterisk
labels in a wild card domain name. There is no further discussion, labels in a wildcard owner name. With this document the restriction
no prescribed error handling, nor enforcement described. With this is removed entirely. This change and its implications are in
document implementations will have to account for such a name's use. section 2.1.3.
The actions when a source of synthesis owns a CNAME RR are changed to The actions when a source of synthesis owns a CNAME RR are changed to
mirror the actions if an exact match name owns a CNAME RR. This mirror the actions if an exact match name owns a CNAME RR. This
is an addition to the words in RFC 1034, section 4.3.2, step 3, is an addition to the words in RFC 1034, section 4.3.2, step 3,
part c. part c. The discussion of this is in section 3.3.3.
Only the latter change represents an impact to implementations. The
definition of existence is not a protocol impact. The change to the
restriction on names is unlikely to have an impact, as there was no
discussion of how to enforce the restriction.
1.3.3 Considerations with Special Types 1.3.3 Considerations with Special Types
This clarification will describe in some detail the semantics of This document describes semantics of wildcard CNAME RRSets [RFC2181],
wildcard CNAME RRSets, wildcard NS RRSets, wildcard SOA RRSets, wildcard NS RRSets, wildcard SOA RRSets, wildcard DNAME RRSets
wildcard DNAME RRSets [RFC 2672], and empty non-terminal wildcards. [RFC2672], wildcard DS RRSets [RFC TBD], and empty non-terminal
Understanding these types in the context of wildcards has been wildcards. Understanding these types in the context of wildcards
clouded because these types incur special processing if they has been clouded because these types incur special processing if they
are the result of an exact match. are the result of an exact match. This discussion is in section 4.
By the definition in RFC 1034, there can be no empty non-terminal These discussions do not have an implementation impact, they cover
"wildcards" ("RRs are called wildcards"). However, in the algorithm, existing knowledge of the types, but to a greater level of detail.
it is possible that an empty non-terminal is sought as the potential
owner of a "wildcard." This is one example of why the ordering of the
discussion in RFC 1034 is confusing.
1.4 Standards Terminology 1.4 Standards Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", This document does not use terms as defined in "Key words for use in
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this RFCs to Indicate Requirement Levels." [RFC2119]
document are to be interpreted as described in the document entitled
"Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]
Quotations of RFC 1034 (as has already been done once above) are
denoted by a '#' in the leftmost column.
2 "Wildcard" Quotations of RFC 1034 are denoted by a '#' in the leftmost column.
The context of the wildcard concept involves the algorithm by which 2 Wildcard Syntax
a name server prepares a response (in RFC 1034's section 4.3.2) and
the way in which a resource record (set) is identified as being a
source of synthetic data (section 4.3.3).
Tackling the latter first, there are two objectives in defining a The syntax of a wildcard is the same as any other DNS resource record,
means to identify a resource record set as a source of synthesis. across all classes and types. The only significant feature is the
First, to simplify implementations, one objective is to encode synthesis owner name.
rules into the domain tree, i.e., avoiding a special data store for
synthesis is desirable. The second objective impacts interoperability,
that is a master server of one implementation has to be able to
send the synthesis instructions to the slaves. Although there are
alternatives to the use of zone transfers via port 53, a truly
interoperable record synthesis approach has to be able to insert the
synthesis instructions into a zone transfer.
The objectives in describing the synthesis of records in the context Because wildcards are encoded as resource records with special names,
of the name server algorithm include knowing when to employ the they are included in zone transfers and incremental zone transfers.
process of synthesis and how the synthesis is carried out. [RFC1995]. This feature has been underappreciated until discussions
on alternative approaches to wildcards appeared on mailing lists.
2.1 Identifying a wildcard 2.1 Identifying a wildcard
To provide a more accurate description of "wildcards", the definition To provide a more accurate description of "wildcards", the definition
has to start with a discussion of the domain names that appear as has to start with a discussion of the domain names that appear as
owners. owners. Two new terms are needed, "Asterisk Label" and "Wild Card
Domain Name."
2.1.1 Wild Card Domain Name and Asterisk Label 2.1.1 Wild Card Domain Name and Asterisk Label
A "wild card domain name" is defined by having its initial A "wild card domain name" is defined by having its initial
(i.e., left-most or least significant) label be, in binary format: (i.e., left-most or least significant) label be, in binary format:
0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal) 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
This is "*" in presentation format.
The first octet is the normal label type and length for a 1 octet The first octet is the normal label type and length for a 1 octet
long label, the second octet is the ASCII representation [RFC 20] for long label, the second octet is the ASCII representation [RFC 20] for
the '*' character. In RFC 1034, ASCII encoding is assumed to be the the '*' character.
character encoding.
A descriptive name of a label equaling that value is an "asterisk A descriptive name of a label equaling that value is an "asterisk
label." label."
RFC 1034's definition of wildcard would be "a resource record owned RFC 1034's definition of wildcard would be "a resource record owned
by a wild card domain name." This is mentioned to help maintain some by a wild card domain name."
orientation between this clarification and RFC 1034. Keep in mind,
that in "Clarifications to the DNS Specification" [RFC 2181] the name
of the basic unit of DNS data became the resource record set (RRSet) and
not the resource record.
