summaryrefslogtreecommitdiffstats
path: root/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt')
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt1010
1 files changed, 1010 insertions, 0 deletions
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
new file mode 100644
index 0000000..d65fa71
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
@@ -0,0 +1,1010 @@
+
+
+
+
+
+
+dnsext Working Group B. Halley
+Internet Draft Nominum
+Expiration Date: March 2004
+ E. Lewis
+ ARIN
+
+ September 2003
+
+
+ Clarifying the Role of Wild Card Domains
+ in the Domain Name System
+
+
+ draft-ietf-dnsext-wcard-clarify-02.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is subject to all provisions
+ of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ To view the list Internet-Draft Shadow Directories, see
+ http://www.ietf.org/shadow.html.
+
+Abstract
+
+ The definition of wild cards is recast from the original in RFC 1034,
+ in words that are more specific and in line with RFC 2119. This
+ document is meant to supplement the definition in RFC 1034 and to
+ alter neither the spirit nor intent of that definition.
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 1]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+Table of Contents
+
+ Abstract ................................................ 1
+ 1 Introduction ............................................ 2
+ 1.1 Document Limits ......................................... 3
+ 1.2 Existence ............................................... 4
+ 1.3 An Example .............................................. 4
+ 1.4 Empty Non-terminals ..................................... 5
+ 1.5 Terminology ............................................. 6
+ 2 Defining the Wild Card Domain Name ...................... 7
+ 3 Defining Existence ...................................... 8
+ 4 Impact of a Wild Card In a Query or in RDATA ............ 8
+ 5 Impact of a Wild Card Domain On a Response .............. 9
+ 6 Considerations with Special Types ....................... 12
+ 6.1 SOA RR's at a Wild Card Domain Name ..................... 12
+ 6.2 NS RR's at a Wild Card Domain Name ...................... 12
+ 6.3 CNAME RR's at a Wild Card Domain Name ................... 13
+ 6.4 DNAME RR's at a Wild Card Domain Name ................... 13
+ 7 Security Considerations ................................. 14
+ 8 References .............................................. 14
+ 9 Others Contributing to This Document .................... 14
+ 10 Editors ................................................. 15
+ Appendix A: Subdomains of Wild Card Domain Names ........ 16
+ Full Copyright Statement ................................ 18
+ Acknowledgement ......................................... 18
+
+
+
+
+1. Introduction
+
+ The first section of this document will give a crisp overview of what
+ is begin defined, as well as the motivation rewording of an original
+ document and making a change to bring the specification in line with
+ implementations. Examples are included to help orient the reader.
+
+ Wild card domain names are defined in Section 4.3.3. of RFC 1034 as
+ "instructions for synthesizing RRs." [RFC1034]. The meaning of this
+ is that a specific, special domain name is used to construct
+ responses in instances in which the query name is not otherwise
+ represented in a zone.
+
+ A wild card domain name has a specific range of influence on query
+ names (QNAMEs) within a given class, which is rooted at the domain
+ name containing the wild card label, and is limited by explicit
+ entries, zone cuts and empty non-terminal domains (see section 1.3 of
+ this document).
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 2]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Note that a wild card domain name has no special impact on the search
+ for a query type (QTYPE). If a domain name is found that matches the
+ QNAME (exact or a wild card) but the QTYPE is not found at that
+ point, the proper response is that there is no data available. The
+ search does not continue on to seek other wild cards that might match
+ the QTYPE. To illustrate, a wild card owning an MX RR does not
+ 'cover' other names in the zone that own an A RR. There are certain
+ special case RR types that will be singled out for discussion, the
+ SOA RR, NS RR, CNAME RR, and DNAME RR.
+
+ Why is this document needed? Empirical evidence suggests that the
+ words in RFC 1034 are not clear enough. There exist a number of
+ implementations that have strayed (each differently) from that
+ definition. There also exists a misconception of operators that the
+ wild card can be used to add a specific RR type to all names, such as
+ the MX RR example cited above. This document is also needed as input
+ to efforts to extend DNS, such as the DNS Security Extensions [RFC
+ 2535]. Lack of a clear base specification has proven to result in
+ extension documents that have unpredictable consequences. (This is
+ true in general, not just for DNS.)
