draft-ietf-dnsext-wcard-clarify-11.txt   rfc4592.txt 
DNSEXT Working Group E. Lewis Network Working Group E. Lewis
INTERNET DRAFT NeuStar Request for Comments: 4592 NeuStar
Expiration Date: September 13, 2006 March 13, 2006
Updates RFC 1034, RFC 2672 Category: Standards Track
The Role of Wildcards The Role of Wildcards
in the Domain Name System in the Domain Name System
draft-ietf-dnsext-wcard-clarify-11.txt
Status of this Memo Status of This Memo
By submitting this Internet-Draft, each author represents that
any applicable patent or other IPR claims of which he or she is
aware have been or will be disclosed, and any of which he or she
becomes aware will be disclosed, in accordance with Section 6 of
BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on September 13, 2006. This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This is an update to the wildcard definition of RFC 1034. The This is an update to the wildcard definition of RFC 1034. The
interaction with wildcards and CNAME is changed, an error interaction with wildcards and CNAME is changed, an error condition
condition removed, and the words defining some concepts central is removed, and the words defining some concepts central to wildcards
to wildcards are changed. The overall goal is not to change are changed. The overall goal is not to change wildcards, but to
wildcards, but to refine the definition of RFC 1034. refine the definition of RFC 1034.
DNSEXT Working Group Expires September 13, 2006 [Page 1]
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . 3 1. Introduction ....................................................3
1 1 Motivation 3 1.1. Motivation .................................................3
1 2 The Original Definition 3 1.2. The Original Definition ....................................3
1 3 Roadmap to This Document 4 1.3. Roadmap to This Document ...................................4
1 3 1 New Terms 4 1.3.1. New Terms ...........................................5
1.3.2 Changed Text 5 1.3.2. Changed Text ........................................5
1.3.3 Considerations with Special Types 5 1.3.3. Considerations with Special Types ...................5
1.4 Standards Terminology 5 1.4. Standards Terminology ......................................6
2. Wildcard Syntax . . . . . . . . . . . . . . . 6 2. Wildcard Syntax .................................................6
2.1 Identifying a Wildcard 6 2.1. Identifying a Wildcard .....................................6
2.1.1 Wildcard Domain Name and Asterisk Label 6 2.1.1. Wildcard Domain Name and Asterisk Label .............6
2.1.2 Asterisks and Other Characters 6 2.1.2. Asterisks and Other Characters ......................7
2.1.3 Non-terminal Wildcard Domain Names 6 2.1.3. Non-terminal Wildcard Domain Names ..................7
2.2 Existence Rules 7 2.2. Existence Rules ............................................7
2.2.1 An Example 7 2.2.1. An Example ..........................................8
2.2.2 Empty Non-terminals 9 2.2.2. Empty Non-terminals .................................9
2.2.3 Yet Another Definition of Existence 10 2.2.3. Yet Another Definition of Existence ................10
2.3 When is a Wildcard Domain Name Not Special 10 2.3. When Is a Wildcard Domain Name Not Special? ...............10
3. Impact of a Wildcard Domain Name On a Response . . . . . 10 3. Impact of a Wildcard Domain Name on a Response .................10
3.1 Step 2 10 3.1. Step 2 ....................................................11
3.2 Step 3 11 3.2. Step 3 ....................................................11
3.3 Part 'c' 11 3.3. Part 'c' ..................................................12
3.3.1 Closest Encloser and the Source of Synthesis 12 3.3.1. Closest Encloser and the Source of Synthesis .......12
3.3.2 Closest Encloser and Source of Synthesis Examples 12 3.3.2. Closest Encloser and Source of Synthesis Examples ..13
3.3.3 Type Matching 13 3.3.3. Type Matching ......................................13
4. Considerations with Special Types . . . . . . . . . 13 4. Considerations with Special Types ..............................14
4.1 SOA RRSet at a Wildcard Domain Name 13 4.1. SOA RRSet at a Wildcard Domain Name .......................14
4.2 NS RRSet at a Wildcard Domain Name 14 4.2. NS RRSet at a Wildcard Domain Name ........................14
4.2.1 Discarded Notions 14 4.2.1. Discarded Notions ..................................15
4.3 CNAME RRSet at a Wildcard Domain Name 15 4.3. CNAME RRSet at a Wildcard Domain Name .....................16
4.4 DNAME RRSet at a Wildcard Domain Name 15 4.4. DNAME RRSet at a Wildcard Domain Name .....................16
4.5 SRV RRSet at a Wildcard Domain Name 16 4.5. SRV RRSet at a Wildcard Domain Name .......................17
4.6 DS RRSet at a Wildcard Domain Name 17 4.6. DS RRSet at a Wildcard Domain Name ........................17
4.7 NSEC RRSet at a Wildcard Domain Name 17 4.7. NSEC RRSet at a Wildcard Domain Name ......................18
4.8 RRSIG at a Wildcard Domain Name 17 4.8. RRSIG at a Wildcard Domain Name ...........................18
4.9 Empty Non-terminal Wildcard Domain Name 17 4.9. Empty Non-terminal Wildcard Domain Name ...................18
5. Security Considerations . . . . . . . . . . . . . 17 5. Security Considerations ........................................18
6. IANA Considerations . . . . . . . . . . . . . 17 6. References .....................................................18
7. References . . . . . . . . . . . . . 17 6.1. Normative References ......................................18
8. Editor . . . . . . . . . . . . . 18 6.2. Informative References ....................................19
9. Others Contributing to the Document . . . . . . . . 18 7. Others Contributing to the Document ............................19
10. Trailing Boilerplate . . . . . . . . . . . . . 19
DNSEXT Working Group Expires September 13, 2006 [Page 2]
1. Introduction 1. Introduction
In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
synthesis of answers from special resource records called synthesis of answers from special resource records (RRs) called
wildcards. The definition in RFC 1034 is incomplete and has wildcards. The definition in RFC 1034 is incomplete and has proven
proven to be confusing. This document describes the wildcard to be confusing. This document describes the wildcard synthesis by
synthesis by adding to the discussion and making limited adding to the discussion and making limited modifications.
modifications. Modifications are made to close inconsistencies Modifications are made to close inconsistencies that have led to
that have led to interoperability issues. This description interoperability issues. This description does not expand the
does not expand the service intended by the original definition. service intended by the original definition.
Staying within the spirit and style of the original documents, Staying within the spirit and style of the original documents, this
this document avoids specifying rules for DNS implementations document avoids specifying rules for DNS implementations regarding
regarding wildcards. The intention is to only describe what is wildcards. The intention is to only describe what is needed for
needed for interoperability, not restrict implementation choices. interoperability, not restrict implementation choices. In addition,
In addition, consideration is given to minimize any backwards consideration is given to minimize any backward-compatibility issues
compatibility issues with implementations that comply with RFC with implementations that comply with RFC 1034's definition.
1034's definition.
This document is focused on the concept of wildcards as defined This document is focused on the concept of wildcards as defined in
in RFC 1034. Nothing is implied regarding alternative means of RFC 1034. Nothing is implied regarding alternative means of
synthesizing resource record sets, nor are alternatives discussed. synthesizing resource record sets (RRSets), nor are alternatives
discussed.
