Clarifications to the Dynamic Updates in the Domain Name System (DNS UPDATE) specification

This document clarifies interaction among Dynamic Updates in the Domain Name System (DNS UPDATE), Classless IN-ADDR.ARPA delegation, and Secure Domain Name System (DNS) Dynamic Update. It was identified that common implementations using DNS update protocol often ignore existence of CNAME/DNAME redirections and, as a result, fail to update records if redirection is used. One common example is failure to update PTR records in classless IN-ADDR.ARPA zones. describes how to use the CNAME records in IN-ADDR.ARPA DNS zones to split administrative control over IN-ADDR.ARPA data for classless networks. The described method is perfectly compatible with standard DNS resolution but DNS update requests need special handling described in this document. This clarification is applicable to parties wanting to update records in IN-ADDR.ARPA and other zones without changing existing CNAME/DNAME redirections. A typical example are PTR record updates in zones which might potentially use . This clarification is not applicable to cases where the purpose of the DNS update is to change CNAME/DNAME redirection.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in . Terms "requestor", "update message", and names of update message's sections are used in the same sense as in . Examples involving IN-ADDR.ARPA zone and PTR records are referring to .

The problem described herein typically occurs when an implementation intends to update resource records resolvable by using particular owner name while keeping all CNAME/DNAME redirections intact. In other words, the purpose of the update is to change resource records associated with terminal node of (potential) chain of redirections starting at a known owner name. Typically, this is the case when the resource records are associated with a known owner name or an owner name that is derived from data obtained outside of DNS. For example, implementations often translate IPv4 address to DNS owner name using the algorithm from section 5.2.1.4:

1.2.0.192.in-addr.arpa. ]]> The problem is that implementations often use this original node name in an Update Message without checking for redirections. If the original owner name contains redirection, then this behavior results in an attempt to add or delete another record to or from a node that already contains the CNAME record, and the update fails. Such inappropriately constructed update request will be silently ignored in accordance with section 3.4.2.2. Alternatively, an error will be reported to the requestor if the non-existence of the CNAME record was added as a prerequisite to the Update Message.

Please see applicability note in Introduction. A Requestor MUST resolve (canonicalize) the original owner name (e.g. the one derived from an IPv4 address) to a canonical owner name before constructing the Update Message. The requestor MUST follow whole chain of redirections until the terminal node of the chain is reached and use canonical name found at the terminal node. Implementations MUST detect infinite loops. Canonical owner name MUST be used instead of the original owner name in the resulting Update Message: All names used in the Prerequisite and Update sections MUST be canonicalized as specified above. Only prerequisites concerning the CNAME or DNAME records are an exception to this rule and should not be canonicalized. ZNAME in the Zone Section has to contain the name of the zone that encloses the canonical owner names. An implementation MAY chose to use canonicalized names in RDATA and an Additional Section. This is an application specific decision.

This draft does not involve IANA Considerations.

Canonicalization process changes the owner name which is going to be affected by the update. An active attacker might interfere with the canonicalization process and trick the requestor to update a node of the attacker's choice if the canonicalization process is not secured by using DNSSEC or by other means. Security properties of DNS updates using only DNS UPDATE without any security mechanisms on top of it are vulnerable anyway because an active attacker can very well modify the update message itself. Canonicalization generally increases overall risk for implementations of Secure DNS Dynamic Update because an attacker might have a chance to modify the owner name in an Update Message before the message is signed by the requestor. An implementation might decide to accept canonicalized names only on condition that the overall security status of the canonicalization process is sufficient according to the local policy. Because the chain of redirections might involve multiple DNS zones, implementations MUST use the lowest security status from all links in the chain of redirections when doing security decisions. For example, a strict implementation might accept canonicalized names only on condition that all redirections were secured by DNSSEC and the security state of all redirections was "secure". Another implementation might decide that security checks on a server side are sufficient, so requestors will accept canonical names obtained using insecure protocols. In case of PTR records, a server might require the TCP transport and map an IP address of the requestor to the canonical owner name and/or check data in an Update Message with the requestor's identity.