+
+ Another reason this clarification is needed is to answer questions
+ regarding authenticated denial of existence, a service introduced in
+ the DNS Security Extensions [RFC 2535]. Prior to the work leading up
+ to this document, it had been feared that a large number of proof
+ records (NXTs) might be needed in each reply because of the unknown
+ number of potential wild card domains that were thought to be
+ applicable. One outcome of this fear is a now discontinued document
+ solving a problem that is now known not to exist. I.e., this
+ clarification has the impact of defending against unwarranted
+ protocol surgery. It is not "yet another" effort to just rewrite the
+ early specifications for the sake of purity.
+
+ Although the effort to define the DNS Security Extensions has
+ prompted this document, the clarifications herein relate to basic DNS
+ only. No DNS Security Extensions considerations are mentioned in the
+ document.
+
+1.1. Document Limits
+
+ This document limits itself to reinforcing the concepts in RFC 1034.
+ In the effort to do this, a few issues have been discussed that
+ change parts of what is in RFC 1034. The discussions have been held
+ within the DNS Extensions Working Group.
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 3]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Briefly, the issues raised include:
+ - The lack of clarity in the definition of domain name existence
+ - Implications of a wild card domain name owning any of the
+ following resource record sets: DNAME [RFC 2672], CNAME, NS, and
+ SOA
+ - Whether RFC 1034 meant to allow special processing of CNAME RR's
+ owned by wild card domain names
+
+1.2. Existence
+
+ The notion that a domain name 'exists' will arise numerous times in
+ this discussion. RFC 1034 raises the issue of existence in a number
+ of places, usually in reference to non-existence and often in
+ reference to processing involving wild card domain names. RFC 1034
+ contains algorithms that describe how domain names impact the
+ preparation of an answer and does define wild cards as a means of
+ synthesizing answers. Because of this a discussion on wild card
+ domain names has to start with the issue of existence.
+
+ To help clarify the topic of wild cards, a positive definition of
+ existence is needed. Complicating matters, though, is the
+ realization that existence is relative. To an authoritative server,
+ a domain name exists if the domain name plays a role following the
+ algorithms of preparing a response. To a resolver, a domain name
+ exists if there is any data available corresponding to the name. The
+ difference between the two is the synthesis of records according to a
+ wild card.
+
+ For the purposes of this document, the point of view of an
+ authoritative server is adopted. A domain name is said to exist if
+ it plays a role in the execution of the algorithms in RFC 1034.
+
+1.3. An Example
+
+ For example, consider this wild card domain name: *.example. Any
+ query name under example. is a candidate to be matched (answered) by
+ this wild card, i.e., to have an response returned that is
+ synthesized from the wild card's RR sets. Although any name is a
+ candidate, not all queries will match.
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 4]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ To further illustrate this, consider this zone:
+
+ $ORIGIN example.
+ @ IN SOA
+ NS
+ NS
+ * TXT "this is a wild card"
+ MX 10 mailhost.example.
+ host1 A 10.0.0.1
+ _ssh._tcp.host1 SRV
+ _ssh._tcp.host2 SRV
+ subdel NS
+
+
+ The following queries would be synthesized from the wild card:
+
+ QNAME=host3.example. QTYPE=MX, QCLASS=IN
+ the answer will be a "host3.example. IN MX ..."
+ QNAME=host3.example. QTYPE=A, QCLASS=IN
+ the answer will reflect "no error, but no data"
+ because there is no A RR set at '*'
+
+ The following queries would not be synthesized from the wild card:
+
+ QNAME=host1.example., QTYPE=MX, QCLASS=IN
+ because host1.example. exists
+ QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
+ because _tcp.host1.example. exists (without data)
+ QNAME=_telnet._tcp.host2.example., QTYPE=SRV, QCLASS=IN
+ because host2.example. exists (without data)
+ QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
+ because subdel.example. exists and is a zone cut
+
+ To the server, the following domains are considered to exist in the
+ zone: *, host1, _tcp.host1, _ssh._tcp.host1, host2, _tcp.host2,
+ _ssh._tcp.host2, and subdel. To a resolver, many more domains appear
+ to exist via the synthesis of the wild card.
