< draft-ietf-dnsext-dns-name-p-s-00.txt   draft-ietf-dnsext-dns-name-p-s-01.txt >
DNS Extensions Working Group G. Sisson DNS Extensions Working Group G. Sisson
Internet-Draft B. Laurie Internet-Draft B. Laurie
Expires: January 11, 2006 Nominet Expires: March 5, 2006 Nominet
July 10, 2005 September 2005
Derivation of DNS Name Predecessor and Successor Derivation of DNS Name Predecessor and Successor
draft-ietf-dnsext-dns-name-p-s-00 draft-ietf-dnsext-dns-name-p-s-01
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 33 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 11, 2006. This Internet-Draft will expire on March 5, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document describes two methods for deriving the canonically- This document describes two methods for deriving the canonically-
ordered predecessor and successor of a DNS name. These methods may ordered predecessor and successor of a DNS name. These methods may
be used for dynamic NSEC resource record synthesis, enabling be used for dynamic NSEC resource record synthesis, enabling
security-aware name servers to provide authenticated denial of security-aware name servers to provide authenticated denial of
existence without disclosing other owner names in a DNSSEC-secured existence without disclosing other owner names in a DNSSEC-secured
zone. zone.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3
3. Absolute Method . . . . . . . . . . . . . . . . . . . . . . . 4 3. Derivations . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Derivation of DNS Name Predecessor . . . . . . . . . . . . 4 3.1. Absolute Method . . . . . . . . . . . . . . . . . . . . . 4
3.2. Derivation of DNS Name Successor . . . . . . . . . . . . . 4 3.1.1. Derivation of DNS Name Predecessor . . . . . . . . . . 4
4. Modified Method . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.2. Derivation of DNS Name Successor . . . . . . . . . . . 5
4.1. Derivation of DNS Name Predecessor . . . . . . . . . . . . 6 3.2. Modified Method . . . . . . . . . . . . . . . . . . . . . 5
4.2. Derivation of DNS Name Successor . . . . . . . . . . . . . 6 3.2.1. Derivation of DNS Name Predecessor . . . . . . . . . . 6
5. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2. Derivation of DNS Name Successor . . . . . . . . . . . 6
5.1. Case Considerations . . . . . . . . . . . . . . . . . . . 7 4. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.2. Choice of Range . . . . . . . . . . . . . . . . . . . . . 7 4.1. Test for Existence . . . . . . . . . . . . . . . . . . . . 7
5.3. Wild Card Considerations . . . . . . . . . . . . . . . . . 8 4.2. Case Considerations . . . . . . . . . . . . . . . . . . . 7
5.4. Possible Modifications . . . . . . . . . . . . . . . . . . 8 4.3. Choice of Range . . . . . . . . . . . . . . . . . . . . . 8
5.4.1. Restriction of Effective Maximum DNS Name Length . . . 8 4.4. Wild Card Considerations . . . . . . . . . . . . . . . . . 8
5.4.2. Use of Modified Method With Zones Containing 4.5. Possible Modifications . . . . . . . . . . . . . . . . . . 9
4.5.1. Restriction of Effective Maximum DNS Name Length . . . 9
4.5.2. Use of Modified Method With Zones Containing
SRV RRs . . . . . . . . . . . . . . . . . . . . . . . 9 SRV RRs . . . . . . . . . . . . . . . . . . . . . . . 9
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Examples of Immediate Predecessors Using Absolute 5.1. Examples of Immediate Predecessors Using Absolute
Method . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Method . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.2. Examples of Immediate Successors Using Absolute Method . . 13 5.2. Examples of Immediate Successors Using Absolute Method . . 14
6.3. Examples of Predecessors Using Modified Method . . . . . . 19 5.3. Examples of Predecessors Using Modified Method . . . . . . 20
6.4. Examples of Successors Using Modified Method . . . . . . . 20 5.4. Examples of Successors Using Modified Method . . . . . . . 21
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . . 22 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
10.2. Informative References . . . . . . . . . . . . . . . . . . 22 9.1. Normative References . . . . . . . . . . . . . . . . . . . 23
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 9.2. Informative References . . . . . . . . . . . . . . . . . . 23
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 22 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 23
