XPTR: DNS Prefix Pointerdraft-hallambaker-xptr-00

I just submitted the attached as a personal Internet draft. It describes the 
use of the XPTR record to provide generalized discovery of wildcarded prefix 
records.


XPTR: DNS Prefix Pointer   draft-hallambaker-xptr-00

 TOC 

Internet Engineering Task Force	P. Hallam-Baker
Internet-Draft	VeriSign Inc
Intended status: Informational	June 29, 2007
Expires: December 31, 2007

XPTR: DNS Prefix Pointer
draft-hallambaker-xptr-00

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on December 31, 2007.

Copyright Notice

Copyright © The IETF Trust (2007).

Abstract

The DNS XPTR resource record is defined. An XPTR record may be used in combination with prefixed DNS records to create the effect of wildcarding and to simplify management where prefixed records are employed on an extended scale.

---

Table of Contents

1.  Definitions
    1.1.  Requirements Language
2.  Introduction
3.  Resolving Prefix records with XPTR
    3.1.  Basic Prefix Resolution
    3.2.  Reverse Prefix Resolution
4.  Using XPTR
    4.1.  Wildcards
    4.2.  Policy Administration
5.  Acknowledgements
6.  IANA Considerations
7.  Security Considerations
8.  Normative References
§  Author's Address
§  Intellectual Property and Copyright Statements

---

 TOC 

1.  Definitions

The following definitions are used in this document:

DNS Resource Record

A DNS Resource Record as defined in [TBS]

Prefixed Record

A DNS Resource Record in which one or more labels contain characters that are not valid DNS host names. [TBS]

---

 TOC 

1.1.  Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].

---

 TOC 

2.  Introduction

Prefixed resource records, first introduced in the SRV specification provide a means of extending the DNS without allocating a new resource record

The principle disadvantage faced when using prefixed DNS records is that the existing DNS specifications do not provide a 'midpoint wildcard' of the form _prefix.*.example.com. While a DNS server can implement such a wildcard in response to a DNS query as a 'synthetic' wildcard this usage is not compatible with the mechanisms of DNSSEC or Zone Transfer.

While support for wildcarding of prefixed records has not been considered an essential requirement in service discovery applications such as SRV and NAPTR, wildcarding is considered an essential requirement for publication of protocol policy statements. In particular the ability to make policy statements of the form 'All mail from *.example.com is signed' is frequently a requirement.

While such a requirement could be satisified by issuing separate DNS RRs for each protocol policy advertisement, this approach is only acceptable if the number of policy advertisements is expected to be small. While the number of official prefix registrations is small, informal registrations number in excess of 500 in June 2007. This number is likely to rise rapidly as the use of Web Services increases.

The DNS resource record is expressed as a fixed 16 bit field giving 65,336 possible values. An architecture which limits the Internet to 65,336 possible protocols for machine-machine interaction is not sustainable.

---

 TOC 

3.  Resolving Prefix records with XPTR

XPTR allows a resolution algorithm to be defined that supports the use of wildcards in conjunction with prefixed DNS records by introducing an additional step of indirection. Although a wildcard cannot be applied to prefixed DNS record itself, a wildcard can be applied to the XPTR indirection record.

---

 TOC 

3.1.  Basic Prefix Resolution

The basic XPTR prefix resolution (basic) algorithm MAY be specified as the means of resolving a particular DNS record prefix.

The basic resolution algorithm resolves a triple consisting of a DNS node, a DNS prefix label and a DNS record type. The resolution algorithm returns either the record requested or the result ?not present?.

The resolution algorithm always produces a result in a maximum of three steps when applied to DNS nodes in the forward DNS. The requestor first looks for a prefix record at the query node itself. If this search fails the requestor looks for a PREPTR record at the query node and if this is found:

Record BasicPrefixResolve (
                  String node, String prefix, RecordType  record)
   1.	Record F1 =  Lookup (prefix + "." + node, record)
      If  (F1 <> NIL) Return F1
   2.	Record F2 = Lookup (node, PREPTR)
      If (F2 = NIL) Return NIL
   3.	Record F3 = Lookup (prefix + "." + F2.domain)
      Return F3

---

 TOC 

3.2.  Reverse Prefix Resolution

In most cases an Internet service is identified by means of a domain name. In certain circumstances it is desirable to perform service and policy discovery by means of the IP address. This requirement is most likely to occur in protocols for real time reporting of security incidents where the IP address of the source of attack is known with some degree of certainty, but not a domain name.