1.1 Motivation 1.1. Motivation
Many DNS implementations diverge, in different ways, from the Many DNS implementations diverge, in different ways, from the
original definition of wildcards. Although there is clearly a original definition of wildcards. Although there is clearly a need
need to clarify the original documents in light of this alone, to clarify the original documents in light of this alone, the impetus
the impetus for this document lay in the engineering of the DNS for this document lay in the engineering of the DNS security
security extensions [RFC4033]. With an unclear definition of extensions [RFC4033]. With an unclear definition of wildcards, the
wildcards the design of authenticated denial became entangled. design of authenticated denial became entangled.
This document is intended to limit its changes, documenting only This document is intended to limit its changes, documenting only
those based on implementation experience, and to remain as close those deemed necessary based on implementation experience, and to
to the original document as possible. To reinforce that this remain as close to the original document as possible. To reinforce
document is meant to clarify and adjust and not redefine that this document is meant to clarify and adjust and not redefine
wildcards, relevant sections of RFC 1034 are repeated verbatim wildcards, relevant sections of RFC 1034 are repeated verbatim to
to facilitate comparison of the old and new text. facilitate comparison of the old and new text.
1.2 The Original Definition 1.2. The Original Definition
The definition of the wildcard concept is comprised by the The definition of the wildcard concept is comprised by the
documentation of the algorithm by which a name server prepares documentation of the algorithm by which a name server prepares a
a response (in RFC 1034's section 4.3.2) and the way in which response (in RFC 1034's section 4.3.2) and the way in which a
a resource record (set) is identified as being a source of resource record (set) is identified as being a source of synthetic
synthetic data (section 4.3.3). data (section 4.3.3).
This is the definition of the term "wildcard" as it appears in
RFC 1034, section 4.3.3.
DNSEXT Working Group Expires September 13, 2006 [Page 3] This is the definition of the term "wildcard" as it appears in RFC
1034, section 4.3.3.
# In the previous algorithm, special treatment was given to RRs with # In the previous algorithm, special treatment was given to RRs with
# owner names starting with the label "*". Such RRs are called # owner names starting with the label "*". Such RRs are called
# wildcards. Wildcard RRs can be thought of as instructions for # wildcards. Wildcard RRs can be thought of as instructions for
# synthesizing RRs. When the appropriate conditions are met, the name # synthesizing RRs. When the appropriate conditions are met, the
# server creates RRs with an owner name equal to the query name and # name server creates RRs with an owner name equal to the query name
# contents taken from the wildcard RRs. # and contents taken from the wildcard RRs.
This passage follows the algorithm in which the term wildcard This passage follows the algorithm in which the term wildcard is
is first used. In this definition, wildcard refers to resource first used. In this definition, wildcard refers to resource records.
records. In other usage, wildcard has referred to domain names, In other usage, wildcard has referred to domain names, and it has
and it has been used to describe the operational practice of been used to describe the operational practice of relying on
relying on wildcards to generate answers. It is clear from this wildcards to generate answers. It is clear from this that there is a
that there is a need to define clear and unambiguous terminology need to define clear and unambiguous terminology in the process of
in the process of discussing wildcards. discussing wildcards.
The mention of the use of wildcards in the preparation of a The mention of the use of wildcards in the preparation of a response
response is contained in step 3c of RFC 1034's section 4.3.2 is contained in step 3, part 'c' of RFC 1034's section 4.3.2,
entitled "Algorithm." Note that "wildcard" does not appear in entitled "Algorithm". Note that "wildcard" does not appear in the
the algorithm, instead references are made to the "*" label. algorithm, instead references are made to the "*" label. The portion
The portion of the algorithm relating to wildcards is of the algorithm relating to wildcards is deconstructed in detail in
deconstructed in detail in section 3 of this document, this is section 3 of this document; this is the beginning of the relevant
the beginning of the relevant portion of the "Algorithm." portion of the "Algorithm".
# c. If at some label, a match is impossible (i.e., the # c. If at some label, a match is impossible (i.e., the
# corresponding label does not exist), look to see if [...] # corresponding label does not exist), look to see if [...]
# the "*" label exists. # the "*" label exists.
The scope of this document is the RFC 1034 definition of The scope of this document is the RFC 1034 definition of wildcards
wildcards and the implications of updates to those documents, and the implications of updates to those documents, such as DNS
such as DNSSEC. Alternate schemes for synthesizing answers are Security (DNSSEC). Alternate schemes for synthesizing answers are
not considered. (Note that there is no reference listed. No not considered. (Note that there is no reference listed. No
document is known to describe any alternate schemes, although document is known to describe any alternate schemes, although there
there has been some mention of them in mailing lists.) has been some mention of them in mailing lists.)
1.3 Roadmap to This Document 1.3. Roadmap to This Document
This document accomplishes these three tasks.
This document accomplishes these three items.
o Defines new terms o Defines new terms
o Makes minor changes to avoid conflicting concepts o Makes minor changes to avoid conflicting concepts
o Describes the actions of certain resource records as wildcards o Describes the actions of certain resource records as wildcards
1.3.1 New Terms 1.3.1. New Terms
To help in discussing what resource records are wildcards, two To help in discussing what resource records are wildcards, two terms
terms will be defined - "asterisk label" and "wildcard domain will be defined: "asterisk label" and "wildcard domain name". These
name". These are defined in section 2.1.1. are defined in section 2.1.1.
To assist in clarifying the role of wildcards in the name server To assist in clarifying the role of wildcards in the name server
algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest algorithm in RFC 1034, section 4.3.2, "source of synthesis" and
encloser" are defined. These definitions are in section 3.3.2. "closest encloser" are defined. These definitions are in section
"Label match" is defined in section 3.2. 3.3.1. "Label match" is defined in section 3.2.
DNSEXT Working Group Expires September 13, 2006 [Page 4]
The new terms are used to make discussions of wildcards clearer. The new terms are used to make discussions of wildcards clearer.
Terminology doesn't directly have an impact on implementations. Terminology does not directly have an impact on implementations.
1.3.2 Changed Text 1.3.2. Changed Text
The definition of "existence" is changed superficially. This The definition of "existence" is changed superficially. This change
change will not be apparent to implementations; it is needed to will not be apparent to implementations; it is needed to make
make descriptions more precise. The change appears in section descriptions more precise. The change appears in section 2.2.3.
2.2.3.
RFC 1034, section 4.3.3., seems to prohibit having two asterisk RFC 1034, section 4.3.3, seems to prohibit having two asterisk labels
labels in a wildcard owner name. With this document the in a wildcard owner name. With this document, the restriction is
restriction is removed entirely. This change and its implications removed entirely. This change and its implications are in section
are in section 2.1.3. 2.1.3.
The actions when a source of synthesis owns a CNAME RR are The actions when a source of synthesis owns a CNAME RR are changed to
changed to mirror the actions if an exact match name owns a mirror the actions if an exact match name owns a CNAME RR. This is
CNAME RR. This is an addition to the words in RFC 1034, an addition to the words in RFC 1034, section 4.3.2, step 3, part
section 4.3.2, step 3, part c. The discussion of this is in 'c'. The discussion of this is in section 3.3.3.
section 3.3.3.
Only the latter change represents an impact to implementations. Only the latter change represents an impact to implementations. The
The definition of existence is not a protocol impact. The change definition of existence is not a protocol impact. The change to the
to the restriction on names is unlikely to have an impact, as restriction on names is unlikely to have an impact, as RFC 1034
RFC 1034 contained no specification on when and how to enforce the contained no specification on when and how to enforce the
restriction. restriction.