A.1. Changes from sisson-02 to ietf-00 . . . . . . . . . . . . 22 A.1. Changes from -00 to -01 . . . . . . . . . . . . . . . . . 23
A.2. Changes from sisson-01 to sisson-02 . . . . . . . . . . . 23 A.2. Changes from sisson-02 to ietf-00 . . . . . . . . . . . . 24
A.3. Changes from sisson-00 to sisson-01 . . . . . . . . . . . 23 A.3. Changes from sisson-01 to sisson-02 . . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24 A.4. Changes from sisson-00 to sisson-01 . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
Intellectual Property and Copyright Statements . . . . . . . . . . 26
1. Introduction 1. Introduction
One of the proposals for avoiding the exposure of zone information One of the proposals for avoiding the exposure of zone information
during the deployment DNSSEC is dynamic NSEC resource record (RR) during the deployment DNSSEC is dynamic NSEC resource record (RR)
synthesis. This technique is described in [I-D.ietf-dnsext-dnssec- synthesis. This technique is described in [I-D.ietf-dnsext-dnssec-
trans] and [I-D.ietf-dnsext-dnssec-online-signing], and involves the trans] and [I-D.ietf-dnsext-dnssec-online-signing], and involves the
generation of NSEC RRs that just span the query name for non-existent generation of NSEC RRs that just span the query name for non-existent
owner names. In order to do this, the DNS names which would occur owner names. In order to do this, the DNS names which would occur
just prior to and just following a given query name must be just prior to and just following a given query name must be
skipping to change at page 3, line 31 skipping to change at page 3, line 31
aid to implementors and a reference to other interested parties. aid to implementors and a reference to other interested parties.
This document describes two methods: This document describes two methods:
1. An ``absolute method'', which returns the immediate predecessor 1. An ``absolute method'', which returns the immediate predecessor
or successor of a domain name such that no valid DNS name could or successor of a domain name such that no valid DNS name could
exist between that DNS name and the predecessor or successor. exist between that DNS name and the predecessor or successor.
2. A ``modified method'', which returns a predecessor and successor 2. A ``modified method'', which returns a predecessor and successor
which are more economical in size and computation. This method which are more economical in size and computation. This method
is restricted to use with zones consisting only of single-label is restricted to use with zones consisting exclusively of owner
owner names where a maximum-length owner name would not result in names that contain no more than one label more than the owner
a DNS name exceeding the maximum DNS name length. This is, name of the apex, where the longest possible owner name (i.e. one
however, the type of zone for which the technique of online- with a maximum length left-most label) would not exceed the
signing is most likely to be used. maximum DNS name length. This is, however, the type of zone for
which the technique of online signing is most likely to be used.
2. Notational Conventions 2. Notational Conventions
The following notational conventions are used in this document for The following notational conventions are used in this document for
economy of expression: economy of expression:
N: An unspecified DNS name. N: An unspecified DNS name.
P(N): Immediate predecessor to N (absolute method). P(N): Immediate predecessor to N (absolute method).
S(N): Immediate successor to N (absolute method). S(N): Immediate successor to N (absolute method).
P'(N): Predecessor to N (modified method). P'(N): Predecessor to N (modified method).
S'(N): Successor to N (modified method). S'(N): Successor to N (modified method).
3. Absolute Method 3. Derivations
These derivations assume that all uppercase US-ASCII letters in N These derivations assume that all uppercase US-ASCII letters in N
have already been replaced by their corresponding lowercase have already been replaced by their corresponding lowercase
equivalents. Unless otherwise specified, processing stops after the equivalents. Unless otherwise specified, processing stops after the
first step in which a condition is met. first step in which a condition is met.
3.1. Derivation of DNS Name Predecessor The derivations make reference to maximum label length and maximum
DNS name length; these are defined in Section 3.1 of [RFC1034] to be
63 and 255 octets respectively.