2.1.2 Variations on Wild Card Domain Names
Labels other than the asterisk label which contain the ASCII
representation of the asterisk (0x2a) have no significance for the
purposes of this document.
RFC 1034 and RFC 1035 do not explicitly mention the case in which a
domain name might be something like "the*.example." The
interpretation is that this domain name in a zone would only match
queries for "the*.example." and not have any other role. An
asterisk ('*') occurring other than as the sole character in
a label is simply a character forming part of the label and has no
special meaning. This is not an asterisk label, simply a label
an asterisk in it. The same is true for "**.example." and
"*the.example."
The interpretation of a wild card domain specification which is not a 2.1.2 Asterisks and Other Characters
leaf domain is not clearly defined in RFC 1034. E.g., sub.*.example.,
is not discussed, not barred. In wanting to minimize changes from
the original specification, such names are permitted. Although
"sub.*.example." is not a wild card domain name, "*.example." is.
RRSets used to synthesize records can be owned by a wild card domain No label values other than that in section 2.1.1 are asterisk labels,
name that has subdomains. hence names beginning with other labels are never wild card domain
names. Labels such as 'the*' and '**' are not asterisk labels,
they do not start wild card domain names.
2.1.3 Non-terminal Wild Card Domain Names 2.1.3 Non-terminal Wild Card Domain Names
In section 4.3.3, the following is stated: In section 4.3.3, the following is stated:
# .......................... The owner name of the wildcard RRs is of # .......................... The owner name of the wildcard RRs is of
# the form "*.<anydomain>", where <anydomain> is any domain name. # the form "*.<anydomain>", where <anydomain> is any domain name.
# <anydomain> should not contain other * labels...................... # <anydomain> should not contain other * labels......................
This covers names like "*.foo.*.example." The pre-RFC2119 wording uses This restriction is lifted because the original documentation of it
"should not" which has an ambiguous meaning. The specification does not is incomplete and the restriction does not serve any purpose given
proscribe actions upon seeing such a name, such as whether or not a years of operational experience.
zone containing the name should fail to be served. What if a dynamic
update (RFC2136) requested to add the name to the zone? The failure
semantics are not defined.
The recommendation is that implementations ought to anticipate the Indirectly, the above passage raises questions about wild card domain
appearance of such names but generally discourage their use in names having subdomains and possibly being an empty non-terminal. By
operations. No standards statement, such as "MUST NOT" nor "SHOULD NOT" thinking of domain names such as "*.example.*.example." and
is made here. "*.*.example." and focusing on the right-most asterisk label in each,
the issues become apparent.
The interpretation of this is, when seeking a wild card domain name Although those example names have been restricted per RFC 1034, a name
for the purposes of record synthesis, an implementation need not to such as "example.*.example." illustrates the same problems. The
check the domain name for subdomains. sticky issue of subdomains and empty non-terminals is not removed by
the restriction. With that conclusion, the restriction appears to
be meaningless, worse yet, it implies that an implementation would have
to perform checks that do little more than waste CPU cycles.
It is possible that a wild card domain name is an empty non-terminal. A wild card domain name can have subdomains. There is no need to
(See the upcoming sections on empty non-terminals.) In this case, inspect the subdomains to see if there is another asterisk label in
the lookup will terminate as would any empty non-terminal match. any subdomain.
A wild card domain name can be an empty non-terminal. (See the upcoming
sections on empty non-terminals.) In this case, any lookup encountering
it will terminate as would any empty non-terminal match.
2.2 Existence Rules 2.2 Existence Rules
The notion that a domain name 'exists' arises numerous times in The notion that a domain name 'exists' is mentioned in the definition
discussions about the wildcard concept. RFC 1034 raises the issue of wildcards. In section 4.3.3 of RFC 1034:
of existence in a number of places, usually in reference to
non-existence and in reference to processing involving wildcards.
RFC 1034 contains algorithms that describe how domain names impact
the preparation of an answer and does define wildcards as a means of
synthesizing answers. Because of this a discussion on wildcards
needs to cover a definition of existence.
To help clarify the topic of wild cards, a positive definition of # Wildcard RRs do not apply:
existence is needed. Complicating matters, though, is the #
realization that existence is relative. To an authoritative server, ...
a domain name exists if the domain name plays a role following the # - When the query name or a name between the wildcard domain and
algorithms of preparing a response. To a resolver, a domain name # the query name is know[n] to exist. For example, if a wildcard
exists if there is any data available corresponding to the name. The
difference between the two is the synthesis of records according to a
wildcard.
For the purposes of this document, the point of view of an RFC 1034 also refers to non-existence in the process of generating
authoritative server is more interesting. A domain name is said to a response that results in a return code of "name error." NXDOMAIN
exist if it plays a role in the execution of the algorithms in RFC 1034. is introduced in RFC 2308, section 2.1 says "In this case the domain
... does not exist." The overloading of the term "existence" is
confusing.