1.3.3 Considerations with Special Types 1.3.3. Considerations with Special Types
This document describes semantics of wildcard RRSets for This document describes semantics of wildcard RRSets for
"interesting" types as well as empty non-terminal wildcards. "interesting" types as well as empty non-terminal wildcards.
Understanding these situations in the context of wildcards has Understanding these situations in the context of wildcards has been
been clouded because these types incur special processing if clouded because these types incur special processing if they are the
they are the result of an exact match. This discussion is in result of an exact match. This discussion is in section 4.
section 4.
These discussions do not have an implementation impact, they cover These discussions do not have an implementation impact; they cover
existing knowledge of the types, but to a greater level of detail. existing knowledge of the types, but to a greater level of detail.
1.4 Standards Terminology 1.4. Standards Terminology
This document does not use terms as defined in "Key words for use
in RFCs to Indicate Requirement Levels." [RFC2119]
Quotations of RFC 1034 are denoted by a '#' in the leftmost This document does not use terms as defined in "Key words for use in
column. References to section "4.3.2" are assumed to refer RFCs to Indicate Requirement Levels" [RFC2119].
to RFC 1034's section 4.3.2, simply titled "Algorithm."
DNSEXT Working Group Expires September 13, 2006 [Page 5] Quotations of RFC 1034 are denoted by a '#' at the start of the line.
References to section "4.3.2" are assumed to refer to RFC 1034's
section 4.3.2, simply titled "Algorithm".
2. Wildcard Syntax 2. Wildcard Syntax
The syntax of a wildcard is the same as any other DNS resource The syntax of a wildcard is the same as any other DNS resource
record, across all classes and types. The only significant record, across all classes and types. The only significant feature
feature is the owner name. is the owner name.
Because wildcards are encoded as resource records with special Because wildcards are encoded as resource records with special names,
names, they are included in zone transfers and incremental zone they are included in zone transfers and incremental zone transfers
transfers[RFC1995] just as non-wildcard resource records are. [RFC1995] just as non-wildcard resource records are. This feature
This feature has been under appreciated until discussions on has been under appreciated until discussions on alternative
alternative approaches to wildcards appeared on mailing lists. approaches to wildcards appeared on mailing lists.
2.1 Identifying a Wildcard 2.1. Identifying a Wildcard
To provide a more accurate description of wildcards, the To provide a more accurate description of wildcards, the definition
definition has to start with a discussion of the domain names has to start with a discussion of the domain names that appear as
that appear as owners. Two new terms are needed, "Asterisk owners. Two new terms are needed, "asterisk label" and "wildcard
Label" and "Wildcard Domain Name." domain name".
2.1.1 Wildcard Domain Name and Asterisk Label 2.1.1. Wildcard Domain Name and Asterisk Label
A "wildcard domain name" is defined by having its initial A "wildcard domain name" is defined by having its initial (i.e.,
(i.e., left-most or least significant) label be, in binary format: leftmost or least significant) label be, in binary format:
0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal) 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
The first octet is the normal label type and length for a 1 octet The first octet is the normal label type and length for a 1-octet-
long label, the second octet is the ASCII representation [RFC20] long label, and the second octet is the ASCII representation [RFC20]
for the '*' character. for the '*' character.
A descriptive name of a label equaling that value is an "asterisk A descriptive name of a label equaling that value is an "asterisk
label." label".
RFC 1034's definition of wildcard would be "a resource record RFC 1034's definition of wildcard would be "a resource record owned
owned by a wildcard domain name." by a wildcard domain name".
2.1.2 Asterisks and Other Characters 2.1.2. Asterisks and Other Characters
No label values other than that in section 2.1.1 are asterisk No label values other than that in section 2.1.1 are asterisk labels,
labels, hence names beginning with other labels are never wildcard hence names beginning with other labels are never wildcard domain
domain names. Labels such as 'the*' and '**' are not asterisk names. Labels such as 'the*' and '**' are not asterisk labels, so
labels so these labels do not start wildcard domain names. these labels do not start wildcard domain names.
2.1.3 Non-terminal Wildcard Domain Names 2.1.3. Non-terminal Wildcard Domain Names
In section 4.3.3, the following is stated: In section 4.3.3, the following is stated:
# .......................... The owner name of the wildcard RRs is of # .......................... The owner name of the wildcard RRs is
# the form "*.<anydomain>", where <anydomain> is any domain name. # of the form "*.<anydomain>", where <anydomain> is any domain name.
# <anydomain> should not contain other * labels...................... # <anydomain> should not contain other * labels......................
DNSEXT Working Group Expires September 13, 2006 [Page 6] The restriction is now removed. The original documentation of it is
The restriction is now removed. The original documentation of it incomplete and the restriction does not serve any purpose given years
is incomplete and the restriction does not serve any purpose of operational experience.
given years of operational experience.
There are three possible reasons for putting the restriction in There are three possible reasons for putting the restriction in
place, but none of the three has held up over time. One is place, but none of the three has held up over time. One is that the
that the restriction meant that there would never be subdomains restriction meant that there would never be subdomains of wildcard
of wildcard domain names, but the restriction as stated still domain names, but the restriction as stated still permits
permits "example.*.example." for instance. Another is that "example.*.example." for instance. Another is that wildcard domain
wildcard domain names are not intended to be empty non-terminals, names are not intended to be empty non-terminals, but this situation
but this situation does not disrupt the algorithm in 4.3.2. does not disrupt the algorithm in 4.3.2. Finally, "nested" wildcard
Finally, "nested" wildcard domain names are not ambiguous once domain names are not ambiguous once the concept of the closest
the concept of the closest encloser had been documented. encloser had been documented.
A wildcard domain name can have subdomains. There is no need A wildcard domain name can have subdomains. There is no need to
to inspect the subdomains to see if there is another asterisk inspect the subdomains to see if there is another asterisk label in
label in any subdomain. any subdomain.
A wildcard domain name can be an empty non-terminal. (See the A wildcard domain name can be an empty non-terminal. (See the
upcoming sections on empty non-terminals.) In this case, any upcoming sections on empty non-terminals.) In this case, any lookup
lookup encountering it will terminate as would any empty encountering it will terminate as would any empty non-terminal match.
non-terminal match.
2.2 Existence Rules 2.2. Existence Rules
The notion that a domain name 'exists' is mentioned in the The notion that a domain name 'exists' is mentioned in the definition
definition of wildcards. In section 4.3.3 of RFC 1034: of wildcards. In section 4.3.3 of RFC 1034:
# Wildcard RRs do not apply: # Wildcard RRs do not apply:
# #
... ...
# - When the query name or a name between the wildcard domain and # - When the query name or a name between the wildcard domain and
# the query name is know[n] to exist. For example, if a wildcard # the query name is know[n] to exist. . . .
"Existence" is therefore an important concept in the understanding "Existence" is therefore an important concept in the understanding of
of wildcards. Unfortunately, the definition of what exists, in wildcards. Unfortunately, the definition of what exists, in RFC
RFC 1034, is unclear. So, in sections 2.2.2. and 2.2.3, another 1034, is unclear. So, in sections 2.2.2. and 2.2.3, another look is
look is taken at the definition of existence. taken at the definition of existence.
