draft-ietf-dnsext-wcard-clarify-07.txt   draft-ietf-dnsext-wcard-clarify-08.txt 
DNSEXT Working Group E. Lewis DNSEXT Working Group E. Lewis
INTERNET DRAFT NeuStar INTERNET DRAFT NeuStar
Expiration Date: November 16, 2005 May 16, 2005 Expiration Date: January 6, 2006 July 6, 2005
Updates RFC 1034, RFC 2672
The Role of Wildcards The Role of Wildcards
in the Domain Name System in the Domain Name System
draft-ietf-dnsext-wcard-clarify-07.txt draft-ietf-dnsext-wcard-clarify-08.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that By submitting this Internet-Draft, each author represents that
any applicable patent or other IPR claims of which he or she is any applicable patent or other IPR claims of which he or she is
aware have been or will be disclosed, and any of which he or she aware have been or will be disclosed, and any of which he or she
becomes aware will be disclosed, in accordance with Section 6 of becomes aware will be disclosed, in accordance with Section 6 of
BCP 79. BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
skipping to change at line 34 skipping to change at line 35
documents at any time. It is inappropriate to use Internet-Drafts documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in as reference material or to cite them other than as "work in
progress." progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on November 16, 2005. This Internet-Draft will expire on January 6, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This is an update to the wildcard definition of RFC 1034. The This is an update to the wildcard definition of RFC 1034. The
interaction with wildcards and CNAME is changed, an error interaction with wildcards and CNAME is changed, an error
condition removed, and the words defining some concepts central condition removed, and the words defining some concepts central
to wildcards are changed. The overall goal is not to change to wildcards are changed. The overall goal is not to change
wildcards, but to refine the definition of RFC 1034. wildcards, but to refine the definition of RFC 1034.
1 Introduction Table of Contents
1. Introduction
1.1 Motivation
1.2 The Original Definition
1.3 Roadmap to This Document
1.3.1 New Terms
1.3.2 Changed Text
1.3.3 Considerations with Special Types
1.4 Standards Terminology
2. Wildcard Syntax
2.1 Identifying a Wildcard
2.1.1 Wild Card Domain Name and Asterisk Label
2.1.2 Asterisks and Other Characters
2.1.3 Non-terminal Wild Card Domain Names
2.2 Existence Rules
2.2.1 An Example
2.2.2 Empty Non-terminals
2.2.3 Yet Another Definition of Existence
2.3 When is a Wild Card Domain Name Not Special
3. Impact of a Wild Card Domain Name On a Response
3.1 Step 2
3.2 Step 3
3.3 Part 'c'
3.3.1 Closest Encloser and the Source of Synthesis
3.3.2 Closest Encloser and Source of Synthesis Examples
3.3.3 Type Matching
4. Considerations with Special Types
4.1 SOA RRSet at a Wild Card Domain Name
4.2 NS RRSet at a Wild Card Domain Name
4.2.1 Discarded Notions
4.3 CNAME RRSet at a Wild Card Domain Name
4.4 DNAME RRSet at a Wild Card Domain Name
4.5 SRV RRSet at a Wild Card Domain Name
4.6 DS RRSet at a Wild Card Domain Name
4.7 NSEC RRSet at a Wild Card Domain Name
4.8 RRSIG at a Wild Card Domain Name
4.9 Empty Non-terminal Wild Card Domain Name
5. Security Considerations
6. IANA Considerations
7. References
8. Editor
9. Others Contributing to the Document
10. Trailing Boilerplate
1. Introduction
In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
synthesis of answers from special resource records called synthesis of answers from special resource records called
wildcards. The definition in RFC 1034 is incomplete and has wildcards. The definition in RFC 1034 is incomplete and has
proven to be confusing. This document describes the wildcard proven to be confusing. This document describes the wildcard
synthesis by adding to the discussion and making limited synthesis by adding to the discussion and making limited
modifications. Modifications are made to close inconsistencies modifications. Modifications are made to close inconsistencies
that have led to interoperability issues. This description that have led to interoperability issues. This description
does not expand the service intended by the original definition. does not expand the service intended by the original definition.
Staying within the spirit and style of the original documents, Staying within the spirit and style of the original documents,
this document avoids specifying rules for DNS implementations this document avoids specifying rules for DNS implementations
regarding wildcards. The intention is to only describe what is regarding wildcards. The intention is to only describe what is
needed for interoperability, not restrict implementation choices. needed for interoperability, not restrict implementation choices.
In addition, consideration has been given to minimize any In addition, consideration is given to minimize any backwards
backwards compatibility with implementations that have complied compatibility issues with implementations that comply with RFC
with RFC 1034's definition. 1034's definition.
This document is focused on the concept of wildcards as defined This document is focused on the concept of wildcards as defined
in RFC 1034. Nothing is implied regarding alternative approaches, in RFC 1034. Nothing is implied regarding alternative means of
nor are alternatives discussed. synthesizing resource record sets, nor are alternatives discussed.
1.1 Motivation 1.1 Motivation
Many DNS implementations have diverged with respect to wildcards Many DNS implementations diverge, in different ways, from the
in different ways from the original definition, or at from least original definition of wildcards. Although there is clearly a
what had been intended. Although there is clearly a need to need to clarify the original documents in light of this alone,
clarify the original documents in light of this alone, the impetus the impetus for this document lay in the engineering of the DNS
for this document lay in the engineering of the DNS security security extensions [RFC4033]. With an unclear definition of
extensions [RFC4033]. With an unclear definition of wildcards wildcards the design of authenticated denial became entangled.
the design of authenticated denial became entangled.