2.2.1. An Example For the purposes of this document, a domain name is said to exist if
it plays a role in the execution of the algorithms in RFC 1034. This
document avoids discussion determining when an authoritative name
error has occurred.
2.2.1 An Example
To illustrate what is meant by existence consider this complete zone: To illustrate what is meant by existence consider this complete zone:
$ORIGIN example. $ORIGIN example.
example. 3600 IN SOA <SOA RDATA> example. 3600 IN SOA <SOA RDATA>
example. 3600 NS ns.example.com. example. 3600 NS ns.example.com.
example. 3600 NS ns.example.net. example. 3600 NS ns.example.net.
*.example. 3600 TXT "this is a wild card" *.example. 3600 TXT "this is a wild card"
*.example. 3600 MX 10 host1.example. *.example. 3600 MX 10 host1.example.
sub.*.example. 3600 TXT "this is not a wild card"
host1.example. 3600 A 192.0.4.1 host1.example. 3600 A 192.0.4.1
_ssh._tcp.host1.example. 3600 SRV <SRV RDATA> _ssh._tcp.host1.example. 3600 SRV <SRV RDATA>
_ssh._tcp.host2.example. 3600 SRV <SRV RDATA> _ssh._tcp.host2.example. 3600 SRV <SRV RDATA>
subdel.example. 3600 NS ns.example.com. subdel.example. 3600 NS ns.example.com.
subdel.example. 3600 NS ns.example.net. subdel.example. 3600 NS ns.example.net.
A look at the domain names in a tree structure is helpful: A look at the domain names in a tree structure is helpful:
| |
-------------example------------ -------------example------------
/ / \ \ / / \ \
/ / \ \ / / \ \
/ / \ \ / / \ \
* host1 host2 subdel * host1 host2 subdel
| | | | |
| | | | |
_tcp _tcp sub _tcp _tcp
| | | |
| | | |
_ssh _ssh _ssh _ssh
The following queries would be synthesized from one of the wildcards: The following queries would be synthesized from one of the wildcards:
QNAME=host3.example. QTYPE=MX, QCLASS=IN QNAME=host3.example. QTYPE=MX, QCLASS=IN
the answer will be a "host3.example. IN MX ..." the answer will be a "host3.example. IN MX ..."
QNAME=host3.example. QTYPE=A, QCLASS=IN QNAME=host3.example. QTYPE=A, QCLASS=IN
skipping to change at line 367 skipping to change at line 350
because bar.example. does not exist, but the wildcard does. because bar.example. does not exist, but the wildcard does.
The following queries would not be synthesized from any of the wildcards: The following queries would not be synthesized from any of the wildcards:
QNAME=host1.example., QTYPE=MX, QCLASS=IN QNAME=host1.example., QTYPE=MX, QCLASS=IN
because host1.example. exists because host1.example. exists
QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
because *.example. exists because *.example. exists
QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
because sub.*.example. exists
QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
because _tcp.host1.example. exists (without data) because _tcp.host1.example. exists (without data)
QNAME=host.subdel.example., QTYPE=A, QCLASS=IN QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
because subdel.example. exists (and is a zone cut) because subdel.example. exists (and is a zone cut)
To the server, all of the domains in the tree exist. The resolver will
get answers to some names off the tree, thanks to synthesis.
2.2.2 Empty Non-terminals 2.2.2 Empty Non-terminals
Empty non-terminals are domain names that own no resource records but Empty non-terminals [RFC2136, Section 7.16] are domain names that own
have subdomains that do. This is defined in section 3.1 of RFC 1034: no resource records but have subdomains that do. In section 2.2.1,
"_tcp.host1.example." is an example of a empty non-terminal name.
Empty non-terminals are introduced by this text in section 3.1 of RFC
1034:
# The domain name space is a tree structure. Each node and leaf on the # The domain name space is a tree structure. Each node and leaf on the
# tree corresponds to a resource set (which may be empty). The domain # tree corresponds to a resource set (which may be empty). The domain
# system makes no distinctions between the uses of the interior nodes and # system makes no distinctions between the uses of the interior nodes and
# leaves, and this memo uses the term "node" to refer to both. # leaves, and this memo uses the term "node" to refer to both.
The parenthesized "which may be empty" specifies that empty non- The parenthesized "which may be empty" specifies that empty non-
terminals are explicitly recognized. According to the definition of terminals are explicitly recognized, and that empty non-terminals
existence in this document, empty non-terminals do exist at the "exist."
server.
Pedantically reading the above paragraph can lead to an Pedantically reading the above paragraph can lead to an
interpretation that all possible domains exist - up to the suggested interpretation that all possible domains exist - up to the suggested
limit of 255 octets for a domain name [RFC 1035]. For example, limit of 255 octets for a domain name [RFC 1035]. For example,
www.example. may have an A RR, and as far as is practically www.example. may have an A RR, and as far as is practically
concerned, is a leaf of the domain tree. But the definition can be concerned, is a leaf of the domain tree. But the definition can be
taken to mean that sub.www.example. also exists, albeit with no data. taken to mean that sub.www.example. also exists, albeit with no data.