2.2.1 An Example 2.2.1. An Example
To illustrate what is meant by existence consider this complete To illustrate what is meant by existence consider this complete zone:
zone:
DNSEXT Working Group Expires September 13, 2006 [Page 7]
$ORIGIN example. $ORIGIN example.
example. 3600 IN SOA <SOA RDATA> example. 3600 IN SOA <SOA RDATA>
example. 3600 NS ns.example.com. example. 3600 NS ns.example.com.
example. 3600 NS ns.example.net. example. 3600 NS ns.example.net.
*.example. 3600 TXT "this is a wildcard" *.example. 3600 TXT "this is a wildcard"
*.example. 3600 MX 10 host1.example. *.example. 3600 MX 10 host1.example.
sub.*.example. 3600 TXT "this is not a wildcard" sub.*.example. 3600 TXT "this is not a wildcard"
host1.example. 3600 A 192.0.2.1 host1.example. 3600 A 192.0.2.1
_ssh._tcp.host1.example. 3600 SRV <SRV RDATA> _ssh._tcp.host1.example. 3600 SRV <SRV RDATA>
_ssh._tcp.host2.example. 3600 SRV <SRV RDATA> _ssh._tcp.host2.example. 3600 SRV <SRV RDATA>
skipping to change at page 10, line ? skipping to change at page 9, line 18
The following responses would not be synthesized from any of the The following responses would not be synthesized from any of the
wildcards in the zone: wildcards in the zone:
QNAME=host1.example., QTYPE=MX, QCLASS=IN QNAME=host1.example., QTYPE=MX, QCLASS=IN
because host1.example. exists because host1.example. exists
QNAME=sub.*.example., QTYPE=MX, QCLASS=IN QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
because sub.*.example. exists because sub.*.example. exists
DNSEXT Working Group Expires September 13, 2006 [Page 8]
QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
because _tcp.host1.example. exists (without data) because _tcp.host1.example. exists (without data)
QNAME=host.subdel.example., QTYPE=A, QCLASS=IN QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
because subdel.example. exists (and is a zone cut) because subdel.example. exists (and is a zone cut)
QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
because *.example. exists because *.example. exists
The final example highlights one common misconception about The final example highlights one common misconception about
wildcards. A wildcard "blocks itself" in the sense that a wildcards. A wildcard "blocks itself" in the sense that a wildcard
wildcard does not match its own subdomains. I.e. "*.example." does not match its own subdomains. That is, "*.example." does not
does not match all names in the "example." zone, it fails to match all names in the "example." zone; it fails to match the names
match the names below "*.example." To cover names under below "*.example.". To cover names under "*.example.", another
"*.example.", another wildcard domain name is needed - wildcard domain name is needed--"*.*.example."--which covers all but
"*.*.example." - which covers all but its own subdomains. its own subdomains.
2.2.2 Empty Non-terminals 2.2.2. Empty Non-terminals
Empty non-terminals [RFC2136, Section 7.16] are domain names Empty non-terminals [RFC2136, section 7.16] are domain names that own
that own no resource records but have subdomains that do. In no resource records but have subdomains that do. In section 2.2.1,
section 2.2.1, "_tcp.host1.example." is an example of a empty "_tcp.host1.example." is an example of an empty non-terminal name.
non-terminal name. Empty non-terminals are introduced by this Empty non-terminals are introduced by this text in section 3.1 of RFC
text in section 3.1 of RFC 1034: 1034:
# The domain name space is a tree structure. Each node and leaf on # The domain name space is a tree structure. Each node and leaf on
# the tree corresponds to a resource set (which may be empty). The # the tree corresponds to a resource set (which may be empty). The
# domain system makes no distinctions between the uses of the # domain system makes no distinctions between the uses of the
# interior nodes and leaves, and this memo uses the term "node" to # interior nodes and leaves, and this memo uses the term "node" to
# refer to both. # refer to both.
The parenthesized "which may be empty" specifies that empty non- The parenthesized "which may be empty" specifies that empty non-
terminals are explicitly recognized, and that empty non-terminals terminals are explicitly recognized and that empty non-terminals
"exist." "exist".
Pedantically reading the above paragraph can lead to an Pedantically reading the above paragraph can lead to an
interpretation that all possible domains exist - up to the interpretation that all possible domains exist--up to the suggested
suggested limit of 255 octets for a domain name [RFC1035]. limit of 255 octets for a domain name [RFC1035]. For example,
For example, www.example. may have an A RR, and as far as is www.example. may have an A RR, and as far as is practically
practically concerned, is a leaf of the domain tree. But the concerned, is a leaf of the domain tree. But the definition can be
definition can be taken to mean that sub.www.example. also taken to mean that sub.www.example. also exists, albeit with no data.
exists, albeit with no data. By extension, all possible domains By extension, all possible domains exist, from the root on down.
exist, from the root on down.
As RFC 1034 also defines "an authoritative name error indicating
that the name does not exist" in section 4.3.1, so this apparently
is not the intent of the original definition, justifying the
need for an updated definition in the next section.
DNSEXT Working Group Expires September 13, 2006 [Page 9] As RFC 1034 also defines "an authoritative name error indicating that
the name does not exist" in section 4.3.1, so this apparently is not
the intent of the original definition, justifying the need for an
updated definition in the next section.
2.2.3 Yet Another Definition of Existence 2.2.3. Yet Another Definition of Existence
RFC1034's wording is fixed by the following paragraph: RFC1034's wording is fixed by the following paragraph:
The domain name space is a tree structure. Nodes in the tree The domain name space is a tree structure. Nodes in the tree either
either own at least one RRSet and/or have descendants that own at least one RRSet and/or have descendants that collectively own
collectively own at least one RRSet. A node may exist with no at least one RRSet. A node may exist with no RRSets only if it has
RRSets only if it has descendants that do; this node is an empty descendants that do; this node is an empty non-terminal.
non-terminal.
A node with no descendants is a leaf node. Empty leaf nodes do A node with no descendants is a leaf node. Empty leaf nodes do not
not exist. exist.
Note that at a zone boundary, the domain name owns data, Note that at a zone boundary, the domain name owns data, including
including the NS RR set. In the delegating zone, the NS RR the NS RR set. In the delegating zone, the NS RR set is not
set is not authoritative, but that is of no consequence here. authoritative, but that is of no consequence here. The domain name
The domain name owns data, therefore, it exists. owns data; therefore, it exists.
2.3 When is a Wildcard Domain Name Not Special 2.3. When Is a Wildcard Domain Name Not Special?
When a wildcard domain name appears in a message's query section, When a wildcard domain name appears in a message's query section, no
no special processing occurs. An asterisk label in a query name special processing occurs. An asterisk label in a query name only
only matches a single, corresponding asterisk label in the matches a single, corresponding asterisk label in the existing zone
existing zone tree when the 4.3.2 algorithm is being followed. tree when the 4.3.2 algorithm is being followed.
When a wildcard domain name appears in the resource data of a When a wildcard domain name appears in the resource data of a record,
record, no special processing occurs. An asterisk label in that no special processing occurs. An asterisk label in that context
context literally means just an asterisk. literally means just an asterisk.
3. Impact of a Wildcard Domain Name On a Response 3. Impact of a Wildcard Domain Name on a Response
RFC 1034's description of how wildcards impact response RFC 1034's description of how wildcards impact response generation is
generation is in its section 4.3.2. That passage contains the in its section 4.3.2. That passage contains the algorithm followed
algorithm followed by a server in constructing a response. by a server in constructing a response. Within that algorithm, step
Within that algorithm, step 3, part 'c' defines the behavior of 3, part 'c' defines the behavior of the wildcard.
the wildcard.