This document is intended to limit changes, only those based on This document is intended to limit its changes, documenting only
implementation experience, and to remain as close to the original those based on implementation experience, and to remain as close
document as possible. To reinforce this, relevant sections of RFC to the original document as possible. To reinforce that this
1034 are repeated verbatim to help compare the old and new text. document is meant to clarify and adjust and not redefine wildcards,
relevant sections of RFC 1034 are repeated verbatim to facilitate
comparison of the old and new text.
1.2 The Original Definition 1.2 The Original Definition
The context of the wildcard concept involves the algorithm by The defintion of the wildcard concept is comprised by the
which a name server prepares a response (in RFC 1034's section documentation of the algorithm by which a name server prepares
4.3.2) and the way in which a resource record (set) is identified a response (in RFC 1034's section 4.3.2) and the way in which
as being a source of synthetic data (section 4.3.3). a resource record (set) is identified as being a source of
synthetic data (section 4.3.3).
The beginning of the discussion ought to start with the definition This is the definition of the term "wildcard" as it appears in
of the term "wildcard" as it appears in RFC 1034, section 4.3.3. RFC 1034, section 4.3.3.
# In the previous algorithm, special treatment was given to RRs with # In the previous algorithm, special treatment was given to RRs with
# owner names starting with the label "*". Such RRs are called # owner names starting with the label "*". Such RRs are called
# wildcards. Wildcard RRs can be thought of as instructions for # wildcards. Wildcard RRs can be thought of as instructions for
# synthesizing RRs. When the appropriate conditions are met, the name # synthesizing RRs. When the appropriate conditions are met, the name
# server creates RRs with an owner name equal to the query name and # server creates RRs with an owner name equal to the query name and
# contents taken from the wildcard RRs. # contents taken from the wildcard RRs.
This passage appears after the algorithm in which the term wildcard This passage follows the algorithm in which the term wildcard
is first used. In this definition, wildcard refers to resource is first used. In this definition, wildcard refers to resource
records. In other usage, wildcard has referred to domain names, records. In other usage, wildcard has referred to domain names,
and it has been used to describe the operational practice of and it has been used to describe the operational practice of
relying on wildcards to generate answers. It is clear from this relying on wildcards to generate answers. It is clear from this
that there is a need to define clear and unambiguous terminology that there is a need to define clear and unambiguous terminology
in the process of discussing wildcards. in the process of discussing wildcards.
The mention of the use of wildcards in the preparation of a The mention of the use of wildcards in the preparation of a
response is contained in step 3c of RFC 1034's section 4.3.2 response is contained in step 3c of RFC 1034's section 4.3.2
entitled "Algorithm." Note that "wildcard" does not appear in entitled "Algorithm." Note that "wildcard" does not appear in
the algorithm, instead references are made to the "*" label. the algorithm, instead references are made to the "*" label.
The portion of the algorithm relating to wildcards is The portion of the algorithm relating to wildcards is
deconstructed in detail in section 3 of this document, this is deconstructed in detail in section 3 of this document, this is
the beginning of the passage. the beginning of the relevant portion of the "Algorithm."
# c. If at some label, a match is impossible (i.e., the # c. If at some label, a match is impossible (i.e., the
# corresponding label does not exist), look to see if [...] # corresponding label does not exist), look to see if [...]
# the "*" label exists. # the "*" label exists.
The scope of this document is the RFC 1034 definition of The scope of this document is the RFC 1034 definition of
wildcards and the implications of updates to those documents, wildcards and the implications of updates to those documents,
such as DNSSEC. Alternate schemes for synthesizing answers are such as DNSSEC. Alternate schemes for synthesizing answers are
not considered. (Note that there is no reference listed. No not considered. (Note that there is no reference listed. No
document is known to describe any alternate schemes, although document is known to describe any alternate schemes, although
there has been some mention of them in mailing lists.) there has been some mention of them in mailing lists.)
1.3 This Document 1.3 Roadmap to This Document
This document accomplishes these three items. This document accomplishes these three items.
o Defines new terms o Defines new terms
o Makes minor changes to avoid conflicting concepts o Makes minor changes to avoid conflicting concepts
o Describes the actions of certain resource records as wildcards o Describes the actions of certain resource records as wildcards
1.3.1 New Terms 1.3.1 New Terms
To help in discussing what resource records are wildcards, two To help in discussing what resource records are wildcards, two
terms will be defined - "asterisk label" and "wild card domain terms will be defined - "asterisk label" and "wild card domain
name". These are defined in section 2.1.1. name". These are defined in section 2.1.1.
To assist in clarifying the role of wildcards in the name server To assist in clarifying the role of wildcards in the name server
algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest
encloser" are defined. These definitions are in section 3.3.2. encloser" are defined. These definitions are in section 3.3.2.
"Label match" is defined in section 3.2. "Label match" is defined in section 3.2.
The introduction of new terms ought not have an impact on any The new terms are used to make discussions of wildcards clearer.
existing implementations. The new terms are used only to make Terminology doesn't directly have an impact on implementations.
discussions of wildcards clearer.
1.3.2 Changed Text 1.3.2 Changed Text
The definition of "existence" is changed, superficially. This The definition of "existence" is changed superficially. This
change will not be apparent to implementations; it is needed to change will not be apparent to implementations; it is needed to
make descriptions more precise. The change appears in section make descriptions more precise. The change appears in section
2.2.3. 2.2.3.
