DNS Scoped Data Through '_Underscore' Naming
of Attribute LeavesBrandenburg InternetWorking675 Spruce Dr.SunnyvaleCA94086USA+1.408.246.8253dcrocker@bbiw.nethttp://bbiw.net/dnsopDNSDomain Name System> Formally, any DNS resource record may occur for any domain name.
However some services have defined an operational convention, which
applies to DNS leaf nodes that are under a DNS branch having one or
more reserved node names, each beginning with an underscore. The
underscore naming construct defines a semantic scope for DNS record
types that are associated with the parent domain, above the
underscored branch. This specification explores the nature of this
DNS usage and defines the "DNS Global Underscore Scoped Entry
Registry" with IANA. The purpose of the Underscore registry is to
avoid collisions resulting from the use of the same underscore-based
name, for different services.The core Domain Name System (DNS) technical specifications assign no
semantics to domain names or their parts, and no constraints upon
which resource record (RR) types are permitted to be stored under
particular names , . Over time, some leaf node names, such as "www" and "ftp" have
come to imply support for particular services, but this is a matter
of operational convention, rather than defined protocol semantics.
This freedom in the basic technology has permitted a wide range of
administrative and semantic policies to be used -- in parallel. DNS
data semantics have been limited to the specification of particular
resource record types, on the expectation that new ones would be
added as needed. Unfortunately, the addition of new resource record
types has proven extremely challenging, over the life of the DNS,
with significant adoption and use barriers. As an alternative to defining a new RR type, some DNS service
enhancements call for using an existing resource record type, but
specify a restricted scope for its occurrence. Scope is meant as
a static property, not one dependent on the nature of the query.
It is an artifact of the DNS name. That scope is a leaf node,
within which the uses of specific resource record sets can be
formally defined and constrained. The leaf occurs in a branch
having a distinguished naming convention: At the top of the
branch -- beneath the parent domain name to which the scope
applies -- one or more reserved DNS node names begin with an
underscore ("_"). Because the DNS rules for a
"host" (host name) are not allowed to use the
underscore character, this distinguishes the underscore name from
all legal host names . Effectively, this
convention for leaf node naming creates a space for the listing
of 'attributes' -- in the form of resource record types -- that
are associated with the parent domain, above the underscored
sub-branch. The scoping feature is particularly useful when generalized
resource record types are used -- notably
TXT, SRV,
and URI, , , . It provides
efficient separation of one use of them from others. Absent this
separation, an undifferentiated mass of these
RRsets is returned to the DNS client,
which then must parse through the internals of the records in the
hope of finding ones that are relevant. Worse, in some cases the
results are ambiguous because a record type might not adequately
self-identify. With underscore-based scoping, only the relevant
RRsetss are returned.A simple example is DKIM , which
uses "_domainkeys" for defining a place to hold a
TXT record containing signing
information for the parent domain. This specification formally defines how underscore labels are
used as "attribute" enhancements for their parent domain names.
For example, domain name "_domainkey.example." acts as attribute
of parent domain name "example." To avoid collisions resulting
from the use of the same underscore-based labels for different
applications using the same resource record type, this document
establishes DNS Underscore Global Scoped Entry IANA Registry for
the highest-level reserved names that begin with _underscore;
_underscore-based names that are farther down the hierarchy are
handled within the scope of the highest-level _underscore name.