The algorithm in section 4.3.2. is not intended to be pseudo-code, The algorithm in section 4.3.2 is not intended to be pseudo-code;
i.e., its steps are not intended to be followed in strict order. that is, its steps are not intended to be followed in strict order.
The "algorithm" is a suggested means of implementing the The "algorithm" is a suggested means of implementing the
requirements. As such, in step 3, parts a, b, and c, do not have requirements. As such, in step 3, parts 'a', 'b', and 'c' do not
to be implemented in that order, provided that the result of the have to be implemented in that order, provided that the result of the
implemented code is compliant with the protocol's specification. implemented code is compliant with the protocol's specification.
3.1 Step 2 3.1. Step 2
Step 2 of section 4.3.2 reads: Step 2 of section 4.3.2 reads:
# 2. Search the available zones for the zone which is the nearest # 2. Search the available zones for the zone which is the nearest
# ancestor to QNAME. If such a zone is found, go to step 3, # ancestor to QNAME. If such a zone is found, go to step 3,
# otherwise step 4. # otherwise step 4.
In this step, the most appropriate zone for the response is In this step, the most appropriate zone for the response is chosen.
chosen. The significance of this step is that it means all of The significance of this step is that it means all of step 3 is being
step 3 is being performed within one zone. This has significance performed within one zone. This has significance when considering
when considering whether or not an SOA RR can be ever be used for whether or not an SOA RR can ever be used for synthesis.
synthesis.
3.2 Step 3 3.2. Step 3
Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'. Step 3 is dominated by three parts, labeled 'a', 'b', and 'c'. But
But the beginning of the step is important and needs explanation. the beginning of the step is important and needs explanation.
# 3. Start matching down, label by label, in the zone. The # 3. Start matching down, label by label, in the zone. The
# matching process can terminate several ways: # matching process can terminate several ways:
The word 'matching' refers to label matching. The concept The word 'matching' refers to label matching. The concept is based
is based in the view of the zone as the tree of existing names. in the view of the zone as the tree of existing names. The query
The query name is considered to be an ordered sequence of name is considered to be an ordered sequence of labels--as if the
labels - as if the name were a path from the root to the owner name were a path from the root to the owner of the desired data
of the desired data. (Which it is - 3rd paragraph of RFC 1034, (which it is--3rd paragraph of RFC 1034, section 3.1).
section 3.1.)
The process of label matching a query name ends in exactly one of The process of label matching a query name ends in exactly one of
three choices, the parts 'a', 'b', and 'c'. Either the name is three choices, the parts 'a', 'b', and 'c'. Either the name is
found, the name is below a cut point, or the name is not found. found, the name is below a cut point, or the name is not found.
Once one of the parts is chosen, the other parts are not Once one of the parts is chosen, the other parts are not considered
considered. (E.g., do not execute part 'c' and then change (e.g., do not execute part 'c' and then change the execution path to
the execution path to finish in part 'b'.) The process of label finish in part 'b'). The process of label matching is also done
matching is also done independent of the query type (QTYPE). independent of the query type (QTYPE).
Parts 'a' and 'b' are not an issue for this clarification as they Parts 'a' and 'b' are not an issue for this clarification as they do
do not relate to record synthesis. Part 'a' is an exact match not relate to record synthesis. Part 'a' is an exact match that
that results in an answer, part 'b' is a referral. results in an answer; part 'b' is a referral.
3.3 Part 'c' 3.3. Part 'c'
The context of part 'c' is that the process of label matching the The context of part 'c' is that the process of label matching the
labels of the query name has resulted in a situation in which labels of the query name has resulted in a situation in which there
there is no corresponding label in the tree. It is as if the is no corresponding label in the tree. It is as if the lookup has
lookup has "fallen off the tree." "fallen off the tree".
# c. If at some label, a match is impossible (i.e., the # c. If at some label, a match is impossible (i.e., the
# corresponding label does not exist), look to see if [...] # corresponding label does not exist), look to see if [...]
# the "*" label exists. # the "*" label exists.
To help describe the process of looking 'to see if [...] the "*" To help describe the process of looking 'to see if [...] the "*"
label exists' a term has been coined to describe the last domain label exists' a term has been coined to describe the last domain
(node) matched. The term is "closest encloser." (node) matched. The term is "closest encloser".
3.3.1 Closest Encloser and the Source of Synthesis 3.3.1. Closest Encloser and the Source of Synthesis
The closest encloser is the node in the zone's tree of existing The closest encloser is the node in the zone's tree of existing
domain names that has the most labels matching the query name domain names that has the most labels matching the query name
(consecutively, counting from the root label downward). Each match (consecutively, counting from the root label downward). Each match
is a "label match" and the order of the labels is the same. is a "label match" and the order of the labels is the same.
The closest encloser is, by definition, an existing name in the The closest encloser is, by definition, an existing name in the zone.
zone. The closest encloser might be an empty non-terminal or even The closest encloser might be an empty non-terminal or even be a
be a wildcard domain name itself. In no circumstances is the wildcard domain name itself. In no circumstances is the closest
closest encloser to be used to synthesize records for the current encloser to be used to synthesize records for the current query.
query.
The source of synthesis is defined in the context of a query process
as that wildcard domain name immediately descending from the closest
encloser, provided that this wildcard domain name exists.
"Immediately descending" means that the source of synthesis has a
name of the form:
The source of synthesis is defined in the context of a query
process as that wildcard domain name immediately descending
from the closest encloser, provided that this wildcard domain
name exists. "Immediately descending" means that the source
of synthesis has a name of the form:
<asterisk label>.<closest encloser>. <asterisk label>.<closest encloser>.
A source of synthesis does not guarantee having a RRSet to use
for synthesis. The source of synthesis could be an empty
non-terminal.
If the source of synthesis does not exist (not on the domain A source of synthesis does not guarantee having a RRSet to use for
tree), there will be no wildcard synthesis. There is no search synthesis. The source of synthesis could be an empty non-terminal.
for an alternate.
The important concept is that for any given lookup process, there If the source of synthesis does not exist (not on the domain tree),
is at most one place at which wildcard synthetic records can be there will be no wildcard synthesis. There is no search for an
alternate.
The important concept is that for any given lookup process, there is
at most one place at which wildcard synthetic records can be
obtained. If the source of synthesis does not exist, the lookup obtained. If the source of synthesis does not exist, the lookup
terminates, the lookup does not look for other wildcard records. terminates, and the lookup does not look for other wildcard records.
3.3.2 Closest Encloser and Source of Synthesis Examples 3.3.2. Closest Encloser and Source of Synthesis Examples
To illustrate, using the example zone in section 2.2.1 of this To illustrate, using the example zone in section 2.2.1 of this
document, the following chart shows QNAMEs and the closest document, the following chart shows QNAMEs and the closest enclosers.
enclosers.
QNAME Closest Encloser Source of Synthesis QNAME Closest Encloser Source of Synthesis
host3.example. example. *.example. host3.example. example. *.example.