RFC 1034, section 4.3.3., seems to prohibit having two asterisk RFC 1034, section 4.3.3., seems to prohibit having two asterisk
labels in a wildcard owner name. With this document the labels in a wildcard owner name. With this document the
restriction is removed entirely. This change and its implications restriction is removed entirely. This change and its implications
are in section 2.1.3. are in section 2.1.3.
The actions when a source of synthesis owns a CNAME RR are The actions when a source of synthesis owns a CNAME RR are
changed to mirror the actions if an exact match name owns a changed to mirror the actions if an exact match name owns a
CNAME RR. This is an addition to the words in RFC 1034, CNAME RR. This is an addition to the words in RFC 1034,
section 4.3.2, step 3, part c. The discussion of this is in section 4.3.2, step 3, part c. The discussion of this is in
section 3.3.3. section 3.3.3.
Only the latter change represents an impact to implementations. Only the latter change represents an impact to implementations.
The definition of existence is not a protocol impact. The change The definition of existence is not a protocol impact. The change
to the restriction on names is unlikely to have an impact, as to the restriction on names is unlikely to have an impact, as
there was no discussion of how to enforce the restriction. RFC 1034 contained no specification on when and how to enforce the
restriction.
1.3.3 Considerations with Special Types 1.3.3 Considerations with Special Types
This document describes semantics of wildcard CNAME RRSets This document describes semantics of wildcard RRSets for
[RFC2181], wildcard NS RRSets, wildcard SOA RRSets, wildcard "interesting" types as well as empty non-terminal wildcards.
DNAME RRSets [RFC2672], wildcard DS RRSets [RFC TBD], and empty Understanding these situations in the context of wildcards has
non-terminal wildcards. Understanding these types in the context been clouded because these types incur special processing if
of wildcards has been clouded because these types incur special they are the result of an exact match. This discussion is in
processing if they are the result of an exact match. This section 4.
discussion is in section 4.
These discussions do not have an implementation impact, they cover These discussions do not have an implementation impact, they cover
existing knowledge of the types, but to a greater level of detail. existing knowledge of the types, but to a greater level of detail.
1.4 Standards Terminology 1.4 Standards Terminology
This document does not use terms as defined in "Key words for use This document does not use terms as defined in "Key words for use
in RFCs to Indicate Requirement Levels." [RFC2119] in RFCs to Indicate Requirement Levels." [RFC2119]
Quotations of RFC 1034 are denoted by a '#' in the leftmost Quotations of RFC 1034 are denoted by a '#' in the leftmost
column. column. References to section "4.3.2" are assumed to refer
to RFC 1034's section 4.3.2, simply titled "Algorithm."
2 Wildcard Syntax 2. Wildcard Syntax
The syntax of a wildcard is the same as any other DNS resource The syntax of a wildcard is the same as any other DNS resource
record, across all classes and types. The only significant record, across all classes and types. The only significant
feature is the owner name. feature is the owner name.
Because wildcards are encoded as resource records with special Because wildcards are encoded as resource records with special
names, they are included in zone transfers and incremental zone names, they are included in zone transfers and incremental zone
transfers[RFC1995]. This feature has been underappreciated until transfers[RFC1995] just as non-wildcard resource records are.
discussions on alternative approaches to wildcards appeared on This feature has been underappreciated until discussions on
mailing lists. alternative approaches to wildcards appeared on mailing lists.
2.1 Identifying a Wildcard 2.1 Identifying a Wildcard
To provide a more accurate description of "wildcards", the To provide a more accurate description of wildcards, the
definition has to start with a discussion of the domain names definition has to start with a discussion of the domain names
that appear as owners. Two new terms are needed, "Asterisk that appear as owners. Two new terms are needed, "Asterisk
Label" and "Wild Card Domain Name." Label" and "Wild Card Domain Name."
2.1.1 Wild Card Domain Name and Asterisk Label 2.1.1 Wild Card Domain Name and Asterisk Label
A "wild card domain name" is defined by having its initial A "wild card domain name" is defined by having its initial
(i.e., left-most or least significant) label be, in binary format: (i.e., left-most or least significant) label be, in binary format:
0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal) 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
skipping to change at line 237 skipping to change at line 285
label." label."
RFC 1034's definition of wildcard would be "a resource record RFC 1034's definition of wildcard would be "a resource record
owned by a wild card domain name." owned by a wild card domain name."
2.1.2 Asterisks and Other Characters 2.1.2 Asterisks and Other Characters
No label values other than that in section 2.1.1 are asterisk No label values other than that in section 2.1.1 are asterisk
labels, hence names beginning with other labels are never wild labels, hence names beginning with other labels are never wild
card domain names. Labels such as 'the*' and '**' are not card domain names. Labels such as 'the*' and '**' are not
asterisk labels, they do not start wild card domain names. asterisk labels so these labels do not start wild card domain
names.
2.1.3 Non-terminal Wild Card Domain Names 2.1.3 Non-terminal Wild Card Domain Names
In section 4.3.3, the following is stated: In section 4.3.3, the following is stated:
# .......................... The owner name of the wildcard RRs is of # .......................... The owner name of the wildcard RRs is of
# the form "*.<anydomain>", where <anydomain> is any domain name. # the form "*.<anydomain>", where <anydomain> is any domain name.
