| draft-andrews-dns-hostnames-01.txt | draft-andrews-dns-hostnames-02.txt |
|---|---|
| Mark Andrews | Mark Andrews |
| INTERNET DRAFT CSIRO | INTERNET DRAFT CSIRO |
| Expires: October 1996 April 1996 | Expires: October 1996 April 1996 |
| Clarification on the use of | Clarification on the use of |
| Hostnames and Mail domain names in the DNS | Hostnames, Mail Boxes and Mail Domains in the DNS |
| draft-andrews-dns-hostnames-01.txt | draft-andrews-dns-hostnames-02.txt |
| 1. Status of This Memo | 1. Status of This Memo |
| This document is an Internet Draft. Internet Drafts are working | This document is an Internet Draft. Internet Drafts are working |
| documents of the Internet Engineering Task Force (IETF), its Areas, | documents of the Internet Engineering Task Force (IETF), its Areas, |
| and its Working Groups. Note that other groups may also distribute | and its Working Groups. Note that other groups may also distribute |
| working documents as Internet Drafts. | working documents as Internet Drafts. |
| Internet Drafts are draft documents valid for a maximum of six | Internet Drafts are draft documents valid for a maximum of six |
| months. Internet Drafts may be updated, replaced, or obsoleted by | months. Internet Drafts may be updated, replaced, or obsoleted by |
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 |
| Please check the 1id-abstracts.txt listing contained in the internet- | Please check the 1id-abstracts.txt listing contained in the internet- |
| drafts Shadow Directories to learn the current status of any Internet | drafts Shadow Directories to learn the current status of any Internet |
| Draft. | Draft. |
| 2. Abstract | 2. Abstract |
| At the protocol level, DNS domain names and records may contain | At the protocol level, DNS domain names and records may contain |
| arbitrary binary data. However, many domain names and records are, | arbitrary binary data. However, many domain names and records are, |
| or refer to, hostnames, which are restricted by RFCs 952 and 1123 to | or refer to, hostnames, which are restricted by RFCs 952 and 1123 to |
| contain only certain characters. Similar restrictions apply to mail | contain only certain characters. Similar restrictions apply to mail |
| domain names, RFC-821. This document identifies the types of domain names | domain names, RFC-821. This document identifies the types of domain |
| and records which are hostnames / mail domain names, and specifies | names and records which are hostnames / mail domain names, and |
| the circumstances under which validation checks should be performed | specifies the circumstances under which validation checks should be |
| within the class IN. | performed within the class IN. |
| 3. Scope | 3. Scope |
| This document addresses restrictions that apply to records of class IN. | This document addresses restrictions that apply to records of class |
| Similar restrictions may apply to other classes but no attempt has | IN. Similar restrictions may apply to other classes but no attempt |
| been made to address them here. | has been made to address them here. |
| "hostname" is an ASCII string as specified by [RFC-952] and modified | "hostname" is an ASCII string as specified by [RFC-952] and modified |
| by [RFC-1123]. | by [RFC-1123]. |
| "mail domain name" is an ASCII string as specified by [RFC-821]. It | "mail domain name" is an ASCII string as specified by [RFC-821]. It |
| is syntactically identical to a hostname. While a broader definition | is syntactically identical to a hostname. While a broader definition |
| is described in [RFC-822] only the subset describe within [RFC-821] | is described in [RFC-822] only the subset described within [RFC-821] |
| will be allowed. [RFC-1123] does not explicitly change the syntax | will be allowed. [RFC-1123] does not explicitly change the syntax |
| for mail domain names, the changes to hostnames MUST flow through | for mail domain names, the changes to hostnames MUST flow through |
| indicating an implicit change. For the purposes of this RFC hostname | indicating an implicit change. For the purposes of this document |
| refers to either a hostname or a mail domain name. | hostname refers to either a hostname or a mail domain name. |
| Field names are as described by [RFC-1035]. | "mailbox" is a ASCII string specified by [RFC-821] and mapped into |
| | the DNS using the mapping specified by [RFC-1035] Section 8. The |
| | first label represents the local part and the second and subsequent |
| | labels MUST form a hostname / mail domain name. The local part is |
| | restricted to printable ASCII (0x21 - 0x7e) plus single interior |
| | SPACE (0x21), that is a SPACE MUST be surrounded by printable ASCII. |
| | This definition is tighter than [RFC-821]. |
| | legal: |
| | "abc def.foo.bar" |
| | "ab cd ef.foo.bar" |
| | illegal: |
| | " abcdef.foo.bar" |
| | "abcdef .foo.bar" |
| | "abc  def.foo.bar" (sequence of two spaces) |
| | Field names are as described by [RFC-1035] unless otherwise noted. |
| The terms "SHOULD", "SHOULD NOT", "MUST" and "MUST NOT" are defined | The terms "SHOULD", "SHOULD NOT", "MUST" and "MUST NOT" are defined |
| in [RFC-1123] and specify the latitude developers may take. | in [RFC-1123] and specify the latitude developers may take. |
| 4. Owner Name: Unconditional | 4. Owner Name: Unconditional |
| The owner names of the following resource records MUST be hostnames: | The owner names of the following resource records MUST be hostnames: |
| A [RFC-1035] | A [RFC-1035] |
| WKS [RFC-1035] | WKS [RFC-1035] |
| MD [RFC-1035] (Obsolete) | MD [RFC-1035] (Obsolete) |
| MF [RFC-1035] (Obsolete) | MF [RFC-1035] (Obsolete) |
| MINFO [RFC-1035] all but the first label MUST be a hostname | MINFO [RFC-1035] MUST be a mailbox |
| MR [RFC-1035] all but the first label MUST be a hostname | MR [RFC-1035] MUST be a mailbox |
| MX [RFC-974] | MX [RFC-974] |
| AAAA [RFC-1886] | AAAA [RFC-1886] |
| X25 [RFC-1183] | X25 [RFC-1183] |
| ISDN [RFC-1183] | ISDN [RFC-1183] |
| RT [RFC-1183] | RT [RFC-1183] |
| AFSDB [RFC-1183] | AFSDB [RFC-1183] |
| Records which do not conform MUST NOT be accepted or sent by | Records which do not conform MUST NOT be accepted or sent by |
| nameservers, and queries containing non-conforming names MUST NOT be | nameservers, and queries containing non-conforming names MUST NOT be |
| generated by library routines. Nameservers MUST return FORMERR to | generated by library routines. Nameservers MUST return FORMERR to |
| skipping to change at page 3, line 19 | skipping to change at page 3, line 34 |
| to conform and MUST NOT forward non-conforming records. FORMERR MUST | to conform and MUST NOT forward non-conforming records. FORMERR MUST |
| be returned if non-conforming records are received. | be returned if non-conforming records are received. |
| SOA MNAME field MUST be a hostname. | SOA MNAME field MUST be a hostname. |
| SOA RNAME field. All but the first label MUST be a hostname. | SOA RNAME field. All but the first label MUST be a hostname. |
| MX EXCHANGE field MUST be a hostname. | MX EXCHANGE field MUST be a hostname. |
| NS NSDNAME field MUST be a hostname. | NS NSDNAME field MUST be a hostname. |
| MB MADNAME field MUST be a hostname. | MB MADNAME field MUST be a hostname. |
| MD MADNAME field MUST be a hostname (Obsolete). | MD MADNAME field MUST be a hostname (Obsolete). |
| MF MADNAME field MUST be a hostname (Obsolete). | MF MADNAME field MUST be a hostname (Obsolete). |
| MG MGMNAME field. All but the first label MUST be a hostname. | MG MGMNAME field MUST be a mailbox. |
| MINFO RMAILBX field. All but the first label MUST be a hostname. | MINFO RMAILBX field MUST be a mailbox. |
| MINFO EMAILBX field. All but the first label MUST be a hostname. | MINFO EMAILBX field MUST be a mailbox. |
| AFSDB <hostname> field [RFC-1183] MUST be a hostname. | AFSDB <hostname> field [RFC-1183] MUST be a hostname. |
| RP <mbox-dname> field [RFC-1183]. All but the first label MUST be a | RP <mbox-dname> field [RFC-1183] MUST be a mailbox. |
| hostname same as SOA RNAME field. Empty <mbox-dname> field, | Empty <mbox-dname> field, e.g. ".", need not be checked. |
| e.g. ".", need not be checked. | |
| RT <intermediate-host> field [RFC-1183] MUST be a hostname. | RT <intermediate-host> field [RFC-1183] MUST be a hostname. |
| If a query of type ANY is made, non-conforming records with the types | If a query of type ANY is made, non-conforming records with the types |
| specified above MUST be discarded by library routines before the | specified above MUST be discarded by library routines before the |
| results are returned to the application. | results are returned to the application. |
| 7. Hostnames in the data field: Conditional | 7. Hostnames in the data field: Conditional |
| The following resource record MAY contain hostnames in its data | The following resource record MAY contain hostnames in its data |
| fields. Library routines MUST ignore the resource record and indicate | fields. Library routines MUST ignore the resource record and indicate |
| an error to the calling routine. | an error to the calling routine. |
| PTR records in the IP6.INT [RFC-1886] and IN-ADDR.ARPA [RFC-1033] | PTR records in the IP6.INT [RFC-1886] and IN-ADDR.ARPA [RFC-1033] |
| domains are used for mapping addresses into host and network names. | domains are used for mapping addresses into host and network names. |
| The data fields of PTR records in these two domains MUST be | The data fields of PTR records in these two domains MUST be |
| hostnames. Records which do not conform MUST NOT be accepted or sent | hostnames. Records which do not conform MUST NOT be accepted or sent |
| by nameservers. FORMERR MUST be returned if received. In addition the | by nameservers. FORMERR MUST be returned if received. In addition the |
| data fields of PTR records refered to by CNAMES within this space | data fields of PTR records referred to by CNAMES within this space |
| MUST also conform [EIDNES]. Servers and libraries MUST ensure | MUST also conform [EIDNES]. Servers and libraries MUST ensure |
| conformance. REFUSED MUST be returned in this case. | conformance. REFUSED MUST be returned in this case. |
| When looking up address records, A or AAAA, the CNAME data field MUST | When looking up address records, A or AAAA, the CNAME data field MUST |
| be checked for conformance and the query terminated if required. | be checked for conformance and the query terminated if required. |
| REFUSED MUST be returned in this case. | REFUSED MUST be returned in this case. |
| 8. Security Considerations | 8. Security Considerations |
| This document addresses security issues raised by the use of non- | This document addresses security issues raised by the use of non- |
| conforming hostnames. | conforming hostnames. |
| Some applications use hostnames as returned by the DNS without | Some applications use hostnames as returned by the DNS without |
| checking their conformance. This has caused security problems in | checking their conformance. This has caused security problems in |
| those applications. This document addresses these problems by requiring | those applications. This document addresses these problems by |
| DNS resolvers and nameservers to enforce conformance, and specifying | requiring DNS resolvers and nameservers to enforce conformance, and |
| exactly which parts of the DNS namespace are subject to these | specifying exactly which parts of the DNS namespace are subject to |
| restrictions. | these restrictions. |
| This document is believed to introduce no additional security | This document is believed to introduce no additional security |
| problems to the current DNS protocol, except perhaps by lulling | problems to the current DNS protocol, except perhaps by lulling |
| application developers into a false sense of security by having DNS | application developers into a false sense of security by having DNS |
| servers and resolver libraries implement conformance checks that | servers and resolver libraries implement conformance checks that |
| applications should implement in any case. DNS servers and resolver | applications should implement in any case. DNS servers and resolver |
| libraries may be out-of-date, or compromised by malicious users, and | libraries may be out-of-date, or compromised by malicious users, and |
| no application should depend on them actually performing conformance | no application should depend on them actually performing conformance |
| checks. | checks. |
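A validator for the "hostname" and "mailbox" forms defined in section 3 of the -02 draft, as an added Python example that belongs to neither draft. It applies the RFC 952/1123 label rule, splits names honouring the RFC 1035 `\.` escape (an assumption about how a dot inside a local part is written in text form), and checks the draft's own legal and illegal mailbox examples; SPACE is taken as 0x20, since the "(0x21)" in the draft text is the code for '!'.

```python
import re

# RFC 952 label as modified by RFC 1123: letters, digits and '-', may start
# with a digit, must not start or end with '-', at most 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Mailbox local part per section 3 of the -02 draft: printable ASCII
# 0x21-0x7e, plus single SPACEs that are surrounded by printable ASCII.
# (SPACE is 0x20; the draft's "(0x21)" is a typo, 0x21 is '!'.)
_LOCAL = re.compile(r"^[\x21-\x7e]+(?: [\x21-\x7e]+)*$")

def split_labels(name):
    """Split a textual name into labels, honouring RFC 1035 '\\.' escapes so a
    dot inside a mailbox local part is not taken as a label separator."""
    labels, cur, i = [], [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):   # escaped character
            cur.append(name[i + 1])
            i += 2
            continue
        if name[i] == ".":
            labels.append("".join(cur))
            cur = []
        else:
            cur.append(name[i])
        i += 1
    labels.append("".join(cur))
    if len(labels) > 1 and labels[-1] == "":         # trailing dot = absolute
        labels.pop()
    return labels

def is_hostname(name):
    """Hostname / mail domain name: every label legal, 255 characters at most."""
    return len(name) <= 255 and all(_LABEL.match(lab) for lab in split_labels(name))

def is_mailbox(name):
    """Mailbox: first label is the local part, the rest must form a hostname."""
    labels = split_labels(name)
    return (len(labels) >= 2 and _LOCAL.match(labels[0]) is not None
            and all(_LABEL.match(lab) for lab in labels[1:]))

# Constructed test inputs: the draft's legal and illegal examples, plus an
# escaped-dot local part and an RFC 1123 hostname that starts with a digit.
MAILBOX_CASES = {
    "abc def.foo.bar": True, "ab cd ef.foo.bar": True,
    " abcdef.foo.bar": False, "abcdef .foo.bar": False,
    "abc  def.foo.bar": False, "first\\.last.3com.com": True,
}
```

The same two predicates cover the owner-name and data-field rules of sections 4 to 7: `is_hostname` for MX EXCHANGE, NS NSDNAME and PTR data in IN-ADDR.ARPA, `is_mailbox` for MG, MINFO and RP fields.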