_telnet._tcp.host1.example. _tcp.host1.example. no source _telnet._tcp.host1.example. _tcp.host1.example. no source
_dns._udp.host2.example. host2.example. no source _dns._udp.host2.example. host2.example. no source
_telnet._tcp.host3.example. example. *.example. _telnet._tcp.host3.example. example. *.example.
_chat._udp.host3.example. example. *.example. _chat._udp.host3.example. example. *.example.
foobar.*.example. *.example. no source foobar.*.example. *.example. no source
3.3.3 Type Matching 3.3.3. Type Matching
RFC 1034 concludes part 'c' with this: RFC 1034 concludes part 'c' with this:
# If the "*" label does not exist, check whether the name # If the "*" label does not exist, check whether the name
# we are looking for is the original QNAME in the query # we are looking for is the original QNAME in the query
# or a name we have followed due to a CNAME. If the name # or a name we have followed due to a CNAME. If the name
# is original, set an authoritative name error in the # is original, set an authoritative name error in the
# response and exit. Otherwise just exit. # response and exit. Otherwise just exit.
# #
# If the "*" label does exist, match RRs at that node # If the "*" label does exist, match RRs at that node
# against QTYPE. If any match, copy them into the answer # against QTYPE. If any match, copy them into the answer
# section, but set the owner of the RR to be QNAME, and # section, but set the owner of the RR to be QNAME, and
# not the node with the "*" label. Go to step 6. # not the node with the "*" label. Go to step 6.
The final paragraph covers the role of the QTYPE in the lookup The final paragraph covers the role of the QTYPE in the lookup
process. process.
Based on implementation feedback and similarities between step Based on implementation feedback and similarities between part 'a'
'a' and step 'c' a change to this passage has been made. and part 'c', a change to this passage has been made.
The change is to add the following text to step 'c' prior to the The change is to add the following text to part 'c' prior to the
instructions to "go to step 6": instructions to "go to step 6":
If the data at the source of synthesis is a CNAME, and If the data at the source of synthesis is a CNAME, and QTYPE
QTYPE doesn't match CNAME, copy the CNAME RR into the doesn't match CNAME, copy the CNAME RR into the answer section of
answer section of the response changing the owner name the response changing the owner name to the QNAME, change QNAME to
to the QNAME, change QNAME to the canonical name in the the canonical name in the CNAME RR, and go back to step 1.
CNAME RR, and go back to step 1.
This is essentially the same text in step a covering the This is essentially the same text in part 'a' covering the processing
processing of CNAME RRSets. of CNAME RRSets.
4. Considerations with Special Types 4. Considerations with Special Types
Sections 2 and 3 of this document discuss wildcard synthesis Sections 2 and 3 of this document discuss wildcard synthesis with
with respect to names in the domain tree and ignore the impact respect to names in the domain tree and ignore the impact of types.
of types. In this section, the implication of wildcards of In this section, the implication of wildcards of specific types is
specific types are discussed. The types covered are those discussed. The types covered are those that have proven to be the
that have proven to be the most difficult to understand. The most difficult to understand. The types are SOA, NS, CNAME, DNAME,
types are SOA, NS, CNAME, DNAME, SRV, DS, NSEC, RRSIG and SRV, DS, NSEC, RRSIG, and "none", that is, empty non-terminal
"none," i.e., empty non-terminal wildcard domain names. wildcard domain names.
4.1 SOA RRSet at a Wildcard Domain Name 4.1. SOA RRSet at a Wildcard Domain Name
A wildcard domain name owning an SOA RRSet means that the A wildcard domain name owning an SOA RRSet means that the domain is
domain is at the root of the zone (apex). The domain can not at the root of the zone (apex). The domain cannot be a source of
be a source of synthesis because that is, by definition, a synthesis because that is, by definition, a descendant node (of the
descendent node (of the closest encloser) and a zone apex is closest encloser) and a zone apex is at the top of the zone.
at the top of the zone.
Although a wildcard domain name owning an SOA RRSet can never Although a wildcard domain name owning an SOA RRSet can never be a
be a source of synthesis, there is no reason to forbid the source of synthesis, there is no reason to forbid the ownership of an
ownership of an SOA RRSet. SOA RRSet.
For example, given this zone:
E.g., given this zone:
$ORIGIN *.example. $ORIGIN *.example.
@ 3600 IN SOA <SOA RDATA> @ 3600 IN SOA <SOA RDATA>
3600 NS ns1.example.com. 3600 NS ns1.example.com.
3600 NS ns1.example.net. 3600 NS ns1.example.net.
www 3600 TXT "the www txt record" www 3600 TXT "the www txt record"
A query for www.*.example.'s TXT record would still find the A query for www.*.example.'s TXT record would still find the "the www
"the www txt record" answer. The asterisk label only becomes txt record" answer. The asterisk label only becomes significant when
significant when section 4.3.2, step 3 part 'c' is in effect. section 4.3.2, step 3, part 'c' is in effect.
Of course, there would need to be a delegation in the parent Of course, there would need to be a delegation in the parent zone,
zone, "example." for this to work too. This is covered in the "example." for this to work too. This is covered in the next
next section. section.
4.2 NS RRSet at a Wildcard Domain Name 4.2. NS RRSet at a Wildcard Domain Name
With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now in
in place, the semantics of a wildcard domain name owning an place, the semantics of a wildcard domain name owning an NS RRSet has
NS RRSet has come to be poorly defined. The dilemma relates to come to be poorly defined. The dilemma relates to a conflict between
a conflict between the rules for synthesis in part 'c' and the the rules for synthesis in part 'c' and the fact that the resulting
fact that the resulting synthesis generates a record for which synthesis generates a record for which the zone is not authoritative.
the zone is not authoritative. In a DNSSEC signed zone, the In a DNSSEC signed zone, the mechanics of signature management
mechanics of signature management (generation and inclusion (generation and inclusion in a message) have become unclear.
in a message) have become unclear.
Salient points of the working group discussion on this topic is Salient points of the working group discussion on this topic are
summarized in section 4.2.1. summarized in section 4.2.1.
As a result of these discussion, there is no definition given for As a result of these discussions, there is no definition given for
wildcard domain names owning an NS RRSet. The semantics are wildcard domain names owning an NS RRSet. The semantics are left
left undefined until there is a clear need to have a set defined, undefined until there is a clear need to have a set defined, and
and until there is a clear direction to proceed. Operationally, until there is a clear direction to proceed. Operationally,
inclusion of wildcard NS RRSets in a zone is discouraged, but inclusion of wildcard NS RRSets in a zone is discouraged, but not
not barred. barred.
4.2.1 Discarded Notions 4.2.1. Discarded Notions
Prior to DNSSEC, a wildcard domain name owning a NS RRSet Prior to DNSSEC, a wildcard domain name owning a NS RRSet appeared to
appeared to be workable, and there are some instances in which be workable, and there are some instances in which it is found in
it is found in deployments using implementations that support deployments using implementations that support this. Continuing to
this. Continuing to allow this in the specification is not allow this in the specification is not tenable with DNSSEC. The
tenable with DNSSEC. The reason is that the synthesis of the reason is that the synthesis of the NS RRSet is being done in a zone
NS RRSet is being done in a zone that has delegated away the that has delegated away the responsibility for the name. This
responsibility for the name. This "unauthorized" synthesis is "unauthorized" synthesis is not a problem for the base DNS protocol,
not a problem for the base DNS protocol, but DNSSEC, in affirming but DNSSEC in affirming the authorization model for DNS exposes the
the authorization model for DNS exposes the problem. problem.