# <anydomain> should not contain other * labels...................... # <anydomain> should not contain other * labels......................
This restriction is lifted because the original documentation of it The restriction is now removed. The original documentation of it
is incomplete and the restriction does not serve any purpose given is incomplete and the restriction does not serve any purpose given
years of operational experience. years of operational experience.
Indirectly, the above passage raises questions about wild card There are three possible reasons for putting the restriction in
domain names having subdomains and possibly being an empty place, but none of the three has held up over time. One is
non-terminal. By thinking of domain names such as that the restriction meant that there would never be subdomains
"*.example.*.example." and "*.*.example." and focusing on the of wild card domain names, but the restriciton as stated still
right-most asterisk label in each, the issues become apparent. permits "example.*.example." for instance. Another is that
wild card domain names are not intended to be empty non-terminals,
Although those example names have been restricted per RFC 1034, but this situation does not disrupt the algorithm in 4.3.2.
a name such as "example.*.example." illustrates the same problems. Finally, "nested" wild card domain names are not ambiguous once
The sticky issue of subdomains and empty non-terminals is not the concept of the closest encloser had been documented.
removed by the restriction. With that conclusion, the restriction
appears to be meaningless, worse yet, it implies that an
implementation would have to perform checks that do little more
than waste CPU cycles.
A wild card domain name can have subdomains. There is no need A wild card domain name can have subdomains. There is no need
to inspect the subdomains to see if there is another asterisk to inspect the subdomains to see if there is another asterisk
label in any subdomain. label in any subdomain.
A wild card domain name can be an empty non-terminal. (See the A wild card domain name can be an empty non-terminal. (See the
upcoming sections on empty non-terminals.) In this case, any upcoming sections on empty non-terminals.) In this case, any
lookup encountering it will terminate as would any empty lookup encountering it will terminate as would any empty
non-terminal match. non-terminal match.
skipping to change at line 285 skipping to change at line 330
The notion that a domain name 'exists' is mentioned in the The notion that a domain name 'exists' is mentioned in the
definition of wildcards. In section 4.3.3 of RFC 1034: definition of wildcards. In section 4.3.3 of RFC 1034:
# Wildcard RRs do not apply: # Wildcard RRs do not apply:
# #
... ...
# - When the query name or a name between the wildcard domain and # - When the query name or a name between the wildcard domain and
# the query name is know[n] to exist. For example, if a wildcard # the query name is know[n] to exist. For example, if a wildcard
RFC 1034 also refers to non-existence in the process of generating "Existence" is therefore an important concept in the understanding
a response that results in a return code of "name error." of wildcards. Unfortunately, the definition of what exists, in RFC
NXDOMAIN is introduced in RFC 2308, section 2.1 says "In this 1034, is unlcear. So, in sections 2.2.2. and 2.2.3, another look is
case the domain ... does not exist." The overloading of the term taken at the definition of existence.
"existence" is confusing.
For the purposes of this document, a domain name is said to
exist if it plays a role in the execution of the algorithms in
RFC 1034. This document avoids discussion determining when an
authoritative name error has occurred.
2.2.1 An Example 2.2.1 An Example
To illustrate what is meant by existence consider this complete To illustrate what is meant by existence consider this complete
zone: zone:
$ORIGIN example. $ORIGIN example.
example. 3600 IN SOA <SOA RDATA> example. 3600 IN SOA <SOA RDATA>
example. 3600 NS ns.example.com. example. 3600 NS ns.example.com.
example. 3600 NS ns.example.net. example. 3600 NS ns.example.net.
skipping to change at line 329 skipping to change at line 368
/ / \ \ / / \ \
/ / \ \ / / \ \
* host1 host2 subdel * host1 host2 subdel
| | | | | |
| | | | | |
sub _tcp _tcp sub _tcp _tcp
| | | |
| | | |
_ssh _ssh _ssh _ssh
The following queries would be synthesized from one of the The following responses would be synthesized from one of the
wildcards: wildcards in the zone:
QNAME=host3.example. QTYPE=MX, QCLASS=IN QNAME=host3.example. QTYPE=MX, QCLASS=IN
the answer will be a "host3.example. IN MX ..." the answer will be a "host3.example. IN MX ..."
QNAME=host3.example. QTYPE=A, QCLASS=IN QNAME=host3.example. QTYPE=A, QCLASS=IN
the answer will reflect "no error, but no data" the answer will reflect "no error, but no data"
because there is no A RR set at '*.example.' because there is no A RR set at '*.example.'
QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
the answer will be "foo.bar.example. IN TXT ..." the answer will be "foo.bar.example. IN TXT ..."
because bar.example. does not exist, but the wildcard because bar.example. does not exist, but the wildcard
does. does.
The following queries would not be synthesized from any of the The following responses would not be synthesized from any of the
wildcards: wildcards in the zone:
QNAME=host1.example., QTYPE=MX, QCLASS=IN QNAME=host1.example., QTYPE=MX, QCLASS=IN
because host1.example. exists because host1.example. exists
QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
because *.example. exists
QNAME=sub.*.example., QTYPE=MX, QCLASS=IN QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
because sub.*.example. exists because sub.*.example. exists
QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
because _tcp.host1.example. exists (without data) because _tcp.host1.example. exists (without data)
QNAME=host.subdel.example., QTYPE=A, QCLASS=IN QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
because subdel.example. exists (and is a zone cut) because subdel.example. exists (and is a zone cut)
QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
because *.example. exists
The final example highlights one common misconception about
wildcards. A wildcard "blocks itself" in the sense that a
wildcard does not match its own subdomains. I.e. "*.example."
does not match all names in the "example." zone, it fails to
match the names below "*.example." To cover names under
"*.example.", another wild card domain name is needed -
"*.*.example." - which covers all but it's own subdomains.