By extension, all possible domains exist, from the root on down. As By extension, all possible domains exist, from the root on down. As
RFC 1034 also defines "an authoritative name error indicating that RFC 1034 also defines "an authoritative name error indicating that
the name does not exist" in section 4.3.1, this is not the intent of the name does not exist" in section 4.3.1, this is not the intent of
the original document. the original document.
2.2.3 Yet Another Definition of Existence 2.2.3 Yet Another Definition of Existence
RFC1034's wording is clarified by the following paragraph: RFC1034's wording is fixed by the following paragraph:
A node is considered to have an impact on the algorithms of
4.3.2 if it is a leaf node with any resource sets or an interior
node (with or without a resource set) that has a subdomain that
is a leaf node with a resource set. A QNAME and QCLASS matching
an existing node never results in a response code of
authoritative name error (RCODE==3).
The terminology in the above paragraph is chosen to remain as close
to that in the original document. The term "with" is a alternate
form for "owning" in this case, hence "a leaf node owning resources
sets, or an interior node, owning or not owning any resource set,
that has a leaf node owning a resource set as a subdomain," is the
proper interpretation of the middle sentence. The phrase "resource
set" appears in the original text of RFC 1034, this would now be
replaced by "RRSet."
As an aside, an "authoritative name error", response code (RCODE) 3,
has been called NXDOMAIN in some RFCs, such as RFC 2136 [RFC 2136].
NXDOMAIN is the mnemonic assigned to such an error by at least one
implementation of DNS.
Summarizing the discussion on existence in non-RFC1034 words: The domain name space is a tree structure. Nodes in the tree either
own at least one RRSet and/or have descendants that collectively own at
least on RRSet. A node may have no RRSets if it has descendents that
do, this node is a empty non-terminal. A node may have its own RRSets
and have descendants with RRSets too.
An authoritative server is to treat a domain name as existing A node with no descendants is a leaf node. Empty leaf nodes do not
during the execution of the algorithms in RFC 1034 when the exist.
domain name conforms to the following definition. A domain name
is defined to exist if the domain name is on the domain tree and
either owns data or has a subdomain that exists.
Note that at a zone boundary, the domain name owns data, including Note that at a zone boundary, the domain name owns data, including
the NS RR set. At the delegating server, the NS RR set is not the NS RR set. At the delegating server, the NS RR set is not
authoritative, but that is of no consequence here. The domain name authoritative, but that is of no consequence here. The domain name
owns data, therefore, it exists. owns data, therefore, it exists.
2.3 When does a Wild Card Domain Name not own a wildcard (record) 2.3 When does a Wild Card Domain Name is not Special
When a wild card domain name appears in a message's query section, When a wild card domain name appears in a message's query section,
no special processing occurs. An asterisk label in a query name no special processing occurs. An asterisk label in a query name
only (label) matches an asterisk label in the existing zone tree only (label) matches an asterisk label in the existing zone tree
when the 4.3.2 algorithm is being followed. when the 4.3.2 algorithm is being followed.
When a wild card domain name appears in the resource data of a When a wild card domain name appears in the resource data of a
record, no special processing occurs. An asterisk label in that record, no special processing occurs. An asterisk label in that
context literally means just an asterisk. context literally means just an asterisk.
3. Impact of a Wild Card Domain On a Response 3. Impact of a Wild Card Domain Name On a Response
The description of how wild cards impact response generation is in The description of how wild cards impact response generation is in
RFC 1034, section 4.3.2. That passage contains the algorithm RFC 1034, section 4.3.2. That passage contains the algorithm
followed by a server in constructing a response. Within that followed by a server in constructing a response. Within that
algorithm, step 3, part 'c' defines the behavior of the wild card. algorithm, step 3, part 'c' defines the behavior of the wild card.
The algorithm is directly quoted in lines that begin with a '#' sign.
Commentary is interleaved.
There is a documentation issue deserving some explanation. The The algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
code, i.e., its steps are not intended to be followed in strict code, i.e., its steps are not intended to be followed in strict
order. The "algorithm" is a suggestion. As such, in step 3, parts order. The "algorithm" is a suggestion. As such, in step 3, parts
a, b, and c, do not have to be implemented in that order. a, b, and c, do not have to be implemented in that order.
Another issue needing explanation is that RFC 1034 is a full
standard. There is another RFC, RFC 2672, which makes, or proposes
an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME
RR. RFC 2672 is a proposed standard. The dilemma in writing these
clarifications is knowing which document is the one being clarified.
Fortunately, the difference between RFC 1034 and RFC 2672 is not
significant with respect to wild card synthesis, so this document
will continue to state that it is clarifying RFC 1034. If RFC 2672
progresses along the standards track, it will need to refer to
modifying RFC 1034's algorithm as amended here.