Outright banning of wildcards of type NS is also untenable as Outright banning of wildcards of type NS is also untenable as the DNS
the DNS protocol does not define how to handle "illegal" data. protocol does not define how to handle "illegal" data.
Implementations may choose not to load a zone, but there is no Implementations may choose not to load a zone, but there is no
protocol definition. The lack of the definition is complicated protocol definition. The lack of the definition is complicated by
by having to cover dynamic update [RFC 2136], zone transfers, having to cover dynamic update [RFC2136] and zone transfers, as well
as well as loading at the master server. The case of a client as loading at the master server. The case of a client (resolver,
(resolver, caching server) getting a wildcard of type NS in caching server) getting a wildcard of type NS in a reply would also
a reply would also have to be considered. have to be considered.
Given the daunting challenge of a complete definition of how to Given the daunting challenge of a complete definition of how to ban
ban such records, dealing with existing implementations that such records, dealing with existing implementations that permit the
permit the records today is a further complication. There are records today is a further complication. There are uses of wildcard
uses of wildcard domain name owning NS RRSets. domain name owning NS RRSets.
One compromise proposed would have redefined wildcards of type One compromise proposed would have redefined wildcards of type NS to
NS to not be used in synthesis, this compromise fell apart not be used in synthesis, this compromise fell apart because it would
because it would have required significant edits to the DNSSEC have required significant edits to the DNSSEC signing and validation
signing and validation work. (Again, DNSSEC catches work. (Again, DNSSEC catches unauthorized data.)
unauthorized data.)
With no clear consensus forming on the solution to this dilemma, With no clear consensus forming on the solution to this dilemma, and
and the realization that wildcards of type NS are a rarity in the realization that wildcards of type NS are a rarity in operations,
operations, the best course of action is to leave this open-ended the best course of action is to leave this open-ended until "it
until "it matters." matters".
4.3 CNAME RRSet at a Wildcard Domain Name 4.3. CNAME RRSet at a Wildcard Domain Name
The issue of a CNAME RRSet owned by a wildcard domain name has The issue of a CNAME RRSet owned by a wildcard domain name has
prompted a suggested change to the last paragraph of step 3c of prompted a suggested change to the last paragraph of step 3c of the
the algorithm in 4.3.2. The changed text appears in section algorithm in 4.3.2. The changed text appears in section 3.3.3 of
3.3.3 of this document. this document.
4.4 DNAME RRSet at a Wildcard Domain Name 4.4. DNAME RRSet at a Wildcard Domain Name
Ownership of a DNAME [RFC2672] RRSet by a wildcard domain name Ownership of a DNAME [RFC2672] RRSet by a wildcard domain name
represents a threat to the coherency of the DNS and is to be represents a threat to the coherency of the DNS and is to be avoided
avoided or outright rejected. Such a DNAME RRSet represents or outright rejected. Such a DNAME RRSet represents non-
non-deterministic synthesis of rules fed to different caches. deterministic synthesis of rules fed to different caches. As caches
As caches are fed the different rules (in an unpredictable are fed the different rules (in an unpredictable manner) the caches
manner) the caches will cease to be coherent. ("As caches will cease to be coherent. ("As caches are fed" refers to the
are fed" refers to the storage in a cache of records obtained storage in a cache of records obtained in responses by recursive or
in responses by recursive or iterative servers.) iterative servers.)
For example, assume one cache, responding to a recursive request,
obtains the following record:
For example, assume one cache, responding to a recursive
request, obtains the record:
"a.b.example. DNAME foo.bar.example.net." "a.b.example. DNAME foo.bar.example.net."
and another cache obtains: and another cache obtains:
"b.example. DNAME foo.bar.example.net." "b.example. DNAME foo.bar.example.net."
both generated from the record: both generated from the record:
"*.example. DNAME foo.bar.example.net." "*.example. DNAME foo.bar.example.net."
by an authoritative server. by an authoritative server.
The DNAME specification is not clear on whether DNAME records The DNAME specification is not clear on whether DNAME records in a
in a cache are used to rewrite queries. In some interpretations, cache are used to rewrite queries. In some interpretations, the
the rewrite occurs, in some, it is not. Allowing for the rewrite occurs; in others, it does not. Allowing for the occurrence
occurrence of rewriting, queries for "sub.a.b.example. A" may of rewriting, queries for "sub.a.b.example. A" may be rewritten as
be rewritten as "sub.foo.bar.tld. A" by the former caching "sub.foo.bar.tld. A" by the former caching server and may be
server and may be rewritten as "sub.a.foo.bar.tld. A" by the rewritten as "sub.a.foo.bar.tld. A" by the latter. Coherency is
latter. Coherency is lost, an operational nightmare ensues. lost, and an operational nightmare ensues.
Another justification for a recommendation to avoid the use of Another justification for a recommendation to avoid the use of
wildcard DNAME records is the observation that such a record wildcard DNAME records is the observation that such a record could
could synthesize a DNAME owned by "sub.foo.bar.example." and synthesize a DNAME owned by "sub.foo.bar.example." and
"foo.bar.example." There is a restriction in the DNAME "foo.bar.example.". There is a restriction in the DNAME definition
definition that no domain exist below a DNAME-owning domain, that no domain exist below a DNAME-owning domain; hence, the wildcard
hence, the wildcard DNAME is to be avoided. DNAME is to be avoided.
4.5 SRV RRSet at a Wildcard Domain Name 4.5. SRV RRSet at a Wildcard Domain Name
The definition of the SRV RRset is RFC 2782 [RFC2782]. In the The definition of the SRV RRset is RFC 2782 [RFC2782]. In the
definition of the record, there is some confusion over the term definition of the record, there is some confusion over the term
"Name." The definition reads as follows: "Name". The definition reads as follows:
# The format of the SRV RR # The format of the SRV RR
... ...
# _Service._Proto.Name TTL Class SRV Priority Weight Port Target # _Service._Proto.Name TTL Class SRV Priority Weight Port Target
... ...
# Name # Name
# The domain this RR refers to. The SRV RR is unique in that the # The domain this RR refers to. The SRV RR is unique in that the
# name one searches for is not this name; the example near the end # name one searches for is not this name; the example near the end
# shows this clearly. # shows this clearly.
Do not confuse the definition "Name" with the owner name. I.e., Do not confuse the definition "Name" with the owner name. That is,
once removing the _Service and _Proto labels from the owner name once removing the _Service and _Proto labels from the owner name of
of the SRV RRSet, what remains could be a wildcard domain name the SRV RRSet, what remains could be a wildcard domain name but this
but this is immaterial to the SRV RRSet. is immaterial to the SRV RRSet.
For example, if an SRV record is the following:
E.g., If an SRV record is:
_foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example. _foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
*.example is a wildcard domain name and although it is the Name *.example is a wildcard domain name and although it is the Name of
of the SRV RR, it is not the owner (domain name). The owner the SRV RR, it is not the owner (domain name). The owner domain name
domain name is "_foo._udp.*.example." which is not a wildcard is "_foo._udp.*.example.", which is not a wildcard domain name.
domain name.
