Network Working Group J. Yao Internet-Draft X. Lee Intended status: Informational CNNIC Expires: May 17, 2012 November 14, 2011 xNAME loop detection and its usage suggestion draft-yao-dnsop-xname-loop-00.txt Abstract The Domain Name System (DNS) has provided some means, such as CNAME or DNAME, where a query can be redirected to a different name. The zone operator should be careful about this redirection, which may forms a loop. The detail analysis of xNAME loop detection and its impacts are not specified in the RFC 1035 and RFC 2672. This document gives a detail analysis of xNAME loop and its impacts. It also gives some advices for using xNAME. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 17, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Yao & Lee Expires May 17, 2012 [Page 1] Internet-Draft bname November 2011 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Single xNAME . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. a CNAME b . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. a DNAME b . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. a BNAME b . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Single-mapping and Multi-mapping . . . . . . . . . . . . . . . 4 4. Combination of xNAMEs . . . . . . . . . . . . . . . . . . . . . 4 4.1. Combination of xNAMEs of the same type . . . . . . . . . . 4 4.1.1. CNAME chain . . . . . . . . . . . . . . . . . . . . . . 4 4.1.2. DNAME chain . . . . . . . . . . . . . . . . . . . . . . 5 4.1.3. BNAME chain . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Combination of xNAMEs of the different types . . . . . . . 6 5. Suggestion of xNAME use . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 8. Change History . . . . . . . . . . . . . . . . . . . . . . . . 7 8.1. draft-yao-dnsop-xNAME-loop: Version 00 . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8 9.2. Informative References . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Yao & Lee Expires May 17, 2012 [Page 2] Internet-Draft bname November 2011 1. Introduction RFC 1035 defines the canonical name (CNAME) RR, which directs itself to other names. RFC 2672 defines the DNAME RR, which directs its descedants to other names. There has been a proposal for another redirection RR, "BNAME", which will direct both itself and its descedants to other names. In addition, as specified in [RFC2672], redirection through a DNAME also results in the synthesis of a CNAME RR in the response; as described in [I-D.yao-dnsext-bname], redirection through a BNAME also results in the synthesis of a CNAME RR in the response In this document, we will refer to all RRs causing such redirection as xNAME RRs. Naming loops can be created with CNAME, DNAME or BNAME record alone, or any combinations of CNAME, DNAME and BNAME records. Implementors should note, however, that fairly lengthy chains of xNAME records may be valid. The zone operator should be careful about this redirection, which may forms a loop. However, the detail analysis of name loop detection and its impacts are not specified in the RFC 1035 and RFC 2672. This document gives a detail analysis of xNAME loop and its impacts. It also gives some advices for using xNAME. xNAME RRs can be explicitly retrieved by querying for the xNAME type. When a different type is queried and an xNAME RR is encountered, the xNAME RR (and possibly a synthesized CNAME) is added to the answer of the response, and the query is restarted with the name to which it was redirected. An xNAME may redirect a query to a name at which there is another xNAME and so on. In this document, we use "xNAME chain" to refer to a series of one or more xNAMEs each of which refers to another xNAME except the last, which may refer to a non- xNAME or results in an error. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] All the basic terms used in this specification are defined in the documents [RFC1034] and [RFC1035]. 2. Single xNAME If there is only one xNAME which does not creat any chain, it will not cause a xNAME loop. Yao & Lee Expires May 17, 2012 [Page 3] Internet-Draft bname November 2011 2.1. a CNAME b A single CNAME RR identifies its owner name as an alias. If a CNAME b, and b refers to a non-xNAME or results in an error, it will not cause the loop. 2.2. a DNAME b A single DNAME RR directs its descedants to other names. If a DNAME b, and b refers to a non-xNAMEor results in an error, it will not cause the loop. 2.3. a BNAME b A single BNAME RR directs both the owner name itself and its descedants to other names. If a BNAME b, and b refers to a non-xNAME or results in an error, it will not cause the loop. 3. Single-mapping and Multi-mapping The resource record "a CNAME b" creates a one-to-one mapping, which means that name a is redirected to b. We call such mapping as single-mapping, and such xNAME as single-mapping xNAME. The resource record "a DNAME b" or "a BNAME b" create a many-to-many mapping, which means that many names under a is redirected to many names under b. We call such mapping as multi-mapping, and such xNAME as multi- mapping xNAME. 4. Combination of xNAMEs 4.1. Combination of xNAMEs of the same type It is possible to form a xNAME loop due to the same types. 