3.1 Step 2 3.1 Step 2
Step 2 of the RFC 1034's section 4.3.2 reads: Step 2 of the RFC 1034's section 4.3.2 reads:
# 2. Search the available zones for the zone which is the nearest # 2. Search the available zones for the zone which is the nearest
# ancestor to QNAME. If such a zone is found, go to step 3, # ancestor to QNAME. If such a zone is found, go to step 3,
# otherwise step 4. # otherwise step 4.
In this step, the most appropriate zone for the response is chosen. In this step, the most appropriate zone for the response is chosen.
The significance of this step is that it means all of Step 3 is being The significance of this step is that it means all of step 3 is being
performed within one zone. This has significance when considering performed within one zone. This has significance when considering
whether or not an SOA RR can be ever be used for synthesis. whether or not an SOA RR can be ever be used for synthesis.
If an implementation were to attempt to synthesize zones, this would be
the step to do this. Note though that each name server listed in the NS
RRSet for the synthesized zone would have to coherently synthesize the
zone.
3.2 Step 3 3.2 Step 3
Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'. But the Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'. But the
beginning of the Step is important and needs explanation. beginning of the step is important and needs explanation.
# 3. Start matching down, label by label, in the zone. The # 3. Start matching down, label by label, in the zone. The
# matching process can terminate several ways: # matching process can terminate several ways:
The word 'matching' refers to label matching. The concept The word 'matching' refers to label matching. The concept
is based in the view of the zone as the tree of existing names. The is based in the view of the zone as the tree of existing names. The
query name is considered to be an ordered sequence of labels - as query name is considered to be an ordered sequence of labels - as
if the name were a path from the root to the owner of the desired if the name were a path from the root to the owner of the desired
data. (Which it is.) data. (Which it is - 3rd paragraph of RFC 1034, section 3.1.)
The process of label matching a query name ends in exactly one of three The process of label matching a query name ends in exactly one of three
choices, the parts 'a', 'b', and 'c'. Once one of the parts is chosen, choices, the parts 'a', 'b', and 'c'. Either the name is found, the
the other parts are not considered. (E.g., do not execute part 'c' and name is below a cut point, or the name is not found.
then change the execution path to finish in part 'b'.) The process of
label matching is also done independent of the Query Type. Once one of the parts is chosen, the other parts are not considered.
(E.g., do not execute part 'c' and then change the execution path to
finish in part 'b'.) The process of label matching is also done
independent of the query type (QTYPE).
Parts 'a' and 'b' are not an issue for this clarification as they do not Parts 'a' and 'b' are not an issue for this clarification as they do not
relate to record synthesis. Part 'a' generally covers a situation in relate to record synthesis. Part 'a' is an exact match that results in
which all of the labels in the query name have a (label) match in the tree. an answer, part 'b' is a referral. It is possible, from the description
Part 'b' generally covers a situation in which any label in the query given, that a query might fit into both part a and part b, this is
name (label) matches a tree label and the tree label has a NS RRSet. not within the scope of this document.
3.3 Part 'c' 3.3 Part 'c'
The context of part 'c' is that the process of label matching the The context of part 'c' is that the process of label matching the
labels of the query name has resulted in a situation in which there labels of the query name has resulted in a situation in which there
is no corresponding label in the tree. It is as if the lookup has is no corresponding label in the tree. It is as if the lookup has
"fallen off the tree." "fallen off the tree."
# c. If at some label, a match is impossible (i.e., the # c. If at some label, a match is impossible (i.e., the
# corresponding label does not exist), look to see if a # corresponding label does not exist), look to see if a
skipping to change at line 564 skipping to change at line 513
synthesis could be an empty non-terminal. synthesis could be an empty non-terminal.
If the source of synthesis does not exist (not on the domain tree), If the source of synthesis does not exist (not on the domain tree),
there will be no wildcard synthesis. There is no search for an alternate. there will be no wildcard synthesis. There is no search for an alternate.
The important concept is that for any given lookup process, there The important concept is that for any given lookup process, there
is at most one place at which wildcard synthetic records can be is at most one place at which wildcard synthetic records can be
obtained. If the source of synthesis does not exist, the lookup obtained. If the source of synthesis does not exist, the lookup
terminates, the lookup does not look for other wildcard records. terminates, the lookup does not look for other wildcard records.
Other terms have been coined on the mailing list in the past. E.g.,
it has been said that existing names block the application of
wildcard records. This is still an appropriate viewpoint, but
replacing this notion with the closest encloser and source of
synthesis terminology depicts the wildcard process is more clearly.
3.3.2 Closest Encloser and Source of Synthesis Examples 3.3.2 Closest Encloser and Source of Synthesis Examples
To illustrate, using the example zone in section 2.2.1 of this document, To illustrate, using the example zone in section 2.2.1 of this document,
the following chart shows QNAMEs and the closest enclosers. the following chart shows QNAMEs and the closest enclosers.
QNAME Closest Encloser Source of Synthesis QNAME Closest Encloser Source of Synthesis
host3.example. example. *.example. host3.example. example. *.example.