A query for the SRV RRSet of "_foo._udp.bar.example." (class IN), A query for the SRV RRSet of "_foo._udp.bar.example." (class IN),
will result in a match of the name "*.example." (assuming there will result in a match of the name "*.example." (assuming there is no
is no bar.example.) and not a match of the SRV record shown. If bar.example.) and not a match of the SRV record shown. If there is
there is no SRV RRSet at "*.example." the answer section will no SRV RRSet at "*.example.", the answer section will reflect that
reflect that (be empty or a CNAME RRset). (be empty or a CNAME RRset).
The confusion is likely based on the mixture of the specification The confusion is likely based on the mixture of the specification of
of the SRV RR and the description of a "use case." the SRV RR and the description of a "use case".
4.6 DS RRSet at a Wildcard Domain Name 4.6. DS RRSet at a Wildcard Domain Name
A DS RRSet owned by a wildcard domain name is meaningless and A DS RRSet owned by a wildcard domain name is meaningless and
harmless. This statement is made in the context that an NS RRSet harmless. This statement is made in the context that an NS RRSet at
at a wildcard domain name is undefined. At a non-delegation a wildcard domain name is undefined. At a non-delegation point, a DS
point, a DS RRSet has no value (no corresponding DNSKEY RRSet RRSet has no value (no corresponding DNSKEY RRSet will be used in
will be used in DNSSEC validation). If there is a synthesized DNSSEC validation). If there is a synthesized DS RRSet, it alone
DS RRSet, it alone will not be very useful as it exists in the will not be very useful as it exists in the context of a delegation
context of a delegation point. point.
4.7 NSEC RRSet at a Wildcard Domain Name 4.7. NSEC RRSet at a Wildcard Domain Name
Wildcard domain names in DNSSEC signed zones will have an NSEC Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
RRSet. Synthesis of these records will only occur when the Synthesis of these records will only occur when the query exactly
query exactly matches the record. Synthesized NSEC RR's will not matches the record. Synthesized NSEC RRs will not be harmful as they
be harmful as they will never be used in negative caching or to will never be used in negative caching or to generate a negative
generate a negative response. [RFC2308] response [RFC2308].
4.8 RRSIG at a Wildcard Domain Name 4.8. RRSIG at a Wildcard Domain Name
RRSIG records will be present at a wildcard domain name in a RRSIG records will be present at a wildcard domain name in a signed
signed zone, and will be synthesized along with data sought in a zone and will be synthesized along with data sought in a query. The
query. The fact that the owner name is synthesized is not a fact that the owner name is synthesized is not a problem as the label
problem as the label count in the RRSIG will instruct the count in the RRSIG will instruct the verifying code to ignore it.
verifying code to ignore it.
4.9 Empty Non-terminal Wildcard Domain Name 4.9. Empty Non-terminal Wildcard Domain Name
If a source of synthesis is an empty non-terminal, then the If a source of synthesis is an empty non-terminal, then the response
response will be one of no error in the return code and no RRSet will be one of no error in the return code and no RRSet in the answer
in the answer section. section.
5. Security Considerations 5. Security Considerations
This document is refining the specifications to make it more This document is refining the specifications to make it more likely
likely that security can be added to DNS. No functional that security can be added to DNS. No functional additions are being
additions are being made, just refining what is considered made, just refining what is considered proper to allow the DNS,
proper to allow the DNS, security of the DNS, and extending security of the DNS, and extending the DNS to be more predictable.
the DNS to be more predictable.
6. IANA Considerations 6. References
None. 6.1. Normative References
7. References [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20,
October 1969.
Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC20] ASCII Format for Network Interchange, V.G. Cerf, [RFC1035] Mockapetris, P., "Domain names - implementation and
Oct-16-1969 specification", STD 13, RFC 1035, November 1987.
[RFC1034] Domain Names - Concepts and Facilities,
P.V. Mockapetris, Nov-01-1987
[RFC1035] Domain Names - Implementation and Specification, P.V [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
Mockapetris, Nov-01-1987 August 1996.
[RFC1995] Incremental Zone Transfer in DNS, M. Ohta, August 1996 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119] Key Words for Use in RFCs to Indicate Requirement [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
[RFC2308] Negative Caching of DNS Queries (DNS NCACHE), NCACHE)", RFC 2308, March 1998.
[RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
August 1999.
[RFC2782] A DNS RR for specifying the location of services (DNS [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
SRV), A. Gulbrandsen, et.al., February 2000 2672, August 1999.
[RFC4033] DNS Security Introduction and Requirements, R. Arends,
[RFC4034] Resource Records for the DNS Security Extensions,
[RFC4035] Protocol Modifications for the DNS Security Extensions,
Informative References
[RFC2136] Dynamic Updates in the Domain Name System (DNS UPDATE), [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound, specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
8. Editor [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.
Name: Edward Lewis [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Affiliation: NeuStar Rose, "Resource Records for the DNS Security Extensions",
Address: 46000 Center Oak Plaza, Sterling, VA, 20166, US RFC 4034, March 2005.
Phone: +1-571-434-5468
Email: ed.lewis@neustar.biz
As required by law, as stated in RFC 3978, Section 3.4, [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
subsection a [RFC3978], this section comprises an Rose, "Protocol Modifications for the DNS Security
"Authors Section." Extensions", RFC 4035, March 2005.
Comments on this document can be sent to the editor or the mailing 6.2. Informative References
list for the DNSEXT WG, namedroppers@ops.ietf.org.
9. Others Contributing to the Document [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
April 1997.
7. Others Contributing to the Document
This document represents the work of a large working group. The This document represents the work of a large working group. The
editor merely recorded its collective wisdom. editor merely recorded its collective wisdom.
As required by law, as stated in RFC 3978, Section 3.4, Comments on this document can be sent to the editor or the mailing
subsection a [RFC3978], this section comprises an list for the DNSEXT WG, namedroppers@ops.ietf.org.
"Acknowledgements Section."
10. Trailing Boilerplate Editor's Address
Edward Lewis
NeuStar
46000 Center Oak Plaza
Sterling, VA
20166, US
Phone: +1-571-434-5468
EMail: ed.lewis@neustar.biz
Full Copyright Statement
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided This document and the information contained herein are provided on an
on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property Intellectual Property
The IETF takes no position regarding the validity or scope of The IETF takes no position regarding the validity or scope of any
any Intellectual Property Rights or other rights that might Intellectual Property Rights or other rights that might be claimed to
be claimed to pertain to the implementation or use of the pertain to the implementation or use of the technology described in
technology described in this document or the extent to which this document or the extent to which any license under such rights
any license under such rights might or might not be available; might or might not be available; nor does it represent that it has
nor does it represent that it has made any independent effort made any independent effort to identify any such rights. Information
to identify any such rights. Information on the procedures on the procedures with respect to rights in RFC documents can be
with respect to rights in RFC documents can be found in BCP 78 found in BCP 78 and BCP 79.
and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the attempt made to obtain a general license or permission for the use of
use of such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR specification can be obtained from the IETF on-line IPR repository at
repository at http://www.ietf.org/ipr. The IETF invites any http://www.ietf.org/ipr.
interested party to bring to its attention any copyrights,
patents or patent applications, or other proprietary rights The IETF invites any interested party to bring to its attention any
that may cover technology that may be required to implement copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is provided by the IETF
Internet Society. Administrative Support Activity (IASA).
Expiration
This document expires on or about September 13, 2006.
 End of changes. 173 change blocks. 
562 lines changed or deleted 528 lines changed or added

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/