Remove from the vendor branch files that are no longer
present in BIND 9.4.1.
This commit is contained in:
parent
141cfa5029
commit
d6a1012ea9
@ -1,252 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 1999-2002 Internet Software Consortium.
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: aclconf.c,v 1.27.12.7 2006/03/02 00:37:20 marka Exp $ */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <isc/mem.h>
|
||||
#include <isc/string.h> /* Required for HP/UX (and others?) */
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <isccfg/namedconf.h>
|
||||
|
||||
#include <dns/acl.h>
|
||||
#include <dns/fixedname.h>
|
||||
#include <dns/log.h>
|
||||
|
||||
#include <named/aclconf.h>
|
||||
|
||||
#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
|
||||
|
||||
void
|
||||
ns_aclconfctx_init(ns_aclconfctx_t *ctx) {
|
||||
ISC_LIST_INIT(ctx->named_acl_cache);
|
||||
}
|
||||
|
||||
void
|
||||
ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) {
|
||||
dns_acl_t *dacl, *next;
|
||||
for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
|
||||
dacl != NULL;
|
||||
dacl = next)
|
||||
{
|
||||
next = ISC_LIST_NEXT(dacl, nextincache);
|
||||
dns_acl_detach(&dacl);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Find the definition of the named acl whose name is "name".
|
||||
*/
|
||||
static isc_result_t
|
||||
get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
|
||||
isc_result_t result;
|
||||
const cfg_obj_t *acls = NULL;
|
||||
const cfg_listelt_t *elt;
|
||||
|
||||
result = cfg_map_get(cctx, "acl", &acls);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return (result);
|
||||
for (elt = cfg_list_first(acls);
|
||||
elt != NULL;
|
||||
elt = cfg_list_next(elt)) {
|
||||
const cfg_obj_t *acl = cfg_listelt_value(elt);
|
||||
const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
|
||||
if (strcasecmp(aclname, name) == 0) {
|
||||
*ret = cfg_tuple_get(acl, "value");
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
}
|
||||
return (ISC_R_NOTFOUND);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
|
||||
ns_aclconfctx_t *ctx, isc_mem_t *mctx,
|
||||
dns_acl_t **target)
|
||||
{
|
||||
isc_result_t result;
|
||||
const cfg_obj_t *cacl = NULL;
|
||||
dns_acl_t *dacl;
|
||||
dns_acl_t loop;
|
||||
const char *aclname = cfg_obj_asstring(nameobj);
|
||||
|
||||
/* Look for an already-converted version. */
|
||||
for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
|
||||
dacl != NULL;
|
||||
dacl = ISC_LIST_NEXT(dacl, nextincache))
|
||||
{
|
||||
if (strcasecmp(aclname, dacl->name) == 0) {
|
||||
if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
|
||||
cfg_obj_log(nameobj, dns_lctx, ISC_LOG_ERROR,
|
||||
"acl loop detected: %s", aclname);
|
||||
return (ISC_R_FAILURE);
|
||||
}
|
||||
dns_acl_attach(dacl, target);
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
}
|
||||
/* Not yet converted. Convert now. */
|
||||
result = get_acl_def(cctx, aclname, &cacl);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
cfg_obj_log(nameobj, dns_lctx, ISC_LOG_WARNING,
|
||||
"undefined ACL '%s'", aclname);
|
||||
return (result);
|
||||
}
|
||||
/*
|
||||
* Add a loop detection element.
|
||||
*/
|
||||
memset(&loop, 0, sizeof(loop));
|
||||
ISC_LINK_INIT(&loop, nextincache);
|
||||
DE_CONST(aclname, loop.name);
|
||||
loop.magic = LOOP_MAGIC;
|
||||
ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
|
||||
result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl);
|
||||
ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
|
||||
loop.magic = 0;
|
||||
loop.name = NULL;
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return (result);
|
||||
dacl->name = isc_mem_strdup(dacl->mctx, aclname);
|
||||
if (dacl->name == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
|
||||
dns_acl_attach(dacl, target);
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
convert_keyname(const cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
|
||||
isc_result_t result;
|
||||
isc_buffer_t buf;
|
||||
dns_fixedname_t fixname;
|
||||
unsigned int keylen;
|
||||
const char *txtname = cfg_obj_asstring(keyobj);
|
||||
|
||||
keylen = strlen(txtname);
|
||||
isc_buffer_init(&buf, txtname, keylen);
|
||||
isc_buffer_add(&buf, keylen);
|
||||
dns_fixedname_init(&fixname);
|
||||
result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
|
||||
dns_rootname, ISC_FALSE, NULL);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
cfg_obj_log(keyobj, dns_lctx, ISC_LOG_WARNING,
|
||||
"key name '%s' is not a valid domain name",
|
||||
txtname);
|
||||
return (result);
|
||||
}
|
||||
return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
ns_acl_fromconfig(const cfg_obj_t *caml,
|
||||
const cfg_obj_t *cctx,
|
||||
ns_aclconfctx_t *ctx,
|
||||
isc_mem_t *mctx,
|
||||
dns_acl_t **target)
|
||||
{
|
||||
isc_result_t result;
|
||||
unsigned int count;
|
||||
dns_acl_t *dacl = NULL;
|
||||
dns_aclelement_t *de;
|
||||
const cfg_listelt_t *elt;
|
||||
|
||||
REQUIRE(target != NULL && *target == NULL);
|
||||
|
||||
count = 0;
|
||||
for (elt = cfg_list_first(caml);
|
||||
elt != NULL;
|
||||
elt = cfg_list_next(elt))
|
||||
count++;
|
||||
|
||||
result = dns_acl_create(mctx, count, &dacl);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return (result);
|
||||
|
||||
de = dacl->elements;
|
||||
for (elt = cfg_list_first(caml);
|
||||
elt != NULL;
|
||||
elt = cfg_list_next(elt))
|
||||
{
|
||||
const cfg_obj_t *ce = cfg_listelt_value(elt);
|
||||
if (cfg_obj_istuple(ce)) {
|
||||
/* This must be a negated element. */
|
||||
ce = cfg_tuple_get(ce, "value");
|
||||
de->negative = ISC_TRUE;
|
||||
} else {
|
||||
de->negative = ISC_FALSE;
|
||||
}
|
||||
|
||||
if (cfg_obj_isnetprefix(ce)) {
|
||||
/* Network prefix */
|
||||
de->type = dns_aclelementtype_ipprefix;
|
||||
|
||||
cfg_obj_asnetprefix(ce,
|
||||
&de->u.ip_prefix.address,
|
||||
&de->u.ip_prefix.prefixlen);
|
||||
} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
|
||||
/* Key name */
|
||||
de->type = dns_aclelementtype_keyname;
|
||||
dns_name_init(&de->u.keyname, NULL);
|
||||
result = convert_keyname(ce, mctx, &de->u.keyname);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
} else if (cfg_obj_islist(ce)) {
|
||||
/* Nested ACL */
|
||||
de->type = dns_aclelementtype_nestedacl;
|
||||
result = ns_acl_fromconfig(ce, cctx, ctx, mctx,
|
||||
&de->u.nestedacl);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
} else if (cfg_obj_isstring(ce)) {
|
||||
/* ACL name */
|
||||
const char *name = cfg_obj_asstring(ce);
|
||||
if (strcasecmp(name, "localhost") == 0) {
|
||||
de->type = dns_aclelementtype_localhost;
|
||||
} else if (strcasecmp(name, "localnets") == 0) {
|
||||
de->type = dns_aclelementtype_localnets;
|
||||
} else if (strcasecmp(name, "any") == 0) {
|
||||
de->type = dns_aclelementtype_any;
|
||||
} else if (strcasecmp(name, "none") == 0) {
|
||||
de->type = dns_aclelementtype_any;
|
||||
de->negative = ISC_TF(! de->negative);
|
||||
} else {
|
||||
de->type = dns_aclelementtype_nestedacl;
|
||||
result = convert_named_acl(ce, cctx, ctx, mctx,
|
||||
&de->u.nestedacl);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
}
|
||||
} else {
|
||||
cfg_obj_log(ce, dns_lctx, ISC_LOG_WARNING,
|
||||
"address match list contains "
|
||||
"unsupported element type");
|
||||
result = ISC_R_FAILURE;
|
||||
goto cleanup;
|
||||
}
|
||||
de++;
|
||||
dacl->length++;
|
||||
}
|
||||
|
||||
*target = dacl;
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
cleanup:
|
||||
dns_acl_detach(&dacl);
|
||||
return (result);
|
||||
}
|
@ -1,72 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 1999-2001 Internet Software Consortium.
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: aclconf.h,v 1.12.208.3 2006/03/02 00:37:20 marka Exp $ */
|
||||
|
||||
#ifndef NS_ACLCONF_H
|
||||
#define NS_ACLCONF_H 1
|
||||
|
||||
#include <isc/lang.h>
|
||||
|
||||
#include <isccfg/cfg.h>
|
||||
|
||||
#include <dns/types.h>
|
||||
|
||||
typedef struct ns_aclconfctx {
|
||||
ISC_LIST(dns_acl_t) named_acl_cache;
|
||||
} ns_aclconfctx_t;
|
||||
|
||||
/***
|
||||
*** Functions
|
||||
***/
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
void
|
||||
ns_aclconfctx_init(ns_aclconfctx_t *ctx);
|
||||
/*
|
||||
* Initialize an ACL configuration context.
|
||||
*/
|
||||
|
||||
void
|
||||
ns_aclconfctx_destroy(ns_aclconfctx_t *ctx);
|
||||
/*
|
||||
* Destroy an ACL configuration context.
|
||||
*/
|
||||
|
||||
isc_result_t
|
||||
ns_acl_fromconfig(const cfg_obj_t *caml,
|
||||
const cfg_obj_t *cctx,
|
||||
ns_aclconfctx_t *ctx,
|
||||
isc_mem_t *mctx,
|
||||
dns_acl_t **target);
|
||||
/*
|
||||
* Construct a new dns_acl_t from configuration data in 'caml' and
|
||||
* 'cctx'. Memory is allocated through 'mctx'.
|
||||
*
|
||||
* Any named ACLs referred to within 'caml' will be be converted
|
||||
* inte nested dns_acl_t objects. Multiple references to the same
|
||||
* named ACLs will be converted into shared references to a single
|
||||
* nested dns_acl_t object when the referring objects were created
|
||||
* passing the same ACL configuration context 'ctx'.
|
||||
*
|
||||
* On success, attach '*target' to the new dns_acl_t object.
|
||||
*/
|
||||
|
||||
ISC_LANG_ENDDECLS
|
||||
|
||||
#endif /* NS_ACLCONF_H */
|
@ -1,562 +0,0 @@
|
||||
|
||||
|
||||
|
||||
|
||||
DNSEXT M. Stapp
|
||||
Internet-Draft Cisco Systems, Inc.
|
||||
Expires: August 13, 2005 T. Lemon
|
||||
A. Gustafsson
|
||||
Nominum, Inc.
|
||||
February 9, 2005
|
||||
|
||||
|
||||
A DNS RR for Encoding DHCP Information (DHCID RR)
|
||||
<draft-ietf-dnsext-dhcid-rr-09.txt>
|
||||
|
||||
Status of this Memo
|
||||
|
||||
This document is an Internet-Draft and is subject to all provisions
|
||||
of Section 3 of RFC 3667. By submitting this Internet-Draft, each
|
||||
author represents that any applicable patent or other IPR claims of
|
||||
which he or she is aware have been or will be disclosed, and any of
|
||||
which he or she become aware will be disclosed, in accordance with
|
||||
RFC 3668.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as
|
||||
Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on August 13, 2005.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2005).
|
||||
|
||||
Abstract
|
||||
|
||||
It is possible for multiple DHCP clients to attempt to update the
|
||||
same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
|
||||
the clients themselves perform the DNS updates, conflicts can arise.
|
||||
To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 1]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
proposes storing client identifiers in the DNS to unambiguously
|
||||
associate domain names with the DHCP clients to which they refer.
|
||||
This memo defines a distinct RR type for this purpose for use by DHCP
|
||||
clients and servers, the "DHCID" RR.
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 4
|
||||
3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . 4
|
||||
3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . 4
|
||||
3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . 4
|
||||
3.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||
3.5.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
3.5.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 6
|
||||
5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
|
||||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
|
||||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
|
||||
9.1 Normative References . . . . . . . . . . . . . . . . . . . 8
|
||||
9.2 Informative References . . . . . . . . . . . . . . . . . . 8
|
||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9
|
||||
Intellectual Property and Copyright Statements . . . . . . . . 10
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 2]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
1. Terminology
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||||
document are to be interpreted as described in RFC 2119 [2].
|
||||
|
||||
2. Introduction
|
||||
|
||||
A set of procedures to allow DHCP [7] clients and servers to
|
||||
automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
|
||||
in "Resolution of DNS Name Conflicts" [1].
|
||||
|
||||
Conflicts can arise if multiple DHCP clients wish to use the same DNS
|
||||
name. To resolve such conflicts, "Resolution of DNS Name Conflicts"
|
||||
[1] proposes storing client identifiers in the DNS to unambiguously
|
||||
associate domain names with the DHCP clients using them. In the
|
||||
interest of clarity, it is preferable for this DHCP information to
|
||||
use a distinct RR type. This memo defines a distinct RR for this
|
||||
purpose for use by DHCP clients or servers, the "DHCID" RR.
|
||||
|
||||
In order to avoid exposing potentially sensitive identifying
|
||||
information, the data stored is the result of a one-way MD5 [5] hash
|
||||
computation. The hash includes information from the DHCP client's
|
||||
REQUEST message as well as the domain name itself, so that the data
|
||||
stored in the DHCID RR will be dependent on both the client
|
||||
identification used in the DHCP protocol interaction and the domain
|
||||
name. This means that the DHCID RDATA will vary if a single client
|
||||
is associated over time with more than one name. This makes it
|
||||
difficult to 'track' a client as it is associated with various domain
|
||||
names.
|
||||
|
||||
The MD5 hash algorithm has been shown to be weaker than the SHA-1
|
||||
algorithm; it could therefore be argued that SHA-1 is a better
|
||||
choice. However, SHA-1 is significantly slower than MD5. A
|
||||
successful attack of MD5's weakness does not reveal the original data
|
||||
that was used to generate the signature, but rather provides a new
|
||||
set of input data that will produce the same signature. Because we
|
||||
are using the MD5 hash to conceal the original data, the fact that an
|
||||
attacker could produce a different plaintext resulting in the same
|
||||
MD5 output is not significant concern.
|
||||
|
||||
3. The DHCID RR
|
||||
|
||||
The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The
|
||||
DHCID RR is only defined in the IN class. DHCID RRs cause no
|
||||
additional section processing. The DHCID RR is not a singleton type.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 3]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
3.1 DHCID RDATA format
|
||||
|
||||
The RDATA section of a DHCID RR in transmission contains RDLENGTH
|
||||
bytes of binary data. The format of this data and its interpretation
|
||||
by DHCP servers and clients are described below.
|
||||
|
||||
DNS software should consider the RDATA section to be opaque. DHCP
|
||||
clients or servers use the DHCID RR to associate a DHCP client's
|
||||
identity with a DNS name, so that multiple DHCP clients and servers
|
||||
may deterministically perform dynamic DNS updates to the same zone.
|
||||
From the updater's perspective, the DHCID resource record RDATA
|
||||
consists of a 16-bit identifier type, in network byte order, followed
|
||||
by one or more bytes representing the actual identifier:
|
||||
|
||||
< 16 bits > DHCP identifier used
|
||||
< n bytes > MD5 digest
|
||||
|
||||
|
||||
3.2 DHCID Presentation Format
|
||||
|
||||
In DNS master files, the RDATA is represented as a single block in
|
||||
base 64 encoding identical to that used for representing binary data
|
||||
in RFC 2535 [8]. The data may be divided up into any number of white
|
||||
space separated substrings, down to single base 64 digits, which are
|
||||
concatenated to form the complete RDATA. These substrings can span
|
||||
lines using the standard parentheses.
|
||||
|
||||
3.3 The DHCID RR Type Codes
|
||||
|
||||
The DHCID RR Type Code specifies what data from the DHCP client's
|
||||
request was used as input into the hash function. The type codes are
|
||||
defined in a registry maintained by IANA, as specified in Section 7.
|
||||
The initial list of assigned values for the type code is:
|
||||
|
||||
0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
|
||||
0x0001 = The data portion from a DHCPv4 client's Client Identifier
|
||||
option [9].
|
||||
0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
|
||||
client's Client Identifier option [10] or the DUID field from a
|
||||
DHCPv4 client's Client Identifier option [12]).
|
||||
|
||||
0x0003 - 0xfffe = Available to be assigned by IANA.
|
||||
|
||||
0xffff = RESERVED
|
||||
|
||||
3.4 Computation of the RDATA
|
||||
|
||||
The DHCID RDATA is formed by concatenating the two type bytes with
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 4]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
some variable-length identifying data.
|
||||
|
||||
< type > < data >
|
||||
|
||||
The RDATA for all type codes other than 0xffff, which is reserved for
|
||||
future expansion, is formed by concatenating the two type bytes and a
|
||||
16-byte MD5 hash value. The input to the hash function is defined to
|
||||
be:
|
||||
|
||||
data = MD5(< identifier > < FQDN >)
|
||||
|
||||
The FQDN is represented in the buffer in unambiguous canonical form
|
||||
as described in RFC 2535 [8], section 8.1. The type code and the
|
||||
identifier are related as specified in Section 3.3: the type code
|
||||
describes the source of the identifier.
|
||||
|
||||
When the updater is using the client's link-layer address as the
|
||||
identifier, the first two bytes of the DHCID RDATA MUST be zero. To
|
||||
generate the rest of the resource record, the updater computes a
|
||||
one-way hash using the MD5 algorithm across a buffer containing the
|
||||
client's network hardware type, link-layer address, and the FQDN
|
||||
data. Specifically, the first byte of the buffer contains the
|
||||
network hardware type as it appeared in the DHCP 'htype' field of the
|
||||
client's DHCPREQUEST message. All of the significant bytes of the
|
||||
chaddr field in the client's DHCPREQUEST message follow, in the same
|
||||
order in which the bytes appear in the DHCPREQUEST message. The
|
||||
number of significant bytes in the 'chaddr' field is specified in the
|
||||
'hlen' field of the DHCPREQUEST message. The FQDN data, as specified
|
||||
above, follows.
|
||||
|
||||
When the updater is using the DHCPv4 Client Identifier option sent by
|
||||
the client in its DHCPREQUEST message, the first two bytes of the
|
||||
DHCID RR MUST be 0x0001, in network byte order. The rest of the
|
||||
DHCID RR MUST contain the results of computing an MD5 hash across the
|
||||
payload of the option, followed by the FQDN. The payload of the
|
||||
option consists of the bytes of the option following the option code
|
||||
and length.
|
||||
|
||||
When the updater is using the DHCPv6 DUID sent by the client in its
|
||||
REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
|
||||
in network byte order. The rest of the DHCID RR MUST contain the
|
||||
results of computing an MD5 hash across the payload of the option,
|
||||
followed by the FQDN. The payload of the option consists of the
|
||||
bytes of the option following the option code and length.
|
||||
|
||||
3.5 Examples
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 5]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
3.5.1 Example 1
|
||||
|
||||
A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
|
||||
Ethernet MAC address 01:02:03:04:05:06 using domain name
|
||||
"client.example.com" uses the client's link-layer address to identify
|
||||
the client. The DHCID RDATA is composed by setting the two type
|
||||
bytes to zero, and performing an MD5 hash computation across a buffer
|
||||
containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
|
||||
address, and the domain name (represented as specified in
|
||||
Section 3.4).
|
||||
|
||||
client.example.com. A 10.0.0.1
|
||||
client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU
|
||||
|
||||
|
||||
3.5.2 Example 2
|
||||
|
||||
A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
|
||||
included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
|
||||
in its DHCP request. The server updates the name "chi.example.com"
|
||||
on the client's behalf, and uses the DHCP client identifier option
|
||||
data as input in forming a DHCID RR. The DHCID RDATA is formed by
|
||||
setting the two type bytes to the value 0x0001, and performing an MD5
|
||||
hash computation across a buffer containing the seven bytes from the
|
||||
client-id option and the FQDN (represented as specified in
|
||||
Section 3.4).
|
||||
|
||||
chi.example.com. A 10.0.12.99
|
||||
chi.example.com. DHCID AAHdd5jiQ3kEjANDm82cbObk\012
|
||||
|
||||
|
||||
4. Use of the DHCID RR
|
||||
|
||||
This RR MUST NOT be used for any purpose other than that detailed in
|
||||
"Resolution of DNS Name Conflicts" [1]. Although this RR contains
|
||||
data that is opaque to DNS servers, the data must be consistent
|
||||
across all entities that update and interpret this record.
|
||||
Therefore, new data formats may only be defined through actions of
|
||||
the DHC Working Group, as a result of revising [1].
|
||||
|
||||
5. Updater Behavior
|
||||
|
||||
The data in the DHCID RR allows updaters to determine whether more
|
||||
than one DHCP client desires to use a particular FQDN. This allows
|
||||
site administrators to establish policy about DNS updates. The DHCID
|
||||
RR does not establish any policy itself.
|
||||
|
||||
Updaters use data from a DHCP client's request and the domain name
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 6]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
that the client desires to use to compute a client identity hash, and
|
||||
then compare that hash to the data in any DHCID RRs on the name that
|
||||
they wish to associate with the client's IP address. If an updater
|
||||
discovers DHCID RRs whose RDATA does not match the client identity
|
||||
that they have computed, the updater SHOULD conclude that a different
|
||||
client is currently associated with the name in question. The
|
||||
updater SHOULD then proceed according to the site's administrative
|
||||
policy. That policy might dictate that a different name be selected,
|
||||
or it might permit the updater to continue.
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
The DHCID record as such does not introduce any new security problems
|
||||
into the DNS. In order to avoid exposing private information about
|
||||
DHCP clients to public scrutiny, a one-way hash is used to obscure
|
||||
all client information. In order to make it difficult to 'track' a
|
||||
client by examining the names associated with a particular hash
|
||||
value, the FQDN is included in the hash computation. Thus, the RDATA
|
||||
is dependent on both the DHCP client identification data and on each
|
||||
FQDN associated with the client.
|
||||
|
||||
Administrators should be wary of permitting unsecured DNS updates to
|
||||
zones which are exposed to the global Internet. Both DHCP clients
|
||||
and servers SHOULD use some form of update authentication (e.g., TSIG
|
||||
[11]) when performing DNS updates.
|
||||
|
||||
7. IANA Considerations
|
||||
|
||||
IANA is requested to allocate an RR type number for the DHCID record
|
||||
type.
|
||||
|
||||
This specification defines a new number-space for the 16-bit type
|
||||
codes associated with the DHCID RR. IANA is requested to establish a
|
||||
registry of the values for this number-space.
|
||||
|
||||
Three initial values are assigned in Section 3.3, and the value
|
||||
0xFFFF is reserved for future use. New DHCID RR type codes are
|
||||
tentatively assigned after the specification for the associated type
|
||||
code, published as an Internet Draft, has received expert review by a
|
||||
designated expert. The final assignment of DHCID RR type codes is
|
||||
through Standards Action, as defined in RFC 2434 [6].
|
||||
|
||||
8. Acknowledgements
|
||||
|
||||
Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
|
||||
Ralph Droms for their review and suggestions.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 7]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
9. References
|
||||
|
||||
9.1 Normative References
|
||||
|
||||
[1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
|
||||
DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.
|
||||
|
||||
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||||
Levels", BCP 14, RFC 2119, March 1997.
|
||||
|
||||
[3] Mockapetris, P., "Domain names - concepts and facilities",
|
||||
STD 13, RFC 1034, November 1987.
|
||||
|
||||
[4] Mockapetris, P., "Domain names - implementation and
|
||||
specification", STD 13, RFC 1035, November 1987.
|
||||
|
||||
[5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
|
||||
1992.
|
||||
|
||||
[6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
|
||||
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
|
||||
|
||||
9.2 Informative References
|
||||
|
||||
[7] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
|
||||
March 1997.
|
||||
|
||||
[8] Eastlake, D., "Domain Name System Security Extensions",
|
||||
RFC 2535, March 1999.
|
||||
|
||||
[9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
|
||||
Extensions", RFC 2132, March 1997.
|
||||
|
||||
[10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
|
||||
Carney, "Dynamic Host Configuration Protocol for IPv6
|
||||
(DHCPv6)", RFC 3315, July 2003.
|
||||
|
||||
[11] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
|
||||
"Secret Key Transaction Authentication for DNS (TSIG)",
|
||||
RFC 2845, May 2000.
|
||||
|
||||
[12] Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
|
||||
for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 8]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
Authors' Addresses
|
||||
|
||||
Mark Stapp
|
||||
Cisco Systems, Inc.
|
||||
1414 Massachusetts Ave.
|
||||
Boxborough, MA 01719
|
||||
USA
|
||||
|
||||
Phone: 978.936.1535
|
||||
Email: mjs@cisco.com
|
||||
|
||||
|
||||
Ted Lemon
|
||||
Nominum, Inc.
|
||||
950 Charter St.
|
||||
Redwood City, CA 94063
|
||||
USA
|
||||
|
||||
Email: mellon@nominum.com
|
||||
|
||||
|
||||
Andreas Gustafsson
|
||||
Nominum, Inc.
|
||||
950 Charter St.
|
||||
Redwood City, CA 94063
|
||||
USA
|
||||
|
||||
Email: gson@nominum.com
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 9]
|
||||
|
||||
Internet-Draft The DHCID RR February 2005
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the procedures with respect to rights in RFC documents can be
|
||||
found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2005). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires August 13, 2005 [Page 10]
|
||||
|
||||
|
@ -1,560 +0,0 @@
|
||||
|
||||
|
||||
|
||||
Network Working Group S. Weiler
|
||||
Internet-Draft SPARTA, Inc
|
||||
Updates: 4034, 4035 (if approved) J. Ihren
|
||||
Expires: November 13, 2005 Autonomica AB
|
||||
May 12, 2005
|
||||
|
||||
|
||||
Minimally Covering NSEC Records and DNSSEC On-line Signing
|
||||
draft-ietf-dnsext-dnssec-online-signing-00
|
||||
|
||||
Status of this Memo
|
||||
|
||||
By submitting this Internet-Draft, each author represents that any
|
||||
applicable patent or other IPR claims of which he or she is aware
|
||||
have been or will be disclosed, and any of which he or she becomes
|
||||
aware will be disclosed, in accordance with Section 6 of BCP 79.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on November 13, 2005.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2005).
|
||||
|
||||
Abstract
|
||||
|
||||
This document describes how to construct DNSSEC NSEC resource records
|
||||
that cover a smaller range of names than called for by RFC4034. By
|
||||
generating and signing these records on demand, authoritative name
|
||||
servers can effectively stop the disclosure of zone contents
|
||||
otherwise made possible by walking the chain of NSEC records in a
|
||||
signed zone.
|
||||
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 1]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
Changes from weiler-01 to ietf-00
|
||||
|
||||
Inserted RFC numbers for 4033, 4034, and 4035.
|
||||
|
||||
Specified contents of bitmap field in synthesized NSEC RR's, pointing
|
||||
out that this relaxes a constraint in 4035. Added 4035 to the
|
||||
Updates header.
|
||||
|
||||
Changes from weiler-00 to weiler-01
|
||||
|
||||
Clarified that this updates RFC4034 by relaxing requirements on the
|
||||
next name field.
|
||||
|
||||
Added examples covering wildcard names.
|
||||
|
||||
In the 'better functions' section, reiterated that perfect functions
|
||||
aren't needed.
|
||||
|
||||
Added a reference to RFC 2119.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 2]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Introduction and Terminology . . . . . . . . . . . . . . . . 4
|
||||
2. Minimally Covering NSEC Records . . . . . . . . . . . . . . 4
|
||||
3. Better Increment & Decrement Functions . . . . . . . . . . . 6
|
||||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
|
||||
5. Security Considerations . . . . . . . . . . . . . . . . . . 7
|
||||
6. Normative References . . . . . . . . . . . . . . . . . . . . 8
|
||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
|
||||
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 8
|
||||
Intellectual Property and Copyright Statements . . . . . . . 10
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 3]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
1. Introduction and Terminology
|
||||
|
||||
With DNSSEC [1], an NSEC record lists the next instantiated name in
|
||||
its zone, proving that no names exist in the "span" between the
|
||||
NSEC's owner name and the name in the "next name" field. In this
|
||||
document, an NSEC record is said to "cover" the names between its
|
||||
owner name and next name.
|
||||
|
||||
Through repeated queries that return NSEC records, it is possible to
|
||||
retrieve all of the names in the zone, a process commonly called
|
||||
"walking" the zone. Some zone owners have policies forbidding zone
|
||||
transfers by arbitrary clients; this side-effect of the NSEC
|
||||
architecture subverts those policies.
|
||||
|
||||
This document presents a way to prevent zone walking by constructing
|
||||
NSEC records that cover fewer names. These records can make zone
|
||||
walking take approximately as many queries as simply asking for all
|
||||
possible names in a zone, making zone walking impractical. Some of
|
||||
these records must be created and signed on demand, which requires
|
||||
on-line private keys. Anyone contemplating use of this technique is
|
||||
strongly encouraged to review the discussion of the risks of on-line
|
||||
signing in Section 5.
|
||||
|
||||
The technique presented here may be useful to a zone owner that wants
|
||||
to use DNSSEC, is concerned about exposure of its zone contents via
|
||||
zone walking, and is willing to bear the costs of on-line signing.
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||||
document are to be interpreted as described in RFC 2119 [4].
|
||||
|
||||
2. Minimally Covering NSEC Records
|
||||
|
||||
This mechanism involves changes to NSEC records for instantiated
|
||||
names, which can still be generated and signed in advance, as well as
|
||||
the on-demand generation and signing of new NSEC records whenever a
|
||||
name must be proven not to exist.
|
||||
|
||||
In the 'next name' field of instantiated names' NSEC records, rather
|
||||
than list the next instantiated name in the zone, list any name that
|
||||
falls lexically after the NSEC's owner name and before the next
|
||||
instantiated name in the zone, according to the ordering function in
|
||||
RFC4034 [2] section 6.2. This relaxes the requirement in section
|
||||
4.1.1 of RFC4034 that the 'next name' field contains the next owner
|
||||
name in the zone. This change is expected to be fully compatible
|
||||
with all existing DNSSEC validators. These NSEC records are returned
|
||||
whenever proving something specifically about the owner name (e.g.
|
||||
that no resource records of a given type appear at that name).
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 4]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
Whenever an NSEC record is needed to prove the non-existence of a
|
||||
name, a new NSEC record is dynamically produced and signed. The new
|
||||
NSEC record has an owner name lexically before the QNAME but
|
||||
lexically following any existing name and a 'next name' lexically
|
||||
following the QNAME but before any existing name.
|
||||
|
||||
The generated NSEC record's type bitmap SHOULD have the RRSIG and
|
||||
NSEC bits set and SHOULD NOT have any other bits set. This relaxes
|
||||
the requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
|
||||
names that did not exist before the zone wsa signed.
|
||||
|
||||
The functions to generate the lexically following and proceeding
|
||||
names need not be perfect nor consistent, but the generated NSEC
|
||||
records must not cover any existing names. Furthermore, this
|
||||
technique works best when the generated NSEC records cover as few
|
||||
names as possible.
|
||||
|
||||
An NSEC record denying the existence of a wildcard may be generated
|
||||
in the same way. Since the NSEC record covering a non-existent
|
||||
wildcard is likely to be used in response to many queries,
|
||||
authoritative name servers using the techniques described here may
|
||||
want to pregenerate or cache that record and its corresponding RRSIG.
|
||||
|
||||
For example, a query for an A record at the non-instantiated name
|
||||
example.com might produce the following two NSEC records, the first
|
||||
denying the existence of the name example.com and the second denying
|
||||
the existence of a wildcard:
|
||||
|
||||
exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
|
||||
|
||||
).com 3600 IN NSEC +.com ( RRSIG NSEC )
|
||||
|
||||
Before answering a query with these records, an authoritative server
|
||||
must test for the existence of names between these endpoints. If the
|
||||
generated NSEC would cover existing names (e.g. exampldd.com or
|
||||
*bizarre.example.com), a better increment or decrement function may
|
||||
be used or the covered name closest to the QNAME could be used as the
|
||||
NSEC owner name or next name, as appropriate. If an existing name is
|
||||
used as the NSEC owner name, that name's real NSEC record MUST be
|
||||
returned. Using the same example, assuming an exampldd.com
|
||||
delegation exists, this record might be returned from the parent:
|
||||
|
||||
exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
|
||||
|
||||
Like every authoritative record in the zone, each generated NSEC
|
||||
record MUST have corresponding RRSIGs generated using each algorithm
|
||||
(but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
|
||||
described in RFC4035 [3] section 2.2. To minimize the number of
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 5]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
signatures that must be generated, a zone may wish to limit the
|
||||
number of algorithms in its DNSKEY RRset.
|
||||
|
||||
3. Better Increment & Decrement Functions
|
||||
|
||||
Section 6.2 of RFC4034 defines a strict ordering of DNS names.
|
||||
Working backwards from that definition, it should be possible to
|
||||
define increment and decrement functions that generate the
|
||||
immediately following and preceding names, respectively. This
|
||||
document does not define such functions. Instead, this section
|
||||
presents functions that come reasonably close to the perfect ones.
|
||||
As described above, an authoritative server should still ensure than
|
||||
no generated NSEC covers any existing name.
|
||||
|
||||
To increment a name, add a leading label with a single null (zero-
|
||||
value) octet.
|
||||
|
||||
To decrement a name, decrement the last character of the leftmost
|
||||
label, then fill that label to a length of 63 octets with octets of
|
||||
value 255. To decrement a null (zero-value) octet, remove the octet
|
||||
-- if an empty label is left, remove the label. Defining this
|
||||
function numerically: fill the left-most label to its maximum length
|
||||
with zeros (numeric, not ASCII zeros) and subtract one.
|
||||
|
||||
In response to a query for the non-existent name foo.example.com,
|
||||
these functions produce NSEC records of:
|
||||
|
||||
fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
|
||||
|
||||
)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
|
||||
\255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
|
||||
|
||||
The first of these NSEC RRs proves that no exact match for
|
||||
foo.example.com exists, and the second proves that there is no
|
||||
wildcard in example.com.
|
||||
|
||||
Both of these functions are imperfect: they don't take into account
|
||||
constraints on number of labels in a name nor total length of a name.
|
||||
As noted in the previous section, though, this technique does not
|
||||
depend on the use of perfect increment or decrement functions: it is
|
||||
sufficient to test whether any instantiated names fall into the span
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 6]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
covered by the generated NSEC and, if so, substitute those
|
||||
instantiated owner names for the NSEC owner name or next name, as
|
||||
appropriate.
|
||||
|
||||
4. IANA Considerations
|
||||
|
||||
Per RFC4041, IANA should think carefully about the protection of
|
||||
their immortal souls.
|
||||
|
||||
5. Security Considerations
|
||||
|
||||
This approach requires on-demand generation of RRSIG records. This
|
||||
creates several new vulnerabilities.
|
||||
|
||||
First, on-demand signing requires that a zone's authoritative servers
|
||||
have access to its private keys. Storing private keys on well-known
|
||||
internet-accessible servers may make them more vulnerable to
|
||||
unintended disclosure.
|
||||
|
||||
Second, since generation of public key signatures tends to be
|
||||
computationally demanding, the requirement for on-demand signing
|
||||
makes authoritative servers vulnerable to a denial of service attack.
|
||||
|
||||
Lastly, if the increment and decrement functions are predictable, on-
|
||||
demand signing may enable a chosen-plaintext attack on a zone's
|
||||
private keys. Zones using this approach should attempt to use
|
||||
cryptographic algorithms that are resistant to chosen-plaintext
|
||||
attacks. It's worth noting that while DNSSEC has a "mandatory to
|
||||
implement" algorithm, that is a requirement on resolvers and
|
||||
validators -- there is no requirement that a zone be signed with any
|
||||
given algorithm.
|
||||
|
||||
The success of using minimally covering NSEC record to prevent zone
|
||||
walking depends greatly on the quality of the increment and decrement
|
||||
functions chosen. An increment function that chooses a name
|
||||
obviously derived from the next instantiated name may be easily
|
||||
reverse engineered, destroying the value of this technique. An
|
||||
increment function that always returns a name close to the next
|
||||
instantiated name is likewise a poor choice. Good choices of
|
||||
increment and decrement functions are the ones that produce the
|
||||
immediately following and preceding names, respectively, though zone
|
||||
administrators may wish to use less perfect functions that return
|
||||
more human-friendly names than the functions described in Section 3
|
||||
above.
|
||||
|
||||
Another obvious but misguided concern is the danger from synthesized
|
||||
NSEC records being replayed. It's possible for an attacker to replay
|
||||
an old but still validly signed NSEC record after a new name has been
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 7]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
added in the span covered by that NSEC, incorrectly proving that
|
||||
there is no record at that name. This danger exists with DNSSEC as
|
||||
defined in [-bis]. The techniques described here actually decrease
|
||||
the danger, since the span covered by any NSEC record is smaller than
|
||||
before. Choosing better increment and decrement functions will
|
||||
further reduce this danger.
|
||||
|
||||
6. Normative References
|
||||
|
||||
[1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
|
||||
"DNS Security Introduction and Requirements", RFC 4033,
|
||||
March 2005.