_telnet._tcp.host1.example. _tcp.host1.example. no source _telnet._tcp.host1.example. _tcp.host1.example. no source
_telnet._tcp.host2.example. host2.example. no source _telnet._tcp.host2.example. host2.example. no source
_telnet._tcp.host3.example. example. *.example. _telnet._tcp.host3.example. example. *.example.
_chat._udp.host3.example. example. *.example. _chat._udp.host3.example. example. *.example.
foobar.*.example. *.example. no source
3.3.3 Non-existent Source of Synthesis 3.3.3 Type Matching
In RFC 1034: RFC 1034 concludes part 'c' with this:
# If the "*" label does not exist, check whether the name # If the "*" label does not exist, check whether the name
# we are looking for is the original QNAME in the query # we are looking for is the original QNAME in the query
# or a name we have followed due to a CNAME. If the name # or a name we have followed due to a CNAME. If the name
# is original, set an authoritative name error in the # is original, set an authoritative name error in the
# response and exit. Otherwise just exit. # response and exit. Otherwise just exit.
#
The above passage is clear, evidenced by the lack of discussion and
mis-implementation of it over the years. It is included for
completeness only. (No attempt is made to re-interpret it lest
a mistake in editing leads to confusion.)
3.3.4 Type Matching
RFC 1034 concludes part 'c' with this:
# If the "*" label does exist, match RRs at that node # If the "*" label does exist, match RRs at that node
# against QTYPE. If any match, copy them into the answer # against QTYPE. If any match, copy them into the answer
# section, but set the owner of the RR to be QNAME, and # section, but set the owner of the RR to be QNAME, and
# not the node with the "*" label. Go to step 6. # not the node with the "*" label. Go to step 6.
This final paragraph covers the role of the QTYPE in the lookup process. The final paragraph covers the role of the QTYPE in the lookup process.
Based on implementation feedback and similarities between step 'a' and Based on implementation feedback and similarities between step 'a' and
step 'c' a change to this passage a change has been made. step 'c' a change to this passage a change has been made.
The change is to add the following text: The change is to add the following text to step 'c':
If the data at the source of synthesis is a CNAME, and If the data at the source of synthesis is a CNAME, and
QTYPE doesn't match CNAME, copy the CNAME RR into the QTYPE doesn't match CNAME, copy the CNAME RR into the
answer section of the response changing the owner name answer section of the response changing the owner name
to the QNAME, change QNAME to the canonical name in the to the QNAME, change QNAME to the canonical name in the
CNAME RR, and go back to step 1. CNAME RR, and go back to step 1.
This is essentially the same text in step a covering the processing of This is essentially the same text in step a covering the processing of
CNAME RRSets. CNAME RRSets.
4. Considerations with Special Types 4. Considerations with Special Types
Five types of RRSets owned by a wild card domain name have caused Sections 2 and 3 of this document discuss wildcard synthesis with
confusion. Four explicit types causing confusion are SOA, NS, CNAME, respect to names in the domain tree and ignore the impact of types.
DNAME, and the fifth type - "none." In this section, the implication of wildcards of specific types are
discussed. The types covered are those that have proven to be the
most difficult to understand. The types are SOA, NS, CNAME, DNAME,
SRV, DS, NSEC, RRSIG and "none," i.e., empty non-terminal wild card
domain names.
4.1. SOA RRSet at a Wild Card Domain Name 4.1 SOA RRSet at a Wild Card Domain Name
A wild card domain name owning an SOA RRSet means that the domain A wild card domain name owning an SOA RRSet means that the domain
is at the root of the zone (apex). The domain can not be a source of is at the root of the zone (apex). The domain can not be a source of
synthesis because that is, by definition, a descendent node (of synthesis because that is, by definition, a descendent node (of
the closest encloser) and a zone apex is at the top of the zone. the closest encloser) and a zone apex is at the top of the zone.
Although a wild card domain name owning an SOA RRSet can never be a Although a wild card domain name owning an SOA RRSet can never be a
source of synthesis, there is no reason to forbid the ownership of source of synthesis, there is no reason to forbid the ownership of
an SOA RRSet. an SOA RRSet.
E.g., if *.example. has an SOA record, then only a query like E.g., given this zone:
QNAME=*.example., QTYPE=A, QCLASS=IN would see it. A query like $ORIGIN *.example.
QNAME=foo.example., QTYPE=A, QCLASS=IN would not see it - a different @ 3600 IN SOA <SOA RDATA>
zone would have been picked in Step 2. A QNAME of www.*.example. 3600 NS ns1.example.com.
would result in a query referencing the *.example zone. 3600 NS ns1.example.net.
www 3600 TXT "the www txt record"
4.2. NS RRSet at a Wild Card Domain Name A query for www.*.example.'s TXT record would still find the "the www txt
record" answer. The reason is that the asterisk label only becomes
significant when RFC 1034's 4.3.2, step 3 part 'c' in in effect.
Of course, there would need to be a delegation in the parent zone,
"example." for this to work too. This is covered in the next section.