In such situations the service discovery process MAY specify the use of the Reverse DNS. The reverse DNS is an area of the DNS space (in-addr.arpa, ipv6.arpa). A PTR record in the reverse DNS maps an IPv4 or IPv6 address to a DNS name.

Depending on the requirements of the service it MAY be desirable for discovery to process XPTR records in the reverse DNS directly or to first attempt to follow a PTR record to obtain a DNS node where basic prefix resolution is to be performed.

Record ReversePrefixResolve(
                  IPAddress address, String prefix, RecordType  record)
    1.	Record R1 =  Lookup (prefix + "." +
                             ReverseToNode (address), record)
        If  (F1 <> NIL) Return F1
    2.	Record R2 = Lookup (node, ReverseToNode (address)
        If (R2 = NIL) Return NIL
        Else Return BasicPrefixResolve (R2.domain, prefix, record)

---

 TOC 

4.  Using XPTR

XPTR may be used to simplfy administration of prefixed DNS records and to permit the resolution of wildcard DNS records.

---

 TOC 

4.1.  Wildcards

In order to illustrate the use of XPTR we consider the resolution of a hypothetical Internet protocol 'NOOP'.

The discovery protocol for NOOP is specified as using SRV with the basic prefix resolution protocol. There is no default port assignment.

All service requests for the 'NOOP' service with SRV Prefix _noop in the domain example.com are to be directed to the main noop server, except for the mathematics department math.example.com which has its own server.

The zone file is:

_noop._tcp.example.com        SRV 1 1 80 noop.example.com
_noop._tcp.math.example.com   SRV 1 1 80 math.example.com

h1.example.com                A    10.1.1.1
h1.example.com                XPTR example.com

*.example.com                 XPTR example.com

Although XPTR addresses the lack of a DNS midpoint wildcard it does not address the fact that the semantics of DNS wildcards are considerably more restrictive than is generally convenient and a DNS wildcard only binds to a DNS zone if there are no other records of any type defined for that node. It is therefore necessary to specify an XPTR record for the node h1.example.com which is outside the scope of the wildcard.

---

 TOC 

4.2.  Policy Administration

We hypothecate the existence of a protocol policy prefixes _a._policy, _b._policy etc. to be used to specify protocol configuration options.

The administrator of example.com has three basic types of machine; desktops, laptops and servers. The range of services a particular machine is allowed to offer is determined by its class. Instead of defining the protocol configuration policy for each machine individually the administrator specifies an XPTR record to direct resolution to a node where the characteristics for the whole class are defined:

_a._policy.laptop.example.com   TXT  "SSL=always"
_b._policy.laptop.example.com   TXT  "MinVersion=2.3 MaxVersion=3.4"

_a._policy.desktop.example.com  TXT  ""
_b._policy.desktop.example.com  TXT  "MinVersion=2.1 MaxVersion=3.4"

_a._policy.server.example.com   TXT  ""
_b._policy.server.example.com   TXT  "MinVersion=1.0 MaxVersion=3.4"


 alice.example.com              XPTR laptop.example.com
   bob.example.com              XPTR laptop.example.com
 carol.example.com              XPTR desktop.example.com
  doug.example.com              XPTR laptop.example.com
_b._policy.doug.example.com     TXT  "MinVersion=2.3 MaxVersion=3.4"
edward.example.com              XPTR server.example.com
  mail.example.com              XPTR server.example.com

The default policy may be overriden as necessary by a policy declared at the specific node. In this case the administrator has overriden policy B for doug.example.com.

---

 TOC 

5.  Acknowledgements

The ideas in this document arose from extensive discussions with the DKIM and DNSEXT working groups.

---

 TOC 

6.  IANA Considerations

This document requests allocation of a DNS Resource Record for the XPTR record.

---

 TOC 

7.  Security Considerations

The XPTR record does not change the security model or field of application of DNS. It does however make it more likely that DNS will be used in situations where the need for robust integrity and authenticity controls such as those provided by DNSSEC will become more apparent.

In particular it is highly desirable for a prefixed record used to distribute a security policy to be signed.

In cases where an XPTR directs resolution of prefixed records to a DNS zone that is under a different administrative control regime, administrative control and the ability to enforce security controls is transfered to another party.

---

 TOC 

8. Normative References

[RFC2119]

Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).

---

 TOC 

Author's Address

	Phillip Hallam-Baker
	VeriSign Inc
Email:	pbaker(_at_)verisign(_dot_)com

---

 TOC 

Full Copyright Statement

Copyright © The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr(_at_)ietf(_dot_)org.

Acknowledgment

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).

draft-hallambaker-xptr-00.txt
Description: draft-hallambaker-xptr-00.txt

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html