2.2.2 Empty Non-terminals 2.2.2 Empty Non-terminals
Empty non-terminals [RFC2136, Section 7.16] are domain names Empty non-terminals [RFC2136, Section 7.16] are domain names
that own no resource records but have subdomains that do. In that own no resource records but have subdomains that do. In
section 2.2.1, "_tcp.host1.example." is an example of a empty section 2.2.1, "_tcp.host1.example." is an example of a empty
non-terminal name. Empty non-terminals are introduced by this non-terminal name. Empty non-terminals are introduced by this
text in section 3.1 of RFC 1034: text in section 3.1 of RFC 1034:
# The domain name space is a tree structure. Each node and leaf on # The domain name space is a tree structure. Each node and leaf on
# the tree corresponds to a resource set (which may be empty). The # the tree corresponds to a resource set (which may be empty). The
skipping to change at line 387 skipping to change at line 434
terminals are explicitly recognized, and that empty non-terminals terminals are explicitly recognized, and that empty non-terminals
"exist." "exist."
Pedantically reading the above paragraph can lead to an Pedantically reading the above paragraph can lead to an
interpretation that all possible domains exist - up to the interpretation that all possible domains exist - up to the
suggested limit of 255 octets for a domain name [RFC1035]. suggested limit of 255 octets for a domain name [RFC1035].
For example, www.example. may have an A RR, and as far as is For example, www.example. may have an A RR, and as far as is
practically concerned, is a leaf of the domain tree. But the practically concerned, is a leaf of the domain tree. But the
definition can be taken to mean that sub.www.example. also definition can be taken to mean that sub.www.example. also
exists, albeit with no data. By extension, all possible domains exists, albeit with no data. By extension, all possible domains
exist, from the root on down. As RFC 1034 also defines "an exist, from the root on down.
authoritative name error indicating that the name does not exist"
in section 4.3.1, this is not the intent of the original document. As RFC 1034 also defines "an authoritative name error indicating
that the name does not exist" in section 4.3.1, so this apparently
is not the intent of the original definition, justifying the
need for an updated definition in the next section.
2.2.3 Yet Another Definition of Existence 2.2.3 Yet Another Definition of Existence
RFC1034's wording is fixed by the following paragraph: RFC1034's wording is fixed by the following paragraph:
The domain name space is a tree structure. Nodes in the tree The domain name space is a tree structure. Nodes in the tree
either own at least one RRSet and/or have descendants that either own at least one RRSet and/or have descendants that
collectively own at least on RRSet. A node may have no RRSets collectively own at least one RRSet. A node may exist with no
if it has descendents that do, this node is a empty non-terminal. RRSets only if it has descendents that do, this node is an empty
A node may have its own RRSets and have descendants with RRSets non-terminal.
too.
A node with no descendants is a leaf node. Empty leaf nodes do A node with no descendants is a leaf node. Empty leaf nodes do
not exist. not exist.
Note that at a zone boundary, the domain name owns data, Note that at a zone boundary, the domain name owns data,
including the NS RR set. At the delegating server, the NS RR including the NS RR set. In the delegating zone, the NS RR
set is not authoritative, but that is of no consequence here. set is not authoritative, but that is of no consequence here.
The domain name owns data, therefore, it exists. The domain name owns data, therefore, it exists.
2.3 When does a Wild Card Domain Name is not Special 2.3 When is a Wild Card Domain Name Not Special
When a wild card domain name appears in a message's query section, When a wild card domain name appears in a message's query section,
no special processing occurs. An asterisk label in a query name no special processing occurs. An asterisk label in a query name
only (label) matches an asterisk label in the existing zone tree only matches a single, corresponding asterisk label in the
when the 4.3.2 algorithm is being followed. existing zone tree when the 4.3.2 algorithm is being followed.
When a wild card domain name appears in the resource data of a When a wild card domain name appears in the resource data of a
record, no special processing occurs. An asterisk label in that record, no special processing occurs. An asterisk label in that
context literally means just an asterisk. context literally means just an asterisk.
3. Impact of a Wild Card Domain Name On a Response 3. Impact of a Wild Card Domain Name On a Response
The description of how wildcards impact response generation is in RFC 1034's description of how wildcards impact response
RFC 1034, section 4.3.2. That passage contains the algorithm generation is in its section 4.3.2. That passage contains the
followed by a server in constructing a response. Within that algorithm followed by a server in constructing a response.
algorithm, step 3, part 'c' defines the behavior of the wild card. Within that algorithm, step 3, part 'c' defines the behavior of
the wildcard.
The algorithm in RFC 1034, section 4.3.2. is not intended to be The algorithm in section 4.3.2. is not intended to be pseudo-code,
pseudo code, i.e., its steps are not intended to be followed in i.e., its steps are not intended to be followed in strict order.
strict order. The "algorithm" is a suggestion. As such, in The "algorithm" is a suggested means of implementing the
step 3, parts a, b, and c, do not have to be implemented in requirements. As such, in step 3, parts a, b, and c, do not have
that order. to be implemented in that order, provided that the result of the
implemented code is compliant with the protocol's specification.