4.2 NS RRSet at a Wild Card Domain Name
The semantics of a wild card domain name's ownership of a NS RRSet The semantics of a wild card domain name's ownership of a NS RRSet
has been unclear. Looking through RFC 1034, the recommendation has been unclear. There are three considerations to cover. One is
is to have the NS RRSet act the same a any non-special type, e.g., is that if the query processing lands in part 'a' or part 'b' of
like an A RRSet. RFC 1034's 4.3.2, step 3, the incidence of the wild card domain name
owning an NS RRset has no special meaning. Second, synthesized
records never appear in the authority section of a response, meaning
that referrals are never synthesized. And finally, DNSSEC validators
will have to be aware of a quirk in ownership rules.
4.2.1 NS, *, and answers
If the NS RRSet in question is at the top of the zone, i.e., the If the NS RRSet in question is at the top of the zone, i.e., the
name also owns an SOA RRSet, the QNAME equals the zone name. This name also owns an SOA RRSet, the QNAME equals the zone name. This
would trigger part 'a' of Step 3. would trigger part 'a' of step 3.
In any other case, the wild card domain name owned NS RRSet would 4.2.2 NS, *, and referrals
be the only RRSet (prior to changes instituted by DNSSEC) at the
node by DNS rules. If the QNAME equals the wild card domain name
or is a subdomain of it, then the node would be considered in part
'b' of Step 3. [should dnssec be left out of this?]
Note that there is no synthesis of records in the authority section If the NS RRset is not at the top of the zone and part 'b' is triggered,
because part 'b' does not specify synthesis. The referral returned this implies that the labels being matched are an asterisk label in
would have the wild card domain name in the authority section unchanged. the QNAME and the asterisk label owning the NS RRset. In either case,
what is copied to the response will have the asterisk label in it - no
synthesis, no name substitution.
E.g., consider the parent zone for the example in section 4.1.
$ORIGIN example.
@ 3600 IN SOA <SOA RDATA>
3600 NS ns0.example.com.
3600 NS ns0.example.net.
* 3600 NS ns1.example.com.
3600 NS ns1.example.net.
If the query for www.*.example.'s TXT set arrived here, the response
would be a referral as in part 'b'.
Response, non-authoritative, no error rcode
ANSWER: (empty)
AUTHORITY:
* 3600 NS ns1.example.com.
3600 NS ns1.example.net.
ADDITIIONAL: (empty, or with OPT RR)
The same response message would be sent to a query for *.example.'s NS
set. Note that the NS records in the response are not expanded, simply
copied verbatim. (Compare this the case where "*" is "star".)
There is no synthesis of records in the authority section because part
'b' does not specify synthesis. The referral returned would have the
wild card domain name in the authority section unchanged.
4.2.3 NS, *, and synthesis
If the QNAME is not the same as the wild card domain name nor a If the QNAME is not the same as the wild card domain name nor a
subdomain of it, then part 'c' of Step 3 has been triggered. Once subdomain of it, then part 'c' of step 3 has been triggered. Assuming
part 'c' is entered, there is no reverting to part 'b' - i.e., that "a match is impossible" a source of synthesis is sought. If
once an NS RRSet is synthesized it does not mean that the server has the source of synthesis owns an NS RRset and the QTYPE is NS, then
to consider the name delegated away. I.e., the server is not a NS RRset is synthesized and put into the answer section and marked
synthesizing a record (the NS RRSet) that means the server does not as an authoritative answer. If the QTYPE is not NS, then the NS RRset
have the right to synthesize. (Only an authoritative server can is ignored, as it would have been if it were an A RR and the QTYPE was
perform synthesis. By synthesizing an NS RRSet, it appears that the AAAA. An NS RRSet at a wild card domain name will not result in
authority for the name has been delegated to another authority.) the generation of referral messages for non-existent domains because
part 'c' does not write anything into the authority section.
In summation, an NS RRSet at a wild card domain name will not result in (If we choose this, then we have to have a section 4.2.4 on DNSSEC
the generation of referral messages for non-existent domains. implications.)
4.3. CNAME RRSet at a Wild Card Domain Name OR
If the QNAME is not the same as the wild card domain name nor a
subdomain of it, then part 'c' of step 3 has been triggered. Assuming
that "a match is impossible" a source of synthesis is sought. If
the source of synthesis owns an NS RRset and the QTYPE is NS, then
no synthesis happens. A NS RRset is never synthesized. The proper
response is, what, no error/no data? Name error?
OR
If the QNAME is not the same as the wild card domain name nor a
subdomain of it, then part 'c' of step 3 has been triggered. Assuming
that "a match is impossible" a source of synthesis is sought. If
the source of synthesis owns an NS RRset then no synthesis happens.
A cut point is never a source of synthesis. The proper response is,
what, no error/no data? Name error?