+
+1.4. Empty Non-terminals
+
+ Empty non-terminals are domain names that own no data but have
+ subdomains. This is defined in section 3.1 of RFC 1034:
+
+# The domain name space is a tree structure. Each node and leaf on the
+# tree corresponds to a resource set (which may be empty). The domain
+# system makes no distinctions between the uses of the interior nodes and
+# leaves, and this memo uses the term "node" to refer to both.
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 5]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ The parenthesized "which may be empty" specifies that empty non-
+ terminals are explicitly recognized. According to the definition of
+ existence in this document, empty non-terminals do exist at the
+ server.
+
+ Carefully reading the above paragraph can lead to an interpretation
+ that all possible domains exist - up to the suggested limit of 255
+ octets for a domain name [RFC 1035]. For example, www.example. may
+ have an A RR, and as far as is practically concerned, is a leaf of
+ the domain tree. But the definition can be taken to mean that
+ sub.www.example. also exists, albeit with no data. By extension, all
+ possible domains exist, from the root on down. As RFC 1034 also
+ defines "an authoritative name error indicating that the name does
+ not exist" in section 4.3.1, this is not the intent of the original
+ document.
+
+ RFC1034's wording is to be clarified by adding the following
+ paragraph:
+
+ A node is considered to have an impact on the algorithms of
+ 4.3.2 if it is a leaf node with any resource sets or an interior
+ node, with or without a resource set, that has a subdomain that
+ is a leaf node with a resource set. A QNAME and QCLASS matching
+ an existing node never results in a response return code of
+ authoritative name error.
+
+ The terminology in the above paragraph is chosen to remain as close
+ to that in the original document. The term "with" is a alternate
+ form for "owning" in this case, hence "a leaf node owning resources
+ sets, or an interior node, owning or not owning any resource set,
+ that has a leaf node owning a resource set as a subdomain," is the
+ proper interpretation of the middle sentence.
+
+ As an aside, an "authoritative name error" has been called NXDOMAIN
+ in some RFCs, such as RFC 2136 [RFC 2136]. NXDOMAIN is the mnemonic
+ assigned to such an error by at least one implementation of DNS. As
+ this mnemonic is specific to implementations, it is avoided in the
+ remainder of this document.
+
+1.5. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in the document entitled
+ "Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]
+
+ Requirements are denoted by paragraphs that begin with with the
+ following convention: 'R'<sect>.<count>.
+
+
+
+Halley & Lewis [Expires March 2004] [Page 6]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Quotations of RFC 1034 (as has already been done once above) are
+ denoted by a '#' in the leftmost column.
+
+2. Defining the Wild Card Domain Name
+
+ A wild card domain name is defined by having the initial label be:
+
+ 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
+
+ This defines domain names that may play a role in being a wild card,
+ that is, being a source for synthesized answers. Domain names
+ conforming to this definition that appear in queries and RDATA
+ sections do not have any special role. These cases will be described
+ in more detail in following sections.
+
+ R2.1 A domain name that is to be interpreted as a wild card MUST
+ begin with a label of '0000 0001 0010 1010' in binary.
+
+ The first octet is the normal label type and length for a 1 octet
+ long label, the second octet is the ASCII representation [RFC 20] for
+ the '*' character. In RFC 1034, ASCII encoding is assumed to be the
+ character encoding.
+
+ In the master file formats used in RFCs, a "*" is a legal
+ representation for the wild card label. Even if the "*" is escaped,
+ it is still interpreted as the wild card when it is the only
+ character in the label.
+
+ R2.2 A server MUST treat a wild card domain name as the basis of
+ synthesized answers regardless of any "escape" sequences in the
+ input format.
+
+ RFC 1034 and RFC 1035 ignore the case in which a domain name might be
+ "the*.example.com." The interpretation is that this domain name in a
+ zone would only match queries for "the*.example.com" and not have any
+ other role.
+
+ Note: By virtue of this definition, a wild card domain name may have
+ a subdomain. The subdomain (or sub-subdomain) itself may also be a
+ wild card. E.g., *.*.example. is a wild card, so is *.sub.*.example.
+ More discussion on this is given in Appendix A.
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 7]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+3. Defining Existence
+
+ As described in the Introduction, a precise definition of existence
+ is needed.
