[ietf-dkim] FW: draft-hallambaker-xptr-002007-06-29 11:19:14I just submitted the attached as a personal Internet draft. It describes the use of the XPTR record to provide generalized discovery of wildcarded prefix records. XPTR: DNS Prefix Pointer draft-hallambaker-xptr-00
|
TOC |
The following definitions are used in this document:
- DNS Resource Record
- A DNS Resource Record as defined in [TBS]
- Prefixed Record
- A DNS Resource Record in which one or more labels contain characters that are not valid DNS host names. [TBS]
TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].
TOC |
Prefixed resource records, first introduced in the SRV specification provide a means of extending the DNS without allocating a new resource record
The principle disadvantage faced when using prefixed DNS records is that the existing DNS specifications do not provide a 'midpoint wildcard' of the form _prefix.*.example.com. While a DNS server can implement such a wildcard in response to a DNS query as a 'synthetic' wildcard this usage is not compatible with the mechanisms of DNSSEC or Zone Transfer.
While support for wildcarding of prefixed records has not been considered an essential requirement in service discovery applications such as SRV and NAPTR, wildcarding is considered an essential requirement for publication of protocol policy statements. In particular the ability to make policy statements of the form 'All mail from *.example.com is signed' is frequently a requirement.
While such a requirement could be satisified by issuing separate DNS RRs for each protocol policy advertisement, this approach is only acceptable if the number of policy advertisements is expected to be small. While the number of official prefix registrations is small, informal registrations number in excess of 500 in June 2007. This number is likely to rise rapidly as the use of Web Services increases.
The DNS resource record is expressed as a fixed 16 bit field giving 65,336 possible values. An architecture which limits the Internet to 65,336 possible protocols for machine-machine interaction is not sustainable.
TOC |
XPTR allows a resolution algorithm to be defined that supports the use of wildcards in conjunction with prefixed DNS records by introducing an additional step of indirection. Although a wildcard cannot be applied to prefixed DNS record itself, a wildcard can be applied to the XPTR indirection record.
TOC |
The basic XPTR prefix resolution (basic) algorithm MAY be specified as the means of resolving a particular DNS record prefix.
The basic resolution algorithm resolves a triple consisting of a DNS node, a DNS prefix label and a DNS record type. The resolution algorithm returns either the record requested or the result ?not present?.
The resolution algorithm always produces a result in a maximum of three steps when applied to DNS nodes in the forward DNS. The requestor first looks for a prefix record at the query node itself. If this search fails the requestor looks for a PREPTR record at the query node and if this is found:
Record BasicPrefixResolve ( String node, String prefix, RecordType record) 1. Record F1 = Lookup (prefix + "." + node, record) If (F1 <> NIL) Return F1 2. Record F2 = Lookup (node, PREPTR) If (F2 = NIL) Return NIL 3. Record F3 = Lookup (prefix + "." + F2.domain) Return F3
TOC |
In most cases an Internet service is identified by means of a domain name. In certain circumstances it is desirable to perform service and policy discovery by means of the IP address. This requirement is most likely to occur in protocols for real time reporting of security incidents where the IP address of the source of attack is known with some degree of certainty, but not a domain name.
In such situations the service discovery process MAY specify the use of the Reverse DNS. The reverse DNS is an area of the DNS space (in-addr.arpa, ipv6.arpa). A PTR record in the reverse DNS maps an IPv4 or IPv6 address to a DNS name.
Depending on the requirements of the service it MAY be desirable for discovery to process XPTR records in the reverse DNS directly or to first attempt to follow a PTR record to obtain a DNS node where basic prefix resolution is to be performed.
Record ReversePrefixResolve( IPAddress address, String prefix, RecordType record) 1. Record R1 = Lookup (prefix + "." + ReverseToNode (address), record) If (F1 <> NIL) Return F1 2. Record R2 = Lookup (node, ReverseToNode (address) If (R2 = NIL) Return NIL Else Return BasicPrefixResolve (R2.domain, prefix, record)
TOC |
XPTR may be used to simplfy administration of prefixed DNS records and to permit the resolution of wildcard DNS records.
