Internet DRAFT - draft-ietf-dnsext-xnamercode

draft-ietf-dnsext-xnamercode




Network Working Group                                Donald Eastlake 3rd
INTERNET-DRAFT                                                    Huawei
Intended status: Proposed Standard
Expires: July 10, 2012                                  January 11, 2012


               xNAME RCODE and Status Bits Clarification
                 <draft-ietf-dnsext-xnamercode-00.txt>



Abstract

   The Domain Name System (DNS) has long provided means, such as CNAME
   (Canonical Name), where a query can be redirected to a different
   name. A DNS response header has an RCODE (Response Code) field, used
   for indicating errors, and response status bits. This document
   clarifies, in the case of such redirected queries, how the RCODE and
   status bits correspond to the initial query cycle (where the CNAME or
   the like was detected) and subsequent or final query cycles.




Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the DNSEXT working group mailing list:
   <namedroppers@ops.ietf.org>.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html







D. Eastlake                                                     [Page 1]

INTERNET-DRAFT                                 xNAME RCODE Clarification


Table of Contents

      1. Introduction............................................3
      1.1 Conventions used in this document......................3

      2. Status Bits.............................................4
      2.1 The Authoritative Answer Bit...........................4
      2.2 The Authentic Data Bit.................................4

      3. RCODE Clarification.....................................5

      4. Security Considerations.................................6
      5. IANA Considerations.....................................6

      6. References..............................................7
      6.1 Normative References...................................7
      6.2 Informative References.................................7

      Change History.............................................8

































D. Eastlake                                                     [Page 2]

INTERNET-DRAFT                                 xNAME RCODE Clarification


1. Introduction

   The Domain Name System (DNS) has long provided means, such as the
   CNAME (Canonical Name [RFC1035]) and DNAME [RFC2672] RRs (Resource
   Records), whereby a DNS query can be redirected to a different name.
   In particular, CNAME normally causes a query to its owner name to be
   redirected, while DNAME normally causes a query to any lower level
   name to be redirected. There has been a proposal for another
   redirection RR. In addition, as specified in [RFC2672], redirection
   through a DNAME also results in the synthesis of a CNAME RR in the
   response. In this document, we will refer to all RRs causing such
   redirection as xNAME RRs.

   xNAME RRs can be explicitly retrieved by querying for the xNAME type.
   When a different type is queried and an xNAME RR is encountered, the
   xNAME RR (and possibly a synthesized CNAME) is added to the answer of
   the response, DNSSEC RRs applicable to the xNAME RR may be added to
   the response, and the query is restarted with the name to which it
   was redirected.

   An xNAME may redirect a query to a name at which there is another
   xNAME and so on. In this document, we use "xNAME chain" to refer to a
   series of one or more xNAMEs each of which refers to another xNAME
   except the last, which refers to a non-xNAME or results in an error.

   A DNS response header has an RCODE (Response Code) field, used for
   indicating errors, and status bits that indicate whether an answer is
   authoritative and/or authentic. This document clarifies, in the case
   of such redirected queries, how the RCODE and status bits correspond
   to the initial query cycle (where the (first) xNAME was detected) and
   subsequent or final query cycles.




1.1 Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].












D. Eastlake                                                     [Page 3]

INTERNET-DRAFT                                 xNAME RCODE Clarification


2. Status Bits

   There are two status bits returned in query responses for which a
   question could arise as to how, in the case of an xNAME chain, they
   relate to the first, possible intermediate, and/or last queries, as
   follows:




2.1 The Authoritative Answer Bit

   The AA, or Authoritative Answer bit, in the DNS response header
   indicates that the answer returned is from a DNS server authoritative
   for the zone containing that answer. For an xNAME chain, this
   "authoritative" status could be different for each answer in that
   chain.

   [RFC1035] states that the AA bit is to be set based on whether the
   server providing the answer with the first owner name in the answer
   section is authoritative.  This specification of the AA bit has not
   been changed.




2.2 The Authentic Data Bit

   The AD, or Authentic Data bit, indicates that the response returned
   is authentic according to the dictates of DNSSEC [RFC4035]. [RFC4035]
   unambiguously states that the AD bit is to be set in a DNS response
   header only if the DNSSEC enabled server believes all RRs in the
   answer and authority sections of that response to be authentic.  This
   specification of the AD bit has not been changed.


















D. Eastlake                                                     [Page 4]

INTERNET-DRAFT                                 xNAME RCODE Clarification


3. RCODE Clarification

   The RCODE (Response Code) field in a DNS query response header is
   non-zero to indicate an error. Section 4.3.2 of [RFC1034] has a
   resolution algorithm that includes CNAME processing but has been
   found to be unclear concerning the ultimate setting of RCODE in the
   case of such redirection. Section 2.1 of [RFC2308] implies that the
   RCODE should be set based on the last query cycle in the case of an
   xNAME chain but Section 2.2.1 of [RFC2308] says that some servers
   don't do that!