+
+ R3.1 An authoritative server MUST treat a domain name as existing
+ during the execution of the algorithms in RFC 1034 when the
+ domain name conforms to the following definition. A domain name
+ is defined to exist if the domain name owns data and/or has a
+ subdomain that exists.
+
+ Note that at a zone boundary, the domain name owns data, including
+ the NS RR set. At the delegating server, the NS RR set is not
+ authoritative, but that is of no consequence here. The domain name
+ owns data, therefore, it exists.
+
+ R3.2 An authoritative server MUST treat a domain name that has
+ neither a resource record set nor an existing subdomain as non-
+ existent when executing the algorithm in section 4.3.2. of RFC
+ 1034.
+
+ A note on terminology. A domain transcends zones, i.e., all DNS data
+ is in the root domain but segmented into zones of control. In this
+ document, there are references to a "domain name" in the context of
+ existing "in a zone." In this usage, a domain name is the root of a
+ domain, not the entire domain. The domain's root point is said to
+ "exist in a zone" if the zone is authoritative for the name. RR sets
+ existing in a domain need not be owned by the domain's root domain
+ name, but are owned by other domain names in the domain.
+
+4. Impact of a Wild Card In a Query or in RDATA
+
+ When a wild card domain name appears in a question, e.g., the query
+ name is "*.example.", the response in no way differs from any other
+ query. In other words, the wild card label in a QNAME has no special
+ meaning, and query processing will proceed using '*' as a literal
+ query name.
+
+ R4.1 A wild card domain name acting as a QNAME MUST be treated as any
+ other QNAME, there MUST be no special processing accorded it.
+
+ If a wild card domain name appears in the RDATA of a CNAME RR or any
+ other RR that has a domain name in it, the same rule applies. In the
+ instance of a CNAME RR, the wild card domain name is used in the same
+ manner of as being the original QNAME. For other RR's, rules vary
+ regarding what is done with the domain name(s) appearing in them, in
+ no case does the wild card hold special meaning.
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 8]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ R4.2 A wild card domain name appearing in any RR's RDATA MUST be
+ treated as any other domain name in that situation, there MUST
+ be no special processing accorded it.
+
+5. Impact of a Wild Card Domain On a Response
+
+ The description of how wild cards impact response generation is in
+ RFC 1034, section 4.3.2. That passage contains the algorithm
+ followed by a server in constructing a response. Within that
+ algorithm, step 3, part 'c' defines the behavior of the wild card.
+ The algorithm is directly quoted in lines that begin with a '#' sign.
+ Commentary is interleaved.
+
+ There is a documentation issue deserving some explanation. The
+ algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
+ code, i.e., it's steps are not intended to be followed in strict
+ order. The "algorithm" is a suggestion. As such, in step 3, parts
+ a, b, and c, do not have to be implemented in that order.
+
+ Another issue needing explanation is that RFC 1034 is a full
+ standard. There is another RFC, RFC 2672, which makes, or proposes
+ an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME
+ RR. RFC 2672 is a proposed standard. The dilemma in writing these
+ clarifications is knowing which document is the one being clarified.
+ Fortunately, the difference between RFC 1034 and RFC 2672 is not
+ significant with respect to wild card synthesis, so this document
+ will continue to state that it is clarifying RFC 1034. If RFC 2672
+ progresses along the standards track, it will need to refer to
+ modifying RFC 1034's algorithm as amended here.
+
+ The context of part 'c' is that the search is progressing label by
+ label through the QNAME. (Note that the data being searched is the
+ authoritative data in the server, the cache is searched in step 4.)
+ Step 3's part 'a' covers the case that the QNAME has been matched in
+ full, regardless of the presence of a CNAME RR. Step 'b' covers
+ crossing a cut point, resulting in a referral. All that is left is
+ to look for the wild card.
+
+ Step 3 of the algorithm also assumes that the search is looking in
+ the zone closest to the answer, i.e., in the same class as QCLASS and
+ as close to the authority as possible on this server. If the zone is
+ not the authority, then a referral is given, possibly one indicating
+ lameness.
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 9]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+# c. If at some label, a match is impossible (i.e., the
+# corresponding label does not exist), look to see if a
+# the "*" label exists.