3.1. Absolute Method
3.1.1. Derivation of DNS Name Predecessor
To derive P(N): To derive P(N):
1. If N is the same as the owner name of the zone apex, prepend N 1. If N is the same as the owner name of the zone apex, prepend N
repeatedly with labels of the maximum length possible consisting repeatedly with labels of the maximum length possible consisting
of octets of the maximum sort value (e.g. 0xff) until N is the of octets of the maximum sort value (e.g. 0xff) until N is the
maximum length possible; otherwise continue to the next step. maximum length possible; otherwise continue to the next step.
2. If the least significant (left-most) label of N consists of a 2. If the least significant (left-most) label of N consists of a
single octet of the minimum sort value (e.g. 0x00), remove that single octet of the minimum sort value (e.g. 0x00), remove that
label; otherwise continue to the next step. label; otherwise continue to the next step. (If this condition
is met, P(N) is the owner name of the apex.)
3. If the least significant (right-most) octet in the least 3. If the least significant (right-most) octet in the least
significant (left-most) label of N is the minimum sort value, significant (left-most) label of N is the minimum sort value,
remove the least significant octet and continue with step 5. remove the least significant octet and continue with step 5.
4. Decrement the value of the least significant (right-most) octet, 4. Decrement the value of the least significant (right-most) octet
skipping any values that correspond to uppercase US-ASCII of the least significant (left-most) label, skipping any values
letters, and then append the label with as many octets as that correspond to uppercase US-ASCII letters, and then append
the least significant (left-most) label with as many octets as
possible of the maximum sort value. Continue to the next step. possible of the maximum sort value. Continue to the next step.
5. Prepend N repeatedly with labels of as long a length as possible 5. Prepend N repeatedly with labels of as long a length as possible
consisting of octets of the maximum sort value until N is the consisting of octets of the maximum sort value until N is the
maximum length possible. maximum length possible.
3.2. Derivation of DNS Name Successor 3.1.2. Derivation of DNS Name Successor
To derive S(N): To derive S(N):
1. If N is two or more octets shorter than the maximum DNS name 1. If N is two or more octets shorter than the maximum DNS name
length, prepend N with a label containing a single octet of the length, prepend N with a label containing a single octet of the
minimum sort value (e.g. 0x00); otherwise continue to the next minimum sort value (e.g. 0x00); otherwise continue to the next
step. step.
2. If N is one or more octets shorter than the maximum DNS name 2. If N is one octet shorter than the maximum DNS name length and
length and the least significant (left-most) label is one or more the least significant (left-most) label is one or more octets
octets shorter than the maximum label length, append an octet of shorter than the maximum label length, append an octet of the
the minimum sort value to the least significant label; otherwise minimum sort value to the least significant label; otherwise
continue to the next step. continue to the next step.
3. Increment the value of the least significant (right-most) octet 3. Increment the value of the least significant (right-most) octet
in the least significant (left-most) label that is less than the in the least significant (left-most) label that is less than the
maximum sort value (e.g. 0xff), skipping any values that maximum sort value (e.g. 0xff), skipping any values that
correspond to uppercase US-ASCII letters, and then remove any correspond to uppercase US-ASCII letters, and then remove any
octets to the right of that one. If all octets in the label are octets to the right of that one. If all octets in the label are
the maximum sort value, then continue to the next step. the maximum sort value, then continue to the next step.
4. Remove the least significant (left-most) label. If N is now the 4. Remove the least significant (left-most) label. Unless N is the
same as the owner name of the zone apex, do nothing. (This will same as the owner name of the zone apex (this will occur only if
occur only if N is the maximum possible name in canonical DNS N is the maximum possible name in canonical DNS name order, and
name order, and thus has wrapped to the owner name of zone apex.) thus has wrapped to the owner name of zone apex), repeat starting
Otherwise repeat starting at step 2. at step 2.