|
||||
|
||||
[2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
|
||||
"Resource Records for the DNS Security Extensions", RFC 4034,
|
||||
March 2005.
|
||||
|
||||
[3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
|
||||
"Protocol Modifications for the DNS Security Extensions",
|
||||
RFC 4035, March 2005.
|
||||
|
||||
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||||
Levels", BCP 14, RFC 2119, March 1997.
|
||||
|
||||
|
||||
Authors' Addresses
|
||||
|
||||
Samuel Weiler
|
||||
SPARTA, Inc
|
||||
7075 Samuel Morse Drive
|
||||
Columbia, Maryland 21046
|
||||
US
|
||||
|
||||
Email: weiler@tislabs.com
|
||||
|
||||
|
||||
Johan Ihren
|
||||
Autonomica AB
|
||||
Bellmansgatan 30
|
||||
Stockholm SE-118 47
|
||||
Sweden
|
||||
|
||||
Email: johani@autonomica.se
|
||||
|
||||
Appendix A. Acknowledgments
|
||||
|
||||
Many individuals contributed to this design. They include, in
|
||||
addition to the authors of this document, Olaf Kolkman, Ed Lewis,
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 8]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
|
||||
Jakob Schlyter, Bill Manning, and Joao Damas.
|
||||
|
||||
The key innovation of this document, namely that perfect increment
|
||||
and decrement functions are not necessary, arose during a discussion
|
||||
among the above-listed people at the RIPE49 meeting in September
|
||||
2004.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 9]
|
||||
|
||||
Internet-Draft NSEC Epsilon May 2005
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the procedures with respect to rights in RFC documents can be
|
||||
found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2005). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
Weiler & Ihren Expires November 13, 2005 [Page 10]
|
||||
|
@ -1,754 +0,0 @@
|
||||
|
||||
INTERNET-DRAFT Donald E. Eastlake 3rd
|
||||
Updates RFC 1034, 1035 Motorola Laboratories
|
||||
Expires January 2006 July 2005
|
||||
|
||||
|
||||
|
||||
Domain Name System (DNS) Case Insensitivity Clarification
|
||||
------ ---- ------ ----- ---- ------------- -------------
|
||||
<draft-ietf-dnsext-insensitive-06.txt>
|
||||
|
||||
Donald E. Eastlake 3rd
|
||||
|
||||
|
||||
|
||||
Status of This Document
|
||||
|
||||
By submitting this Internet-Draft, each author represents that any
|
||||
applicable patent or other IPR claims of which he or she is aware
|
||||
have been or will be disclosed, and any of which he or she becomes
|
||||
aware will be disclosed, in accordance with Section 6 of BCP 79.
|
||||
|
||||
Distribution of this document is unlimited. Comments should be sent
|
||||
to the DNSEXT working group at namedroppers@ops.ietf.org.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than a "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/1id-abstracts.html
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html
|
||||
|
||||
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2005). All Rights Reserved.
|
||||
|
||||
|
||||
|
||||
Abstract
|
||||
|
||||
Domain Name System (DNS) names are "case insensitive". This document
|
||||
explains exactly what that means and provides a clear specification
|
||||
of the rules. This clarification updates RFCs 1034 and 1035.
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 1]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Acknowledgements
|
||||
|
||||
The contributions to this document of Rob Austein, Olafur
|
||||
Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
|
||||
Andreas Gustafsson, Andrew Main, Thomas Narten, and Scott Seligman
|
||||
are gratefully acknowledged.
|
||||
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
Status of This Document....................................1
|
||||
Copyright Notice...........................................1
|
||||
Abstract...................................................1
|
||||
|
||||
Acknowledgements...........................................2
|
||||
Table of Contents..........................................2
|
||||
|
||||
1. Introduction............................................3
|
||||
2. Case Insensitivity of DNS Labels........................3
|
||||
2.1 Escaping Unusual DNS Label Octets......................3
|
||||
2.2 Example Labels with Escapes............................4
|
||||
3. Name Lookup, Label Types, and CLASS.....................4
|
||||
3.1 Original DNS Label Types...............................5
|
||||
3.2 Extended Label Type Case Insensitivity Considerations..5
|
||||
3.3 CLASS Case Insensitivity Considerations................5
|
||||
4. Case on Input and Output................................6
|
||||
4.1 DNS Output Case Preservation...........................6
|
||||
4.2 DNS Input Case Preservation............................6
|
||||
5. Internationalized Domain Names..........................7
|
||||
6. Security Considerations.................................8
|
||||
|
||||
Copyright and Disclaimer...................................9
|
||||
Normative References.......................................9
|
||||
Informative References....................................10
|
||||
|
||||
Changes Between Draft Version.............................11
|
||||
-02 to -03 Changes........................................11
|
||||
-03 to -04 Changes........................................11
|
||||
-04 to -05 Changes........................................11
|
||||
-05 to -06 Changes........................................12
|
||||
|
||||
Author's Address..........................................13
|
||||
Expiration and File Name..................................13
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 2]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
The Domain Name System (DNS) is the global hierarchical replicated
|
||||
distributed database system for Internet addressing, mail proxy, and
|
||||
other information. Each node in the DNS tree has a name consisting of
|
||||
zero or more labels [STD 13][RFC 1591, 2606] that are treated in a
|
||||
case insensitive fashion. This document clarifies the meaning of
|
||||
"case insensitive" for the DNS. This clarification updates RFCs 1034
|
||||
and 1035 [STD 13].
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||||
document are to be interpreted as described in [RFC 2119].
|
||||
|
||||
|
||||
|
||||
2. Case Insensitivity of DNS Labels
|
||||
|
||||
DNS was specified in the era of [ASCII]. DNS names were expected to
|
||||
look like most host names or Internet email address right halves (the
|
||||
part after the at-sign, "@") or be numeric as in the in-addr.arpa
|
||||
part of the DNS name space. For example,
|
||||
|
||||
foo.example.net.
|
||||
aol.com.
|
||||
www.gnu.ai.mit.edu.
|
||||
or 69.2.0.192.in-addr.arpa.
|
||||
|
||||
Case varied alternatives to the above would be DNS names like
|
||||
|
||||
Foo.ExamplE.net.
|
||||
AOL.COM.
|
||||
WWW.gnu.AI.mit.EDU.
|
||||
or 69.2.0.192.in-ADDR.ARPA.
|
||||
|
||||
However, the individual octets of which DNS names consist are not
|
||||
limited to valid ASCII character codes. They are 8-bit bytes and all
|
||||
values are allowed. Many applications, however, interpret them as
|
||||
ASCII characters.
|
||||
|
||||
|
||||
|
||||
2.1 Escaping Unusual DNS Label Octets
|
||||
|
||||
In Master Files [STD 13] and other human readable and writable ASCII
|
||||
contexts, an escape is needed for the byte value for period (0x2E,
|
||||
".") and all octet values outside of the inclusive range of 0x21
|
||||
("!") to 0x7E ("~"). That is to say, 0x2E and all octet values in
|
||||
the two inclusive ranges 0x00 to 0x20 and 0x7F to 0xFF.
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 3]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
One typographic convention for octets that do not correspond to an
|
||||
ASCII printing graphic is to use a back-slash followed by the value
|
||||
of the octet as an unsigned integer represented by exactly three
|
||||
decimal digits.
|
||||
|
||||
The same convention can be used for printing ASCII characters so that
|
||||
they will be treated as a normal label character. This includes the
|
||||
back-slash character used in this convention itself which can be
|
||||
expressed as \092 or \\ and the special label separator period (".")
|
||||
which can be expressed as and \046 or \. respectively. It is
|
||||
advisable to avoid using a backslash to quote an immediately
|
||||
following non-printing ASCII character code to avoid implementation
|
||||
difficulties.
|
||||
|
||||
A back-slash followed by only one or two decimal digits is undefined.
|
||||
A back-slash followed by four decimal digits produces two octets, the
|
||||
first octet having the value of the first three digits considered as
|
||||
a decimal number and the second octet being the character code for
|
||||
the fourth decimal digit.
|
||||
|
||||
|
||||
|
||||
2.2 Example Labels with Escapes
|
||||
|
||||
The first example below shows embedded spaces and a period (".")
|
||||
within a label. The second one show a 5-octet label where the second
|
||||
octet has all bits zero, the third is a backslash, and the fourth
|
||||
octet has all bits one.
|
||||
|
||||
Donald\032E\.\032Eastlake\0323rd.example.
|
||||
and a\000\\\255z.example.
|
||||
|
||||
|
||||
|
||||
3. Name Lookup, Label Types, and CLASS
|
||||
|
||||
The original DNS design decision was made that comparisons on name
|
||||
lookup for DNS queries should be case insensitive [STD 13]. That is
|
||||
to say, a lookup string octet with a value in the inclusive range of
|
||||
0x41 to 0x5A, the upper case ASCII letters, MUST match the identical
|
||||
value and also match the corresponding value in the inclusive range
|
||||
0x61 to 0x7A, the lower case ASCII letters. And a lookup string octet
|
||||
with a lower case ASCII letter value MUST similarly match the
|
||||
identical value and also match the corresponding value in the upper
|
||||
case ASCII letter range.
|
||||
|
||||
(Historical Note: the terms "upper case" and "lower case" were
|
||||
invented after movable type. The terms originally referred to the
|
||||
two font trays for storing, in partitioned areas, the different
|
||||
physical type elements. Before movable type, the nearest equivalent
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 4]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
terms were "majuscule" and "minuscule".)
|
||||
|
||||
One way to implement this rule would be, when comparing octets, to
|
||||
subtract 0x20 from all octets in the inclusive range 0x61 to 0x7A
|
||||
before the comparison. Such an operation is commonly known as "case
|
||||
folding" but implementation via case folding is not required. Note
|
||||
that the DNS case insensitivity does NOT correspond to the case
|
||||
folding specified in [iso-8859-1] or [iso-8859-2]. For example, the
|
||||
octets 0xDD (\221) and 0xFD (\253) do NOT match although in other
|
||||
contexts, where they are interpreted as the upper and lower case
|
||||
version of "Y" with an acute accent, they might.
|
||||
|
||||
|
||||
|
||||
3.1 Original DNS Label Types
|
||||
|
||||
DNS labels in wire-encoded names have a type associated with them.
|
||||
The original DNS standard [RFC 1035] had only two types. ASCII
|
||||
labels, with a length of from zero to 63 octets, and indirect (or
|
||||
compression) labels which consist of an offset pointer to a name
|
||||
location elsewhere in the wire encoding on a DNS message. (The ASCII
|
||||
label of length zero is reserved for use as the name of the root node
|
||||
of the name tree.) ASCII labels follow the ASCII case conventions
|
||||
described herein and, as stated above, can actually contain arbitrary
|
||||
byte values. Indirect labels are, in effect, replaced by the name to
|
||||
which they point which is then treated with the case insensitivity
|
||||
rules in this document.
|
||||
|
||||
|
||||
|
||||
3.2 Extended Label Type Case Insensitivity Considerations
|
||||
|
||||
DNS was extended by [RFC 2671] to have additional label type numbers
|
||||
available. (The only such type defined so far is the BINARY type [RFC
|
||||
2673] which is now Experimental [RFC 3363].)
|
||||
|
||||
The ASCII case insensitivity conventions only apply to ASCII labels,
|
||||
that is to say, label type 0x0, whether appearing directly or invoked
|
||||
by indirect labels.
|
||||
|
||||
|
||||
|
||||
3.3 CLASS Case Insensitivity Considerations
|
||||
|
||||
As described in [STD 13] and [RFC 2929], DNS has an additional axis
|
||||
for data location called CLASS. The only CLASS in global use at this
|
||||
time is the "IN" or Internet CLASS.
|
||||
|
||||
The handling of DNS label case is not CLASS dependent. With the
|
||||
original design of DNS, it was intended that a recursive DNS resolver
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 5]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
be able to handle new CLASSes that were unknown at the time of its
|
||||
implementation. This requires uniform handling of label case
|
||||
insensitivity. Should it become desireable, for example, to allocate
|
||||
a CLASS with "case sensitive ASCII labels" for example, it would be
|
||||
necessary to allocate a new label type for these labels.
|
||||
|
||||
|
||||
|
||||
4. Case on Input and Output
|
||||
|
||||
While ASCII label comparisons are case insensitive, [STD 13] says
|
||||
case MUST be preserved on output, and preserved when convenient on
|
||||
input. However, this means less than it would appear since the
|
||||
preservation of case on output is NOT required when output is
|
||||
optimized by the use of indirect labels, as explained below.
|
||||
|
||||
|
||||
|
||||
4.1 DNS Output Case Preservation
|
||||
|
||||
[STD 13] views the DNS namespace as a node tree. ASCII output is as
|
||||
if a name was marshaled by taking the label on the node whose name is
|
||||
to be output, converting it to a typographically encoded ASCII
|
||||
string, walking up the tree outputting each label encountered, and
|
||||
preceding all labels but the first with a period ("."). Wire output
|
||||
follows the same sequence but each label is wire encoded and no
|
||||
periods inserted. No "case conversion" or "case folding" is done
|
||||
during such output operations, thus "preserving" case. However, to
|
||||
optimize output, indirect labels may be used to point to names
|
||||
elsewhere in the DNS answer. In determining whether the name to be
|
||||
pointed to, for example the QNAME, is the "same" as the remainder of
|
||||
the name being optimized, the case insensitive comparison specified
|
||||
above is done. Thus such optimization may easily destroy the output
|
||||
preservation of case. This type of optimization is commonly called
|
||||
"name compression".
|
||||
|
||||
|
||||
|
||||
4.2 DNS Input Case Preservation
|
||||
|
||||
Originally, DNS data came from an ASCII Master File as defined in
|
||||
[STD 13] or a zone transfer. DNS Dynamic update and incremental zone
|
||||
transfers [RFC 1995] have been added as a source of DNS data [RFC
|
||||
2136, 3007]. When a node in the DNS name tree is created by any of
|
||||
such inputs, no case conversion is done. Thus the case of ASCII
|
||||
labels is preserved if they are for nodes being created. However,
|
||||
when a name label is input for a node that already exist in DNS data
|
||||
being held, the situation is more complex. Implementations are free
|
||||
to retain the case first loaded for such a label or allow new input
|
||||
to override the old case or even maintain separate copies preserving
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 6]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
the input case.
|
||||
|
||||
For example, if data with owner name "foo.bar.example" is loaded and
|
||||
then later data with owner name "xyz.BAR.example" is input, the name
|
||||
of the label on the "bar.example" node, i.e. "bar", might or might
|
||||
not be changed to "BAR" in the DNS stored data or the actual input
|
||||
case could be preserved. Thus later retrieval of data stored under
|
||||
"xyz.bar.example" in this case can return all data with
|
||||
"xyz.BAR.example" or all data with "xyz.bar.example" or even, when
|
||||
more than one RR is being returned, a mixture of these two cases.
|
||||
This last case is unlikely because optimization of answer length
|
||||
through indirect labels tends to cause only copy of the name tail
|
||||
("bar.example" or "BAR.example") to be used for all returned RRs.
|
||||
Note that none of this has any effect on the number of completeness
|
||||
of the RR set returned, only on the case of the names in the RR set
|
||||
returned.
|
||||
|
||||
The same considerations apply when inputting multiple data records
|
||||
with owner names differing only in case. For example, if an "A"
|
||||
record is the first resourced record stored under owner name
|
||||
"xyz.BAR.example" and then a second "A" record is stored under
|
||||
"XYZ.BAR.example", the second MAY be stored with the first (lower
|
||||
case initial label) name or the second MAY override the first so that
|
||||
only an upper case initial label is retained or both capitalizations
|
||||
MAY be kept in the DNS stored data. In any case, a retrieval with
|
||||
either capitalization will retrieve all RRs with either
|
||||
capitalization.
|
||||
|
||||
Note that the order of insertion into a server database of the DNS
|
||||
name tree nodes that appear in a Master File is not defined so that
|
||||
the results of inconsistent capitalization in a Master File are
|
||||
unpredictable output capitalization.
|
||||
|
||||
|
||||
|
||||
5. Internationalized Domain Names
|
||||
|
||||
A scheme has been adopted for "internationalized domain names" and
|
||||
"internationalized labels" as described in [RFC 3490, 3454, 3491, and
|
||||
3492]. It makes most of [UNICODE] available through a separate
|
||||
application level transformation from internationalized domain name
|
||||
to DNS domain name and from DNS domain name to internationalized
|
||||
domain name. Any case insensitivity that internationalized domain
|
||||
names and labels have varies depending on the script and is handled
|
||||
entirely as part of the transformation described in [RFC 3454] and
|
||||
[RFC 3491] which should be seen for further details. This is not a
|
||||
part of the DNS as standardized in STD 13.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 7]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
The equivalence of certain DNS label types with case differences, as
|
||||
clarified in this document, can lead to security problems. For
|
||||
example, a user could be confused by believing two domain names
|
||||
differing only in case were actually different names.
|
||||
|
||||
Furthermore, a domain name may be used in contexts other than the
|
||||
DNS. It could be used as a case sensitive index into some data base
|
||||
or file system. Or it could be interpreted as binary data by some
|
||||
integrity or authentication code system. These problems can usually
|
||||
be handled by using a standardized or "canonical" form of the DNS
|
||||
ASCII type labels, that is, always mapping the ASCII letter value
|
||||
octets in ASCII labels to some specific pre-chosen case, either upper
|
||||
case or lower case. An example of a canonical form for domain names
|
||||
(and also a canonical ordering for them) appears in Section 6 of [RFC
|
||||
4034]. See also [RFC 3597].
|
||||
|
||||
Finally, a non-DNS name may be stored into DNS with the false
|
||||
expectation that case will always be preserved. For example, although
|
||||
this would be quite rare, on a system with case sensitive email
|
||||
address local parts, an attempt to store two "RP" records that
|
||||
differed only in case would probably produce unexpected results that
|
||||
might have security implications. That is because the entire email
|
||||
address, including the possibly case sensitive local or left hand
|
||||
part, is encoded into a DNS name in a readable fashion where the case
|
||||
of some letters might be changed on output as described above.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 8]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Copyright and Disclaimer
|
||||
|
||||
Copyright (C) The Internet Society (2005). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
|
||||
Normative References
|
||||
|
||||
[ASCII] - ANSI, "USA Standard Code for Information Interchange",
|
||||
X3.4, American National Standards Institute: New York, 1968.
|
||||
|
||||
[RFC 1034, 1035] - See [STD 13].
|
||||
|
||||
[RFC 1995] - M. Ohta, "Incremental Zone Transfer in DNS", August
|
||||
1996.
|
||||
|
||||
[RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
|
||||
Requirement Levels", March 1997.
|
||||
|
||||
[RFC 2136] - P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
|
||||
"Dynamic Updates in the Domain Name System (DNS UPDATE)", April 1997.
|
||||
|
||||
[RFC 3007] - B. Wellington, "Secure Domain Name System (DNS) Dynamic
|
||||
Update", November 2000.
|
||||
|
||||
[RFC 3597] - Andreas Gustafsson, "Handling of Unknown DNS RR Types",
|
||||
draft-ietf-dnsext-unknown-rrs-05.txt, March 2003.
|
||||
|
||||
[RFC 4034} - Arends, R., Austein, R., Larson, M., Massey, D., and S.
|
||||
Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
|
||||
March 2005.
|
||||
|
||||
[STD 13]
|
||||
- P. Mockapetris, "Domain names - concepts and facilities", RFC
|
||||
1034, November 1987.
|
||||
- P. Mockapetris, "Domain names - implementation and
|
||||
specification", RFC 1035, November 1987.
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 9]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Informative References
|
||||
|
||||
[ISO 8859-1] - International Standards Organization, Standard for
|
||||
Character Encodings, Latin-1.
|
||||
|
||||
[ISO 8859-2] - International Standards Organization, Standard for
|
||||
Character Encodings, Latin-2.
|
||||
|
||||
[RFC 1591] - J. Postel, "Domain Name System Structure and
|
||||
Delegation", March 1994.
|
||||
|
||||
[RFC 2606] - D. Eastlake, A. Panitz, "Reserved Top Level DNS Names",
|
||||
June 1999.
|
||||
|
||||
[RFC 2929] - D. Eastlake, E. Brunner-Williams, B. Manning, "Domain
|
||||
Name System (DNS) IANA Considerations", September 2000.
|
||||
|
||||
[RFC 2671] - P. Vixie, "Extension mechanisms for DNS (EDNS0)", August
|
||||
1999.
|
||||
|
||||
[RFC 2673] - M. Crawford, "Binary Labels in the Domain Name System",
|
||||
August 1999.
|
||||
|
||||
[RFC 3092] - D. Eastlake 3rd, C. Manros, E. Raymond, "Etymology of
|
||||
Foo", 1 April 2001.
|
||||
|
||||
[RFC 3363] - Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
|
||||
Hain, "Representing Internet Protocol version 6 (IPv6) Addresses in
|
||||
the Domain Name System (DNS)", RFC 3363, August 2002.
|
||||
|
||||
[RFC 3454] - P. Hoffman, M. Blanchet, "Preparation of
|
||||
Internationalized String ("stringprep")", December 2002.
|
||||
|
||||
[RFC 3490] - P. Faltstrom, P. Hoffman, A. Costello,
|
||||
"Internationalizing Domain Names in Applications (IDNA)", March 2003.
|
||||
|
||||
[RFC 3491] - P. Hoffman, M. Blanchet, "Nameprep: A Stringprep Profile
|
||||
for Internationalized Domain Names (IDN)", March 2003.
|
||||
|
||||
[RFC 3492] - A. Costello, "Punycode: A Bootstring encoding of Unicode
|
||||
for Internationalized Domain Names in Applications (IDNA)", March
|
||||
2003.
|
||||
|
||||
[UNICODE] - The Unicode Consortium, "The Unicode Standard",
|
||||
<http://www.unicode.org/unicode/standard/standard.html>.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 10]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Changes Between Draft Version
|
||||
|
||||
RFC Editor: The following summaries of changes between draft versions
|
||||
are to be removed before publication.
|
||||
|
||||
|
||||
|
||||
-02 to -03 Changes
|
||||
|
||||
The following changes were made between draft version -02 and -03:
|
||||
|
||||
1. Add internationalized domain name section and references.
|
||||
|
||||
2. Change to indicate that later input of a label for an existing DNS
|
||||
name tree node may or may not be normalized to the earlier input or
|
||||
override it or both may be preserved.
|
||||
|
||||
3. Numerous minor wording changes.
|
||||
|
||||
|
||||
|
||||
-03 to -04 Changes
|
||||
|
||||
The following changes were made between draft versions -03 and -04:
|
||||
|
||||
1. Change to conform to the new IPR, Copyright, etc., notice
|
||||
requirements.
|
||||
|
||||
2. Change in some section headers for clarity.
|
||||
|
||||
3. Drop section on wildcards.
|
||||
|
||||
4. Add emphasis on loss of case preservation due to name compression.
|
||||
|
||||
5. Add references to RFCs 1995 and 3092.
|
||||
|
||||
|
||||
|
||||
-04 to -05 Changes
|
||||
|
||||
The following changes were made between draft versions -04 and -05:
|
||||
|
||||
1. More clearly state that this draft updates RFCs 1034, 1035 [STD
|
||||
13].
|
||||
|
||||
2. Add informative references to ISO 8859-1 and ISO 8859-2.
|
||||
|
||||
3. Fix hyphenation and capitalization nits.
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 11]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
-05 to -06 Changes
|
||||
|
||||
The following changes were made between draft version -05 and -06.
|
||||
|
||||
1. Add notation to the RFC Editor that the draft version change
|
||||
summaries are to be removed before RFC publication.
|
||||
|
||||
2. Additional text explaining why labe case insensitivity is CLASS
|
||||
independent.
|
||||
|
||||
3. Changes and additional text clarifying that the fact that
|
||||
inconsistent case in data loaded into DNS may result in
|
||||
unpredicatable or inconsistent case in DNS storage but has no effect
|
||||
on the completeness of RR sets retrieved.
|
||||
|
||||
4. Add reference to [RFC 3363] and update reference to [RFC 2535] to
|
||||
be to [RFC 4034].
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 12]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Author's Address
|
||||
|
||||
Donald E. Eastlake 3rd
|
||||
Motorola Laboratories
|
||||
155 Beaver Street
|
||||
Milford, MA 01757 USA
|
||||
|
||||
Telephone: +1 508-786-7554 (w)
|
||||
|
||||
EMail: Donald.Eastlake@motorola.com
|
||||
|
||||
|
||||
|
||||
Expiration and File Name
|
||||
|
||||
This draft expires January 2006.
|
||||
|
||||
Its file name is draft-ietf-dnsext-insensitive-06.txt.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 13]
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,730 +0,0 @@
|
||||
|
||||
|
||||
|
||||
|
||||
Network Working Group M. StJohns
|
||||
Internet-Draft Nominum, Inc.
|
||||
Expires: February 16, 2006 August 15, 2005
|
||||
|
||||
|
||||
Automated Updates of DNSSEC Trust Anchors
|
||||
draft-ietf-dnsext-trustupdate-timers-01
|
||||
|
||||
Status of this Memo
|
||||
|
||||
By submitting this Internet-Draft, each author represents that any
|
||||
applicable patent or other IPR claims of which he or she is aware
|
||||
have been or will be disclosed, and any of which he or she becomes
|
||||
aware will be disclosed, in accordance with Section 6 of BCP 79.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on February 16, 2006.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2005).
|
||||
|
||||
Abstract
|
||||
|
||||
This document describes a means for automated, authenticated and
|
||||
authorized updating of DNSSEC "trust anchors". The method provides
|
||||
protection against single key compromise of a key in the trust point
|
||||
key set. Based on the trust established by the presence of a current
|
||||
anchor, other anchors may be added at the same place in the
|
||||
hierarchy, and, ultimately, supplant the existing anchor.
|
||||
|
||||
This mechanism, if adopted, will require changes to resolver
|
||||
management behavior (but not resolver resolution behavior), and the
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 1]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
addition of a single flag bit to the DNSKEY record.
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
1.1 Compliance Nomenclature . . . . . . . . . . . . . . . . . 3
|
||||
1.2 Changes since -00 . . . . . . . . . . . . . . . . . . . . 3
|
||||
2. Theory of Operation . . . . . . . . . . . . . . . . . . . . . 4
|
||||
2.1 Revocation . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
2.2 Add Hold-Down . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
2.3 Remove Hold-down . . . . . . . . . . . . . . . . . . . . . 5
|
||||
2.4 Active Refresh . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
2.5 Resolver Parameters . . . . . . . . . . . . . . . . . . . 6
|
||||
2.5.1 Add Hold-Down Time . . . . . . . . . . . . . . . . . . 6
|
||||
2.5.2 Remove Hold-Down Time . . . . . . . . . . . . . . . . 6
|
||||
2.5.3 Minimum Trust Anchors per Trust Point . . . . . . . . 6
|
||||
3. Changes to DNSKEY RDATA Wire Format . . . . . . . . . . . . . 6
|
||||
4. State Table . . . . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
4.1 Events . . . . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||
4.2 States . . . . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||
5. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 8
|
||||
5.1 Adding A Trust Anchor . . . . . . . . . . . . . . . . . . 8
|
||||
5.2 Deleting a Trust Anchor . . . . . . . . . . . . . . . . . 9
|
||||
5.3 Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 9
|
||||
5.4 Active Key Compromised . . . . . . . . . . . . . . . . . . 9
|
||||
5.5 Stand-by Key Compromised . . . . . . . . . . . . . . . . . 9
|
||||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
|
||||
6.1 Key Ownership vs Acceptance Policy . . . . . . . . . . . . 10
|
||||
6.2 Multiple Key Compromise . . . . . . . . . . . . . . . . . 10
|
||||
6.3 Dynamic Updates . . . . . . . . . . . . . . . . . . . . . 10
|
||||
7. Normative References . . . . . . . . . . . . . . . . . . . . . 10
|
||||
Editorial Comments . . . . . . . . . . . . . . . . . . . . . . 11
|
||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 11
|
||||
Intellectual Property and Copyright Statements . . . . . . . . 12
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 2]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
As part of the reality of fielding DNSSEC (Domain Name System
|
||||
Security Extensions) [RFC2535] [RFC4033][RFC4034][RFC4035], the
|
||||
community has come to the realization that there will not be one
|
||||
signed name space, but rather islands of signed name space each
|
||||
originating from specific points (i.e. 'trust points') in the DNS
|
||||
tree. Each of those islands will be identified by the trust point
|
||||
name, and validated by at least one associated public key. For the
|
||||
purpose of this document we'll call the association of that name and
|
||||
a particular key a 'trust anchor'. A particular trust point can have
|
||||
more than one key designated as a trust anchor.
|
||||
|
||||
For a DNSSEC-aware resolver to validate information in a DNSSEC
|
||||
protected branch of the hierarchy, it must have knowledge of a trust
|
||||
anchor applicable to that branch. It may also have more than one
|
||||
trust anchor for any given trust point. Under current rules, a chain
|
||||
of trust for DNSSEC-protected data that chains its way back to ANY
|
||||
known trust anchor is considered 'secure'.
|
||||
|
||||
Because of the probable balkanization of the DNSSEC tree due to
|
||||
signing voids at key locations, a resolver may need to know literally
|
||||
thousands of trust anchors to perform its duties. (e.g. Consider an
|
||||
unsigned ".COM".) Requiring the owner of the resolver to manually
|
||||
manage this many relationships is problematic. It's even more
|
||||
problematic when considering the eventual requirement for key
|
||||
replacement/update for a given trust anchor. The mechanism described
|
||||
herein won't help with the initial configuration of the trust anchors
|
||||
in the resolvers, but should make trust point key replacement/
|
||||
rollover more viable.
|
||||
|
||||
As mentioned above, this document describes a mechanism whereby a
|
||||
resolver can update the trust anchors for a given trust point, mainly
|
||||
without human intervention at the resolver. There are some corner
|
||||
cases discussed (e.g. multiple key compromise) that may require
|
||||
manual intervention, but they should be few and far between. This
|
||||
document DOES NOT discuss the general problem of the initial
|
||||
configuration of trust anchors for the resolver.
|
||||
|
||||
1.1 Compliance Nomenclature
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||||
document are to be interpreted as described in BCP 14, [RFC2119].
|
||||
|
||||
1.2 Changes since -00
|
||||
|
||||
Added the concept of timer triggered resolver queries to refresh the
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 3]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
resolvers view of the trust anchor key RRSet.
|
||||
|
||||
Re-submitted expired draft as -01. Updated DNSSEC RFC References.
|
||||
|
||||
2. Theory of Operation
|
||||
|
||||
The general concept of this mechanism is that existing trust anchors
|
||||
can be used to authenticate new trust anchors at the same point in
|
||||
the DNS hierarchy. When a new SEP key is added to a trust point
|
||||
DNSKEY RRSet, and when that RRSet is validated by an existing trust
|
||||
anchor, then the new key can be added to the set of trust anchors.
|
||||
|
||||
There are some issues with this approach which need to be mitigated.
|
||||
For example, a compromise of one of the existing keys could allow an
|
||||
attacker to add their own 'valid' data. This implies a need for a
|
||||
method to revoke an existing key regardless of whether or not that
|
||||
key is compromised. As another example assuming a single key
|
||||
compromise, an attacker could add a new key and revoke all the other
|
||||
old keys.
|
||||
|
||||
2.1 Revocation
|
||||
|
||||
Assume two trust anchor keys A and B. Assume that B has been
|
||||
compromised. Without a specific revocation bit, B could invalidate A
|
||||
simply by sending out a signed trust point key set which didn't
|
||||
contain A. To fix this, we add a mechanism which requires knowledge
|
||||
of the private key of a DNSKEY to revoke that DNSKEY.
|
||||
|
||||
A key is considered revoked when the resolver sees the key in a self-
|
||||
signed RRSet and the key has the REVOKE bit set to '1'. Once the
|
||||
resolver sees the REVOKE bit, it MUST NOT use this key as a trust
|
||||
anchor or for any other purposes except validating the RRSIG over the
|
||||
DNSKEY RRSet specifically for the purpose of validating the
|
||||
revocation. Unlike the 'Add' operation below, revocation is
|
||||
immediate and permanent upon receipt of a valid revocation at the
|
||||
resolver.
|
||||
|
||||
N.B. A DNSKEY with the REVOKE bit set has a different fingerprint
|
||||
than one without the bit set. This affects the matching of a DNSKEY
|
||||
to DS records in the parent, or the fingerprint stored at a resolver
|
||||
used to configure a trust point. [msj3]
|
||||
|
||||
In the given example, the attacker could revoke B because it has
|
||||
knowledge of B's private key, but could not revoke A.
|
||||
|
||||
2.2 Add Hold-Down
|
||||
|
||||
Assume two trust point keys A and B. Assume that B has been
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 4]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
compromised. An attacker could generate and add a new trust anchor
|
||||
key - C (by adding C to the DNSKEY RRSet and signing it with B), and
|
||||
then invalidate the compromised key. This would result in the both
|
||||
the attacker and owner being able to sign data in the zone and have
|
||||
it accepted as valid by resolvers.
|
||||
|
||||
To mitigate, but not completely solve, this problem, we add a hold-
|
||||
down time to the addition of the trust anchor. When the resolver
|
||||
sees a new SEP key in a validated trust point DNSKEY RRSet, the
|
||||
resolver starts an acceptance timer, and remembers all the keys that
|
||||
validated the RRSet. If the resolver ever sees the DNSKEY RRSet
|
||||
without the new key but validly signed, it stops the acceptance
|
||||
process and resets the acceptance timer. If all of the keys which
|
||||
were originally used to validate this key are revoked prior to the
|
||||
timer expiring, the resolver stops the acceptance process and resets
|
||||
the timer.
|
||||
|
||||
Once the timer expires, the new key will be added as a trust anchor
|
||||
the next time the validated RRSet with the new key is seen at the
|
||||
resolver. The resolver MUST NOT treat the new key as a trust anchor
|
||||
until the hold down time expires AND it has retrieved and validated a
|
||||
DNSKEY RRSet after the hold down time which contains the new key.
|
||||
|
||||
N.B.: Once the resolver has accepted a key as a trust anchor, the key
|
||||
MUST be considered a valid trust anchor by that resolver until
|
||||
explictly revoked as described above.
|
||||
|
||||
In the given example, the zone owner can recover from a compromise by
|
||||
revoking B and adding a new key D and signing the DNSKEY RRSet with
|
||||
both A and B.
|
||||
|
||||
The reason this does not completely solve the problem has to do with
|
||||
the distributed nature of DNS. The resolver only knows what it sees.
|
||||
A determined attacker who holds one compromised key could keep a
|
||||
single resolver from realizing that key had been compromised by
|
||||
intercepting 'real' data from the originating zone and substituting
|
||||
their own (e.g. using the example, signed only by B). This is no
|
||||
worse than the current situation assuming a compromised key.
|
||||
|
||||
2.3 Remove Hold-down
|
||||
|
||||
A new key which has been seen by the resolver, but hasn't reached
|
||||
it's add hold-down time, MAY be removed from the DNSKEY RRSet by the
|
||||
zone owner. If the resolver sees a validated DNSKEY RRSet without
|
||||
this key, it waits for the remove hold-down time and then, if the key
|
||||
hasn't reappeared, SHOULD discard any information about the key.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 5]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
2.4 Active Refresh
|
||||
|
||||
A resolver which has been configured for automatic update of keys
|
||||
from a particular trust point MUST query that trust point (e.g. do a
|
||||
lookup for the DNSKEY RRSet and related RRSIG records) no less often
|
||||
than the lesser of 15 days or half the original TTL for the DNSKEY
|
||||
RRSet or half the RRSIG expiration interval. The expiration interval
|
||||
is the amount of time from when the RRSIG was last retrieved until
|
||||
the expiration time in the RRSIG.
|
||||
|
||||
If the query fails, the resolver MUST repeat the query until
|
||||
satisfied no more often than once an hour and no less often than the
|
||||
lesser of 1 day or 10% of the original TTL or 10% of the original
|
||||
expiration interval.
|
||||
|
||||
2.5 Resolver Parameters
|
||||
|
||||
2.5.1 Add Hold-Down Time
|
||||
|
||||
The add hold-down time is 30 days or the expiration time of the TTL
|
||||
of the first trust point DNSKEY RRSet which contained the key,
|
||||
whichever is greater. This ensures that at least two validated
|
||||
DNSKEY RRSets which contain the new key MUST be seen by the resolver
|
||||
prior to the key's acceptance.
|
||||
|
||||
2.5.2 Remove Hold-Down Time
|
||||
|
||||
The remove hold-down time is 30 days.
|
||||
|
||||
2.5.3 Minimum Trust Anchors per Trust Point
|
||||
|
||||
A compliant resolver MUST be able to manage at least five SEP keys
|
||||
per trust point.
|
||||
|
||||
3. Changes to DNSKEY RDATA Wire Format
|
||||
|
||||
Bit n [msj2] of the DNSKEY Flags field is designated as the 'REVOKE'
|
||||
flag. If this bit is set to '1', AND the resolver sees an
|
||||
RRSIG(DNSKEY) signed by the associated key, then the resolver MUST
|
||||
consider this key permanently invalid for all purposes except for
|
||||
validing the revocation.
|
||||
|
||||
4. State Table
|
||||
|
||||
The most important thing to understand is the resolver's view of any
|
||||
key at a trust point. The following state table describes that view
|
||||
at various points in the key's lifetime. The table is a normative
|
||||
part of this specification. The initial state of the key is 'Start'.