+
+ The above paragraph refers to finding the domain name that exists in
+ the zone and that most encloses the QNAME. Such a domain name will
+ mark the boundary of candidate wild card domain names that might be
+ used to synthesize an answer. (Remember that at this point, if the
+ most enclosing name is the same as the QNAME, part 'a' would have
+ recorded an exact match.) The existence of the enclosing name means
+ that no wild card name higher in the tree is a candidate to answer
+ the query.
+
+ Once the closest enclosing node is identified, there's the matter of
+ what exists below it. It may have subdomains, but none will be
+ closer to the QNAME. One of the subdomains just might be a wild
+ card. If it exists, this is the only wild card eligible to be used
+ to synthesize an answer for the query. Even if the closest enclosing
+ node conforms to the syntax rule in section 2 for being a wild card
+ domain name, the closest enclosing node is not eligible to be a
+ source of a synthesized answer.
+
+ The only wild card domain name that is a candidate to synthesize an
+ answer will be the "*" subdomain of the closest enclosing domain
+ name. Three possibilities can happen. The "*" subdomain does not
+ exist, the "*" subdomain does but does not have an RR set of the same
+ type as the QTYPE, or it exists and has the desired RR set.
+
+ For the sake of brevity, the closest enclosing node can be referred
+ to as the "closest encloser." The closest encloser is the most
+ important concept in this clarification. Describing the closest
+ encloser is a bit tricky, but it is an easy concept.
+
+ To find the closest encloser, you have to first locate the zone that
+ is the authority for the query name. This eliminates the need to be
+ concerned that the closest encloser is a cut point. In addition, we
+ can assume too that the query name does not exist, hence the closest
+ encloser is not equal to the query name. We can assume away these
+ two cases because they are handled in steps 2, 3a and 3b of section
+ 4.3.2.'s algorithm.
+
+ What is left is to identify the existing domain name that would have
+ been up the tree (closer to the root) from the query name. Knowing
+ that an exact match is impossible, if there is a "*" label descending
+ from the unique closest encloser, this is the one and only wild card
+ from which an answer can be synthesized for the query.
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 10]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ To illustrate, using the example in section 1.2 of this document, the
+ following chart shows QNAMEs and the closest enclosers. In
+ Appendix A there is another chart showing unusual cases.
+
+ QNAME Closest Encloser Wild Card Source
+ host3.example. example. *.example.
+ _telnet._tcp.host1.example. _tcp.host1.example. no wild card
+ _telnet._tcp.host2.example. host2.example. no wild card
+ _telnet._tcp.host3.example. example. *.example.
+ _chat._udp.host3.example. example. *.example.
+
+ Note that host1.subdel.example. is in a subzone, so the search for it
+ ends in a referral in part 'b', thus does not enter into finding a
+ closest encloser.
+
+ The fact that a closest encloser will be the only superdomain that
+ can have a candidate wild card will have an impact when it comes to
+ designing authenticated denial of existence proofs.
+
+# If the "*" label does not exist, check whether the name
+# we are looking for is the original QNAME in the query
+# or a name we have followed due to a CNAME. If the name
+# is original, set an authoritative name error in the
+# response and exit. Otherwise just exit.
+
+ The above passage says that if there is not even a wild card domain
+ name to match at this point (failing to find an explicit answer
+ elsewhere), we are to return an authoritative name error at this
+ point. If we were following a CNAME, the specification is unclear,
+ but seems to imply that a no error return code is appropriate, with
+ just the CNAME RR (or sequence of CNAME RRs) in the answer section.
+
+# If the "*" label does exist, match RRs at that node
+# against QTYPE. If any match, copy them into the answer
+# section, but set the owner of the RR to be QNAME, and
+# not the node with the "*" label. Go to step 6.
+
+ This final paragraph covers the role of the QTYPE in the process.
+ Note that if no resource record set matches the QTYPE the result is
+ that no data is copied, but the search still ceases ("Go to step
+ 6."). In the following section, a suggested change is made to this,
+ under the heading "CNAME RRs at a Wild Card Domain Name."
