📄 draft-ietf-dnsext-wcard-clarify-02.txt
字号:
Halley & Lewis [Expires March 2004] [Page 6]
Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003 Quotations of RFC 1034 (as has already been done once above) are denoted by a '#' in the leftmost column.2. Defining the Wild Card Domain Name A wild card domain name is defined by having the initial label be: 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal) This defines domain names that may play a role in being a wild card, that is, being a source for synthesized answers. Domain names conforming to this definition that appear in queries and RDATA sections do not have any special role. These cases will be described in more detail in following sections. R2.1 A domain name that is to be interpreted as a wild card MUST begin with a label of '0000 0001 0010 1010' in binary. The first octet is the normal label type and length for a 1 octet long label, the second octet is the ASCII representation [RFC 20] for the '*' character. In RFC 1034, ASCII encoding is assumed to be the character encoding. In the master file formats used in RFCs, a "*" is a legal representation for the wild card label. Even if the "*" is escaped, it is still interpreted as the wild card when it is the only character in the label. R2.2 A server MUST treat a wild card domain name as the basis of synthesized answers regardless of any "escape" sequences in the input format. RFC 1034 and RFC 1035 ignore the case in which a domain name might be "the*.example.com." The interpretation is that this domain name in a zone would only match queries for "the*.example.com" and not have any other role. Note: By virtue of this definition, a wild card domain name may have a subdomain. The subdomain (or sub-subdomain) itself may also be a wild card. E.g., *.*.example. is a wild card, so is *.sub.*.example. More discussion on this is given in Appendix A.Halley & Lewis [Expires March 2004] [Page 7]
Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 20033. Defining Existence As described in the Introduction, a precise definition of existence is needed. R3.1 An authoritative server MUST treat a domain name as existing during the execution of the algorithms in RFC 1034 when the domain name conforms to the following definition. A domain name is defined to exist if the domain name owns data and/or has a subdomain that exists. Note that at a zone boundary, the domain name owns data, including the NS RR set. At the delegating server, the NS RR set is not authoritative, but that is of no consequence here. The domain name owns data, therefore, it exists. R3.2 An authoritative server MUST treat a domain name that has neither a resource record set nor an existing subdomain as non- existent when executing the algorithm in section 4.3.2. of RFC 1034. A note on terminology. A domain transcends zones, i.e., all DNS data is in the root domain but segmented into zones of control. In this document, there are references to a "domain name" in the context of existing "in a zone." In this usage, a domain name is the root of a domain, not the entire domain. The domain's root point is said to "exist in a zone" if the zone is authoritative for the name. RR sets existing in a domain need not be owned by the domain's root domain name, but are owned by other domain names in the domain.4. Impact of a Wild Card In a Query or in RDATA When a wild card domain name appears in a question, e.g., the query name is "*.example.", the response in no way differs from any other query. In other words, the wild card label in a QNAME has no special meaning, and query processing will proceed using '*' as a literal query name. R4.1 A wild card domain name acting as a QNAME MUST be treated as any other QNAME, there MUST be no special processing accorded it. If a wild card domain name appears in the RDATA of a CNAME RR or any other RR that has a domain name in it, the same rule applies. In the instance of a CNAME RR, the wild card domain name is used in the same manner of as being the original QNAME. For other RR's, rules vary regarding what is done with the domain name(s) appearing in them, in no case does the wild card hold special meaning.Halley & Lewis [Expires March 2004] [Page 8]
Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003 R4.2 A wild card domain name appearing in any RR's RDATA MUST be treated as any other domain name in that situation, there MUST be no special processing accorded it.5. Impact of a Wild Card Domain On a Response The description of how wild cards impact response generation is in RFC 1034, section 4.3.2. That passage contains the algorithm followed by a server in constructing a response. Within that algorithm, step 3, part 'c' defines the behavior of the wild card. The algorithm is directly quoted in lines that begin with a '#' sign. Commentary is interleaved. There is a documentation issue deserving some explanation. The algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo code, i.e., it's steps are not intended to be followed in strict order. The "algorithm" is a suggestion. As such, in step 3, parts a, b, and c, do not have to be implemented in that order. Another issue needing explanation is that RFC 1034 is a full standard. There is another RFC, RFC 2672, which makes, or proposes an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME RR. RFC 2672 is a proposed standard. The dilemma in writing these clarifications is knowing which document is the one being clarified. Fortunately, the difference between RFC 1034 and RFC 2672 is not significant with respect to wild card synthesis, so this document will continue to state that it is clarifying RFC 1034. If RFC 2672 progresses along the standards track, it will need to refer to modifying RFC 1034's algorithm as amended here. The context of part 'c' is that the search is progressing label by label through the QNAME. (Note that the data being searched is the authoritative data in the server, the cache is searched in step 4.) Step 3's part 'a' covers the case that the QNAME has been matched in full, regardless of the presence of a CNAME RR. Step 'b' covers crossing a cut point, resulting in a referral. All that is left is to look for the wild card. Step 3 of the algorithm also assumes that the search is looking in the zone closest to the answer, i.e., in the same class as QCLASS and as close to the authority as possible on this server. If the zone is not the authority, then a referral is given, possibly one indicating lameness.Halley & Lewis [Expires March 2004] [Page 9]
Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003# c. If at some label, a match is impossible (i.e., the# corresponding label does not exist), look to see if a# the "*" label exists. The above paragraph refers to finding the domain name that exists in the zone and that most encloses the QNAME. Such a domain name will mark the boundary of candidate wild card domain names that might be used to synthesize an answer. (Remember that at this point, if the most enclosing name is the same as the QNAME, part 'a' would have recorded an exact match.) The existence of the enclosing name means that no wild card name higher in the tree is a candidate to answer the query. Once the closest enclosing node is identified, there's the matter of what exists below it. It may have subdomains, but none will be closer to the QNAME. One of the subdomains just might be a wild card. If it exists, this is the only wild card eligible to be used to synthesize an answer for the query. Even if the closest enclosing node conforms to the syntax rule in section 2 for being a wild card domain name, the closest enclosing node is not eligible to be a source of a synthesized answer. The only wild card domain name that is a candidate to synthesize an answer will be the "*" subdomain of the closest enclosing domain name. Three possibilities can happen. The "*" subdomain does not exist, the "*" subdomain does but does not have an RR set of the same type as the QTYPE, or it exists and has the desired RR set. For the sake of brevity, the closest enclosing node can be referred to as the "closest encloser." The closest encloser is the most important concept in this clarification. Describing the closest encloser is a bit tricky, but it is an easy concept. To find the closest encloser, you have to first locate the zone that is the authority for the query name. This eliminates the need to be concerned that the closest encloser is a cut point. In addition, we can assume too that the query name does not exist, hence the closest encloser is not equal to the query name. We can assume away these two cases because they are handled in steps 2, 3a and 3b of section 4.3.2.'s algorithm. What is left is to identify the existing domain name that would have been up the tree (closer to the root) from the query name. Knowing that an exact match is impossible, if there is a "*" label descending from the unique closest encloser, this is the one and only wild card from which an answer can be synthesized for the query.Halley & Lewis [Expires March 2004] [Page 10]
Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003 To illustrate, using the example in section 1.2 of this document, the following chart shows QNAMEs and the closest enclosers. In Appendix A there is another chart showing unusual cases. QNAME Closest Encloser Wild Card Source host3.example. example. *.example. _telnet._tcp.host1.example. _tcp.host1.example. no wild card _telnet._tcp.host2.example. host2.example. no wild card _telnet._tcp.host3.example. example. *.example. _chat._udp.host3.example. example. *.example. Note that host1.subdel.example. is in a subzone, so the search for it ends in a referral in part 'b', thus does not enter into finding a closest encloser. The fact that a closest encloser will be the only superdomain that can have a candidate wild card will have an impact when it comes to designing authenticated denial of existence proofs.# If the "*" label does not exist, check whether the name# we are looking for is the original QNAME in the query# or a name we have followed due to a CNAME. If the name# is original, set an authoritative name error in the# response and exit. Otherwise just exit. The above passage says that if there is not even a wild card domain name to match at this point (failing to find an explicit answer elsewhere), we are to return an authoritative name error at this point. If we were following a CNAME, the specification is unclear, but seems to imply that a no error return code is appropriate, with just the CNAME RR (or sequence of CNAME RRs) in the answer section.# If the "*" label does exist, match RRs at that node# against QTYPE. If any match, copy them into the answer# section, but set the owner of the RR to be QNAME, and# not the node with the "*" label. Go to step 6. This final paragraph covers the role of the QTYPE in the process. Note that if no resource record set matches the QTYPE the result is that no data is copied, but the search still ceases ("Go to step 6."). In the following section, a suggested change is made to this, under the heading "CNAME RRs at a Wild Card Domain Name."Halley & Lewis [Expires March 2004] [Page 11]
Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 20036. Considerations with Special Types For the purposes of this section, "special" means that a record induces processing at the server beyond simple lookup. The special types in this section are SOA, NS, CNAME, and DNAME. SOA is special because it is used as a zone marker and has an impact on step 2 of the algorithm in 4.3.2. NS denotes a cut point and has an impact on step 3b. CNAME redirects the query and is mentioned in steps 3a and 3b. DNAME is a "CNAME generator."6.1. SOA RR's at a Wild Card Domain Name If the owner of an SOA record conforms to the basic rules of owning an SOA RR (meaning it is the apex of a zone) the impact on the search algorithm is not in section 3c (where records are synthesized) as would be expected. The impact is really in step 2 of the algorithm, the choice of zone. We are no longer talking about whether or not an SOA RR can be synthesized in a response because we are shifting attention to step 2. We are now talking about what it means for a name server to synthesize a zone for a response. To date, no implementation has done this. Thinking ahead though, anyone choosing to pursue this would have to be aware that a server would have to be able to distinguish between queries for data it will have to synthesize and queries that ought to be treated as if they were prompted by a lame delegation. It is not a protocol error to have an SOA RR owned by a wild card domain name, just as it is not an error to have zone name be syntactically equivalent to a domain name. However, this situation requires careful consideration of how a server chooses the appropriate zone for an answer. And an SOA RR is not able to be synthesized as in step 3c.6.2. NS RR's at a Wild Card Domain Name Complimentary to the issue of an SOA RR owned by a wild card domain name is the issue of NS RR's owned by a wild card domain name. In this instance, each machine being referred to in the RDATA of the NS RR has to be able to understand the impact of this on step 2, the choosing of the authoritative zone. Referring to the same machine in such a NS RR will probably not work well. This is because the server may become confused as to whether the query name ought to be answered by the zone owning the NS RR in question or a synthesized zone. (It isn't known in advance that the query name will invoke the wild card synthesis.)Halley & Lewis [Expires March 2004] [Page 12]⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -