draft-muks-dnsop-dns-catalog-zones-03.txt   draft-muks-dnsop-dns-catalog-zones-04.txt 
Internet Engineering Task Force                             M. Sivaraman
Internet-Draft                                                 S. Morris
Intended status: Experimental                                  R. Bellis
Expires: September 2, 2018                                   W. Krecicki
                                             Internet Systems Consortium
                                                           March 1, 2018

                            DNS Catalog Zones
                  draft-muks-dnsop-dns-catalog-zones-04

Abstract

This document describes a method for automatic DNS zone provisioning
among DNS primary and secondary nameservers by storing and
transferring the catalog of zones to be provisioned as one or more
regular DNS zones.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 2, 2018.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Terminology
3. Description
4. Catalog Zone Structure
   4.1. SOA and NS Records
   4.2. Zone Data
      4.2.1. Resource Record Format
      4.2.2. Multi-valued Properties
      4.2.3. Vendor-specific Properties
   4.3. Zone Structure
      4.3.1. List of Member Zones
      4.3.2. Catalog Zone Schema Version
      4.3.3. Default Zone Configuration
      4.3.4. Zone Properties Specific to a Member Zone
5. Data Types
   5.1. String
   5.2. Booleans
   5.3. Integers
   5.4. Floating-Point Values
   5.5. Domain Name
   5.6. IP Prefix
   5.7. Single Host Address
6. Nameserver Behavior
   6.1. General Requirements
   6.2. Updating Catalog Zones
   6.3. Implementation Notes
7. Security Considerations
8. IANA Considerations
9. Acknowledgements
10. References
   10.1. Normative references
   10.2. Informative references
Appendix A. Open issues and discussion (to be removed before final
   publication)
Appendix B. Change History (to be removed before final publication)
Authors' Addresses
1. Introduction

The data in a DNS zone is synchronized amongst its primary and
secondary nameservers using AXFR and IXFR. However, the list of
zones served by the primary (called a catalog in [RFC1035]) is not
automatically synchronized with the secondaries. To add or remove a
zone, the administrator of a DNS nameserver farm not only has to add
or remove the zone on the primary, they must also add or remove the
zone on all secondaries, either manually or via an external
application. This can be both inconvenient and error-prone; it will
also be dependent on the nameserver implementation.

This document describes a method in which the catalog is represented
as a regular DNS zone (called a "catalog zone" here) and transferred
using DNS zone transfers. As zones are added to or removed from the
catalog zone, the changes are propagated to the secondary nameservers
in the normal way. The secondary nameservers then add, remove or
modify the zones they serve in accordance with the changes to the
catalog zone.

The contents and representation of catalog zones are described in
Section 3. Nameserver behavior is described in Section 6.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

Catalog zone: A DNS zone containing a DNS catalog, that is, a list
of DNS zones and associated zone configuration.

Member zone: A DNS zone whose configuration is published inside a
catalog zone.

Zone property: A configuration parameter of a zone, sometimes also
called a zone option, represented as a key/value pair.

$CATZ: Used in examples as a placeholder to represent the domain
name of the catalog zone itself (cf. $ORIGIN).
3. Description

A catalog zone is a specially crafted DNS zone that contains, as DNS
zone data:

o A list of DNS zones (called "member zones").

o Default zone configuration information common to all member zones.

o Zone-specific configuration information.

An implementation of catalog zones MAY allow the catalog to contain
other catalog zones as member zones, but default zone configuration
present in a catalog zone only applies to its immediate member zones.

Although the contents of a catalog zone are interpreted and acted
upon by nameservers, a catalog zone is a regular DNS zone and so must
adhere to the standards for such zones.

A catalog zone is primarily intended for the management of a farm of
authoritative nameservers. It is not expected that the content of
catalog zones will be accessible from any recursive nameserver.

4. Catalog Zone Structure
4.1. SOA and NS Records

As with any other DNS zone, a catalog zone MUST have a syntactically
correct SOA record and one or more NS records at its apex.

The SOA record's SERIAL, REFRESH, RETRY and EXPIRE fields [RFC1035]
are used during zone transfer. A catalog zone's SOA SERIAL field
MUST increase when an update is made to the catalog zone's contents,
as per the serial number arithmetic defined in [RFC1982]. Otherwise,
secondary nameservers might not notice updates to the catalog zone's
contents, and the member zones they serve will silently stay out of
step with the primary.

Should the zone be made available for querying, the SOA record's
MINIMUM field's value is the negative cache time (as defined in
[RFC2308]). Since recursive nameservers are not expected to be able
to access (and subsequently cache) entries from a catalog zone, a
value of zero (0) is RECOMMENDED.

Since there is no requirement to be able to query the catalog zone
via recursive nameservers, the NS records at the apex will not be
used and no parent delegation is required. However, they are still
required so that catalog zones are syntactically correct DNS zones.
Any valid DNS name can be used in the NSDNAME field of such NS
records [RFC1035] and they MUST be ignored. A single NS RR with an
NSDNAME field containing the absolute name "invalid." is RECOMMENDED
[RFC2606].
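The SERIAL rule above is the one check a secondary cannot skip: if the primary's catalog is edited without the serial being bumped, nothing is added or removed downstream. The following Python is an added example, not code from the draft or from any nameserver; it implements the RFC 1982 comparison the draft references and the decision a secondary derives from it, including the 32-bit wrap-around and the undefined case of two serials exactly 2^31 apart. The function names are this example's own.

```python
"""RFC 1982 serial comparison as a secondary applies it to a catalog zone's
SOA (added example; not code from the draft or from any nameserver)."""

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is 'greater than' b under RFC 1982 arithmetic.

    a is ahead of b if it is fewer than 2**31 steps ahead modulo 2**32; two
    serials exactly 2**31 apart have no defined order and yield False.
    """
    if not (0 <= a < MODULUS and 0 <= b < MODULUS):
        raise ValueError("serial out of range for a 32-bit SOA SERIAL")
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def next_serial(current: int) -> int:
    """Smallest valid increment; wraps past 2**32 - 1 as RFC 1982 allows."""
    return (current + 1) % MODULUS


def catalog_update_action(held: int, offered: int) -> str:
    """What a secondary does with the SOA serial the primary now advertises.

    Only 'transfer' leads to the member-zone list being re-read. Editing the
    catalog without bumping the serial yields 'up-to-date', and the change
    never reaches the secondaries (section 4.1).
    """
    if serial_gt(offered, held):
        return "transfer"
    if offered == held:
        return "up-to-date"
    if serial_gt(held, offered):
        return "stale"       # primary went backwards; the held catalog stays in force
    return "undefined"       # exactly 2**31 apart: RFC 1982 defines no order


if __name__ == "__main__":
    for held, offered in [(2018030101, 2018030102), (2018030101, 2018030101),
                          (0xFFFFFFFF, 0), (0, 1 << 31)]:
        print(held, offered, "->", catalog_update_action(held, offered))
```

The "stale" and "undefined" outcomes are worth logging on a secondary: both mean the catalog on the primary was rewritten with a serial that does not move forward, which is the failure the draft's MUST is meant to prevent.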
4.2. Zone Data

A catalog zone contains a set of key/value pairs, where each key is
encapsulated within the owner name of a DNS RR and the corresponding
value is stored in the RR's RDATA. The specific owner name depends
on whether the property relates to the catalog zone itself, to a
member zone thereof, or to the default zone properties described in
Section 4.3. The owner names are case-insensitive.

4.2.1. Resource Record Format

Each key/value pair has a defined data type, and each data type
accordingly uses a particular RR TYPE to represent its possible
values, as specified in Section 5.

The general form of a catalog zone record is as follows:

[<unique-id>.]<key>.<path>.$CATZ 0 IN <RRTYPE> <value>

where <path> is a sequence of labels with values depending on the
purpose (and hence position) of the record within the catalog zone
(see Section 4.3) and where the <unique-id> prefix is only present
for multi-valued properties (see Section 4.2.2).

NB: Catalog zones use some RR TYPEs (such as PTR) with alternate
semantics to those originally defined for them. Although this may be
controversial, the situation is similar to other zone-based
representations such as response-policy zones [RPZ].

The CLASS field of every RR in a catalog zone MUST be IN (1). This
is because some RR TYPEs such as APL used by catalog zones are
defined only for the IN class.

The TTL field's value is not specially defined by this memo. Catalog
zones are for authoritative nameserver management only and are not
intended for general querying via recursive resolvers; therefore a
value of zero (0) is RECOMMENDED.

It is an error for any single owner name within a catalog zone (other
than the apex of the zone itself) to have more than one RR associated
with it.

4.2.2. Multi-valued Properties

Some properties do not represent single values but instead represent
a collection of values. The specification for each property
describes whether it is single-valued or multi-valued. A multi-
valued property is encoded as multiple RRs where the owner name of
each individual RR contains a unique (user-specified) DNS label.

So, while a single-valued key might be represented like this:

<key>.<path>.$CATZ IN TXT "value"

a multi-valued key would be represented like this:

<unique-id-1>.<key>.<path>.$CATZ IN TXT "value 1"
<unique-id-2>.<key>.<path>.$CATZ IN TXT "value 2"
...

NB: a property that is specified to be multi-valued MUST be encoded
using the unique prefixed key syntax even if there is only one value
present.

The specification of any multi-valued property MUST document whether
the collection represents an ordered or an unordered list. In the
former case the ordering of the prefixes according to the usual DNS
canonical name ordering determines the sort order.

4.2.3. Vendor-specific Properties

TBD: Prepare a list of zone configuration properties that are common
to DNS implementations. This is so that a company may manage a
catalog zone using a Windows DNS server as the primary, and a
secondary nameserver hosting service may pick up the common
properties and may use a different nameserver implementation such as
BIND or NSD on a POSIX operating system to serve it.

TBD: We may specify that unrecognized zone property names must be
ignored, or that nameserver-specific properties must be specified
using the "x-" prefix similar to MIME type naming.

TBD: Any list of zone properties is ideally maintained as a registry
rather than within this memo.
4.3. Zone Structure

4.3.1. List of Member Zones

The list of member zones is specified as a multi-valued collection of
domain names under the owner name "zones", where "zones" is a direct
child domain of the catalog zone.

The names of member zones are represented on the RDATA side (instead
of as a part of owner names) so that all valid domain names may be
represented regardless of their length [RFC1035].

For example, if a catalog zone lists three zones "example.com.",
"example.net." and "example.org.", the RRs would appear as follows:

<m-unique-1>.zones.$CATZ 0 IN PTR example.com.
<m-unique-2>.zones.$CATZ 0 IN PTR example.net.
<m-unique-3>.zones.$CATZ 0 IN PTR example.org.

where <m-unique-N> is a label that uniquely tags each record in the
collection, as described in Section 4.2.2.

Although any legal label could be used for <m-unique-N>, it is
RECOMMENDED that it be a value deterministically derived from the
fully-qualified member zone name. The BIND9 implementation uses the
40 character hexadecimal representation of the SHA-1 digest
[FIPS.180-4.2015] of the lower-cased member zone name as encoded in
uncompressed wire format.
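As an added example (not BIND's code and not part of the draft), the following Python derives the RECOMMENDED <m-unique> label exactly as the paragraph above describes it for BIND9: the SHA-1 digest of the lower-cased member zone name in uncompressed wire format, rendered as 40 hexadecimal characters, and then emits the PTR records of Section 4.3.1. It assumes plain ASCII labels without escape sequences; the function names are this example's own.

```python
"""Deriving the <m-unique> member label as section 4.3.1 describes for BIND9
(added example; not BIND's own code). Assumes plain ASCII labels without
RFC 1035 escape sequences."""
import hashlib


def wire_name(name: str) -> bytes:
    """Uncompressed RFC 1035 wire format of an absolute domain name."""
    body = name.rstrip(".")
    out = bytearray()
    for label in ([] if body == "" else body.split(".")):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:           # empty or over-long label
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)                             # root label terminates the name
    if len(out) > 255:
        raise ValueError(f"name too long: {name!r}")
    return bytes(out)


def member_label(zone: str) -> str:
    """40-char hex SHA-1 of the lower-cased name in wire format (4.3.1)."""
    return hashlib.sha1(wire_name(zone.lower())).hexdigest()


def member_zone_records(catz: str, zones) -> list:
    """One PTR per member zone under zones.$CATZ, TTL 0 as RECOMMENDED (4.2.1)."""
    catz = catz.rstrip(".") + "."
    return [f"{member_label(z)}.zones.{catz} 0 IN PTR {z.rstrip('.')}."
            for z in zones]


if __name__ == "__main__":
    print("\n".join(member_zone_records(
        "catalog.example.", ["example.com.", "Example.NET", "example.org."])))
```

Because the digest is taken over the lower-cased wire form, "Example.COM." and "example.com" map to the same label, which is what keeps a re-generated catalog from producing duplicate member entries for the same zone.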
4.3.2. Catalog Zone Schema Version

The catalog zone schema version is specified by an unsigned integer
property with the property name "version". All catalog zones MUST
have this property present. Primary and secondary nameservers MUST
NOT use catalog zones with an unexpected value in this property, but
they may be transferred as ordinary zones. For this memo, the
"version" property value MUST be set to 2, i.e.

version.$CATZ 0 IN TXT "2"

NB: Version 1 was used in a draft version of this memo and reflected
in the implementation first found in BIND 9.11.

4.3.3. Default Zone Configuration

Default zone configuration comprises a set of properties that are
applied to all member zones listed in the catalog zone unless
overridden by member zone-specific information.

All such properties are stored as child nodes of the owner name
"defaults", itself a direct child node of the catalog zone, e.g.:

example-prop.defaults.$CATZ 0 IN TXT "Example"

4.3.4. Zone Properties Specific to a Member Zone

Default zone properties can be overridden on a per-zone basis by
specifying the property under the sub-domain associated with the
member zone in the list of zones, e.g.:

example-prop.<m-unique>.zones.$CATZ 0 IN TXT "Example"

where <m-unique> is the label that uniquely identifies the member
zone name as described in Section 4.3.1.

NB: when a zone-specific property is multi-valued the owner name will
contain two unique identifiers, the left-most tag being associated
with the individual value (<unique-id-N>) and the other (<m-unique>)
associated with the member zone itself, e.g.:

$ORIGIN <m-unique>.zones.$CATZ
<unique-id-1>.example-prop 0 IN TXT "Value 1"
<unique-id-2>.example-prop 0 IN TXT "Value 2"
...
5. Data Types

This section lists the various data types defined for use within
catalog zones.

5.1. String

A key with a string value is represented with a TXT RR [RFC1035],
e.g.:

example-prop.<m-unique>.zones.$CATZ 0 IN TXT "Example"

If the RDATA is split into multiple <character-string> elements they
MUST be directly concatenated without any separating character.

5.2. Booleans

A key with a boolean value is represented with a TXT RR containing a
single <character-string> with a value of "true" for the true
condition and "false" for the false condition, e.g.:

example-prop.<m-unique>.zones.$CATZ 0 IN TXT "false"

The RDATA is case-insensitive.
The names of member zones are represented on the RDATA side instead 5.3. Integers
of as part of owner names so that all valid domain names may be
represented regardless of their length. [RFC1035]
For example, if a catalog zone is named "catalog1.example.org." and A key with an integer value is specified using a TXT RR containing a
lists 3 zones "example.com.", "example.net." and "example.org.", the single <character-string>.
RRs would appear as follows:
<hash>.zones.catalog1.example.org. 3600 IN PTR example.com. A signed integer's TXT RDATA uses the representation of an unsuffixed
<hash>.zones.catalog1.example.org. 3600 IN PTR example.net. "integer constant" as defined in the C programming language standard
<hash>.zones.catalog1.example.org. 3600 IN PTR example.org. [ISO.9899.1990] (of the type matching a 64-bit signed integer on that
platform), with an optional minus prefix.
2.8. Zone configuration properties An unsigned integer's TXT RDATA uses the representation of an
unsuffixed "integer constant" as defined in the C programming
language standard [ISO.9899.1990] (of the type matching a 64-bit
unsigned integer on that platform).
TBD: Prepare a list of zone configuration properties that are common For example, a property with an unsigned integer value of 300 would
to DNS implementations. This is so that a company may manage a appear as follows:
catalog zone using a Windows DNS server as the primary, and a
secondary nameserver hosting service may pick up the common
properties and may use a different nameserver implementation such as
BIND or NSD on a POSIX operating system to serve it.
TBD: We may specify that unrecognized zone property names must be example-prop.<m-unique>.zones.$CATZ 0 IN TXT "300"
ignored, or that nameserver specific properties must be specified
using the "x-" prefix similar to MIME type naming.
TBD: Any list of zone properties is ideally maintained as a registry 5.4. Floating-Point Values
rather than within this memo.
2.8.1. zone-soa-default-serial A key with a floating-point value is specified using a TXT RR
containing a single <character-string>.
TBD. A floating-point value's TXT RDATA uses the representation of an
unsuffixed "floating constant" as defined in the C programming
language standard [ISO.9899.1990].
2.8.2. zone-soa-default-refresh For example, a property with an unsigned integer value of 0.15 may
appear as follows:
TBD. example-prop.<m-unique>.zones.$CATZ 0 IN TXT "15e-2"
2.9. Zone properties specific to a member zone 5.5. Domain Name
Member zones in a catalog zone share template zone configuration that A key whose value is a domain name is specified using a PTR RR
is common to all member zones in that catalog. This section [RFC1035], e.g.:
describes the syntax that can be used to specify zone properties
specific to single member zones.
Let N be an absolute name formed by concatenating the member zone example-prop.defaults.$CATZ 0 IN PTR ns1.example.com.
name hash as a label (see Appendix A), the label "zones", and the
catalog zone name in that order, such that N is a unique owner name
in the catalog zone.
Zone properties specific to a particular member zone are specified 5.6. IP Prefix
under the respective sub-domain N.
For example, if a catalog zone is named "catalog1.example.org." and a A property whose value is an IP network prefix is specified using an
member zone "example.com." contains a property "prop0" with string APL RR [RFC3123]. The negation flag ("!" in presentation format) may
(see Section 2.5.1) value "Example", the corresponding RR would be used to indicate all addresses not included within that prefix,
appear as follows: e.g. for use in Access Control Lists, e.g.:
prop0.<m-hash>.zones.catalog1.example.org. 3600 IN TXT "Example" Although a single APL record is capable of containing multiple
prefixes, for consistency of representation lists of prefixes MUST
use the multi-valued property syntax as documented in Section 4.2.2,
e.g.:
As another example, if a catalog zone is named "cat1.example.org." $ORIGIN <m-unique>.zones.$CATZ
and a member zone "example.com." contains a property "prop2" with its <unique-id-1>.example-prop 0 IN APL ( 1:192.0.2.0/24 )
value being an unordered list (see Section 2.5.6) of two domain names <unique-id-2>.example-prop 0 IN APL ( !1:0.0.0.0/0 )
"a.example.com." and "b.example.com.", the corresponding RRs would
appear as follows:
(<hash>.prop2.<m-hash>.zones.cat1.example.org. Implementations MUST accept only the first prefix within each APL
3600 IN PTR a.example.com.) record and MUST ignore any subsequent prefixes found therein.
(<hash>.prop2.<m-hash>.zones.cat1.example.org.
3600 IN PTR b.example.com.)
2.10. Example of a catalog zone 5.7. Single Host Address
$ORIGIN catalog.example.org. A single host address is represented using either an A or AAAA record
@ IN SOA . . 1 3600 3600 86400 3600 as appropriate, e.g.:
IN NS invalid.
version IN TXT "1"
(5960775ba382e7a4e09263fc06e7c00569b6a05c.zones
IN PTR domain1.example.com.)
3. Nameserver behavior and requirements example-prop1.<m-unique>.zones.$CATZ 0 IN A 192.0.2.1
example-prop2.<m-unique>.zones.$CATZ 0 IN AAAA 2001:db8::1
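The -04 per-zone owner form (<unique-id>.<prop>.<m-unique>.zones.$CATZ) and the data types of Section 5, as an added Python example that is not code from the draft or from any nameserver implementation: it decodes the property RRs of one member zone, concatenating TXT <character-string>s, treating booleans case-insensitively, parsing integers and floats as unsuffixed C constants, keeping only the first APL prefix, and grouping multi-valued properties by their <unique-id> label. The sample zone text, the catalog name catalog1.example.org. and the member label m1 are constructed for the example.

```python
import ipaddress
import re
# Constructed sample (not from the draft): $CATZ = catalog1.example.org.,
# <m-unique> = m1; "acl" uses the multi-valued <unique-id>.<prop> owner form.
CATZ = "catalog1.example.org."
SAMPLE_RRS = """\
name.m1.zones.catalog1.example.org. 0 IN TXT "Exam" "ple"
enabled.m1.zones.catalog1.example.org. 0 IN TXT "FALSE"
ttl.m1.zones.catalog1.example.org. 0 IN TXT "300"
ratio.m1.zones.catalog1.example.org. 0 IN TXT "15e-2"
id1.acl.m1.zones.catalog1.example.org. 0 IN APL 1:192.0.2.0/24 2:2001:db8::/32
id2.acl.m1.zones.catalog1.example.org. 0 IN APL !1:0.0.0.0/0
addr.m1.zones.catalog1.example.org. 0 IN AAAA 2001:db8::1
"""

_TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Unsuffixed C constants: integers may be decimal, 0-octal or 0x-hex (so
# "010" is 8, not 10); a floating constant needs a dot or an exponent.
_C_INT = re.compile(r"^(-?)(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
_C_FLOAT = re.compile(r"^(?:(?:\d+\.\d*|\.\d+)(?:[eE][+-]?\d+)?|\d+[eE][+-]?\d+)$")


def as_bool(rdata):
    """5.2: "true" / "false", compared case-insensitively."""
    if rdata.lower() not in ("true", "false"):
        raise ValueError(f"not a boolean: {rdata!r}")
    return rdata.lower() == "true"


def as_int(rdata, signed):
    """5.3: C integer constant within 64-bit range; minus only when signed."""
    m = _C_INT.match(rdata)
    if not m or (m.group(1) and not signed):
        raise ValueError(f"not a valid {'signed' if signed else 'unsigned'} integer: {rdata!r}")
    digits = m.group(2)
    base = 16 if digits[:2].lower() == "0x" else 8 if digits.startswith("0") else 10
    value = -int(digits, base) if m.group(1) else int(digits, base)
    if not ((-2**63 if signed else 0) <= value <= (2**63 - 1 if signed else 2**64 - 1)):
        raise ValueError(f"outside 64-bit range: {rdata!r}")
    return value


def as_float(rdata):
    """5.4: C floating constant, e.g. "15e-2" for 0.15."""
    if not _C_FLOAT.match(rdata):
        raise ValueError(f"not a floating constant: {rdata!r}")
    return float(rdata)


def decode_rdata(rtype, rdata):
    """Map one property RR's RDATA to a value (5.1 TXT, 5.6 APL, 5.7 A/AAAA)."""
    if rtype == "TXT":            # 5.1: <character-string>s are concatenated
        return "".join(_TXT_STRING.findall(rdata))
    if rtype == "APL":            # 5.6: only the first prefix is accepted
        item = rdata.split()[0]
        afi, _, prefix = item.lstrip("!").partition(":")
        net = ipaddress.ip_network(prefix)
        if {"1": 4, "2": 6}.get(afi) != net.version:
            raise ValueError(f"APL address family {afi} does not match {prefix}")
        return (item.startswith("!"), net)
    if rtype in ("A", "AAAA"):    # 5.7: single host address
        addr = ipaddress.ip_address(rdata)
        if addr.version != {"A": 4, "AAAA": 6}[rtype]:
            raise ValueError(f"{rtype} record carrying {rdata}")
        return addr
    raise ValueError(f"unsupported property RR type {rtype}")


def parse_member_properties(zone_text, catz):
    """{m_unique: {prop: value}}; multi-valued props map to {unique_id: value}."""
    suffix, members = ".zones." + catz, {}
    for line in filter(str.strip, zone_text.splitlines()):
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        labels = owner[:-len(suffix)].split(".") if owner.endswith(suffix) else []
        if len(labels) not in (2, 3):
            raise ValueError(f"{owner} is not [<unique-id>.]<prop>.<m-unique>.zones.{catz}")
        uid, prop, m_unique = ([None] + labels)[-3:]
        props = members.setdefault(m_unique, {})
        value = decode_rdata(rtype, rdata)
        if prop in props and (uid is None or not isinstance(props[prop], dict)):
            raise ValueError(f"{prop}: duplicate, or single- and multi-valued forms mixed")
        if uid is None:
            props[prop] = value
        else:
            props.setdefault(prop, {})[uid] = value
    return members
```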
[-03]

3.1. General requirements

TBD: Explain nameserver behavior in a more detailed way here. It is
under-specified.

[-04]

6. Nameserver Behavior

6.1. General Requirements
As it is a regular DNS zone, a catalog zone can be transferred using
DNS zone transfers among nameservers.

[-03]

Although they are regular DNS zones, catalog zones contain only
information for the management of a set of nameservers. For this
reason, operators may want to limit the systems able to query these
zones. It may be inconvenient to serve some contents of catalog
zones via DNS queries anyway due to the nature of their
representation. A separate method of querying entries inside the
catalog zone may be made available by nameserver implementations (see
Section 3.3).

[-04]

Although they are regular DNS zones, catalog zones contain only
information for the management of a set of authoritative nameservers.
For this reason, operators may want to limit the systems able to
query these zones. It may be inconvenient to serve some contents of
catalog zones via DNS queries anyway due to the nature of their
representation. A separate method of querying entries inside the
catalog zone may be made available by nameserver implementations (see
Section 6.3).

Catalog updates should be automatic, i.e., when a nameserver that
supports catalog zones completes a zone transfer for a catalog zone,
it SHOULD apply changes to the catalog within the running nameserver
automatically without any manual intervention.

As with regular zones, primary and secondary nameservers for a
catalog zone may be operated by different administrators. The
secondary nameservers may be configured to synchronize catalog zones
from the primary, but the primary's administrators may not have any
[unchanged text skipped by rfcdiff: -03 page 12, line 36; -04 page 11, line 23]
attempt to transfer the catalog zone upon refresh timeout, so care
must be taken to make the member zones available before any update to
the list of member zones is visible in the catalog zone.

When zones are deleted from a catalog zone, a primary MAY delete the
member zone immediately after notifying secondaries. It is up to the
secondary nameserver to handle this condition correctly.

TBD: Transitive primary-secondary relationships

[-03] 3.2. Updating catalog zones
[-04] 6.2. Updating Catalog Zones

TBD: Explain updating catalog zones using DNS UPDATE.

[-03] 3.3. Implementation notes
[-04] 6.3. Implementation Notes

Catalog zones on secondary nameservers would have to be set up
manually, perhaps as static configuration, similar to how ordinary
DNS zones are configured. Members of such catalog zones will be
automatically synchronized by the secondary after the catalog zone is
configured.

[-03]

An administrator would want to look at data inside a catalog zone.
Typical queries may include dumping the list of member zones, dumping
a member zone's effective configuration, querying a specific property
value of a member zone, etc. Because of the syntax of catalog zones,
it may not be possible to perform these queries intuitively, or in
some cases, at all, using DNS QUERY. The list of member zones may
not fit in a single DNS message. The set of present properties for a
zone cannot be queried using a single DNS QUERY.

Implementations are advised to provide a tool that uses either the
output of AXFR or an out-of-band method to perform queries on catalog
zones.

[-04]

An administrator may want to look at data inside a catalog zone.
Typical queries might include dumping the list of member zones,
dumping a member zone's effective configuration, querying a specific
property value of a member zone, etc. Because of the structure of
catalog zones, it may not be possible to perform these queries
intuitively, or in some cases, at all, using DNS QUERY. For example,
it is not possible to enumerate the contents of a multi-valued
property (such as the list of member zones) with a single QUERY.
Implementations are therefore advised to provide a tool that uses
either the output of AXFR or an out-of-band method to perform queries
on catalog zones.
[-03] 4. Security considerations
[-04] 7. Security Considerations

As catalog zones are transmitted using DNS zone transfers, it is
absolutely essential for these transfers to be protected from
unexpected modifications on the route. So, catalog zone transfers
SHOULD be authenticated using TSIG [RFC2845]. A primary nameserver
SHOULD NOT serve a catalog zone for transfer without using TSIG and a
secondary nameserver SHOULD abandon an update to a catalog zone that
was received without using TSIG.

[-03] DNS UPDATE [RFC2136] to catalog zones similarly SHOULD be
authenticated using TSIG.

[-04] Use of DNS UPDATE [RFC2136] to modify the content of catalog
zones SHOULD similarly be authenticated using TSIG.

Zone transfers of member zones SHOULD similarly be authenticated
using TSIG [RFC2845]. The TSIG shared secrets used for member zones
MUST NOT be mentioned anywhere in the catalog zone data. However,
key identifiers may be shared within catalog zones.

Catalog zones do not need to be signed using DNSSEC; their zone
transfers being authenticated by TSIG. Signed zones MUST be handled
normally by nameservers, and their contents MUST NOT be DNSSEC-
validated.
[-03] 5. IANA considerations
[-04] 8. IANA Considerations

This document has no IANA actions.

[-03] 6. Acknowledgements
[-04] 9. Acknowledgements

Catalog zones originated as the chosen method among various proposals
that were evaluated at ISC for easy zone management. The chosen
method of storing the catalog as a regular DNS zone was proposed by
Stephen Morris.

We later discovered that Paul Vixie's earlier [Metazones] proposal
implemented a similar approach and reviewed it. Catalog zones
borrows some syntax ideas from Metazones, as both share this scheme
of representing the catalog as a regular DNS zone.

[-03]

Thanks to Brian Conry, Evan Hunt, and Victoria Risk for reviewing
draft proposals and providing support, comments and suggestions.

Thanks to Tony Finch and Patrik Lundin for reviewing the draft and
providing comments.

Thanks to BIND users who reviewed draft proposals and offered
comments and suggestions.

[-04]

Thanks to Brian Conry, Tony Finch, Evan Hunt, Patrik Lundin, Victoria
Risk and Carsten Strettman for reviewing draft proposals and offering
comments and suggestions.
[-03] 7. References
[-04] 10. References

[-03] 7.1. Normative references
[-04] 10.1. Normative references

[FIPS.180-4.2015]
           National Institute of Standards and Technology, "Secure
           Hash Standard", FIPS PUB 180-4, August 2015,
           <http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf>.

[ISO.9899.1990]
           International Organization for Standardization,
           "Programming languages - C", ISO Standard 9899, 1990.

[RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
           STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
           <http://www.rfc-editor.org/info/rfc1034>. (-03 only)

[RFC1035]  Mockapetris, P., "Domain names - implementation and
           specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
           November 1987, <https://www.rfc-editor.org/info/rfc1035>.

[RFC1982]  Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
           DOI 10.17487/RFC1982, August 1996,
           <https://www.rfc-editor.org/info/rfc1982>.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <https://www.rfc-editor.org/info/rfc2119>.

[RFC2136]  Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
           "Dynamic Updates in the Domain Name System (DNS UPDATE)",
           RFC 2136, DOI 10.17487/RFC2136, April 1997,
           <https://www.rfc-editor.org/info/rfc2136>.

[RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
           NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
           <https://www.rfc-editor.org/info/rfc2308>. (-04 only)

[RFC2606]  Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
           Names", BCP 32, RFC 2606, DOI 10.17487/RFC2606, June 1999,
           <https://www.rfc-editor.org/info/rfc2606>.

[RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
           Wellington, "Secret Key Transaction Authentication for DNS
           (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000,
           <https://www.rfc-editor.org/info/rfc2845>.

[RFC3123]  Koch, P., "A DNS RR Type for Lists of Address Prefixes
           (APL RR)", RFC 3123, DOI 10.17487/RFC3123, June 2001,
           <https://www.rfc-editor.org/info/rfc3123>.

[RFC7719]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
           Terminology", RFC 7719, DOI 10.17487/RFC7719, December
           2015, <http://www.rfc-editor.org/info/rfc7719>. (-03 only)

[-03] 7.2. Informative references
[-04] 10.2. Informative references

[I-D.hunt-note-rr]
           Hunt, E. and D. Mahoney, "A DNS Resource Record for
           Confidential Comments (NOTE RR)", draft-hunt-note-rr-01
           (work in progress), May 2014. (-03 only)

[Metazones]
           Vixie, P., "Federated Domain Name Service Using DNS
           Metazones", 2005, <http://ss.vix.su/~vixie/mz.pdf>.

[RPZ]      Vixie, P. and V. Schryver, "DNS Response Policy Zones (DNS
           RPZ)", 2010,
           <http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt>.
[-03]

Appendix A. Glossary

Catalog zone: A DNS zone containing a DNS catalog, that is, a list
   of DNS zones and associated template zone configuration common
   to all member zones.

Member zone: A DNS zone whose configuration is published inside a
   catalog zone.

Primary nameserver: An authoritative server configured to be the
   source of zone transfer to one or more [secondary] nameservers.
   Also see [RFC7719].

RDATA hash: The hexadecimal format 40-digit SHA-1 [FIPS.180-4.2015]
   digest of the RDATA of the corresponding RR. For RDATA
   containing DNS names, no name compression must be in use, i.e.,
   the name must be in its full expanded wire data format when it
   is hashed.

Member zone name hash: The hexadecimal format 40-digit SHA-1
   [FIPS.180-4.2015] digest of a zone name in uncompressed wire
   format.

Secondary nameserver: An authoritative server which uses zone
   transfer to retrieve the zone. Also see [RFC7719].

Zone property: A configuration parameter of a zone, sometimes also
   called a zone option.
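The member zone name hash of the -03 glossary, which forms the <hash>.zones.<catalog> owner names used in Section 2.7 and the Section 2.10 example, as an added Python example that is not part of the draft or of any implementation: it encodes the zone name in uncompressed wire format, derives the owner name, and checks that a catalog entry's hash label matches its PTR target (an inconsistent pair indicates a mis-generated or hand-edited entry). The draft does not say whether letter case is normalised before hashing; this code hashes the name as written and compares owner names case-insensitively, which is an assumption.

```python
import hashlib


def name_to_wire(name):
    """Uncompressed wire format of an absolute DNS name: each label as a
    length byte followed by its bytes, terminated by the zero-length root."""
    name = name.rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def member_zone_hash(zone_name):
    """40-digit hex SHA-1 of the zone name in wire format (-03 glossary).
    Case normalisation is not specified by the draft; none is applied here."""
    return hashlib.sha1(name_to_wire(zone_name)).hexdigest()


def member_entry(zone_name, catalog):
    """(owner, target) of the PTR RR that lists zone_name in catalog."""
    return f"{member_zone_hash(zone_name)}.zones.{catalog}", zone_name


def entry_is_consistent(owner, target, catalog):
    """True when the entry's hash label was derived from its own PTR target."""
    expected = f"{member_zone_hash(target)}.zones.{catalog}"
    return owner.lower() == expected.lower()


if __name__ == "__main__":
    # Compare the derived label with the one in the Section 2.10 example.
    owner, target = member_entry("domain1.example.com.", "catalog.example.org.")
    print(owner, "IN PTR", target)
```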
[-03] Appendix B. Open issues and discussion (to be removed before final
      publication)
[-04] Appendix A. Open issues and discussion (to be removed before final
      publication)
1. Config options

   We want catalog zones to be adopted by multiple DNS
   implementations. Towards this, we have to generalize zone config
   options and adopt a minimal set that we can expect most
   implementations to support.

2. Catalog zone and member zones on different primary nameservers

   Will it be possible to set up a catalog zone on one nameserver as
   primary, and allow its member zones to be served by different
   primary nameservers?

3. Transitive relationships

   For a catalog zone, a secondary nameserver may be a primary
   nameserver to a different set of nameservers in a nameserver
   farm. In these transitive relationships, zone configuration
   options (such as also-notify and allow-transfer) may differ based
   on the location of the primary in the hierarchy. It may not be
   possible to specify this within a catalog zone.
[-03]

4. Templates

   Is support for config and zone data templates useful at this
   level? They would add complexity across implementations. If
   added, it would be better to restrict templates at the primary
   nameserver and let the secondary receive regular expanded zones.

[-03] 5. Overriding controls
[-04] 4. Overriding controls

   A way to override zone config options (as prescribed by the
   catalog zones) on secondary nameservers was requested. As this
   would be configured outside catalog zones, it may be better to
   leave this to implementations.
[-03]

6. Use of hashing

   Should use of hashing be completely removed, and replaced with
   the same common owner name for all property RRs in a collection?
   Both IXFR and DNS UPDATE allow changing individual RRs in an
   RRset.

7. Choice of hash function

   Should a different faster hash function be chosen to replace
   SHA-1 when computing catalog member zone name hashes?

8. Overriding existing RR types

   This memo currently overrides only the PTR RR TYPE's meaning as
   PTR is currently used for reverse lookups. But such overridden
   use seems like a non-issue as PTR is defined to be a pointer to
   any name in [RFC1035].

9. APL limits

   APL can only support as many networks as can fit in its RDATA.
   Though a very large number of networks can be listed in a single
   RDATA field, it is still limited in size. Will this limitation
   become a problem for any users?

[-03] Appendix C. Change History (to be removed before final publication)
[-04] Appendix B. Change History (to be removed before final publication)
o  draft-muks-dnsop-dns-catalog-zones-00

   Initial public draft.

o  draft-muks-dnsop-dns-catalog-zones-01

   Added Witold, Ray as authors. Fixed typos, consistency issues.
   Fixed references. Updated Area. Removed newly introduced custom
   RR TYPEs. Changed schema version to 1. Changed TSIG requirement
   from MUST to SHOULD. Removed restrictive language about use of
   DNS QUERY. When zones are introduced into a catalog zone, a
   primary SHOULD first make the new zones available for transfers
   first (instead of MUST). Updated examples, esp. use IPv6 in
   examples per Fred Baker. Add catalog zone example.

o  draft-muks-dnsop-dns-catalog-zones-02

   Addressed some review comments by Patrik Lundin.

o  draft-muks-dnsop-dns-catalog-zones-03

   Revision bump.

o  draft-muks-dnsop-dns-catalog-zones-04 (-04 only)

   Reordering of sections into more logical order.
   Separation of multi-valued properties into their own category.
Authors' Addresses

Mukund Sivaraman
Internet Systems Consortium
950 Charter Street
Redwood City, CA 94063
US

Email: muks@mukund.org
URI:   http://www.isc.org/
End of changes. 136 change blocks.
475 lines changed or deleted, 335 lines changed or added.

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/