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 11]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+6. Considerations with Special Types
+
+ For the purposes of this section, "special" means that a record
+ induces processing at the server beyond simple lookup. The special
+ types in this section are SOA, NS, CNAME, and DNAME. SOA is special
+ because it is used as a zone marker and has an impact on step 2 of
+ the algorithm in 4.3.2. NS denotes a cut point and has an impact on
+ step 3b. CNAME redirects the query and is mentioned in steps 3a and
+ 3b. DNAME is a "CNAME generator."
+
+6.1. SOA RR's at a Wild Card Domain Name
+
+ If the owner of an SOA record conforms to the basic rules of owning
+ an SOA RR (meaning it is the apex of a zone) the impact on the search
+ algorithm is not in section 3c (where records are synthesized) as
+ would be expected. The impact is really in step 2 of the algorithm,
+ the choice of zone.
+
+ We are no longer talking about whether or not an SOA RR can be
+ synthesized in a response because we are shifting attention to step
+ 2. We are now talking about what it means for a name server to
+ synthesize a zone for a response. To date, no implementation has
+ done this. Thinking ahead though, anyone choosing to pursue this
+ would have to be aware that a server would have to be able to
+ distinguish between queries for data it will have to synthesize and
+ queries that ought to be treated as if they were prompted by a lame
+ delegation.
+
+ It is not a protocol error to have an SOA RR owned by a wild card
+ domain name, just as it is not an error to have zone name be
+ syntactically equivalent to a domain name. However, this situation
+ requires careful consideration of how a server chooses the
+ appropriate zone for an answer. And an SOA RR is not able to be
+ synthesized as in step 3c.
+
+6.2. NS RR's at a Wild Card Domain Name
+
+ Complimentary to the issue of an SOA RR owned by a wild card domain
+ name is the issue of NS RR's owned by a wild card domain name. In
+ this instance, each machine being referred to in the RDATA of the NS
+ RR has to be able to understand the impact of this on step 2, the
+ choosing of the authoritative zone.
+
+ Referring to the same machine in such a NS RR will probably not work
+ well. This is because the server may become confused as to whether
+ the query name ought to be answered by the zone owning the NS RR in
+ question or a synthesized zone. (It isn't known in advance that the
+ query name will invoke the wild card synthesis.)
+
+
+
+Halley & Lewis [Expires March 2004] [Page 12]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ The status of other RR's owned by a wild card domain name is the same
+ as if the owner name was not a wild card domain name. I.e., when
+ there is a NS RR at a wild card domain name, other records are
+ treated as being below the zone cut.
+
+ Is it not a protocol error to have a NS RR owned by a wild card
+ domian name, complimentary to the case of a SOA RR. However, for
+ this to work, an implementation has to know how to synthesize a zone.
+
+6.3. CNAME RR's at a Wild Card Domain Name
+
+ The issue of CNAME RR's owned by wild card domain names has prompted
+ a suggested change to the last paragraph of step 3c of the algorithm
+ in 4.3.2. The changed text is this:
+
+ If the "*" label does exist and if the data at the node is a
+ CNAME and QTYPE doesn't match CNAME, copy the CNAME RR into the
+ answer section of the response, set the owner of the CNAME RR to
+ be QNAME, and then change QNAME to the canonical name in the
+ CNAME RR, and go back to step 1.
+
+ If the "*" label does exist and either QTYPE is CNAME or the
+ data at the node is not a CNAME, then match RRs at that node
+ against QTYPE. If any match, copy them into the answer section,
+ but set the owner of the RR to be QNAME, and not the node with
+ the "*" label. Go to step 6.
+
+ Apologies if the above isn't clear, but an attempt was made to stitch
+ together the passage using just the phrases in section 3a and 3c of
+ the algorithm so as to preserve the original flavor.
+
+ In case the passage as suggested isn't clear enough, the intent is to
+ make "landing" at a wild card name and finding a CNAME the same as if
+ this happened as a result of a direct match. I.e., Finding a CNAME
+ at the name matched in step 3c is supposed to have the same impact as
+ finding the CNAME in step 3a.
+
+6.4. DNAME RR's at a Wild Card Domain Name
+
+ The specification of the DNAME RR, which is at the proposed level of
+ standardization, is not as mature as the full standard in RFC 1034.