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 6]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
The resolver's view of the state of the key changes as various events
|
||||
occur.
|
||||
|
||||
[msj1] This is the state of a trust point key as seen from the
|
||||
resolver. The column on the left indicates the current state. The
|
||||
header at the top shows the next state. The intersection of the two
|
||||
shows the event that will cause the state to transition from the
|
||||
current state to the next.
|
||||
|
||||
NEXT STATE
|
||||
--------------------------------------------------
|
||||
FROM |Start |AddPend |Valid |Missing|Revoked|Removed|
|
||||
----------------------------------------------------------
|
||||
Start | |NewKey | | | | |
|
||||
----------------------------------------------------------
|
||||
AddPend |KeyRem | |AddTime| | |
|
||||
----------------------------------------------------------
|
||||
Valid | | | |KeyRem |Revbit | |
|
||||
----------------------------------------------------------
|
||||
Missing | | |KeyPres| |Revbit | |
|
||||
----------------------------------------------------------
|
||||
Revoked | | | | | |RemTime|
|
||||
----------------------------------------------------------
|
||||
Removed | | | | | | |
|
||||
----------------------------------------------------------
|
||||
|
||||
|
||||
4.1 Events
|
||||
NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
|
||||
That key will become a new trust anchor for the named trust point
|
||||
after its been present in the RRSet for at least 'add time'.
|
||||
KeyPres The key has returned to the valid DNSKEY RRSet.
|
||||
KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
|
||||
this key.
|
||||
AddTime The key has been in every valid DNSKEY RRSet seen for at
|
||||
least the 'add time'.
|
||||
RemTime A revoked key has been missing from the trust point DNSKEY
|
||||
RRSet for sufficient time to be removed from the trust set.
|
||||
RevBit The key has appeared in the trust anchor DNSKEY RRSet with its
|
||||
"REVOKED" bit set, and there is an RRSig over the DNSKEY RRSet
|
||||
signed by this key.
|
||||
|
||||
4.2 States
|
||||
Start The key doesn't yet exist as a trust anchor at the resolver.
|
||||
It may or may not exist at the zone server, but hasn't yet been
|
||||
seen at the resolver.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 7]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
AddPend The key has been seen at the resolver, has its 'SEP' bit set,
|
||||
and has been included in a validated DNSKEY RRSet. There is a
|
||||
hold-down time for the key before it can be used as a trust
|
||||
anchor.
|
||||
Valid The key has been seen at the resolver and has been included in
|
||||
all validated DNSKEY RRSets from the time it was first seen up
|
||||
through the hold-down time. It is now valid for verifying RRSets
|
||||
that arrive after the hold down time. Clarification: The DNSKEY
|
||||
RRSet does not need to be continuously present at the resolver
|
||||
(e.g. its TTL might expire). If the RRSet is seen, and is
|
||||
validated (i.e. verifies against an existing trust anchor), this
|
||||
key MUST be in the RRSet otherwise a 'KeyRem' event is triggered.
|
||||
Missing This is an abnormal state. The key remains as a valid trust
|
||||
point key, but was not seen at the resolver in the last validated
|
||||
DNSKEY RRSet. This is an abnormal state because the zone operator
|
||||
should be using the REVOKE bit prior to removal. [Discussion
|
||||
item: Should a missing key be considered revoked after some
|
||||
period of time?]
|
||||
Revoked This is the state a key moves to once the resolver sees an
|
||||
RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet contains
|
||||
this key with its REVOKE bit set to '1'. Once in this state, this
|
||||
key MUST permanently be considered invalid as a trust anchor.
|
||||
Removed After a fairly long hold-down time, information about this
|
||||
key may be purged from the resolver. A key in the removed state
|
||||
MUST NOT be considered a valid trust anchor.
|
||||
|
||||
5. Scenarios
|
||||
|
||||
The suggested model for operation is to have one active key and one
|
||||
stand-by key at each trust point. The active key will be used to
|
||||
sign the DNSKEY RRSet. The stand-by key will not normally sign this
|
||||
RRSet, but the resolver will accept it as a trust anchor if/when it
|
||||
sees the signature on the trust point DNSKEY RRSet.
|
||||
|
||||
Since the stand-by key is not in active signing use, the associated
|
||||
private key may (and SHOULD) be provided with additional protections
|
||||
not normally available to a key that must be used frequently. E.g.
|
||||
locked in a safe, split among many parties, etc. Notionally, the
|
||||
stand-by key should be less subject to compromise than an active key,
|
||||
but that will be dependent on operational concerns not addressed
|
||||
here.
|
||||
|
||||
5.1 Adding A Trust Anchor
|
||||
|
||||
Assume an existing trust anchor key 'A'.
|
||||
1. Generate a new key pair.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 8]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
2. Create a DNSKEY record from the key pair and set the SEP and Zone
|
||||
Key bits.
|
||||
3. Add the DNSKEY to the RRSet.
|
||||
4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
|
||||
'A'.
|
||||
5. Wait a while.
|
||||
|
||||
5.2 Deleting a Trust Anchor
|
||||
|
||||
Assume existing trust anchors 'A' and 'B' and that you want to revoke
|
||||
and delete 'A'.
|
||||
1. Set the revolcation bit on key 'A'.
|
||||
2. Sign the DNSKEY RRSet with both 'A' and 'B'.
|
||||
'A' is now revoked. The operator SHOULD include the revoked 'A' in
|
||||
the RRSet for at least the remove hold-down time, but then may remove
|
||||
it from the DNSKEY RRSet.
|
||||
|
||||
5.3 Key Roll-Over
|
||||
|
||||
Assume existing keys A and B. 'A' is actively in use (i.e. has been
|
||||
signing the DNSKEY RRSet.) 'B' was the stand-by key. (i.e. has been
|
||||
in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
|
||||
used to sign the RRSet.)
|
||||
1. Generate a new key pair 'C'.
|
||||
2. Add 'C' to the DNSKEY RRSet.
|
||||
3. Set the revocation bit on key 'A'.
|
||||
4. Sign the RRSet with 'A' and 'B'.
|
||||
'A' is now revoked, 'B' is now the active key, and 'C' will be the
|
||||
stand-by key once the hold-down expires. The operator SHOULD include
|
||||
the revoked 'A' in the RRSet for at least the remove hold-down time,
|
||||
but may then remove it from the DNSKEY RRSet.
|
||||
|
||||
5.4 Active Key Compromised
|
||||
|
||||
This is the same as the mechanism for Key Roll-Over (Section 5.3)
|
||||
above assuming 'A' is the active key.
|
||||
|
||||
5.5 Stand-by Key Compromised
|
||||
|
||||
Using the same assumptions and naming conventions as Key Roll-Over
|
||||
(Section 5.3) above:
|
||||
1. Generate a new key pair 'C'.
|
||||
2. Add 'C' to the DNSKEY RRSet.
|
||||
3. Set the revocation bit on key 'B'.
|
||||
4. Sign the RRSet with 'A' and 'B'.
|
||||
'B' is now revoked, 'A' remains the active key, and 'C' will be the
|
||||
stand-by key once the hold-down expires. 'B' SHOULD continue to be
|
||||
included in the RRSet for the remove hold-down time.
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 9]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
6.1 Key Ownership vs Acceptance Policy
|
||||
|
||||
The reader should note that, while the zone owner is responsible
|
||||
creating and distributing keys, it's wholly the decision of the
|
||||
resolver owner as to whether to accept such keys for the
|
||||
authentication of the zone information. This implies the decision
|
||||
update trust anchor keys based on trust for a current trust anchor
|
||||
key is also the resolver owner's decision.
|
||||
|
||||
The resolver owner (and resolver implementers) MAY choose to permit
|
||||
or prevent key status updates based on this mechanism for specific
|
||||
trust points. If they choose to prevent the automated updates, they
|
||||
will need to establish a mechanism for manual or other out-of-band
|
||||
updates outside the scope of this document.
|
||||
|
||||
6.2 Multiple Key Compromise
|
||||
|
||||
This scheme permits recovery as long as at least one valid trust
|
||||
anchor key remains uncompromised. E.g. if there are three keys, you
|
||||
can recover if two of them are compromised. The zone owner should
|
||||
determine their own level of comfort with respect to the number of
|
||||
active valid trust anchors in a zone and should be prepared to
|
||||
implement recovery procedures once they detect a compromise. A
|
||||
manual or other out-of-band update of all resolvers will be required
|
||||
if all trust anchor keys at a trust point are compromised.
|
||||
|
||||
6.3 Dynamic Updates
|
||||
|
||||
Allowing a resolver to update its trust anchor set based in-band key
|
||||
information is potentially less secure than a manual process.
|
||||
However, given the nature of the DNS, the number of resolvers that
|
||||
would require update if a trust anchor key were compromised, and the
|
||||
lack of a standard management framework for DNS, this approach is no
|
||||
worse than the existing situation.
|
||||
|
||||
7. Normative References
|
||||
|
||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||||
|
||||
[RFC2535] Eastlake, D., "Domain Name System Security Extensions",
|
||||
RFC 2535, March 1999.
|
||||
|
||||
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
|
||||
Rose, "DNS Security Introduction and Requirements",
|
||||
RFC 4033, March 2005.
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 10]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
|
||||
Rose, "Resource Records for the DNS Security Extensions",
|
||||
RFC 4034, March 2005.
|
||||
|
||||
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
|
||||
Rose, "Protocol Modifications for the DNS Security
|
||||
Extensions", RFC 4035, March 2005.
|
||||
|
||||
Editorial Comments
|
||||
|
||||
[msj1] msj: N.B. This table is preliminary and will be revised to
|
||||
match implementation experience. For example, should there
|
||||
be a state for "Add hold-down expired, but haven't seen the
|
||||
new RRSet"?
|
||||
|
||||
[msj2] msj: To be assigned.
|
||||
|
||||
[msj3] msj: For discussion: What's the implementation guidance for
|
||||
resolvers currently with respect to the non-assigned flag
|
||||
bits? If they consider the flag bit when doing key matching
|
||||
at the trust anchor, they won't be able to match.
|
||||
|
||||
|
||||
Author's Address
|
||||
|
||||
Michael StJohns
|
||||
Nominum, Inc.
|
||||
2385 Bay Road
|
||||
Redwood City, CA 94063
|
||||
USA
|
||||
|
||||
Phone: +1-301-528-4729
|
||||
Email: Mike.StJohns@nominum.com
|
||||
URI: www.nominum.com
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 11]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the procedures with respect to rights in RFC documents can be
|
||||
found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
The IETF has been notified of intellectual property rights claimed in
|
||||
regard to some or all of the specification contained in this
|
||||
document. For more information consult the online list of claimed
|
||||
rights.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2005). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 12]
|
||||
|
||||
Internet-Draft trustanchor-update August 2005
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
StJohns Expires February 16, 2006 [Page 13]
|
||||
|
||||
|
@ -1,580 +0,0 @@
|
||||
|
||||
INTERNET-DRAFT Donald E. Eastlake 3rd
|
||||
UPDATES RFC 2845 Motorola Laboratories
|
||||
Expires: December 2005 June 2005
|
||||
|
||||
|
||||
HMAC SHA TSIG Algorithm Identifiers
|
||||
---- --- ---- --------- -----------
|
||||
<draft-ietf-dnsext-tsig-sha-04.txt>
|
||||
|
||||
|
||||
Status of This Document
|
||||
|
||||
By submitting this Internet-Draft, each author represents that any
|
||||
applicable patent or other IPR claims of which he or she is aware
|
||||
have been or will be disclosed, and any of which he or she becomes
|
||||
aware will be disclosed, in accordance with Section 6 of BCP 79.
|
||||
|
||||
This draft is intended to be become a Proposed Standard RFC.
|
||||
Distribution of this document is unlimited. Comments should be sent
|
||||
to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than a "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/1id-abstracts.html
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html
|
||||
|
||||
|
||||
Abstract
|
||||
|
||||
Use of the TSIG DNS resource record requires specification of a
|
||||
cryptographic message authentication code. Currently identifiers
|
||||
have been specified only for the HMAC-MD5 and GSS TSIG algorithms.
|
||||
This document standardizes identifiers and implementation
|
||||
requirements for additional HMAC SHA TSIG algorithms and standardizes
|
||||
how to specify and handle the truncation of HMAC values.
|
||||
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society 2005. All Rights Reserved.
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 1]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
Status of This Document....................................1
|
||||
Abstract...................................................1
|
||||
Copyright Notice...........................................1
|
||||
|
||||
Table of Contents..........................................2
|
||||
|
||||
1. Introduction............................................3
|
||||
|
||||
2. Algorithms and Identifiers..............................4
|
||||
|
||||
3. Specifying Truncation...................................5
|
||||
3.1 Truncation Specification...............................5
|
||||
|
||||
4. TSIG Policy Provisions and Truncation Error.............7
|
||||
|
||||
5. IANA Considerations.....................................8
|
||||
6. Security Considerations.................................8
|
||||
6. Copyright and Disclaimer................................8
|
||||
|
||||
7. Normative References....................................9
|
||||
8. Informative References..................................9
|
||||
|
||||
Author's Address..........................................10
|
||||
Expiration and File Name..................................10
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 2]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
[RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
|
||||
authenticate DNS queries and responses. This RR contains a domain
|
||||
name syntax data item which names the authentication algorithm used.
|
||||
[RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for
|
||||
authentication codes using the HMAC [RFC 2104] algorithm with the MD5
|
||||
[RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an
|
||||
identifier for TSIG authentication where the cryptographic operations
|
||||
are delegated to GSS [RFC 3645].
|
||||
|
||||
In Section 2, this document specifies additional names for TSIG
|
||||
authentication algorithms based on US NIST SHA algorithms and HMAC
|
||||
and specifies the implementation requirements for those algorithms.
|
||||
|
||||
In Section 3, this document specifies the meaning of inequality
|
||||
between the normal output size of the specified hash function and the
|
||||
length of MAC (message authentication code) data given in the TSIG
|
||||
RR. In particular, it specifies that a shorter length field value
|
||||
specifies truncation and a longer length field is an error.
|
||||
|
||||
In Section 4, policy restrictions and implications related to
|
||||
truncation and a new error code to indicate truncation shorter than
|
||||
permitted by policy are described and specified.
|
||||
|
||||
The use herein of MUST, SHOULD, MAY, MUST NOT, and SHOULD NOT is as
|
||||
defined in [RFC 2119].
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 3]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
2. Algorithms and Identifiers
|
||||
|
||||
TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
|
||||
queries and responses. They are intended to be efficient symmetric
|
||||
authentication codes based on a shared secret. (Asymmetric signatures
|
||||
can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
|
||||
can be used for transaction signatures.) Used with a strong hash
|
||||
function, HMAC [RFC 2104] provides a way to calculate such symmetric
|
||||
authentication codes. The only specified HMAC based TSIG algorithm
|
||||
identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
|
||||
|
||||
The use of SHA-1 [FIPS 180-2, RFC 3174], which is a 160 bit hash, as
|
||||
compared with the 128 bits for MD5, and additional hash algorithms in
|
||||
the SHA family [FIPS 180-2, RFC 3874, SHA2draft] with 224, 256, 384,
|
||||
and 512 bits, may be preferred in some cases particularly since
|
||||
increasingly successful cryptanalytic attacks are being made on the
|
||||
shorter hashes. Use of TSIG between a DNS resolver and server is by
|
||||
mutual agreement. That agreement can include the support of
|
||||
additional algorithms and may specify policies as to which algorithms
|
||||
and truncations are acceptable subject to the restrication and
|
||||
guidelines in Section 3 and 4 below.
|
||||
|
||||
The current HMAC-MD5.SIG-ALG.REG.INT identifier is included in the
|
||||
table below for convenience. Implementations which support TSIG MUST
|
||||
also implement HMAC SHA1 and HMAC SHA256 and MAY implement gss-tsig
|
||||
and the other algorithms listed below.
|
||||
|
||||
Mandatory HMAC-MD5.SIG-ALG.REG.INT
|
||||
Mandatory hmac-sha1
|
||||
Optional hmac-sha224
|
||||
Mandatory hmac-sha256
|
||||
Optional hamc-sha384
|
||||
Optional hmac-sha512
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 4]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
3. Specifying Truncation
|
||||
|
||||
When space is at a premium and the strength of the full length of an
|
||||
HMAC is not needed, it is reasonable to truncate the HMAC output and
|
||||
use the truncated value for authentication. HMAC SHA-1 truncated to
|
||||
96 bits is an option available in several IETF protocols including
|
||||
IPSEC and TLS.
|
||||
|
||||
The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
|
||||
size of the MAC field in octets. But [RFC 2845] does not specify what
|
||||
to do if this MAC size differs from the length of the output of HMAC
|
||||
for a particular hash function. Truncation is indicated by a MAC size
|
||||
less than the HMAC size as specified below.
|
||||
|
||||
|
||||
|
||||
3.1 Truncation Specification
|
||||
|
||||
The specification for TSIG handling is changed as follows:
|
||||
|
||||
1. If "MAC size" field is greater than HMAC output length:
|
||||
This case MUST NOT be generated and if received MUST cause the
|
||||
packet to be dropped and RCODE 1 (FORMERR) to be returned.
|
||||
|
||||
2. If "MAC size" field equals HMAC output length:
|
||||
Operation is as described in [RFC 2845] with the entire output
|
||||
HMAC output present.
|
||||
|
||||
3. "MAC size" field is less than HMAC output length but greater than
|
||||
that specified in case 4 below:
|
||||
This is sent when the signer has truncated the HMAC output to
|
||||
an allowable length, as described in RFC 2104, taking initial
|
||||
octets and discarding trailing octets. TSIG truncation can only be
|
||||
to an integral number of octets. On receipt of a packet with
|
||||
truncation thus indicated, the locally calculated MAC is similarly
|
||||
truncated and only the truncated values compared for
|
||||
authentication. The request MAC used when calculating the TSIG MAC
|
||||
for a reply is the trucated request MAC.
|
||||
|
||||
4. "MAC size" field is less than the larger of 10 (octets) and half
|
||||
the length of the hash function in use:
|
||||
With the exception of certain TSIG error messages described in
|
||||
RFC 2845 section 3.2 where it is permitted that the MAC size be
|
||||
zero, this case MUST NOT be generated and if received MUST cause
|
||||
the packet to be dropped and RCODE 1 (FORMERR) to be returned. The
|
||||
size limit for this case can also, for the hash functions
|
||||
mentioned in this document, be stated as less than half the hash
|
||||
function length for hash functions other than MD5 and less than 10
|
||||
octets for MD5.
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 5]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 6]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
4. TSIG Policy Provisions and Truncation Error
|
||||
|
||||
Use of TSIG is by mutual agreement between a resolver and server.
|
||||
Implicit in such "agreement" are policies as to acceptable keys and
|
||||
algorithms and, with the extensions in this doucment, truncations. In
|
||||
particular note the following:
|
||||
|
||||
Such policies MAY require the rejection of TSIGs even though they
|
||||
use an algorithm for which implementation is mandatory.
|
||||
|
||||
When a policy calls for the acceptance of a TSIG with a particular
|
||||
algorithm and a particular non-zero amount of trunction it SHOULD
|
||||
also permit the use of that algorithm with lesser truncation (a
|
||||
longer MAC) up to the full HMAC output.
|
||||
|
||||
Regardless of a lower acceptable truncated MAC length specified by
|
||||
policy, a reply SHOULD be sent with a MAC at least as long as that in
|
||||
the corresponding request unless the request specified a MAC length
|
||||
longer than the HMAC output.
|
||||
|
||||
Implementations permitting policies with multiple acceptable
|
||||
algorithms and/or truncations SHOULD permit this list to be ordered
|
||||
by presumed strength and SHOULD allow different truncations for the
|
||||
same algorithm to be treatred as spearate entities in this list. When
|
||||
so implemented, policies SHOULD accept a presumed stronger algorithm
|
||||
and truncation than the minimum strength required by the policy.
|
||||
|
||||
If a TSIG is received with truncation which is permitted under
|
||||
Section 3 above but the MAC is too short for the policy in force, an
|
||||
RCODE of TBA [22 suggested](BADTRUNC) MUST be returned.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 7]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
5. IANA Considerations
|
||||
|
||||
This document, on approval for publication as a standards track RFC,
|
||||
(1) registers the new TSIG algorithm identifiers listed in Section 2
|
||||
with IANA and (2) Section 4 allocates the BADTRUNC RCODE TBA [22
|
||||
suggested].
|
||||
|
||||
|
||||
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
For all of the message authentication code algorithms listed herein,
|
||||
those producing longer values are believed to be stronger; however,
|
||||
while there have been some arguments that mild truncation can
|
||||
strengthen a MAC by reducing the information available to an
|
||||
attacker, excessive truncation clearly weakens authentication by
|
||||
reducing the number of bits an attacker has to try to brute force
|
||||
[RFC 2104].
|
||||
|
||||
Significant progress has been made recently in cryptanalysis of hash
|
||||
function of the type used herein, all of which ultimately derive from
|
||||
the design of MD4. While the results so far should not effect HMAC,
|
||||
the stronger SHA-1 and SHA-256 algorithms are being made mandatory
|
||||
due to caution.
|
||||
|
||||
See the Security Considerations section of [RFC 2845]. See also the
|
||||
Security Considerations section of [RFC 2104] from which the limits
|
||||
on truncation in this RFC were taken.
|
||||
|
||||
|
||||
|
||||
6. Copyright and Disclaimer
|
||||
|
||||
Copyright (C) The Internet Society (2005). This document is subject to
|
||||
the rights, licenses and restrictions contained in BCP 78, and except
|
||||
as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 8]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
7. Normative References
|
||||
|
||||
[FIPS 180-2] - "Secure Hash Standard", (SHA-1/224/256/384/512) US
|
||||
Federal Information Processing Standard, with Change Notice 1,
|
||||
February 2004.
|
||||
|
||||
[RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
|
||||
1321, April 1992.
|
||||
|
||||
[RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
|
||||
Hashing for Message Authentication", RFC 2104, February 1997.
|
||||
|
||||
[RFC 2119] - Bradner, S., "Key words for use in RFCs to Indicate
|
||||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||||
|
||||
[RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
|
||||
Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
|
||||
RFC 2845, May 2000.
|
||||
|
||||
|
||||
|
||||
8. Informative References.
|
||||
|
||||
[RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
|
||||
Signatures ( SIG(0)s )", RFC 2931, September 2000.
|
||||
|
||||
[RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
|
||||
1 (SHA1)", RFC 3174, September 2001.
|
||||
|
||||
[RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
|
||||
J., and R. Hall, "Generic Security Service Algorithm for Secret Key
|
||||
Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
|
||||
2003.
|
||||
|
||||
[RFC 3874] - R. Housely, "A 224-bit One-way Hash Function: SHA-224",
|
||||
September 2004,
|
||||
|
||||
[SHA2draft] - Eastlake, D., T. Hansen, "US Secure Hash Algorithms
|
||||
(SHA)", work in progress.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 9]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
Author's Address
|
||||
|
||||
Donald E. Eastlake 3rd
|
||||
Motorola Laboratories
|
||||
155 Beaver Street
|
||||
Milford, MA 01757 USA
|
||||
|
||||
Telephone: +1-508-786-7554 (w)
|
||||
|
||||
EMail: Donald.Eastlake@motorola.com
|
||||
|
||||
|
||||
|
||||
Expiration and File Name
|
||||
|
||||
This draft expires in December 2005.
|
||||
|
||||
Its file name is draft-ietf-dnsext-tsig-sha-04.txt
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 10]
|
||||
|
@ -1,956 +0,0 @@
|
||||
DNSEXT Working Group E. Lewis
|
||||
INTERNET DRAFT NeuStar
|
||||
Expiration Date: January 6, 2006 July 6, 2005
|
||||
Updates RFC 1034, RFC 2672
|
||||
|
||||
The Role of Wildcards
|
||||
in the Domain Name System
|
||||
draft-ietf-dnsext-wcard-clarify-08.txt
|
||||
|
||||
Status of this Memo
|
||||
|
||||
By submitting this Internet-Draft, each author represents that
|
||||
any applicable patent or other IPR claims of which he or she is
|
||||
aware have been or will be disclosed, and any of which he or she
|
||||
becomes aware will be disclosed, in accordance with Section 6 of
|
||||
BCP 79.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six
|
||||
months and may be updated, replaced, or obsoleted by other
|
||||
documents at any time. It is inappropriate to use Internet-Drafts
|
||||
as reference material or to cite them other than as "work in
|
||||
progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html
|
||||
|
||||
This Internet-Draft will expire on January 6, 2006.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2005).
|
||||
|
||||
Abstract
|
||||
|
||||
This is an update to the wildcard definition of RFC 1034. The
|
||||
interaction with wildcards and CNAME is changed, an error
|
||||
condition removed, and the words defining some concepts central
|
||||
to wildcards are changed. The overall goal is not to change
|
||||
wildcards, but to refine the definition of RFC 1034.
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Introduction
|
||||
1.1 Motivation
|
||||
1.2 The Original Definition
|
||||
1.3 Roadmap to This Document
|
||||
1.3.1 New Terms
|
||||
1.3.2 Changed Text
|
||||
1.3.3 Considerations with Special Types
|
||||
1.4 Standards Terminology
|
||||
2. Wildcard Syntax
|
||||
2.1 Identifying a Wildcard
|
||||
2.1.1 Wild Card Domain Name and Asterisk Label
|
||||
2.1.2 Asterisks and Other Characters
|
||||
2.1.3 Non-terminal Wild Card Domain Names
|
||||
2.2 Existence Rules
|
||||
2.2.1 An Example
|
||||
2.2.2 Empty Non-terminals
|
||||
2.2.3 Yet Another Definition of Existence
|
||||
2.3 When is a Wild Card Domain Name Not Special
|
||||
3. Impact of a Wild Card Domain Name On a Response
|
||||
3.1 Step 2
|
||||
3.2 Step 3
|
||||
3.3 Part 'c'
|
||||
3.3.1 Closest Encloser and the Source of Synthesis
|
||||
3.3.2 Closest Encloser and Source of Synthesis Examples
|
||||
3.3.3 Type Matching
|
||||
4. Considerations with Special Types
|
||||
4.1 SOA RRSet at a Wild Card Domain Name
|
||||
4.2 NS RRSet at a Wild Card Domain Name
|
||||
4.2.1 Discarded Notions
|
||||
4.3 CNAME RRSet at a Wild Card Domain Name
|
||||
4.4 DNAME RRSet at a Wild Card Domain Name
|
||||
4.5 SRV RRSet at a Wild Card Domain Name
|
||||
4.6 DS RRSet at a Wild Card Domain Name
|
||||
4.7 NSEC RRSet at a Wild Card Domain Name
|
||||
4.8 RRSIG at a Wild Card Domain Name
|
||||
4.9 Empty Non-terminal Wild Card Domain Name
|
||||
5. Security Considerations
|
||||
6. IANA Considerations
|
||||
7. References
|
||||
8. Editor
|
||||
9. Others Contributing to the Document
|
||||
10. Trailing Boilerplate
|
||||
|
||||
1. Introduction
|
||||
|
||||
In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
|
||||
synthesis of answers from special resource records called
|
||||
wildcards. The definition in RFC 1034 is incomplete and has
|
||||
proven to be confusing. This document describes the wildcard
|
||||
synthesis by adding to the discussion and making limited
|
||||
modifications. Modifications are made to close inconsistencies
|
||||
that have led to interoperability issues. This description
|
||||
does not expand the service intended by the original definition.
|
||||
|
||||
Staying within the spirit and style of the original documents,
|
||||
this document avoids specifying rules for DNS implementations
|
||||
regarding wildcards. The intention is to only describe what is
|
||||
needed for interoperability, not restrict implementation choices.
|
||||
In addition, consideration is given to minimize any backwards
|
||||
compatibility issues with implementations that comply with RFC
|
||||
1034's definition.
|
||||
|
||||
This document is focused on the concept of wildcards as defined
|
||||
in RFC 1034. Nothing is implied regarding alternative means of
|
||||
synthesizing resource record sets, nor are alternatives discussed.
|
||||
|
||||
1.1 Motivation
|
||||
|
||||
Many DNS implementations diverge, in different ways, from the
|
||||
original definition of wildcards. Although there is clearly a
|
||||
need to clarify the original documents in light of this alone,
|
||||
the impetus for this document lay in the engineering of the DNS
|
||||
security extensions [RFC4033]. With an unclear definition of
|
||||
wildcards the design of authenticated denial became entangled.
|
||||
|
||||
This document is intended to limit its changes, documenting only
|
||||
those based on implementation experience, and to remain as close
|
||||
to the original document as possible. To reinforce that this
|
||||
document is meant to clarify and adjust and not redefine wildcards,
|
||||
relevant sections of RFC 1034 are repeated verbatim to facilitate
|
||||
comparison of the old and new text.
|
||||
|
||||
1.2 The Original Definition
|
||||
|
||||
The defintion of the wildcard concept is comprised by the
|
||||
documentation of the algorithm by which a name server prepares
|
||||
a response (in RFC 1034's section 4.3.2) and the way in which
|
||||
a resource record (set) is identified as being a source of
|
||||
synthetic data (section 4.3.3).
|
||||
|
||||
This is the definition of the term "wildcard" as it appears in
|
||||
RFC 1034, section 4.3.3.
|
||||
|
||||
# In the previous algorithm, special treatment was given to RRs with
|
||||
# owner names starting with the label "*". Such RRs are called
|
||||
# wildcards. Wildcard RRs can be thought of as instructions for
|
||||
# synthesizing RRs. When the appropriate conditions are met, the name
|
||||
# server creates RRs with an owner name equal to the query name and
|
||||
# contents taken from the wildcard RRs.
|
||||
|
||||
This passage follows the algorithm in which the term wildcard
|
||||
is first used. In this definition, wildcard refers to resource
|
||||
records. In other usage, wildcard has referred to domain names,
|
||||
and it has been used to describe the operational practice of
|
||||
relying on wildcards to generate answers. It is clear from this
|
||||
that there is a need to define clear and unambiguous terminology
|
||||
in the process of discussing wildcards.
|
||||
|
||||
The mention of the use of wildcards in the preparation of a
|
||||
response is contained in step 3c of RFC 1034's section 4.3.2
|
||||
entitled "Algorithm." Note that "wildcard" does not appear in
|
||||
the algorithm, instead references are made to the "*" label.
|
||||
The portion of the algorithm relating to wildcards is
|
||||
deconstructed in detail in section 3 of this document, this is
|
||||
the beginning of the relevant portion of the "Algorithm."
|
||||
|
||||
# c. If at some label, a match is impossible (i.e., the
|
||||
# corresponding label does not exist), look to see if [...]
|
||||
# the "*" label exists.
|
||||
|
||||
The scope of this document is the RFC 1034 definition of
|
||||
wildcards and the implications of updates to those documents,
|
||||
such as DNSSEC. Alternate schemes for synthesizing answers are
|
||||
not considered. (Note that there is no reference listed. No
|
||||
document is known to describe any alternate schemes, although
|
||||
there has been some mention of them in mailing lists.)
|
||||
|
||||
1.3 Roadmap to This Document
|
||||
|
||||
This document accomplishes these three items.
|
||||
o Defines new terms
|
||||
o Makes minor changes to avoid conflicting concepts
|
||||
o Describes the actions of certain resource records as wildcards
|
||||
|
||||
1.3.1 New Terms
|
||||
|
||||
To help in discussing what resource records are wildcards, two
|
||||
terms will be defined - "asterisk label" and "wild card domain
|
||||
name". These are defined in section 2.1.1.
|
||||
|
||||
To assist in clarifying the role of wildcards in the name server
|
||||
algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest
|
||||
encloser" are defined. These definitions are in section 3.3.2.
|
||||
"Label match" is defined in section 3.2.
|
||||
|
||||
The new terms are used to make discussions of wildcards clearer.
|
||||
Terminology doesn't directly have an impact on implementations.
|
||||
|
||||
1.3.2 Changed Text
|
||||
|
||||
The definition of "existence" is changed superficially. This
|
||||
change will not be apparent to implementations; it is needed to
|
||||
make descriptions more precise. The change appears in section
|
||||
2.2.3.
|
||||
|
||||
RFC 1034, section 4.3.3., seems to prohibit having two asterisk
|
||||
labels in a wildcard owner name. With this document the
|
||||
restriction is removed entirely. This change and its implications
|
||||
are in section 2.1.3.
|
||||
|
||||
The actions when a source of synthesis owns a CNAME RR are
|
||||
changed to mirror the actions if an exact match name owns a
|
||||
CNAME RR. This is an addition to the words in RFC 1034,
|
||||
section 4.3.2, step 3, part c. The discussion of this is in
|
||||
section 3.3.3.
|
||||
|
||||
Only the latter change represents an impact to implementations.
|
||||
The definition of existence is not a protocol impact. The change
|
||||
to the restriction on names is unlikely to have an impact, as
|
||||
RFC 1034 contained no specification on when and how to enforce the
|
||||
restriction.
|
||||
|
||||
1.3.3 Considerations with Special Types
|
||||
|
||||
This document describes semantics of wildcard RRSets for
|
||||
"interesting" types as well as empty non-terminal wildcards.
|
||||
Understanding these situations in the context of wildcards has
|
||||
been clouded because these types incur special processing if
|
||||
they are the result of an exact match. This discussion is in
|
||||
section 4.
|
||||
|
||||
These discussions do not have an implementation impact, they cover
|
||||
existing knowledge of the types, but to a greater level of detail.
|
||||
|
||||
1.4 Standards Terminology
|
||||
|
||||
This document does not use terms as defined in "Key words for use
|
||||
in RFCs to Indicate Requirement Levels." [RFC2119]
|
||||
|
||||
Quotations of RFC 1034 are denoted by a '#' in the leftmost
|
||||
column. References to section "4.3.2" are assumed to refer
|
||||
to RFC 1034's section 4.3.2, simply titled "Algorithm."
|
||||
|
||||
2. Wildcard Syntax
|
||||
|
||||
The syntax of a wildcard is the same as any other DNS resource
|
||||
record, across all classes and types. The only significant
|
||||
feature is the owner name.
|
||||
|
||||
Because wildcards are encoded as resource records with special
|
||||
names, they are included in zone transfers and incremental zone
|
||||
transfers[RFC1995] just as non-wildcard resource records are.
|
||||
This feature has been underappreciated until discussions on
|
||||
alternative approaches to wildcards appeared on mailing lists.
|
||||
|
||||
2.1 Identifying a Wildcard
|
||||
|
||||
To provide a more accurate description of wildcards, the
|
||||
definition has to start with a discussion of the domain names
|
||||
that appear as owners. Two new terms are needed, "Asterisk
|
||||
Label" and "Wild Card Domain Name."
|
||||
|
||||
2.1.1 Wild Card Domain Name and Asterisk Label
|
||||
|
||||
A "wild card domain name" is defined by having its initial
|
||||
(i.e., left-most or least significant) label be, in binary format:
|
||||
|
||||
0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
|
||||
|
||||
The first octet is the normal label type and length for a 1 octet
|
||||
long label, the second octet is the ASCII representation [RFC20]
|
||||
for the '*' character.
|
||||
|
||||
A descriptive name of a label equaling that value is an "asterisk
|
||||
label."
|
||||
|
||||
RFC 1034's definition of wildcard would be "a resource record
|
||||
owned by a wild card domain name."
|
||||
|
||||
2.1.2 Asterisks and Other Characters
|
||||
|
||||
No label values other than that in section 2.1.1 are asterisk
|
||||
labels, hence names beginning with other labels are never wild
|
||||
card domain names. Labels such as 'the*' and '**' are not
|
||||
asterisk labels so these labels do not start wild card domain
|
||||
names.
|
||||
|
||||
2.1.3 Non-terminal Wild Card Domain Names
|
||||
|
||||
In section 4.3.3, the following is stated:
|
||||
|
||||
# .......................... The owner name of the wildcard RRs is of
|
||||
# the form "*.<anydomain>", where <anydomain> is any domain name.
|
||||
# <anydomain> should not contain other * labels......................
|
||||
|
||||
The restriction is now removed. The original documentation of it
|
||||
is incomplete and the restriction does not serve any purpose given
|
||||
years of operational experience.
|
||||
|
||||
There are three possible reasons for putting the restriction in
|
||||
place, but none of the three has held up over time. One is
|
||||
that the restriction meant that there would never be subdomains
|
||||
of wild card domain names, but the restriciton as stated still
|
||||
permits "example.*.example." for instance. Another is that
|
||||
wild card domain names are not intended to be empty non-terminals,
|
||||
but this situation does not disrupt the algorithm in 4.3.2.
|
||||
Finally, "nested" wild card domain names are not ambiguous once
|
||||
the concept of the closest encloser had been documented.
|
||||
|
||||
A wild card domain name can have subdomains. There is no need
|
||||
to inspect the subdomains to see if there is another asterisk
|
||||
label in any subdomain.
|
||||
|
||||
A wild card domain name can be an empty non-terminal. (See the
|
||||
upcoming sections on empty non-terminals.) In this case, any
|
||||
lookup encountering it will terminate as would any empty
|
||||
non-terminal match.
|
||||
|
||||
2.2 Existence Rules
|
||||
|
||||
The notion that a domain name 'exists' is mentioned in the
|
||||
definition of wildcards. In section 4.3.3 of RFC 1034:
|
||||
|
||||
# Wildcard RRs do not apply:
|
||||
#
|
||||
...