4.1.1. CNAME chain CNAME can form a long chain. We can chain together CNAME records, which may lead to create a CNAME loop. For example, a CNAME b b CNAME c c CNAME d In this case, d may point to another CNAME or a non-xNAME or results in an error. CNAME is a kind of one to one mapping, which means that one name points or maps to only one name. The resolver can detect Yao & Lee Expires May 17, 2012 [Page 4] Internet-Draft bname November 2011 the loop, just following the chain. 4.1.2. DNAME chain DNAME can form a long chain. We can chain together DNAME records, which may lead to create a DNAME loop. For example, a DNAME b b DNAME c c DNAME d In this case, d may point to another DNAME or a non-xNAME or results in an error. DNAME is a kind of many to many mapping, which means that many names point or map to many names. The resolver can not easily detect the loop. Using the example above, for any X which is a valid name string, we have X.a CNAME X.b X.b CNAME X.c X.c CNAME X.d In this case, in order to detect whether it forms a loop, it must check every name under "d" domain while "d" may have millions of names or thousands of sub-zones. If the domain "a" and "d" are not under the control of the same owner, detection of dname loop are impossilbe if "a" and "d" have too many childrens. 4.1.3. BNAME chain BNAME can form a long chain. we can chain together BNAME records, which may lead to create a BNAME loop. For example, a BNAME b b BNAME c c BNAME d In this case, d may point to another BNAME or a non-xNAME or results in an error. BNAME is a kind of many to many mapping, which means that many names point or map to many names. The resolver can not easily detect the loop. Using the example above, for any X which is a valid name string, we have X.a CNAME X.b X.b CNAME X.c X.c CNAME X.d In this case, in order to detect whether it forms a loop, it must check every name under "d" domain while "d" may have millions of Yao & Lee Expires May 17, 2012 [Page 5] Internet-Draft bname November 2011 names or thousands of sub-zones. If the domain "a" and "d" are not under the control of the same owner, detection of dname loop are impossilbe if "a" and "d" have too many childrens. On the other hand, since the BNAME also maps the owner name itself, we also have a CNAME b; b CNAME c; c CNAME d; For this case, it is easy to detect the name loop. But in the whole, it is not easy to detect the BNAME loop. 4.2. Combination of xNAMEs of the different types If there are many different types of xNAME in the chain, it is very difficulty to identify the loop. Different xNAMEs can form a long chain. We can chain together different xNAME records, which may lead to create a xNAME loop. For example, a xNAME b; x xNAME c; if xNAME is DNAME or BNAME, it will creat a many to many mapping; if it is CNAME, it will create a one to one mapping. For the example above, we can divid it into 4 cases: For the case 1: a Single-mapping b; x Single-mapping c; For the case 2: a Multi-mapping b; x Multi-mapping c; For the case 3: a Single-mapping b; x Multi-mapping c; For the case 4: a Multi-mapping b; x Single-mapping c; In the cases above for the example provided in this section, the user may easily detect the loop for the case 1. For other cases, it is Yao & Lee Expires May 17, 2012 [Page 6] Internet-Draft bname November 2011 very difficult to detect the mapping since Multi-mapping create complex mappling which is not easily detected. There are other more complex examples. But one thing is clear. If Multi-mapping xNAME is involved, it will create the complex of detecting of the loop of xNAME. 5. Suggestion of xNAME use If the xNAME chain is formed with single-mapping xNAME only, it can easily check the xNAME loop. But when multi-mapping xNAME is added into the chain, it makes the xNAME detection very difficult. In order to avoid the possible loop, the following suggestions should be considered: 1. If there is a xNAME chain, it is better that all names related to xNAME records are under the control of the same owner. 2. If there is a xNAME chain, the shortes chain is preferred. 3. If there is a xNAME chain, there should have only one multi- mapping xNAME 4. Adding a new xNAME to a xNAME chain, the 1, 2 and 3 requirements listed above should be considered to check whether the new xNAME should be configured. 6. IANA Considerations IANA is requested to do nothing for this document 7. Security Considerations TBD 8. Change History [[anchor16: RFC Editor: Please remove this section.]] 8.1. draft-yao-dnsop-xNAME-loop: Version 00 o xNAME loop detection 9. References Yao & Lee Expires May 17, 2012 [Page 7] Internet-Draft bname November 2011 9.1. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC 2672, August 1999. 9.2. Informative References [I-D.yao-dnsext-bname] Yao, J., Lee, X., and P. Vixie, "Bundled DNS Name Redirection", draft-yao-dnsext-bname-05 (work in progress), August 2010. [RFC2672bis] Rose, S. and W. Wijngaards, "Update to DNAME Redirection in the DNS", Internet-Draft ietf-dnsext-rfc2672bis-dname- 17.txt, 6 2009. Authors' Addresses Jiankang YAO CNNIC No.4 South 4th Street, Zhongguancun Beijing Phone: +86 10 58813007 Email: yaojk@cnnic.cn Xiaodong LEE CNNIC No.4 South 4th Street, Zhongguancun Beijing Phone: +86 10 58813020 Email: lee@cnnic.cn Yao & Lee Expires May 17, 2012 [Page 8]