draft-ietf-dnsop-attrleaf-11.txt   draft-ietf-dnsop-attrleaf-12.txt 
dnsop D. Crocker dnsop D. Crocker
Internet-Draft Brandenburg InternetWorking Internet-Draft Brandenburg InternetWorking
Intended status: Best Current Practice July 15, 2018 Intended status: Best Current Practice July 21, 2018
Expires: January 16, 2019 Expires: January 22, 2019
DNS Scoped Data Through 'underscore' Naming of Attribute Leaves DNS Scoped Data Through "Underscore" Naming of Attribute Leaves
draft-ietf-dnsop-attrleaf-11 draft-ietf-dnsop-attrleaf-12
Abstract Abstract
Formally, any DNS resource record may occur under any domain name. Formally, any DNS resource record may occur under any domain name.
However some services have defined an operational convention, which However some services have defined an operational convention, which
applies to DNS leaf nodes that are under a DNS branch having one or applies to DNS leaf nodes that are under a DNS branch having one or
more reserved node names, each beginning with an _underscore. The more reserved node names, each beginning with an _underscore. The
underscored naming construct defines a semantic scope for DNS record underscored naming construct defines a semantic scope for DNS record
types that are associated with the parent domain, above the types that are associated with the parent domain, above the
underscored branch. This specification explores the nature of this underscored branch. This specification explores the nature of this
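Review bot: The Abstract writes the character into the word as "_underscore" ("each beginning with an _underscore"), and Section 1.3 does the same, while Section 1.1 spells it out as an underscore ("_"); since this revision already normalizes quoting in the title and headings, the same pass should settle on the Section 1.1 form so the leading "_" in "_underscore" is not read as a typo.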
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 16, 2019. This Internet-Draft will expire on January 22, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 16 skipping to change at page 2, line 16
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Underscore Scoping . . . . . . . . . . . . . . . . . . . 3 1.1. Underscore Scoping . . . . . . . . . . . . . . . . . . . 3
1.2. Scaling Benefits . . . . . . . . . . . . . . . . . . . . 4 1.2. Scaling Benefits . . . . . . . . . . . . . . . . . . . . 4
1.3. 'Global' Underscored Node Names . . . . . . . . . . . . . 4 1.3. "Global" Underscored Node Names . . . . . . . . . . . . . 4
2. DNS Underscore Scoped Entry Registries Function . . . . . . . 4 1.4. Interaction with DNS wildcards . . . . . . . . . . . . . 5
2. DNS Underscore Scoped Entry Registries Function . . . . . . . 5
3. RRset Use Registration Template . . . . . . . . . . . . . . . 6 3. RRset Use Registration Template . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
4.1. DNS Underscore Global Scoped Entry Registry . . . . . . . 7 4.1. DNS Underscore Global Scoped Entry Registry . . . . . . . 7
4.2. DNS Underscore Global Scoped Entry Registry Definition . 7 4.2. DNS Underscore Global Scoped Entry Registry Definition . 7
4.3. Initial entries . . . . . . . . . . . . . . . . . . . . . 8 4.3. Initial entries . . . . . . . . . . . . . . . . . . . . . 8
5. Guidance for Expert Review . . . . . . . . . . . . . . . . . 10 5. Guidance for Expert Review . . . . . . . . . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6.1. Interaction with DNS wildcards . . . . . . . . . . . . . 10 6.1. Interaction with DNS wildcards . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . 11
7.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12
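Review bot: The updated Table of Contents now lists "Interaction with DNS wildcards" twice, as the new Section 1.4 and as the retained Section 6.1, and the two section bodies are identical text; keep one copy (the Introduction placement suits a behavioural caveat, and Section 6 can then refer to Section 1.4) so the two do not drift apart under later edits.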
skipping to change at page 3, line 20 skipping to change at page 3, line 20
static property, not one dependent on the nature of the query. It is static property, not one dependent on the nature of the query. It is
an artifact of the DNS name. That scope is a leaf node, within which an artifact of the DNS name. That scope is a leaf node, within which
the uses of specific resource record sets can be formally defined and the uses of specific resource record sets can be formally defined and
constrained. The leaf occurs in a branch having a distinguished constrained. The leaf occurs in a branch having a distinguished
naming convention: At the top of the branch -- beneath the parent naming convention: At the top of the branch -- beneath the parent
domain name to which the scope applies -- one or more reserved DNS domain name to which the scope applies -- one or more reserved DNS
node names begin with an underscore ("_"). Because the DNS rules for node names begin with an underscore ("_"). Because the DNS rules for
a "host" (host name) do not allow use of the underscore character, a "host" (host name) do not allow use of the underscore character,
this distinguishes the underscored name from all legal host names this distinguishes the underscored name from all legal host names
[RFC952]. Effectively, this convention for leaf node naming creates [RFC952]. Effectively, this convention for leaf node naming creates
a space for the listing of 'attributes' -- in the form of resource a space for the listing of "attributes" -- in the form of resource
record types -- that are associated with the parent domain, above the record types -- that are associated with the parent domain, above the
underscored sub-branch. underscored sub-branch.
The scoping feature is particularly useful when generalized resource The scoping feature is particularly useful when generalized resource
record types are used -- notably "TXT", "SRV", and "URI" [RFC1035], record types are used -- notably "TXT", "SRV", and "URI" [RFC1035],
[RFC2782], [RFC6335], [RFC7553]. It provides efficient separation of [RFC2782], [RFC6335], [RFC7553]. It provides efficient separation of
one use of them from others. Absent this separation, an one use of them from others. Absent this separation, an
undifferentiated mass of these "RRsets" is returned to the DNS undifferentiated mass of these "RRsets" is returned to the DNS
client, which then must parse through the internals of the records in client, which then must parse through the internals of the records in
the hope of finding ones that are relevant. Worse, in some cases the the hope of finding ones that are relevant. Worse, in some cases the
skipping to change at page 3, line 48 skipping to change at page 3, line 48
This specification formally defines how underscored labels are used This specification formally defines how underscored labels are used
as "attribute" enhancements for their parent domain names. For as "attribute" enhancements for their parent domain names. For
example, domain name "_domainkey.example." acts as an attribute of example, domain name "_domainkey.example." acts as an attribute of
the parent domain name "example." To avoid collisions resulting from the parent domain name "example." To avoid collisions resulting from
the use of the same underscore-based labels for different the use of the same underscore-based labels for different
applications using the same resource record type, this document applications using the same resource record type, this document
establishes the DNS Underscore Global Scoped Entry IANA Registry. establishes the DNS Underscore Global Scoped Entry IANA Registry.
Use of such node names, which begin with underscore, are reserved Use of such node names, which begin with underscore, are reserved
when they are the underscored name closest to the DNS root; they are when they are the underscored name closest to the DNS root; they are
considered 'global'. Underscore-based names that are farther down considered "global". Underscore-based names that are farther down
the hierarchy are handled within the scope of the global underscore the hierarchy are handled within the scope of the global underscore
name. name.
Discussion Venue: Discussion about this draft should be directed Discussion Venue: Discussion about this draft should be directed
to the dnsop@ietf.org [1] mailing list. to the dnsop@ietf.org [1] mailing list.
NOTE TO RFC EDITOR: Please remove "Discussion Venue" paragraph NOTE TO RFC EDITOR: Please remove "Discussion Venue" paragraph
prior to publication. prior to publication.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
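Review bot: The new RFC 2119 key-words paragraph is placed after the "NOTE TO RFC EDITOR: Please remove "Discussion Venue" paragraph" block, so once that block is removed the key words sit at the tail of the scoping discussion with nothing introducing them; move it ahead of the Discussion Venue paragraph or give it its own subsection, as the capitalized MUST and MAY it governs first appear in Section 2. Unchanged in this revision but worth fixing in the same pass: "Use of such node names, which begin with underscore, are reserved" needs "is reserved" to agree with its subject "Use".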
1.2. Scaling Benefits 1.2. Scaling Benefits
Some resource record types are used in a fashion that can create Some resource record types are used in a fashion that can create
scaling problems, if an entire RRset associated with a domain name is scaling problems, if an entire RRset associated with a domain name is
aggregated in the leaf node for that name. An increasingly-popular aggregated in the leaf node for that name. An increasingly-popular
approach, with excellent scaling properties, places the RRset under a approach, with excellent scaling properties, places the RRset under a
specially named branch, which is in turn under the node name that specially named branch, which is in turn under the node name that
would otherwise contain the RRset. The rules for naming that branch would otherwise contain the RRset. The rules for naming that branch
define the context for interpreting the RRset. That is, rather than: define the context for interpreting the RRset. That is, rather than:
skipping to change at page 4, line 34 skipping to change at page 4, line 38
the arrangement is: the arrangement is:
_branch.domain-name.example _branch.domain-name.example
/ /
RRset RRset
A direct lookup to the subordinate leaf node produces only the A direct lookup to the subordinate leaf node produces only the
desired record types, at no greater cost than a typical DNS lookup. desired record types, at no greater cost than a typical DNS lookup.
1.3. 'Global' Underscored Node Names 1.3. "Global" Underscored Node Names
As defined in [RFC1034] the DNS uses names organized in a tree- As defined in [RFC1034] the DNS uses names organized in a tree-
structured, or hierarchical fashion. A domain name might have structured, or hierarchical fashion. A domain name might have
multiple node names that begin with an _underscore. A 'global' multiple node names that begin with an _underscore. A "global"
underscored node name is the one that is closest to the root of the underscored node name is the one that is closest to the root of the
DNS hierarchy, also called the highest-level or top-most. In the DNS hierarchy, also called the highest-level or top-most. In the
presentation convention described in Section 3.1 or [RFC1034] this is presentation convention described in Section 3.1 of [RFC1034] this is
the right-most name beginning with an underscore. In other the right-most name beginning with an underscore. In other
presentation environments it might be positioned differently. To presentation environments it might be positioned differently. To
avoid concern for the presentation variations, the qualifier 'global' avoid concern for the presentation variations, the qualifier "global"
is used here. is used here.
1.4. Interaction with DNS wildcards
DNS wildcards interact poorly with underscored names in two ways.
Since wildcards only are interpreted as leaf names, one cannot create
the equivalent of a wildcard name for prefixed names. A name such as
label.*.example.com is not a wildcard.
Conversely, a wildcard such as *.example.com can match any name
including an underscored name. So, a wildcard might match an
underscored name, returning a record that is the type controlled by
the underscored name but is not intended to be used in the
underscored context and does not conform to its rules.
2. DNS Underscore Scoped Entry Registries Function 2. DNS Underscore Scoped Entry Registries Function
A registry for 'global' DNS nodes names that begin with an underscore A registry for "global" DNS nodes names that begin with an underscore
is defined here. The purpose of the Underscore Global Registry is to is defined here. The purpose of the Underscore Global Registry is to
avoid collisions resulting from the use of the same underscore-based avoid collisions resulting from the use of the same underscore-based
name, for different applications. name, for different applications.
o If a public specification calls for use of an underscore-prefixed o If a public specification calls for use of an underscore-prefixed
domain node name, the 'global' underscored name -- the underscored domain node name, the "global" underscored name -- the underscored
name that is closest to the DNS root -- MUST be entered into this name that is closest to the DNS root -- MUST be entered into this
registry. registry.
An underscored name define scope of use for specific resource record An underscored name defines scope of use for specific resource record
types, which are associated with the domain name that is the "parent" types, which are associated with the domain name that is the "parent"
to the branch defined by the underscored name. A given name defines to the branch defined by the underscored name. A given name defines
a specific, constrained context for one or more RR types, where use a specific, constrained context for one or more RR types, where use
of such record types conforms to the defined constraints. of such record types conforms to the defined constraints.
o Within an underscore scoped leaf, other RRsets that are not o Within an underscore scoped leaf, other RRsets that are not
specified as part of the scope MAY be used. specified as part of the scope MAY be used.
Structurally, the registry is defined as a single, flat table of RR Structurally, the registry is defined as a single, flat table of RR
types, under node names beginning with underscore. In some cases, types, under node names beginning with underscore. In some cases,
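Review bot: New Section 1.4 reproduces Section 6.1 word for word; a single copy avoids the two texts diverging, so either keep 1.4 and have Section 6 reference it or keep only 6.1. Within the copied text, "Since wildcards only are interpreted as leaf names" reads more naturally as "are only interpreted". Also unchanged from -11: "A registry for "global" DNS nodes names" in Section 2 should read "node names"; the "define" to "defines" correction further down in the same section is right.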
skipping to change at page 5, line 42 skipping to change at page 6, line 16
| NAME | | NAME |
+----------------------------+ +----------------------------+
| _service1 | | _service1 |
| ._protoB._service2 | | ._protoB._service2 |
| _protoB._service3 | | _protoB._service3 |
| _protoC._service3 | | _protoC._service3 |
| _useX._protoD._service4 | | _useX._protoD._service4 |
| _protoE._region._authority | | _protoE._region._authority |
+----------------------------+ +----------------------------+
Example of Underscore Names Examples of Underscored Names
Only global underscored names are registered in the IANA Underscore Only global underscored names are registered in the IANA Underscore
Global table. Global table.
o The use of underscored node names is specific to each RRTYPE that o The use of underscored node names is specific to each RRTYPE that
is being scoped. Each name defines a place, but does not define is being scoped. Each name defines a place, but does not define
the rules for what appears underneath that place, either as the rules for what appears underneath that place, either as
additional underscored naming or as a leaf node with resource additional underscored naming or as a leaf node with resource
records. Details for those rules are provided by specifications records. Details for those rules are provided by specifications
for individual RRTYPEs. The sections below describe the way that for individual RRTYPEs. The sections below describe the way that
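Review bot: The second row of the examples table, "._protoB._service2", begins with a dot in both revisions while every other row begins with an underscore; this looks like a stray character and, in a table whose purpose is to show name forms, should read "_protoB._service2". The caption change to "Examples of Underscored Names" is fine.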
skipping to change at page 7, line 8 skipping to change at page 7, line 26
Per [RFC8126], IANA is requested to establish the: Per [RFC8126], IANA is requested to establish the:
DNS Underscore Global Scoped Entry Registry DNS Underscore Global Scoped Entry Registry
This section describes actions requested of IANA. The guidance in This section describes actions requested of IANA. The guidance in
[IANA] is used. [IANA] is used.
4.1. DNS Underscore Global Scoped Entry Registry 4.1. DNS Underscore Global Scoped Entry Registry
The DNS Global Underscore Scoped Entry Registry is any DNS node name The DNS Global Underscore Scoped Entry Registry is any DNS node name
that begin with the underscore character (_) and is the underscored that begin with the underscore character ("_", ASCII 0x5F) and is the
node name closest to the root; that is it defines the highest-level underscored node name closest to the root; that is it defines the
of a DNS branch, under a "parent" domain name. highest-level of a DNS branch, under a "parent" domain name.
o This registry is to operate under the IANA rules for "Expert o This registry is to operate under the IANA rules for "Expert
Review" registration; see Section 5. Review" registration; see Section 5.
o The contents of each entry in the Global registry are defined in o The contents of each entry in the Global registry are defined in
Section 4.2. Section 4.2.
o Each entry in the registry MUST contain values for all of the o Each entry in the registry MUST contain values for all of the
fields specified in Section 4.2. fields specified in Section 4.2.
o Within the registry, the combination of RR Type and _Node Name o Within the registry, the combination of RR Type and _Node Name
MUST be unique. MUST be unique.
o The table is to be maintained with entries sorted by the first o The table is to be maintained with entries sorted by the first
column (RR Type) and, within that, the second column (_Node Name). column (RR Type) and, within that, the second column (_Node Name).
o The required Reference for an entry MUST have a stable resolution o The required Reference for an entry MUST have a stable resolution
to the organization controlling that registry entry to the organization controlling that registry entry.
4.2. DNS Underscore Global Scoped Entry Registry Definition 4.2. DNS Underscore Global Scoped Entry Registry Definition
A registry entry contains: A registry entry contains:
RR Type: Lists an RR type that is defined for use within this RR Type: Lists an RR type that is defined for use within this
scope scope
_Node Name: Specifies a single, underscored name that defines a _Node Name: Specifies a single, underscored name that defines a
reserved name; this name is the "global" entry name for the reserved name; this name is the "global" entry name for the
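Review bot: The opening sentence of Section 4.1 defines the registry as "any DNS node name that begin with the underscore character", which conflates the registry with the names it lists and has a number disagreement ("that begin"); suggest "The DNS Underscore Global Scoped Entry Registry lists DNS node names that begin with the underscore character ("_", ASCII 0x5F) and are the underscored node name closest to the root". The same sentence also names it the "DNS Global Underscore Scoped Entry Registry", transposing two words relative to the Section 4.1 heading and the Section 4 text; use one form throughout. The added ASCII code point and the trailing period on the Reference bullet are good.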
skipping to change at page 10, line 38 skipping to change at page 10, line 38
of scope. of scope.
6. Security Considerations 6. Security Considerations
This memo raises no security issues. This memo raises no security issues.
6.1. Interaction with DNS wildcards 6.1. Interaction with DNS wildcards
DNS wildcards interact poorly with underscored names in two ways. DNS wildcards interact poorly with underscored names in two ways.
Since wildcards only are interpreted as leaf names, one cannot create Since wildcards only are interpreted as leaf names, one cannot create
the equivalent of a wildcard name for prefixed names. A name such the equivalent of a wildcard name for prefixed names. A name such as
as_label.*.example.com is not a wildcard. label.*.example.com is not a wildcard.
Conversely, a wildcard such as *.example.com can match any name Conversely, a wildcard such as *.example.com can match any name
including an underscored name. So, a wildcard might match an including an underscored name. So, a wildcard might match an
underscored name, returning a record that is the type controlled by underscored name, returning a record that is the type controlled by
the underscored name but is not intended to be used in the the underscored name but is not intended to be used in the
underscored context and does not conform to its rules. underscored context and does not conform to its rules.
7. References 7. References
7.1. Normative References 7.1. Normative References
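Review bot: "This memo raises no security issues" is undercut by the very next subsection, where a wildcard such as *.example.com matches an underscored name and returns a record of the scoped type that "is not intended to be used in the underscored context and does not conform to its rules"; a consumer that does not check the matched owner name can act on such a record, so Section 6 should point to 6.1 (or to the new 1.4) as the operational caveat rather than state there are none. On the text change itself, -11 read "A name such as_label.*.example.com", which looks like a lost space before "_label"; the -12 fix drops the underscore entirely, giving "label.*.example.com". Confirm which was intended, since the sentence is about prefixed names.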
skipping to change at page 11, line 22 skipping to change at page 11, line 22
June 2017. June 2017.
[MTA-STS] Margolis, D., Risher, M., Ramakrishnan, B., Brotman, A., [MTA-STS] Margolis, D., Risher, M., Ramakrishnan, B., Brotman, A.,
and J. Jones, "SMTP MTA Strict Transport Security (MTA- and J. Jones, "SMTP MTA Strict Transport Security (MTA-
STS)", I-D draft-ietf-uta-mta-sts. STS)", I-D draft-ietf-uta-mta-sts.
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain Names - Implementation and [RFC1035] Mockapetris, P., "Domain Names - Implementation and
SSpecification", STD 13, RFC 1035, November 1987. Specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[RFC5518] Hoffman, P., Levine, J., and A. Hathcock, "Vouch By [RFC5518] Hoffman, P., Levine, J., and A. Hathcock, "Vouch By
Reference", RFC 5518, April 2009. Reference", RFC 5518, April 2009.
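Review bot: The added [RFC2119] entry matches the key-words paragraph introduced in Section 1.1, and the "SSpecification" typo fix in [RFC1035] is correct; the [MTA-STS] entry, however, cites "I-D draft-ietf-uta-mta-sts" with neither a revision number nor a date, unlike every other entry in the list, and a Normative Reference to a work in progress should name the specific revision relied upon.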
 End of changes. 21 change blocks. 
25 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/