3.1 Step 2 3.1 Step 2
Step 2 of the RFC 1034's section 4.3.2 reads: Step 2 of the section 4.3.2 reads:
# 2. Search the available zones for the zone which is the nearest # 2. Search the available zones for the zone which is the nearest
# ancestor to QNAME. If such a zone is found, go to step 3, # ancestor to QNAME. If such a zone is found, go to step 3,
# otherwise step 4. # otherwise step 4.
In this step, the most appropriate zone for the response is In this step, the most appropriate zone for the response is
chosen. The significance of this step is that it means all of chosen. The significance of this step is that it means all of
step 3 is being performed within one zone. This has significance step 3 is being performed within one zone. This has significance
when considering whether or not an SOA RR can be ever be used for when considering whether or not an SOA RR can be ever be used for
synthesis. synthesis.
skipping to change at line 474 skipping to change at line 525
three choices, the parts 'a', 'b', and 'c'. Either the name is three choices, the parts 'a', 'b', and 'c'. Either the name is
found, the name is below a cut point, or the name is not found. found, the name is below a cut point, or the name is not found.
Once one of the parts is chosen, the other parts are not Once one of the parts is chosen, the other parts are not
considered. (E.g., do not execute part 'c' and then change considered. (E.g., do not execute part 'c' and then change
the execution path to finish in part 'b'.) The process of label the execution path to finish in part 'b'.) The process of label
matching is also done independent of the query type (QTYPE). matching is also done independent of the query type (QTYPE).
Parts 'a' and 'b' are not an issue for this clarification as they Parts 'a' and 'b' are not an issue for this clarification as they
do not relate to record synthesis. Part 'a' is an exact match do not relate to record synthesis. Part 'a' is an exact match
that results in an answer, part 'b' is a referral. It is that results in an answer, part 'b' is a referral.
possible, from the description given, that a query might fit
into both part a and part b, this is not within the scope of
this document.
3.3 Part 'c' 3.3 Part 'c'
The context of part 'c' is that the process of label matching the The context of part 'c' is that the process of label matching the
labels of the query name has resulted in a situation in which labels of the query name has resulted in a situation in which
there is no corresponding label in the tree. It is as if the there is no corresponding label in the tree. It is as if the
lookup has "fallen off the tree." lookup has "fallen off the tree."
# c. If at some label, a match is impossible (i.e., the # c. If at some label, a match is impossible (i.e., the
# corresponding label does not exist), look to see if [...] # corresponding label does not exist), look to see if [...]
skipping to change at line 561 skipping to change at line 609
# against QTYPE. If any match, copy them into the answer # against QTYPE. If any match, copy them into the answer
# section, but set the owner of the RR to be QNAME, and # section, but set the owner of the RR to be QNAME, and
# not the node with the "*" label. Go to step 6. # not the node with the "*" label. Go to step 6.
The final paragraph covers the role of the QTYPE in the lookup The final paragraph covers the role of the QTYPE in the lookup
process. process.
Based on implementation feedback and similarities between step Based on implementation feedback and similarities between step
'a' and step 'c' a change to this passage has been made. 'a' and step 'c' a change to this passage has been made.
The change is to add the following text to step 'c': The change is to add the following text to step 'c' prior to the
instructions to "go to step 6":
If the data at the source of synthesis is a CNAME, and If the data at the source of synthesis is a CNAME, and
QTYPE doesn't match CNAME, copy the CNAME RR into the QTYPE doesn't match CNAME, copy the CNAME RR into the
answer section of the response changing the owner name answer section of the response changing the owner name
to the QNAME, change QNAME to the canonical name in the to the QNAME, change QNAME to the canonical name in the
CNAME RR, and go back to step 1. CNAME RR, and go back to step 1.
This is essentially the same text in step a covering the This is essentially the same text in step a covering the
processing of CNAME RRSets. processing of CNAME RRSets.
skipping to change at line 603 skipping to change at line 652
E.g., given this zone: E.g., given this zone:
$ORIGIN *.example. $ORIGIN *.example.
@ 3600 IN SOA <SOA RDATA> @ 3600 IN SOA <SOA RDATA>
3600 NS ns1.example.com. 3600 NS ns1.example.com.
3600 NS ns1.example.net. 3600 NS ns1.example.net.
www 3600 TXT "the www txt record" www 3600 TXT "the www txt record"
A query for www.*.example.'s TXT record would still find the A query for www.*.example.'s TXT record would still find the
"the www txt record" answer. The reason is that the asterisk "the www txt record" answer. The reason is that the asterisk
label only becomes significant when RFC 1034's 4.3.2, step 3 label only becomes significant when section's 4.3.2, step 3
part 'c' in in effect. part 'c' in in effect.
Of course, there would need to be a delegation in the parent Of course, there would need to be a delegation in the parent
zone, "example." for this to work too. This is covered in the zone, "example." for this to work too. This is covered in the
next section. next section.
4.2 NS RRSet at a Wild Card Domain Name 4.2 NS RRSet at a Wild Card Domain Name
With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now
in place, the semantics of a wild card domain name owning an in place, the semantics of a wild card domain name owning an
NS RR has come to be poorly defined. The dilemma relates to NS RRSet has come to be poorly defined. The dilemma relates to
a conflict between the rules for synthesis in part 'c' and the a conflict between the rules for synthesis in part 'c' and the
fact that the resulting synthesis generates a record for which fact that the resulting synthesis generates a record for which
the zone is not authoritative. In a DNSSEC signed zone, the the zone is not authoritative. In a DNSSEC signed zone, the
mechanics of signature management (generation and inclusion mechanics of signature management (generation and inclusion
in a message) become unclear. in a message) become unclear.
After some lengthy discussions, there has been no clear "best After some lengthy discussions, there has been no clear "best
answer" on how to document the semantics of such a situation. answer" on how to document the semantics of such a situation.
Barring such records from the DNS would require definition of Barring such records from the DNS would require definition of
rules for that, as well as introducing a restriction on records rules for that, as well as introducing a restriction on records
that were once legal. Allowing such records and amending the that were once legal. Allowing such records and amending the
process of signature management would entail complicating the process of signature management would entail complicating the
DNSSEC definition. DNSSEC definition.
Combining these observations with thought that a wild card There is one more ingredient to the discussion, that being the
domain name owning an NS record is an operationally uninteresting utility of a wild card domain name owned NS RRSet. Although
scenario, i.e., it won't happen in the normal course of events, there are cases of this use, it is an operational rarity.
accomodating this situation in the specification would also be Expending effort to close this topic has proven to be an
categorized as "needless complication." Further, expending more exercise in diminishing returns.
effort on this topic has proven to be an exercise in diminishing
returns.
In summary, there is no definition given for wild card domain In summary, there is no definition given for wild card domain
names owning an NS RRSet. The semantics are left undefined until names owning an NS RRSet. The semantics are left undefined until
there is a clear need to have a set defined, and until there is there is a clear need to have a set defined, and until there is
a clear direction to proceed. Operationally, inclusion of wild a clear direction to proceed. Operationally, inclusion of wild
card NS RRSets in a zone is discouraged, but not barred. card NS RRSets in a zone is discouraged, but not barred.
4.2.1 Discarded Notions
Prior to DNSSEC, a wild card domain name owning a NS RRSet
appeared to be workable, and there are some instances in which
it is found in deployments using implementations that support
this. Continuing to allow this in the specificaion is not
tenable with DNSSEC. The reason is that the synthesis of the
NS RRSet is being done in a zone that has delegated away the
responsibility for the name. This "unauthorized" synthesis is
not a problem for the base DNS protocol, but DNSSEC, in affirming
the authorization model for DNS exposes the problem.
Outright banning of wildcards of type NS is also untenable as
the DNS protocol does not define how to handle "illegal" data.
Implementations may choose not to load a zone, but there is no
protocol definition. The lack of the definition is complicated
by having to cover dynamic update [RFC 2136], zone transfers,
as well as loading at the master server. The case of a client
(resolver, cacheing server) getting a wildcard of type NS in
a reply would also have to be considered.
Given the daunting challenge of a complete definition of how to
ban such records, dealing with existing implementations that
permit the records today is a further complication. There are
uses of wild card domain name owning NS RRSets.
One compromise proposed would have redefined wildcards of type
NS to not be used in synthesis, this compromise fell apart
because it would have required significant edits to the DNSSEC
signing and validation work. (Again, DNSSEC catches
unauthorized data.)
With no clear consensus forming on the solution to this dilemma,
and the realization that wildcards of type NS are a rarity in
operations, the best course of action is to leave this open-ended
until "it matters."
4.3 CNAME RRSet at a Wild Card Domain Name 4.3 CNAME RRSet at a Wild Card Domain Name
The issue of a CNAME RRSet owned by a wild card domain name has The issue of a CNAME RRSet owned by a wild card domain name has
prompted a suggested change to the last paragraph of step 3c of prompted a suggested change to the last paragraph of step 3c of
the algorithm in 4.3.2. The changed text appears in section the algorithm in 4.3.2. The changed text appears in section
3.3.3 of this document. 3.3.3 of this document.
4.4 DNAME RRSet at a Wild Card Domain Name 4.4 DNAME RRSet at a Wild Card Domain Name
Ownership of a DNAME RRSet by a wild card domain name Ownership of a DNAME [RFC2672] RRSet by a wild card domain name
represents a threat to the coherency of the DNS and is to be represents a threat to the coherency of the DNS and is to be
avoided or outright rejected. Such a DNAME RRSet represents avoided or outright rejected. Such a DNAME RRSet represents
non-deterministic synthesis of rules fed to different caches. non-deterministic synthesis of rules fed to different caches.
As caches are fed the different rules (in an unpredictable As caches are fed the different rules (in an unpredictable
manner) the caches will cease to be coherent. ("As caches manner) the caches will cease to be coherent. ("As caches
are fed" refers to the storage in a cache of records obtained are fed" refers to the storage in a cache of records obtained
in responses by recursive or iterative servers.) in responses by recursive or iterative servers.)
For example, assume one cache, responding to a recursive request, For example, assume one cache, responding to a recursive
obtains the record "a.b.example. DNAME foo.bar.tld." and another request, obtains the record:
cache obtains "b.example. DNAME foo.bar.tld.", both generated "a.b.example. DNAME foo.bar.example.net."
from the record "*.example. DNAME foo.bar.tld." by an and another cache obtains:
authoritative server. "b.example. DNAME foo.bar.example.net."
both generated from the record:
"*.example. DNAME foo.bar.example.net."
by an authoritative server.