4. Modified Method 3.2. Modified Method
This method is for use with zones consisting only of single-label This method is for use with zones consisting only of single-label
owner names where an owner name consisting of label of maximum length owner names where an owner name consisting of label of maximum length
would not result in a DNS name which exceeded the maximum DNS name would not result in a DNS name which exceeded the maximum DNS name
length. This method is computationally simpler and returns values length. This method is computationally simpler and returns values
which are more economical in size than the absolute method. It which are more economical in size than the absolute method. It
differs from the absolute method detailed above in the following differs from the absolute method detailed above in the following
ways: ways:
1. Step 1 of the derivation P(N) has been omitted as the existence 1. Step 1 of the derivation P(N) has been omitted as the existence
skipping to change at page 6, line 5 skipping to change at page 6, line 16
necessary for zones containing owner names consisting of more necessary for zones containing owner names consisting of more
than one label. This omission results in a tiny reduction of the than one label. This omission results in a tiny reduction of the
length of derived successors, and maintains consistency with the length of derived successors, and maintains consistency with the
modification of step 4 of the derivation P(N) described above. modification of step 4 of the derivation P(N) described above.
5. Steps 2 and 4 of the derivation S(N) have been modified to 5. Steps 2 and 4 of the derivation S(N) have been modified to
eliminate checks for maximum DNS name length, as it is an eliminate checks for maximum DNS name length, as it is an
assumption of this method that no DNS name in the zone can exceed assumption of this method that no DNS name in the zone can exceed
the maximum DNS name length. the maximum DNS name length.
These derivations assume that all uppercase US-ASCII letters in N 3.2.1. Derivation of DNS Name Predecessor
have already been replaced by their corresponding lowercase
equivalents. Unless otherwise specified, processing stops after the
first step in which a condition is met.
4.1. Derivation of DNS Name Predecessor
To derive P'(N): To derive P'(N):
1. If N has more labels than the number of labels in the owner name 1. If N has more labels than the number of labels in the owner name
of the apex + 1, repeatedly remove the least significant (left- of the apex + 1, repeatedly remove the least significant (left-
most) label until N has no more labels than the number of labels most) label until N has no more labels than the number of labels
in the owner name of the apex + 1; otherwise continue to next in the owner name of the apex + 1; otherwise continue to next
step. step.
2. If the least significant (left-most) label of N consists of a 2. If the least significant (left-most) label of N consists of a
single octet of the minimum sort value (e.g. 0x00), remove that single octet of the minimum sort value (e.g. 0x00), remove that
label; otherwise continue to the next step. label; otherwise continue to the next step. (If this condition
is met, P'(N) is the owner name of the apex.)
3. If the least significant (right-most) octet in the least 3. If the least significant (right-most) octet in the least
significant (left-most) label of N is the minimum sort value, significant (left-most) label of N is the minimum sort value,
remove the least significant octet. remove the least significant octet.
4. Decrement the value of the least significant (right-most) octet, 4. Decrement the value of the least significant (right-most) octet,
skipping any values which correspond to uppercase US-ASCII skipping any values which correspond to uppercase US-ASCII
letters, and then append the label with as many octets as letters, and then append the label with as many octets as
possible of the maximum sort value. possible of the maximum sort value.
4.2. Derivation of DNS Name Successor 3.2.2. Derivation of DNS Name Successor
To derive S'(N): To derive S'(N):
1. If N has more labels than the number of labels in the owner name 1. If N has more labels than the number of labels in the owner name
of the apex + 1, repeatedly remove the least significant (left- of the apex + 1, repeatedly remove the least significant (left-
most) label until N has no more labels than the number of labels most) label until N has no more labels than the number of labels
in the owner name of the apex + 1. Continue to next step. in the owner name of the apex + 1. Continue to next step.
2. If the least significant (left-most) label of N is one or more 2. If the least significant (left-most) label of N is one or more
octets shorter than the maximum label length, append an octet of octets shorter than the maximum label length, append an octet of
skipping to change at page 7, line 10 skipping to change at page 7, line 17
maximum sort value (e.g. 0xff), skipping any values which maximum sort value (e.g. 0xff), skipping any values which
correspond to uppercase US-ASCII letters, and then remove any correspond to uppercase US-ASCII letters, and then remove any
octets to the right of that one. If all octets in the label are octets to the right of that one. If all octets in the label are
the maximum sort value, then continue to the next step. the maximum sort value, then continue to the next step.