Discussion about this draft
should be directed to the dnsop@ietf.org
mailing list.Please remove
"Discussion Venue" paragraph prior to
publication.Some resource record types are used in a fashion that can create
scaling problems, if an entire RRset associated with a domain
name is aggregated in the leaf node for that name. An
increasingly-popular approach, with excellent scaling properties,
places the RRset under a specially named branch, which is in turn
under the node name that would otherwise contain the RRset. The
rules for naming that branch define the context for interpreting
the RRset. That is, rather than: the arrangement is: A direct lookup to the subordinate leaf node produces
only the desired record types, at no greater cost than a typical
DNS lookup.The definition of an underscore global registry, provided in this
specification, primarily attends to the top-most names used for
scoping an RR type; that is the _underscore "global" names. A global registry for DNS nodes names that begin with an _underscore
is defined here. The purpose of the Underscore Global Registry is to
avoid collisions resulting from the use of the same
_underscore-based name, for different applications. If a public specification calls for use of an
_underscore-prefixed domain node name, the 'global'
(right-most) _underscored name MUST be entered into this
registry. The _underscore names define scope of use for specific resource
record types, which are associated with the domain name that is the
"parent" to the branch defined by the _underscore naming. A given
name defines a specific, constrained context for one or more RR
types, where use of such record types conforms to the defined
constraints. Within an _underscore scoped leaf, other RRsets that are not
specified as part of the scope MAY be used.Structurally, the registry is defined as a single, flat table of RR
types, under node names beginning with _underscore. In some cases,
such as for use of an SRV record, the
full scoping name might be multi-part, as a sequence of underscore
names. Semantically, that sequence represents a hierarchical model
and it is theoretically reasonable to allow re-use of a subordinate
underscore name in different underscore context; that is, a
subordinate name is meaningful only within the scope of the
right-most (top-level) underscore name. Therefore they are ignored
by this DNS Underscore Global Scoped Entry Registry. This registry
is for the definition of highest-level -- ie, global -- underscore
node name used.NAME_service1._protoB._service2_protoB._service3_protoC._service3_useX._protoD._service4_protoE._region._authorityOnly the right-most _underscore names are registered in the IANA
Underscore Global table. The use of underscored node names is specific to each RRTYPE
that is being scoped. Each name defines a place, but does not
define the rules for what appears underneath that place,
either as additional underscored naming or as a leaf node with
resource records. Details for those rules are provided by
specifications for individual RRTYPEs. The sections below
describe the way that existing underscore labels are used with
the RRTYPEs that they name.Definition and registration of the subordinate underscore node
names is the responsibility of the specification that creates
the highest-level (right-most) global registry entry.That is, if a scheme using a global underscore node name also
has one or more subordinate levels of underscore node naming,
the namespaces from which names for those lower levels is
chosen is controlled by the parent underscore node name. Each
globally-registered underscore name owns a distinct,
subordinate name space.This section provides a basic template that can be used to register
new entries in the IANA DNS Underscore Global Scoped Entry Registry,
if the right-most underscored name above the RRTYPE is not already
registered. The text can be added to specifications using
RRTYPE/_Node-name combinations that have not already been
registered.Per {RFC Attrleaf} please add the following entry to the DNS
Underscore Global Scoped Entry Registry:Please replace the above "{RFC
Attrleaf}" text with a reference to this document's RFC
number. /dRR Type_NODE NAME REFERENCE{RRTYPE}_{DNS global node name} {citation for the document making the addition.} Per , IANA is requested to establish the:DNS Underscore Global Scoped Entry RegistryThis section describes actions requested of IANA. The
guidance in is used.The DNS Global Underscore Scoped Entry Registry is for DNS node
names that begin with the underscore character (_) and are the
right-most occurrence of any underscored names in a domain name
sequence having that form; that is they are the "top" of a DNS
branch, under a "parent" domain name. This registry is to operate under the IANA rules for
"Expert Review" registration; see .The contents of each entry in the Global registry are
defined in .Each entry in the registry MUST contain values for all of