+ Because of this, or the reason for this is, there appears to be a
+ host of issues with that definition and it's rewrite of the algorithm
+ in 4.3.2. For the time being, when it comes to wild card processing
+ issues, a DNAME can be considered to be a CNAME synthesizer. A DNAME
+ at a wild card domain name is effectively the same as a CNAME at a
+ wild card domain name.
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 13]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+7. Security Considerations
+
+ This document is refining the specifications to make it more likely
+ that security can be added to DNS. No functional additions are being
+ made, just refining what is considered proper to allow the DNS,
+ security of the DNS, and extending the DNS to be more predictable.
+
+8. References
+
+ Normative References
+
+ [RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969
+
+ [RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris,
+ Nov-01-1987
+
+ [RFC 1035] Domain Names - Implementation and Specification, P.V
+ Mockapetris, Nov-01-1987
+
+ [RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S
+ Bradner, March 1997
+
+ Informative References
+
+ [RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P. Vixie,
+ Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997
+
+ [RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999
+
+ [RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999
+
+9. Others Contributing to This Document
+
+ Others who have directly caused text to appear in the document: Paul
+ Vixie and Olaf Kolkman. Many others have indirect influences on the
+ content.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 14]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+10. Editors
+
+ Name: Bob Halley
+ Affiliation: Nominum, Inc.
+ Address: 2385 Bay Road, Redwood City, CA 94063 USA
+ Phone: +1-650-381-6016
+ EMail: Bob.Halley@nominum.com
+
+ Name: Edward Lewis
+ Affiliation: ARIN
+ Address: 3635 Concorde Pkwy, Suite 200, Chantilly, VA 20151 USA
+ Phone: +1-703-227-9854
+ Email: edlewis@arin.net
+
+ Comments on this document can be sent to the editors or the mailing
+ list for the DNSEXT WG, namedroppers@ops.ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 15]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+Appendix A: Subdomains of Wild Card Domain Names
+
+ In reading the definition of section 2 carefully, it is possible to
+ rationalize unusual names as legal. In the example given,
+ *.example. could have subdomains of *.sub.*.example. and even the
+ more direct *.*.example. (The implication here is that these domain
+ names own explicit resource records sets.) Although defining these
+ names is not easy to justify, it is important that implementions
+ account for the possibility. This section will give some further
+ guidence on handling these names.
+
+ The first thing to realize is that by all definitions, subdomains of
+ wild card domain names are legal. In analyzing them, one realizes
+ that they cause no harm by their existence. Because of this, they
+ are allowed to exist, i.e., there are no special case rules made to
+ disallow them. The reason for not preventing these names is that the
+ prevention would just introduce more code paths to put into
+ implementations.
+
+ The concept of "closest enclosing" existing names is important to
+ keep in mind. It is also important to realize that a wild card
+ domain name can be a closest encloser of a query name. For example,
+ if *.*.example. is defined in a zone, and the query name is
+ a.*.example., then the closest enclosing domain name is *.example.
+ Keep in mind that the closest encloser is not eligible to be a source
+ of synthesized answers, just the subdomain of it that has the first
+ label "*".
+
+ To illustrate this, the following chart shows some matches. Assume
+ that the names *.example., *.*.example., and *.sub.*.example. are
+ defined in the zone.
+
+ QNAME Closest Encloser Wild Card Source
+ a.example. example. *.example.
+ b.a.example. example. *.example.
+ a.*.example. *.example. *.*.example.
+ b.a.*.example. *.example. *.*.example.
+ b.a.*.*.example. *.*.example. no wild card
+ a.sub.*.example. sub.*.example. *.sub.*.example.
+ b.a.sub.*.example. sub.*.example. *.sub.*.example.
+ a.*.sub.*.example. *.sub.*.example. no wild card
+ *.a.example. example. *.example.
+ a.sub.b.example. example. *.example.
+
+ Recall that the closest encloser itself cannot be the wild card.
+ Therefore the match for b.a.*.*.example. has no applicable wild card.
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 16]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Finally, if a query name is sub.*.example., any answer available will
+ come from an exact name match for sub.*.example. No wild card
+ synthesis is performed in this case.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 17]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society 2003. All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 18]
OpenPOWER on IntegriCloud