   When there is an xNAME chain, the RCODE field is set as follows:

      When an xNAME chain is followed, all but the last query cycle
      necessarily had no error. The RCODE in the ultimate DNS response
      MUST BE set based on the final query cycle leading to that
      response. If the xNAME chain was terminated by an error, it will
      be that error code. If the xNAME chain terminated without error,
      it will be zero.

































D. Eastlake                                                     [Page 5]

INTERNET-DRAFT                                 xNAME RCODE Clarification


4. Security Considerations

   The AA header flag bit is not protected by DNSSEC [RFC4033]. To
   secure it, secure communications are needed between the querying
   resolver and the DNS server. Such security can be provided by DNS
   transaction security, either TSIG [RFC2845] or SIG(0) [RFC2931].

   An AD header flag bit and the RCODE in a response are not, in
   general, protected by DNSSEC, so the same conditions as stated in the
   previous paragraph generally apply to them; however, this is not
   always true. In particular, if the following apply, then the AD bit
   or an NXDOMAIN RCODE are protected by DNSSEC in the sense that the
   querier can calculate whether they are correct:
   1. The zone where an NXDOMAIN RCODE occurs or all the zones where the
      data whose authenticity would be indicated by the AD flag bit are
      signed zones.
   2. The query or queries involved indicate that DNSSEC RRs are OK in
      responses.
   3. The responses providing these indications are from servers that
      include the additional DNSSEC RRs required by DNSSEC.
   4. The querier has appropriate trust anchor(s) and appropriately
      validates and processes the DNSSEC RRs in the response.




5. IANA Considerations

   This document requires no IANA actions. RFC Editor: please remove
   this section on publication.






















D. Eastlake                                                     [Page 6]

INTERNET-DRAFT                                 xNAME RCODE Clarification


6. References

   Normative and informative references for this document are given
   below.




6.1 Normative References

   [RFC1034] - Mockapetris, P., "Domain Names - Concepts and
         Facilities", STD 13, RFC 1034, November 1987.

   [RFC1035] - Mockapetris, P., "Domain names - implementation and
         specification", STD 13, RFC 1035, November 1987.

   [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
         Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2672] - Crawford, M., "Non-Terminal DNS Name Redirection", RFC
         2672, August 1999.

   [RFC4035] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
         Rose, "Protocol Modifications for the DNS Security Extensions",
         RFC 4035, March 2005




6.2 Informative References

   [RFC2308] - Andrews, M., "Negative Caching of DNS Queries (DNS
         NCACHE)", RFC 2308, March 1998.

   [RFC2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
         Wellington, "Secret Key Transaction Authentication for DNS
         (TSIG)", RFC 2845, May 2000.

   [RFC2931] - Eastlake 3rd, D., "DNS Request and Transaction Signatures
         ( SIG(0)s )", RFC 2931, September 2000.

   [RFC4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
         Rose, "DNS Security Introduction and Requirements", RFC 4033,
         March 2005.








D. Eastlake                                                     [Page 7]

INTERNET-DRAFT                                 xNAME RCODE Clarification


Authors' Addresses

   Donald E. Eastlake 3rd
   Huawei R&D USA
   155 Beaver Street
   Milford, MA 01757

   Phone: +1-508-333-2270
   email: d3e3e3@gmail.com





Change History

   RFC Editor: Please delete this section before publication.

   Personal Version -02 to version -03:

      Drop interpretation opion A and leave only option B, no longer so
      labeled.

      Add this change history section.

      Update date and version.

   Personal Version -03 to -04

      Remove the word "unambiguously".

      Update dates, version number, author information.

   Personal Version -04 to -05

      Just update dates and version number.

   Personal Version -05 to WG Version -00

      Change file name, version, and dates.












D. Eastlake                                                     [Page 8]

INTERNET-DRAFT                                 xNAME RCODE Clarification


Copyright and IPR Provisions

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.  The definitive version of
   an IETF Document is that published by, or under the auspices of, the
   IETF. Versions of IETF Documents that are published by third parties,
   including those that are translated into other languages, should not
   be considered to be definitive versions of IETF Documents. The
   definitive version of these Legal Provisions is that published by, or
   under the auspices of, the IETF. Versions of these Legal Provisions
   that are published by third parties, including those that are
   translated into other languages, should not be considered to be
   definitive versions of these Legal Provisions.  For the avoidance of
   doubt, each Contributor to the IETF Standards Process licenses each
   Contribution that he or she makes as part of the IETF Standards
   Process to the IETF Trust pursuant to the provisions of RFC 5378. No
   language to the contrary, or terms, conditions or rights that differ
   from or are inconsistent with the rights and licenses granted under
   RFC 5378, shall have any effect and shall be null and void, whether
   published or posted by such Contributor, or included with or in such
   Contribution.





















D. Eastlake                                                     [Page 9]