|
||||
# - When the query name or a name between the wildcard domain and
|
||||
# the query name is know[n] to exist. For example, if a wildcard
|
||||
|
||||
"Existence" is therefore an important concept in the understanding
|
||||
of wildcards. Unfortunately, the definition of what exists, in RFC
|
||||
1034, is unlcear. So, in sections 2.2.2. and 2.2.3, another look is
|
||||
taken at the definition of existence.
|
||||
|
||||
2.2.1 An Example
|
||||
|
||||
To illustrate what is meant by existence consider this complete
|
||||
zone:
|
||||
|
||||
$ORIGIN example.
|
||||
example. 3600 IN SOA <SOA RDATA>
|
||||
example. 3600 NS ns.example.com.
|
||||
example. 3600 NS ns.example.net.
|
||||
*.example. 3600 TXT "this is a wild card"
|
||||
*.example. 3600 MX 10 host1.example.
|
||||
sub.*.example. 3600 TXT "this is not a wild card"
|
||||
host1.example. 3600 A 192.0.4.1
|
||||
_ssh._tcp.host1.example. 3600 SRV <SRV RDATA>
|
||||
_ssh._tcp.host2.example. 3600 SRV <SRV RDATA>
|
||||
subdel.example. 3600 NS ns.example.com.
|
||||
subdel.example. 3600 NS ns.example.net.
|
||||
|
||||
A look at the domain names in a tree structure is helpful:
|
||||
|
||||
|
|
||||
-------------example------------
|
||||
/ / \ \
|
||||
/ / \ \
|
||||
/ / \ \
|
||||
* host1 host2 subdel
|
||||
| | |
|
||||
| | |
|
||||
sub _tcp _tcp
|
||||
| |
|
||||
| |
|
||||
_ssh _ssh
|
||||
|
||||
The following responses would be synthesized from one of the
|
||||
wildcards in the zone:
|
||||
|
||||
QNAME=host3.example. QTYPE=MX, QCLASS=IN
|
||||
the answer will be a "host3.example. IN MX ..."
|
||||
|
||||
QNAME=host3.example. QTYPE=A, QCLASS=IN
|
||||
the answer will reflect "no error, but no data"
|
||||
because there is no A RR set at '*.example.'
|
||||
|
||||
QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
|
||||
the answer will be "foo.bar.example. IN TXT ..."
|
||||
because bar.example. does not exist, but the wildcard
|
||||
does.
|
||||
|
||||
The following responses would not be synthesized from any of the
|
||||
wildcards in the zone:
|
||||
|
||||
QNAME=host1.example., QTYPE=MX, QCLASS=IN
|
||||
because host1.example. exists
|
||||
|
||||
QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
|
||||
because sub.*.example. exists
|
||||
|
||||
QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
|
||||
because _tcp.host1.example. exists (without data)
|
||||
|
||||
QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
|
||||
because subdel.example. exists (and is a zone cut)
|
||||
|
||||
QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
|
||||
because *.example. exists
|
||||
|
||||
The final example highlights one common misconception about
|
||||
wildcards. A wildcard "blocks itself" in the sense that a
|
||||
wildcard does not match its own subdomains. I.e. "*.example."
|
||||
does not match all names in the "example." zone, it fails to
|
||||
match the names below "*.example." To cover names under
|
||||
"*.example.", another wild card domain name is needed -
|
||||
"*.*.example." - which covers all but it's own subdomains.
|
||||
|
||||
2.2.2 Empty Non-terminals
|
||||
|
||||
Empty non-terminals [RFC2136, Section 7.16] are domain names
|
||||
that own no resource records but have subdomains that do. In
|
||||
section 2.2.1, "_tcp.host1.example." is an example of a empty
|
||||
non-terminal name. Empty non-terminals are introduced by this
|
||||
text in section 3.1 of RFC 1034:
|
||||
|
||||
# The domain name space is a tree structure. Each node and leaf on
|
||||
# the tree corresponds to a resource set (which may be empty). The
|
||||
# domain system makes no distinctions between the uses of the
|
||||
# interior nodes and leaves, and this memo uses the term "node" to
|
||||
# refer to both.
|
||||
|
||||
The parenthesized "which may be empty" specifies that empty non-
|
||||
terminals are explicitly recognized, and that empty non-terminals
|
||||
"exist."
|
||||
|
||||
Pedantically reading the above paragraph can lead to an
|
||||
interpretation that all possible domains exist - up to the
|
||||
suggested limit of 255 octets for a domain name [RFC1035].
|
||||
For example, www.example. may have an A RR, and as far as is
|
||||
practically concerned, is a leaf of the domain tree. But the
|
||||
definition can be taken to mean that sub.www.example. also
|
||||
exists, albeit with no data. By extension, all possible domains
|
||||
exist, from the root on down.
|
||||
|
||||
As RFC 1034 also defines "an authoritative name error indicating
|
||||
that the name does not exist" in section 4.3.1, so this apparently
|
||||
is not the intent of the original definition, justifying the
|
||||
need for an updated definition in the next section.
|
||||
|
||||
2.2.3 Yet Another Definition of Existence
|
||||
|
||||
RFC1034's wording is fixed by the following paragraph:
|
||||
|
||||
The domain name space is a tree structure. Nodes in the tree
|
||||
either own at least one RRSet and/or have descendants that
|
||||
collectively own at least one RRSet. A node may exist with no
|
||||
RRSets only if it has descendents that do, this node is an empty
|
||||
non-terminal.
|
||||
|
||||
A node with no descendants is a leaf node. Empty leaf nodes do
|
||||
not exist.
|
||||
|
||||
Note that at a zone boundary, the domain name owns data,
|
||||
including the NS RR set. In the delegating zone, the NS RR
|
||||
set is not authoritative, but that is of no consequence here.
|
||||
The domain name owns data, therefore, it exists.
|
||||
|
||||
2.3 When is a Wild Card Domain Name Not Special
|
||||
|
||||
When a wild card domain name appears in a message's query section,
|
||||
no special processing occurs. An asterisk label in a query name
|
||||
only matches a single, corresponding asterisk label in the
|
||||
existing zone tree when the 4.3.2 algorithm is being followed.
|
||||
|
||||
When a wild card domain name appears in the resource data of a
|
||||
record, no special processing occurs. An asterisk label in that
|
||||
context literally means just an asterisk.
|
||||
|
||||
3. Impact of a Wild Card Domain Name On a Response
|
||||
|
||||
RFC 1034's description of how wildcards impact response
|
||||
generation is in its section 4.3.2. That passage contains the
|
||||
algorithm followed by a server in constructing a response.
|
||||
Within that algorithm, step 3, part 'c' defines the behavior of
|
||||
the wildcard.
|
||||
|
||||
The algorithm in section 4.3.2. is not intended to be pseudo-code,
|
||||
i.e., its steps are not intended to be followed in strict order.
|
||||
The "algorithm" is a suggested means of implementing the
|
||||
requirements. As such, in step 3, parts a, b, and c, do not have
|
||||
to be implemented in that order, provided that the result of the
|
||||
implemented code is compliant with the protocol's specification.
|
||||
|
||||
3.1 Step 2
|
||||
|
||||
Step 2 of the section 4.3.2 reads:
|
||||
|
||||
# 2. Search the available zones for the zone which is the nearest
|
||||
# ancestor to QNAME. If such a zone is found, go to step 3,
|
||||
# otherwise step 4.
|
||||
|
||||
In this step, the most appropriate zone for the response is
|
||||
chosen. The significance of this step is that it means all of
|
||||
step 3 is being performed within one zone. This has significance
|
||||
when considering whether or not an SOA RR can be ever be used for
|
||||
synthesis.
|
||||
|
||||
3.2 Step 3
|
||||
|
||||
Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'.
|
||||
But the beginning of the step is important and needs explanation.
|
||||
|
||||
# 3. Start matching down, label by label, in the zone. The
|
||||
# matching process can terminate several ways:
|
||||
|
||||
The word 'matching' refers to label matching. The concept
|
||||
is based in the view of the zone as the tree of existing names.
|
||||
The query name is considered to be an ordered sequence of
|
||||
labels - as if the name were a path from the root to the owner
|
||||
of the desired data. (Which it is - 3rd paragraph of RFC 1034,
|
||||
section 3.1.)
|
||||
|
||||
The process of label matching a query name ends in exactly one of
|
||||
three choices, the parts 'a', 'b', and 'c'. Either the name is
|
||||
found, the name is below a cut point, or the name is not found.
|
||||
|
||||
Once one of the parts is chosen, the other parts are not
|
||||
considered. (E.g., do not execute part 'c' and then change
|
||||
the execution path to finish in part 'b'.) The process of label
|
||||
matching is also done independent of the query type (QTYPE).
|
||||
|
||||
Parts 'a' and 'b' are not an issue for this clarification as they
|
||||
do not relate to record synthesis. Part 'a' is an exact match
|
||||
that results in an answer, part 'b' is a referral.
|
||||
|
||||
3.3 Part 'c'
|
||||
|
||||
The context of part 'c' is that the process of label matching the
|
||||
labels of the query name has resulted in a situation in which
|
||||
there is no corresponding label in the tree. It is as if the
|
||||
lookup has "fallen off the tree."
|
||||
|
||||
# c. If at some label, a match is impossible (i.e., the
|
||||
# corresponding label does not exist), look to see if [...]
|
||||
# the "*" label exists.
|
||||
|
||||
To help describe the process of looking 'to see if [...] the "*"
|
||||
label exists' a term has been coined to describe the last domain
|
||||
(node) matched. The term is "closest encloser."
|
||||
|
||||
3.3.1 Closest Encloser and the Source of Synthesis
|
||||
|
||||
The closest encloser is the node in the zone's tree of existing
|
||||
domain names that has the most labels matching the query name
|
||||
(consecutively, counting from the root label downward). Each match
|
||||
is a "label match" and the order of the labels is the same.
|
||||
|
||||
The closest encloser is, by definition, an existing name in the
|
||||
zone. The closest encloser might be an empty non-terminal or even
|
||||
be a wild card domain name itself. In no circumstances is the
|
||||
closest encloser to be used to synthesize records for the current
|
||||
query.
|
||||
|
||||
The source of synthesis is defined in the context of a query
|
||||
process as that wild card domain name immediately descending
|
||||
from the closest encloser, provided that this wild card domain
|
||||
name exists. "Immediately descending" means that the source
|
||||
of synthesis has a name of the form:
|
||||
<asterisk label>.<closest encloser>.
|
||||
A source of synthesis does not guarantee having a RRSet to use
|
||||
for synthesis. The source of synthesis could be an empty
|
||||
non-terminal.
|
||||
|
||||
If the source of synthesis does not exist (not on the domain
|
||||
tree), there will be no wildcard synthesis. There is no search
|
||||
for an alternate.
|
||||
|
||||
The important concept is that for any given lookup process, there
|
||||
is at most one place at which wildcard synthetic records can be
|
||||
obtained. If the source of synthesis does not exist, the lookup
|
||||
terminates, the lookup does not look for other wildcard records.
|
||||
|
||||
3.3.2 Closest Encloser and Source of Synthesis Examples
|
||||
|
||||
To illustrate, using the example zone in section 2.2.1 of this
|
||||
document, the following chart shows QNAMEs and the closest
|
||||
enclosers.
|
||||
|
||||
QNAME Closest Encloser Source of Synthesis
|
||||
host3.example. example. *.example.
|
||||
_telnet._tcp.host1.example. _tcp.host1.example. no source
|
||||
_telnet._tcp.host2.example. host2.example. no source
|
||||
_telnet._tcp.host3.example. example. *.example.
|
||||
_chat._udp.host3.example. example. *.example.
|
||||
foobar.*.example. *.example. no source
|
||||
|
||||
3.3.3 Type Matching
|
||||
|
||||
RFC 1034 concludes part 'c' with this:
|
||||
|
||||
# If the "*" label does not exist, check whether the name
|
||||
# we are looking for is the original QNAME in the query
|
||||
# or a name we have followed due to a CNAME. If the name
|
||||
# is original, set an authoritative name error in the
|
||||
# response and exit. Otherwise just exit.
|
||||
#
|
||||
# If the "*" label does exist, match RRs at that node
|
||||
# against QTYPE. If any match, copy them into the answer
|
||||
# section, but set the owner of the RR to be QNAME, and
|
||||
# not the node with the "*" label. Go to step 6.
|
||||
|
||||
The final paragraph covers the role of the QTYPE in the lookup
|
||||
process.
|
||||
|
||||
Based on implementation feedback and similarities between step
|
||||
'a' and step 'c' a change to this passage has been made.
|
||||
|
||||
The change is to add the following text to step 'c' prior to the
|
||||
instructions to "go to step 6":
|
||||
|
||||
If the data at the source of synthesis is a CNAME, and
|
||||
QTYPE doesn't match CNAME, copy the CNAME RR into the
|
||||
answer section of the response changing the owner name
|
||||
to the QNAME, change QNAME to the canonical name in the
|
||||
CNAME RR, and go back to step 1.
|
||||
|
||||
This is essentially the same text in step a covering the
|
||||
processing of CNAME RRSets.
|
||||
|
||||
4. Considerations with Special Types
|
||||
|
||||
Sections 2 and 3 of this document discuss wildcard synthesis
|
||||
with respect to names in the domain tree and ignore the impact
|
||||
of types. In this section, the implication of wildcards of
|
||||
specific types are discussed. The types covered are those
|
||||
that have proven to be the most difficult to understand. The
|
||||
types are SOA, NS, CNAME, DNAME, SRV, DS, NSEC, RRSIG and
|
||||
"none," i.e., empty non-terminal wild card domain names.
|
||||
|
||||
4.1 SOA RRSet at a Wild Card Domain Name
|
||||
|
||||
A wild card domain name owning an SOA RRSet means that the
|
||||
domain is at the root of the zone (apex). The domain can not
|
||||
be a source of synthesis because that is, by definition, a
|
||||
descendent node (of the closest encloser) and a zone apex is
|
||||
at the top of the zone.
|
||||
|
||||
Although a wild card domain name owning an SOA RRSet can never
|
||||
be a source of synthesis, there is no reason to forbid the
|
||||
ownership of an SOA RRSet.
|
||||
|
||||
E.g., given this zone:
|
||||
$ORIGIN *.example.
|
||||
@ 3600 IN SOA <SOA RDATA>
|
||||
3600 NS ns1.example.com.
|
||||
3600 NS ns1.example.net.
|
||||
www 3600 TXT "the www txt record"
|
||||
|
||||
A query for www.*.example.'s TXT record would still find the
|
||||
"the www txt record" answer. The reason is that the asterisk
|
||||
label only becomes significant when section's 4.3.2, step 3
|
||||
part 'c' in in effect.
|
||||
|
||||
Of course, there would need to be a delegation in the parent
|
||||
zone, "example." for this to work too. This is covered in the
|
||||
next section.
|
||||
|
||||
4.2 NS RRSet at a Wild Card Domain Name
|
||||
|
||||
With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now
|
||||
in place, the semantics of a wild card domain name owning an
|
||||
NS RRSet has come to be poorly defined. The dilemma relates to
|
||||
a conflict between the rules for synthesis in part 'c' and the
|
||||
fact that the resulting synthesis generates a record for which
|
||||
the zone is not authoritative. In a DNSSEC signed zone, the
|
||||
mechanics of signature management (generation and inclusion
|
||||
in a message) become unclear.
|
||||
|
||||
After some lengthy discussions, there has been no clear "best
|
||||
answer" on how to document the semantics of such a situation.
|
||||
Barring such records from the DNS would require definition of
|
||||
rules for that, as well as introducing a restriction on records
|
||||
that were once legal. Allowing such records and amending the
|
||||
process of signature management would entail complicating the
|
||||
DNSSEC definition.
|
||||
|
||||
There is one more ingredient to the discussion, that being the
|
||||
utility of a wild card domain name owned NS RRSet. Although
|
||||
there are cases of this use, it is an operational rarity.
|
||||
Expending effort to close this topic has proven to be an
|
||||
exercise in diminishing returns.
|
||||
|
||||
In summary, there is no definition given for wild card domain
|
||||
names owning an NS RRSet. The semantics are left undefined until
|
||||
there is a clear need to have a set defined, and until there is
|
||||
a clear direction to proceed. Operationally, inclusion of wild
|
||||
card NS RRSets in a zone is discouraged, but not barred.
|
||||
|
||||
4.2.1 Discarded Notions
|
||||
|
||||
Prior to DNSSEC, a wild card domain name owning a NS RRSet
|
||||
appeared to be workable, and there are some instances in which
|
||||
it is found in deployments using implementations that support
|
||||
this. Continuing to allow this in the specificaion is not
|
||||
tenable with DNSSEC. The reason is that the synthesis of the
|
||||
NS RRSet is being done in a zone that has delegated away the
|
||||
responsibility for the name. This "unauthorized" synthesis is
|
||||
not a problem for the base DNS protocol, but DNSSEC, in affirming
|
||||
the authorization model for DNS exposes the problem.
|
||||
|
||||
Outright banning of wildcards of type NS is also untenable as
|
||||
the DNS protocol does not define how to handle "illegal" data.
|
||||
Implementations may choose not to load a zone, but there is no
|
||||
protocol definition. The lack of the definition is complicated
|
||||
by having to cover dynamic update [RFC 2136], zone transfers,
|
||||
as well as loading at the master server. The case of a client
|
||||
(resolver, cacheing server) getting a wildcard of type NS in
|
||||
a reply would also have to be considered.
|
||||
|
||||
Given the daunting challenge of a complete definition of how to
|
||||
ban such records, dealing with existing implementations that
|
||||
permit the records today is a further complication. There are
|
||||
uses of wild card domain name owning NS RRSets.
|
||||
|
||||
One compromise proposed would have redefined wildcards of type
|
||||
NS to not be used in synthesis, this compromise fell apart
|
||||
because it would have required significant edits to the DNSSEC
|
||||
signing and validation work. (Again, DNSSEC catches
|
||||
unauthorized data.)
|
||||
|
||||
With no clear consensus forming on the solution to this dilemma,
|
||||
and the realization that wildcards of type NS are a rarity in
|
||||
operations, the best course of action is to leave this open-ended
|
||||
until "it matters."
|
||||
|
||||
4.3 CNAME RRSet at a Wild Card Domain Name
|
||||
|
||||
The issue of a CNAME RRSet owned by a wild card domain name has
|
||||
prompted a suggested change to the last paragraph of step 3c of
|
||||
the algorithm in 4.3.2. The changed text appears in section
|
||||
3.3.3 of this document.
|
||||
|
||||
4.4 DNAME RRSet at a Wild Card Domain Name
|
||||
|
||||
Ownership of a DNAME [RFC2672] RRSet by a wild card domain name
|
||||
represents a threat to the coherency of the DNS and is to be
|
||||
avoided or outright rejected. Such a DNAME RRSet represents
|
||||
non-deterministic synthesis of rules fed to different caches.