TOC |
In order to illustrate the use of XPTR we consider the resolution of a hypothetical Internet protocol 'NOOP'.
The discovery protocol for NOOP is specified as using SRV with the basic prefix resolution protocol. There is no default port assignment.
All service requests for the 'NOOP' service with SRV Prefix _noop in the domain example.com are to be directed to the main noop server, except for the mathematics department math.example.com which has its own server.
The zone file is:
_noop._tcp.example.com SRV 1 1 80 noop.example.com _noop._tcp.math.example.com SRV 1 1 80 math.example.com h1.example.com A 10.1.1.1 h1.example.com XPTR example.com *.example.com XPTR example.com
Although XPTR addresses the lack of a DNS midpoint wildcard it does not address the fact that the semantics of DNS wildcards are considerably more restrictive than is generally convenient and a DNS wildcard only binds to a DNS zone if there are no other records of any type defined for that node. It is therefore necessary to specify an XPTR record for the node h1.example.com which is outside the scope of the wildcard.
TOC |
We hypothecate the existence of a protocol policy prefixes _a._policy, _b._policy etc. to be used to specify protocol configuration options.
The administrator of example.com has three basic types of machine; desktops, laptops and servers. The range of services a particular machine is allowed to offer is determined by its class. Instead of defining the protocol configuration policy for each machine individually the administrator specifies an XPTR record to direct resolution to a node where the characteristics for the whole class are defined:
_a._policy.laptop.example.com TXT "SSL=always" _b._policy.laptop.example.com TXT "MinVersion=2.3 MaxVersion=3.4" _a._policy.desktop.example.com TXT "" _b._policy.desktop.example.com TXT "MinVersion=2.1 MaxVersion=3.4" _a._policy.server.example.com TXT "" _b._policy.server.example.com TXT "MinVersion=1.0 MaxVersion=3.4" alice.example.com XPTR laptop.example.com bob.example.com XPTR laptop.example.com carol.example.com XPTR desktop.example.com doug.example.com XPTR laptop.example.com _b._policy.doug.example.com TXT "MinVersion=2.3 MaxVersion=3.4" edward.example.com XPTR server.example.com mail.example.com XPTR server.example.com
The default policy may be overriden as necessary by a policy declared at the specific node. In this case the administrator has overriden policy B for doug.example.com.
TOC |
The ideas in this document arose from extensive discussions with the DKIM and DNSEXT working groups.
TOC |
This document requests allocation of a DNS Resource Record for the XPTR record.
TOC |
The XPTR record does not change the security model or field of application of DNS. It does however make it more likely that DNS will be used in situations where the need for robust integrity and authenticity controls such as those provided by DNSSEC will become more apparent.
In particular it is highly desirable for a prefixed record used to distribute a security policy to be signed.
In cases where an XPTR directs resolution of prefixed records to a DNS zone that is under a different administrative control regime, administrative control and the ability to enforce security controls is transfered to another party.
TOC |
[RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
TOC |
Phillip Hallam-Baker | |
VeriSign Inc | |
Email: | pbaker(_at_)verisign(_dot_)com |
TOC |
Copyright © The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr(_at_)ietf(_dot_)org.
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
draft-hallambaker-xptr-00.txt
Description: draft-hallambaker-xptr-00.txt
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
<Prev in Thread] | Current Thread | [Next in Thread> |
---|---|---|
|
Previous by Date: | Fwd: Re: [ietf-dkim] I-D Action:draft-ietf-dkim-ssp-00.txt, Charles Lindsey |
---|---|
Next by Date: | [ietf-dkim] SSP Policy NOMAIL, Hallam-Baker, Phillip |
Previous by Thread: | [ietf-dkim] Possible extensions for SSP // domain tasting correction, Douglas Otis |
Next by Thread: | Re: [ietf-dkim] FW: draft-hallambaker-xptr-00, Douglas Otis |
Indexes: | [Date] [Thread] [Top] [All Lists] |