4.3 CNAME RRSet at a Wild Card Domain Name
The issue of a CNAME RRSet owned by wild card domain names has prompted The issue of a CNAME RRSet owned by wild card domain names has prompted
a suggested change to the last paragraph of step 3c of the algorithm a suggested change to the last paragraph of step 3c of the algorithm
in 4.3.2. The changed text appears in section 3.3.4 of this document. in 4.3.2. The changed text appears in section 3.3.3 of this document.
4.4. DNAME RRSet at a Wild Card Domain Name 4.4 DNAME RRSet at a Wild Card Domain Name
The specification of the DNAME RR, which is at the proposed level of A DNAME RRset at a wild card domain name is effectively the same
standardization, is not as mature as the full standard in RFC 1034. as a CNAME at a wild card domain name.
Because of this, or the reason for this is, there appears to be a
a number of issues with that definition and it's rewrite of the algorithm
in 4.3.2. For the time being, when it comes to wild card processing
issues, a DNAME can be considered to be a CNAME synthesizer. A DNAME
at a wild card domain name is effectively the same as a CNAME at a
wild card domain name.
4.5 Empty Non-terminal Wild Card Domain Name 4.5 SRV RRSet at a Wild Card Domain Name
The definition of the SRV RRset is RFC 2782 [RFC2782]. In the
definition of the record, there is some confusion over the term
"Name." The definition reads as follows:
# The format of the SRV RR
...
# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
...
# Name
# The domain this RR refers to. The SRV RR is unique in that the
# name one searches for is not this name; the example near the end
# shows this clearly.
Do not confuse the definition "Name" with a domain name. I.e., once
removing the _Service and _Proto labels from the owner name of the
SRV RRSet, what remains could be a wild card domain name but this is
immaterial to the SRV RRSet.
E.g., If an SRV record is:
_foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
*.example is a wild card domain name and although it it the Name of
the SRV RR, it is not the owner (domain name). The owner domain name
is "_foo._udp.*.example." which is not a wild card domain name.
The confusion is likely based on the mixture of the specification of
the SRV RR and the description of a "use case."
4.6 DS RRSet at a Wild Card Domain Name
...probably harmless...
4.7 NSEC RRSet at a Wild Card Domain Name
...will be present, don't know if it should be synthesized...
4.8 RRSIG at a Wild Card Domain Name
...need to cross check with DNSSECbis to see what is said about querying
for RRSIG...
4.9 Empty Non-terminal Wild Card Domain Name
If a source of synthesis is an empty non-terminal, then the response If a source of synthesis is an empty non-terminal, then the response
will be one of no error in the return code and no RRSet in the answer will be one of no error in the return code and no RRSet in the answer
section. section.
5. Security Considerations 5. Security Considerations
This document is refining the specifications to make it more likely This document is refining the specifications to make it more likely
that security can be added to DNS. No functional additions are being that security can be added to DNS. No functional additions are being
made, just refining what is considered proper to allow the DNS, made, just refining what is considered proper to allow the DNS,
skipping to change at line 721 skipping to change at line 756
Normative References Normative References
[RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969 [RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969
[RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris, [RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris,
Nov-01-1987 Nov-01-1987
[RFC 1035] Domain Names - Implementation and Specification, P.V [RFC 1035] Domain Names - Implementation and Specification, P.V
Mockapetris, Nov-01-1987 Mockapetris, Nov-01-1987
[RFC1995] IXFR ... Ohta
[RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S [RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S
Bradner, March 1997 Bradner, March 1997
[RFC 2181] Clarifications to the DNS Specification, R. Elz and R. Bush, [RFC 2181] Clarifications to the DNS Specification, R. Elz and R. Bush,
July 1997. July 1997.
[RFC2782] A DNS RR for specifying the location of services (DNS SRV),
A. Gulbrandsen, et.al., February 2000.
Informative References Informative References
[RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P. [RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P.
Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997 Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997
[RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999 [RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999
[RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999 [RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999
7. Others Contributing to This Document 7. Others Contributing to This Document
Others who have been editors of this document: Bob Halley. Others who have been editors of this document: Bob Halley.
Others who have directly caused text to appear in the document: Alex Others who have directly caused text to appear in the document: Alex
Bligh, Robert Elz, Paul Vixie and Olaf Kolkman. Bligh, Robert Elz, Paul Vixie, David Blacka and Olaf Kolkman.
Many others have indirect influences on the content. Many others have indirect influences on the content.
8. Editor 8. Editor
Name: Edward Lewis Name: Edward Lewis
Affiliation: NeuStar Affiliation: NeuStar
Address: 46000 Center Oak Plaza, Sterling, VA, 20166, US Address: 46000 Center Oak Plaza, Sterling, VA, 20166, US
Phone: +1-571-434-5468 Phone: +1-571-434-5468
Email: ed.lewis@neustar.biz Email: ed.lewis@neustar.biz
skipping to change at line 797 skipping to change at line 837
that may be required to implement this standard. Please address the that may be required to implement this standard. Please address the
information to the IETF at ietf-ipr@ietf.org. information to the IETF at ietf-ipr@ietf.org.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
Expiration Expiration
This document expires on or about July 20, 2005. This document expires on or about August 10, 2005.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/