the fields specified in .Within the registry, the combination of RR Type and _Node
Name MUST be unique.The table is to be maintained with entries sorted by the
first column (RR Type) and within that the second column
(_Node Name).The required Reference for an entry MUST have a stable
resolution to the organization controlling that registry
entryA registry entry contains: Lists an RR type that is defined for
use within this scope.Specifies a single _underscore
name that defines a reserved name; this name is the
"global" entry name for the scoped resource record types
that are associated with that name Lists specification that defines a
record type and its use under this Name. The organization
producing the specification retains control over the
registry entry for the _Node Name. Each RR type that is to be used MUST have a separate
registry entry. Initial entries in the registry are:RR Type_NODE NAME REFERENCEOPENPGPKEY_openpgpkeySMIMEA _smimecertSRV_dccpSRV_sctpSRV_tcpSRV_udpTLSA_sctpTLSA_tcpTLSA_udpTXT_mta-stsTXT_acme-challengeTXT_dmarcTXT_domainkeyTXT_spfTXT_vouchURI_iaxURI_acctURI_dccpURI_emailURI_emsURI_faxURI_ftURI_h323URI_ical-schedURI_ical-accessURI_ifaxURI_imURI_mmsURI_presURI_pstnURI_sctpURI_sipURI_smsURI_tcpURI_udpURI_unifmsgURI_vcardURI_videomsgURI_voiceURI_voicemsgURI_vpimURI_xmpThis section provides guidance for expert review of registration
requests in the of DNS Underscore Global Scoped Entry Registry.This review is solely to determine adequacy of a requested
entry in this Registry, and does not include review of other
aspects of the document specifying that entry. For example
such a document might also contain a definition of the
resource record type that is referenced by the requested
entry. Any required review of that definition is separate from
the expert review required here. The review is for the purposes of ensuring that:The details for creating the registry entry are sufficiently
clear, precise and completeThe combination of the _underscore name, under which the
listed resource record type is used, and the resource record
type, is unique in the tableFor the purposes of this Expert Review, other matters of the
specification's technical quality, adequacy or the like are outside
of scope. This memo raises no security issues.SMTP MTA Strict Transport Security (MTA-STS)DOD Internet Host Table SpecificationDomain
names - implementation and specificationUSC/ISI4676 Admiralty WayMarina del ReyCA90291US+1 213 822 1511Clarifications to the DNS SpecificationGuidelines for Writing an IANA Considerations Section in
RFCsPTIHuawei TechnologiesIBM CorporationA DNS RR for specifying the location
of services (DNS SRV)Troll TechWaldemar Thranes gate 98BOsloN-0175NO+47 22 806390+47 22 806380arnt@troll.noInternet Software Consortium950 Charter StreetRedwood CityCA94063US+1 650 779 7001Microsoft CorporationOne Microsoft WayRedmondWA98052USlevone@microsoft.comThis document describes a DNS
RR which specifies the location
of the server(s) for a specific protocol and domain.Vouch By ReferenceDomain Assurance CouncilDomain Assurance CouncilAlt-N Technologiesnternet Assigned Numbers Authority (IANA) Procedures for
the Management of the Service Name and Transport Protocol Port
Number RegistryDomainKeys Identified Mail (DKIM) SignaturesDomainKeys Identified Mail (DKIM) defines a domain-level
authentication framework for email using public-key
cryptography and key server technology to permit
verification of the source and contents of messages by
either Mail Transfer Agents (MTAs) or Mail User Agents
(MUAs). The ultimate goal of this framework is to permit a
signing domain to assert responsibility for a message, thus
protecting message signer identity and the integrity of the
messages they convey while retaining the functionality of
Internet email as it is known today. Protection of email
identity may assist in the global control of "spam" and
"phishing". [STANDARDS TRACK]The DNS-Based Authentication of Named Entities (DANE)
Transport Layer Security (TLS) Protocol: TLSASender Policy Framework (SPF) for Authorizing Use of
Domains in E-Mail, Version 1Domain-based Message Authentication, Reporting, and
Conformance (DMARC)The Uniform Resource Identifier (URI) DNS Resource
RecordNetnodISOCUsing Secure DNS to Associate Certificates with Domain
Names for S/MIMEAutomatic Certificate Management Environment
(ACME)Guidelines for Writing an IANA Considerations Section in
RFCsThanks go to Bill Fenner, Tony Hansen, Martin Hoffmann, Peter Koch,
Olaf Kolkman, and Andrew Sullivan for diligent review of the (much)
earlier drafts. For the later enhancements, thanks to: Stephane
Bortzmeyer, Bob Harold, Warren Kumari, John Levine, Joel Jaeggli,
Petr Špaček, OndÅ™ej Surř, Paul Vixie, Tim Wicinski,
and Paul Wouters. Special thanks to Ray Bellis for his persistent encouragement to
continue this effort, as well as the suggestion for an essential
simplification to the registration model.