The DNAME specification is not clear on whether DNAME records The DNAME specification is not clear on whether DNAME records
in a cache are used to rewrite queries. In some interpretations, in a cache are used to rewrite queries. In some interpretations,
the rewrite occurs, in some, it is not. Allowing for the the rewrite occurs, in some, it is not. Allowing for the
occurrence of rewriting, queries for "sub.a.b.example. A" may occurrence of rewriting, queries for "sub.a.b.example. A" may
be rewritten as "sub.foo.bar.tld. A" by the former caching be rewritten as "sub.foo.bar.tld. A" by the former caching
server and may be rewritten as "sub.a.foo.bar.tld. A" by the server and may be rewritten as "sub.a.foo.bar.tld. A" by the
latter. Coherency is lost, an operational nightmare ensues. latter. Coherency is lost, an operational nightmare ensues.
Another justification for banning or avoiding wildcard DNAME Another justification for banning or avoiding wildcard DNAME
skipping to change at line 697 skipping to change at line 784
# The format of the SRV RR # The format of the SRV RR
... ...
# _Service._Proto.Name TTL Class SRV Priority Weight Port Target # _Service._Proto.Name TTL Class SRV Priority Weight Port Target
... ...
# Name # Name
# The domain this RR refers to. The SRV RR is unique in that the # The domain this RR refers to. The SRV RR is unique in that the
# name one searches for is not this name; the example near the end # name one searches for is not this name; the example near the end
# shows this clearly. # shows this clearly.
Do not confuse the definition "Name" with a domain name. I.e., Do not confuse the definition "Name" with the owner name. I.e.,
once removing the _Service and _Proto labels from the owner name once removing the _Service and _Proto labels from the owner name
of the SRV RRSet, what remains could be a wild card domain name of the SRV RRSet, what remains could be a wild card domain name
but this is immaterial to the SRV RRSet. but this is immaterial to the SRV RRSet.
E.g., If an SRV record is: E.g., If an SRV record is:
_foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example. _foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
*.example is a wild card domain name and although it it the Name *.example is a wild card domain name and although it it the Name
of the SRV RR, it is not the owner (domain name). The owner of the SRV RR, it is not the owner (domain name). The owner
domain name is "_foo._udp.*.example." which is not a wild card domain name is "_foo._udp.*.example." which is not a wild card
domain name. domain name.
The confusion is likely based on the mixture of the specification The confusion is likely based on the mixture of the specification
of the SRV RR and the description of a "use case." of the SRV RR and the description of a "use case."
4.6 DS RRSet at a Wild Card Domain Name 4.6 DS RRSet at a Wild Card Domain Name
A DS RRSet owned by a wild card domain name is meaningless and A DS RRSet owned by a wild card domain name is meaningless and
harmless. harmless. This statement is made in the context that an NS RRSet
at a wild card domain name is undefined. At a non-delegation
point, a DS RRSet has no value (no corresponding DNSKEY RRSet
will be used in DNSSEC validation). If there is a synthesized
DS RRSet, it alone will not be very useful as it exists in the
context of a delegation point.
4.7 NSEC RRSet at a Wild Card Domain Name 4.7 NSEC RRSet at a Wild Card Domain Name
Wild card domain names in DNSSEC signed zones will have an NSEC Wild card domain names in DNSSEC signed zones will have an NSEC
RRSet. Synthesis of these records will only occur when the RRSet. Synthesis of these records will only occur when the
query exactly matches the record. Synthesized NSEC RR's will not query exactly matches the record. Synthesized NSEC RR's will not
be harmful as they will never be used in negative caching or to be harmful as they will never be used in negative caching or to
generate a negative response. generate a negative response.
4.8 RRSIG at a Wild Card Domain Name 4.8 RRSIG at a Wild Card Domain Name
skipping to change at line 776 skipping to change at line 868
[RFC2119] Key Words for Use in RFCs to Indicate Requirement [RFC2119] Key Words for Use in RFCs to Indicate Requirement
Levels, S Bradner, March 1997 Levels, S Bradner, March 1997
[RFC2181] Clarifications to the DNS Specification, R. Elz and [RFC2181] Clarifications to the DNS Specification, R. Elz and
R. Bush, July 1997 R. Bush, July 1997
[RFC2308] Negative Caching of DNS Queries (DNS NCACHE), [RFC2308] Negative Caching of DNS Queries (DNS NCACHE),
M. Andrews, March 1998 M. Andrews, March 1998
[RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
August 1999.
[RFC2782] A DNS RR for specifying the location of services (DNS [RFC2782] A DNS RR for specifying the location of services (DNS
SRV), A. Gulbrandsen, et.al., February 2000 SRV), A. Gulbrandsen, et.al., February 2000
[RFC4033] DNS Security Introduction and Requirements, R. Arends, [RFC4033] DNS Security Introduction and Requirements, R. Arends,
et.al., March 2005 et.al., March 2005
[RFC4034] Resource Records for the DNS Security Extensions, [RFC4034] Resource Records for the DNS Security Extensions,
R. Arends, et.al., March 2005 R. Arends, et.al., March 2005
[RFC4035] Protocol Modifications for the DNS Security Extensions, [RFC4035] Protocol Modifications for the DNS Security Extensions,
skipping to change at line 861 skipping to change at line 956
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
Expiration Expiration
This document expires on or about November 16, 2005. This document expires on or about January 6, 2006.
 End of changes. 

This html diff was produced by rfcdiff 1.24, available from http://www.levkowetz.com/ietf/tools/rfcdiff/