|
||||
As caches are fed the different rules (in an unpredictable
|
||||
manner) the caches will cease to be coherent. ("As caches
|
||||
are fed" refers to the storage in a cache of records obtained
|
||||
in responses by recursive or iterative servers.)
|
||||
|
||||
For example, assume one cache, responding to a recursive
|
||||
request, obtains the record:
|
||||
"a.b.example. DNAME foo.bar.example.net."
|
||||
and another cache obtains:
|
||||
"b.example. DNAME foo.bar.example.net."
|
||||
both generated from the record:
|
||||
"*.example. DNAME foo.bar.example.net."
|
||||
by an authoritative server.
|
||||
|
||||
The DNAME specification is not clear on whether DNAME records
|
||||
in a cache are used to rewrite queries. In some interpretations,
|
||||
the rewrite occurs, in some, it is not. Allowing for the
|
||||
occurrence of rewriting, queries for "sub.a.b.example. A" may
|
||||
be rewritten as "sub.foo.bar.tld. A" by the former caching
|
||||
server and may be rewritten as "sub.a.foo.bar.tld. A" by the
|
||||
latter. Coherency is lost, an operational nightmare ensues.
|
||||
|
||||
Another justification for banning or avoiding wildcard DNAME
|
||||
records is the observation that such a record could synthesize
|
||||
a DNAME owned by "sub.foo.bar.example." and "foo.bar.example."
|
||||
There is a restriction in the DNAME definition that no domain
|
||||
exist below a DNAME-owning domain, hence, the wildcard DNAME
|
||||
is not to be permitted.
|
||||
|
||||
4.5 SRV RRSet at a Wild Card Domain Name
|
||||
|
||||
The definition of the SRV RRset is RFC 2782 [RFC2782]. In the
|
||||
definition of the record, there is some confusion over the term
|
||||
"Name." The definition reads as follows:
|
||||
|
||||
# The format of the SRV RR
|
||||
...
|
||||
# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
|
||||
...
|
||||
# Name
|
||||
# The domain this RR refers to. The SRV RR is unique in that the
|
||||
# name one searches for is not this name; the example near the end
|
||||
# shows this clearly.
|
||||
|
||||
Do not confuse the definition "Name" with the owner name. I.e.,
|
||||
once removing the _Service and _Proto labels from the owner name
|
||||
of the SRV RRSet, what remains could be a wild card domain name
|
||||
but this is immaterial to the SRV RRSet.
|
||||
|
||||
E.g., If an SRV record is:
|
||||
_foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
|
||||
|
||||
*.example is a wild card domain name and although it it the Name
|
||||
of the SRV RR, it is not the owner (domain name). The owner
|
||||
domain name is "_foo._udp.*.example." which is not a wild card
|
||||
domain name.
|
||||
|
||||
The confusion is likely based on the mixture of the specification
|
||||
of the SRV RR and the description of a "use case."
|
||||
|
||||
4.6 DS RRSet at a Wild Card Domain Name
|
||||
|
||||
A DS RRSet owned by a wild card domain name is meaningless and
|
||||
harmless. This statement is made in the context that an NS RRSet
|
||||
at a wild card domain name is undefined. At a non-delegation
|
||||
point, a DS RRSet has no value (no corresponding DNSKEY RRSet
|
||||
will be used in DNSSEC validation). If there is a synthesized
|
||||
DS RRSet, it alone will not be very useful as it exists in the
|
||||
context of a delegation point.
|
||||
|
||||
4.7 NSEC RRSet at a Wild Card Domain Name
|
||||
|
||||
Wild card domain names in DNSSEC signed zones will have an NSEC
|
||||
RRSet. Synthesis of these records will only occur when the
|
||||
query exactly matches the record. Synthesized NSEC RR's will not
|
||||
be harmful as they will never be used in negative caching or to
|
||||
generate a negative response.
|
||||
|
||||
4.8 RRSIG at a Wild Card Domain Name
|
||||
|
||||
RRSIG records will be present at a wild card domain name in a
|
||||
signed zone, and will be synthesized along with data sought in a
|
||||
query. The fact that the owner name is synthesized is not a
|
||||
problem as the label count in the RRSIG will instruct the
|
||||
verifying code to ignore it.
|
||||
|
||||
4.9 Empty Non-terminal Wild Card Domain Name
|
||||
|
||||
If a source of synthesis is an empty non-terminal, then the
|
||||
response will be one of no error in the return code and no RRSet
|
||||
in the answer section.
|
||||
|
||||
5. Security Considerations
|
||||
|
||||
This document is refining the specifications to make it more
|
||||
likely that security can be added to DNS. No functional
|
||||
additions are being made, just refining what is considered
|
||||
proper to allow the DNS, security of the DNS, and extending
|
||||
the DNS to be more predictable.
|
||||
|
||||
6. IANA Considerations
|
||||
|
||||
None.
|
||||
|
||||
7. References
|
||||
|
||||
Normative References
|
||||
|
||||
[RFC20] ASCII Format for Network Interchange, V.G. Cerf,
|
||||
Oct-16-1969
|
||||
|
||||
[RFC1034] Domain Names - Concepts and Facilities,
|
||||
P.V. Mockapetris, Nov-01-1987
|
||||
|
||||
[RFC1035] Domain Names - Implementation and Specification, P.V
|
||||
Mockapetris, Nov-01-1987
|
||||
|
||||
[RFC1995] Incremental Zone Transfer in DNS, M. Ohta, August 1996
|
||||
|
||||
[RFC2119] Key Words for Use in RFCs to Indicate Requirement
|
||||
Levels, S Bradner, March 1997
|
||||
|
||||
[RFC2181] Clarifications to the DNS Specification, R. Elz and
|
||||
R. Bush, July 1997
|
||||
|
||||
[RFC2308] Negative Caching of DNS Queries (DNS NCACHE),
|
||||
M. Andrews, March 1998
|
||||
|
||||
[RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
|
||||
August 1999.
|
||||
|
||||
[RFC2782] A DNS RR for specifying the location of services (DNS
|
||||
SRV), A. Gulbrandsen, et.al., February 2000
|
||||
|
||||
[RFC4033] DNS Security Introduction and Requirements, R. Arends,
|
||||
et.al., March 2005
|
||||
|
||||
[RFC4034] Resource Records for the DNS Security Extensions,
|
||||
R. Arends, et.al., March 2005
|
||||
|
||||
[RFC4035] Protocol Modifications for the DNS Security Extensions,
|
||||
R. Arends, et.al., March 2005
|
||||
|
||||
[RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
|
||||
August 1999
|
||||
|
||||
Informative References
|
||||
|
||||
[RFC2136] Dynamic Updates in the Domain Name System (DNS UPDATE),
|
||||
P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
|
||||
April 1997
|
||||
|
||||
8. Editor
|
||||
|
||||
Name: Edward Lewis
|
||||
Affiliation: NeuStar
|
||||
Address: 46000 Center Oak Plaza, Sterling, VA, 20166, US
|
||||
Phone: +1-571-434-5468
|
||||
Email: ed.lewis@neustar.biz
|
||||
|
||||
Comments on this document can be sent to the editor or the mailing
|
||||
list for the DNSEXT WG, namedroppers@ops.ietf.org.
|
||||
|
||||
9. Others Contributing to the Document
|
||||
|
||||
This document represents the work of a large working group. The
|
||||
editor merely recorded the collective wisdom of the working group.
|
||||
|
||||
10. Trailing Boilerplate
|
||||
|
||||
Copyright (C) The Internet Society (2005).
|
||||
|
||||
This document is subject to the rights, licenses and restrictions
|
||||
contained in BCP 78, and except as set forth therein, the authors
|
||||
retain all their rights.
|
||||
|
||||
This document and the information contained herein are provided
|
||||
on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION
|
||||
HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET
|
||||
SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
|
||||
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
|
||||
ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
|
||||
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
Intellectual Property
|
||||
|
||||
The IETF takes no position regarding the validity or scope of
|
||||
any Intellectual Property Rights or other rights that might
|
||||
be claimed to pertain to the implementation or use of the
|
||||
technology described in this document or the extent to which
|
||||
any license under such rights might or might not be available;
|
||||
nor does it represent that it has made any independent effort
|
||||
to identify any such rights. Information on the procedures
|
||||
with respect to rights in RFC documents can be found in BCP 78
|
||||
and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the
|
||||
use of such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR
|
||||
repository at http://www.ietf.org/ipr. The IETF invites any
|
||||
interested party to bring to its attention any copyrights,
|
||||
patents or patent applications, or other proprietary rights
|
||||
that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
Acknowledgement
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
Expiration
|
||||
|
||||
This document expires on or about January 6, 2006.
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,616 +0,0 @@
|
||||
|
||||
|
||||
Network Working Group S. Woolf
|
||||
Internet-Draft Internet Systems Consortium, Inc.
|
||||
Expires: September 14, 2005 D. Conrad
|
||||
Nominum, Inc.
|
||||
March 13, 2005
|
||||
|
||||
|
||||
Identifying an Authoritative Name Server
|
||||
draft-ietf-dnsop-serverid-04
|
||||
|
||||
Status of this Memo
|
||||
|
||||
This document is an Internet-Draft and is subject to all provisions
|
||||
of Section 3 of RFC 3667. By submitting this Internet-Draft, each
|
||||
author represents that any applicable patent or other IPR claims of
|
||||
which he or she is aware have been or will be disclosed, and any of
|
||||
which he or she become aware will be disclosed, in accordance with
|
||||
RFC 3668.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as
|
||||
Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on September 14, 2005.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2005).
|
||||
|
||||
Abstract
|
||||
|
||||
With the increased use of DNS anycast, load balancing, and other
|
||||
mechanisms allowing more than one DNS name server to share a single
|
||||
IP address, it is sometimes difficult to tell which of a pool of name
|
||||
servers has answered a particular query. A standardized mechanism to
|
||||
determine the identity of a name server responding to a particular
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 1]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
query would be useful, particularly as a diagnostic aid. Existing ad
|
||||
hoc mechanisms for addressing this concern are not adequate. This
|
||||
document attempts to describe the common ad hoc solution to this
|
||||
problem, including its advantages and disadvantages, and to
|
||||
characterize an improved mechanism.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 2]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
With the increased use of DNS anycast, load balancing, and other
|
||||
mechanisms allowing more than one DNS name server to share a single
|
||||
IP address, it is sometimes difficult to tell which of a pool of name
|
||||
servers has answered a particular query. A standardized mechanism to
|
||||
determine the identity of a name server responding to a particular
|
||||
query would be useful, particularly as a diagnostic aid.
|
||||
|
||||
Unfortunately, existing ad-hoc mechanisms for providing such
|
||||
identification have some shortcomings, not the least of which is the
|
||||
lack of prior analysis of exactly how such a mechanism should be
|
||||
designed and deployed. This document describes the existing
|
||||
convention used in one widely deployed implementation of the DNS
|
||||
protocol and discusses requirements for an improved solution to the
|
||||
problem.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 3]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
2. Rationale
|
||||
|
||||
Identifying which name server is responding to queries is often
|
||||
useful, particularly in attempting to diagnose name server
|
||||
difficulties. However, relying on the IP address of the name server
|
||||
has become more problematic due the deployment of various load
|
||||
balancing solutions, including the use of shared unicast addresses as
|
||||
documented in [RFC3258].
|
||||
|
||||
An unfortunate side effect of these load balancing solutions, and
|
||||
some changes in management practices as the public Internet has
|
||||
evolved, is that traditional methods of determining which server is
|
||||
responding can be unreliable. Specifically, non-DNS methods such as
|
||||
ICMP ping, TCP connections, or non-DNS UDP packets (such as those
|
||||
generated by tools such as "traceroute"), etc., can end up going to a
|
||||
different server than that which receives the DNS queries.
|
||||
|
||||
There is a well-known and frequently-used technique for determining
|
||||
an identity for a nameserver more specific than the
|
||||
possibly-non-unique "server that answered my query". The widespread
|
||||
use of the existing convention suggests a need for a documented,
|
||||
interoperable means of querying the identity of a nameserver that may
|
||||
be part of an anycast or load-balancing cluster. At the same time,
|
||||
however, it also has some drawbacks that argue against standardizing
|
||||
it as it's been practiced so far.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 4]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
3. Existing Conventions
|
||||
|
||||
Recent versions of the commonly deployed Berkeley Internet Name
|
||||
Domain implementation of the DNS protocol suite from the Internet
|
||||
Software Consortium [BIND] support a way of identifying a particular
|
||||
server via the use of a standard, if somewhat unusual, DNS query.
|
||||
Specifically, a query to a late model BIND server for a TXT resource
|
||||
record in class 3 (CHAOS) for the domain name "HOSTNAME.BIND." will
|
||||
return a string that can be configured by the name server
|
||||
administrator to provide a unique identifier for the responding
|
||||
server (defaulting to the value of a gethostname() call). This
|
||||
mechanism, which is an extension of the BIND convention of using
|
||||
CHAOS class TXT RR queries to sub-domains of the "BIND." domain for
|
||||
version information, has been copied by several name server vendors.
|
||||
|
||||
For reference, the other well-known name used by recent versions of
|
||||
BIND within the CHAOS class "BIND." domain is "VERSION.BIND." A
|
||||
query for a TXT RR for this name will return an administratively
|
||||
defined string which defaults to the version of the server
|
||||
responding. This is, however, not generally implemented by other
|
||||
vendors.
|
||||
|
||||
3.1 Advantages
|
||||
|
||||
There are several valuable attributes to this mechanism, which
|
||||
account for its usefulness.
|
||||
1. The "hostname.bind" query response mechanism is within the DNS
|
||||
protocol itself. An identification mechanism that relies on the
|
||||
DNS protocol is more likely to be successful (although not
|
||||
guaranteed) in going to the same machine as a "normal" DNS query.
|
||||
2. Since the identity information is requested and returned within
|
||||
the DNS protocol, it doesn't require allowing any other query
|
||||
mechanism to the server, such as holes in firewalls for
|
||||
otherwise-unallowed ICMP Echo requests. Thus it does not require
|
||||
any special exceptions to site security policy.
|
||||
3. It is simple to configure. An administrator can easily turn on
|
||||
this feature and control the results of the relevant query.
|
||||
4. It allows the administrator complete control of what information
|
||||
is given out in the response, minimizing passive leakage of
|
||||
implementation or configuration details. Such details are often
|
||||
considered sensitive by infrastructure operators.
|
||||
|
||||
3.2 Disadvantages
|
||||
|
||||
At the same time, there are some forbidding drawbacks to the
|
||||
VERSION.BIND mechanism that argue against standardizing it as it
|
||||
currently operates.
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 5]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
1. It requires an additional query to correlate between the answer
|
||||
to a DNS query under normal conditions and the supposed identity
|
||||
of the server receiving the query. There are a number of
|
||||
situations in which this simply isn't reliable.
|
||||
2. It reserves an entire class in the DNS (CHAOS) for what amounts
|
||||
to one zone. While CHAOS class is defined in [RFC1034] and
|
||||
[RFC1035], it's not clear that supporting it solely for this
|
||||
purpose is a good use of the namespace or of implementation
|
||||
effort.
|
||||
3. It is implementation specific. BIND is one DNS implementation.
|
||||
At the time of this writing, it is probably the most prevalent
|
||||
for authoritative servers. This does not justify standardizing
|
||||
on its ad hoc solution to a problem shared across many operators
|
||||
and implementors.
|
||||
|
||||
The first of the listed disadvantages is technically the most
|
||||
serious. It argues for an attempt to design a good answer to the
|
||||
problem that "I need to know what nameserver is answering my
|
||||
queries", not simply a convenient one.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 6]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
4. Characteristics of an Implementation Neutral Convention
|
||||
|
||||
The discussion above of advantages and disadvantages to the
|
||||
HOSTNAME.BIND mechanism suggest some requirements for a better
|
||||
solution to the server identification problem. These are summarized
|
||||
here as guidelines for any effort to provide appropriate protocol
|
||||
extensions:
|
||||
1. The mechanism adopted MUST be in-band for the DNS protocol. That
|
||||
is, it needs to allow the query for the server's identifying
|
||||
information to be part of a normal, operational query. It SHOULD
|
||||
also permit a separate, dedicated query for the server's
|
||||
identifying information.
|
||||
2. The new mechanism SHOULD not require dedicated namespaces or
|
||||
other reserved values outside of the existing protocol mechanisms
|
||||
for these, i.e. the OPT pseudo-RR. In particular, it should not
|
||||
propagate the existing drawback of requiring support for a CLASS
|
||||
and top level domain in the authoritative server (or the querying
|
||||
tool) to be useful.
|
||||
3. Support for the identification functionality SHOULD be easy to
|
||||
implement and easy to enable. It MUST be easy to disable and
|
||||
SHOULD lend itself to access controls on who can query for it.
|
||||
4. It should be possible to return a unique identifier for a server
|
||||
without requiring the exposure of information that may be
|
||||
non-public and considered sensitive by the operator, such as a
|
||||
hostname or unicast IP address maintained for administrative
|
||||
purposes.
|
||||
5. The identification mechanism SHOULD NOT be
|
||||
implementation-specific.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 7]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
5. IANA Considerations
|
||||
|
||||
This document proposes no specific IANA action. Protocol extensions,
|
||||
if any, to meet the requirements described are out of scope for this
|
||||
document. Should such extensions be specified and adopted by normal
|
||||
IETF process, the specification will include appropriate guidance to
|
||||
IANA.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 8]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
Providing identifying information as to which server is responding to
|
||||
a particular query from a particular location in the Internet can be
|
||||
seen as information leakage and thus a security risk. This motivates
|
||||
the suggestion above that a new mechanism for server identification
|
||||
allow the administrator to disable the functionality altogether or
|
||||
partially restrict availability of the data. It also suggests that
|
||||
the serverid data should not be readily correlated with a hostname or
|
||||
unicast IP address that may be considered private to the nameserver
|
||||
operator's management infrastructure.
|
||||
|
||||
Propagation of protocol or service meta-data can sometimes expose the
|
||||
application to denial of service or other attack. As DNS is a
|
||||
critically important infrastructure service for the production
|
||||
Internet, extra care needs to be taken against this risk for
|
||||
designers, implementors, and operators of a new mechanism for server
|
||||
identification.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 9]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
7. Acknowledgements
|
||||
|
||||
The technique for host identification documented here was initially
|
||||
implemented by Paul Vixie of the Internet Software Consortium in the
|
||||
Berkeley Internet Name Daemon package. Comments and questions on
|
||||
earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
|
||||
Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
|
||||
ICANN Root Server System Advisory Committee. The newest version
|
||||
takes a significantly different direction from previous versions,
|
||||
owing to discussion among contributors to the DNSOP working group and
|
||||
others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
|
||||
Weiler, and Rob Austein.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 10]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name Server March 2005
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the procedures with respect to rights in RFC documents can be
|
||||
found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2005). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires September 14, 2005 [Page 11]
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user