4. Remove the least significant (left-most) label. (This will occur 4. Remove the least significant (left-most) label. (This will occur
only if the least significant label is the maximum label length only if the least significant label is the maximum label length
and consists entirely of octets of the maximum sort value, and and consists entirely of octets of the maximum sort value, and
thus has wrapped to the owner name of the zone apex.) thus has wrapped to the owner name of the zone apex.)
5. Notes 4. Notes
5.1. Case Considerations 4.1. Test for Existence
Before using the result of P(N) or P'(N) as the owner name of an NSEC
RR in a DNS response, a name server should test to see whether the
name exists. If it does, either a standard non-synthesised NSEC RR
should be used, or the synthesised NSEC RR should reflect the RRset
types that exist at the NSEC RR's owner name in the Type Bit Map
field as specified by Section 4.1.2 of [RFC4034]. Implementors will
likely find it simpler to use a non-synthesised NSEC RR. For further
details see Section 2 of [I-D.ietf-dnsext-dnssec-online-signing].
4.2. Case Considerations
Section 3.5 of [RFC1034] specifies that "while upper and lower case Section 3.5 of [RFC1034] specifies that "while upper and lower case
letters are allowed in [DNS] names, no significance is attached to letters are allowed in [DNS] names, no significance is attached to
the case". Additionally, Section 6.1 of [RFC4034] states that when the case". Additionally, Section 6.1 of [RFC4034] states that when
determining canonical DNS name order, "uppercase US-ASCII letters are determining canonical DNS name order, "uppercase US-ASCII letters are
treated as if they were lowercase US-ASCII letters". Consequently, treated as if they were lowercase US-ASCII letters". Consequently,
values corresponding to US-ASCII uppercase letters must be skipped values corresponding to US-ASCII uppercase letters must be skipped
when decrementing and incrementing octets in the derivations when decrementing and incrementing octets in the derivations
described in Section 3.1 and Section 3.2. described in Section 3.
The following pseudo-code is illustrative: The following pseudo-code is illustrative:
Decrement the value of an octet: Decrement the value of an octet:
if (octet == '[') // '[' is just after uppercase 'Z' if (octet == '[') // '[' is just after uppercase 'Z'
octet = '@'; // '@' is just prior to uppercase 'A' octet = '@'; // '@' is just prior to uppercase 'A'
else else
octet--; octet--;
Increment the value of an octet: Increment the value of an octet:
if (octet == '@') // '@' is just prior to uppercase 'A' if (octet == '@') // '@' is just prior to uppercase 'A'
octet = '['; // '[' is just after uppercase 'Z' octet = '['; // '[' is just after uppercase 'Z'
else else
octet++; octet++;
5.2. Choice of Range 4.3. Choice of Range
[RFC2181] makes the clarification that "any binary string whatever [RFC2181] makes the clarification that "any binary string whatever
can be used as the label of any resource record". Consequently the can be used as the label of any resource record". Consequently the
minimum sort value may be set as 0x00 and the maximum sort value as minimum sort value may be set as 0x00 and the maximum sort value as
0xff, and the range of possible values will be any DNS name which 0xff, and the range of possible values will be any DNS name which
contains octets of any value other than those corresponding to contains octets of any value other than those corresponding to
uppercase US-ASCII letters. uppercase US-ASCII letters.
However, if all owner names in a zone are in the letter-digit-hyphen, However, if all owner names in a zone are in the letter-digit-hyphen,
or LDH, format specified in [RFC1034], it may be desirable to or LDH, format specified in [RFC1034], it may be desirable to
skipping to change at page 8, line 13 skipping to change at page 8, line 34
LDH values. This has the effect of: LDH values. This has the effect of:
1. making the output of tools such as `dig' and `nslookup' less 1. making the output of tools such as `dig' and `nslookup' less
subject to confusion; subject to confusion;
2. minimising the impact that NSEC RRs containing DNS names with 2. minimising the impact that NSEC RRs containing DNS names with
non-LDH values (or non-printable values) might have on faulty DNS non-LDH values (or non-printable values) might have on faulty DNS
resolver implementations; and resolver implementations; and
3. preventing the possibility of results which are wildcard DNS 3. preventing the possibility of results which are wildcard DNS
names (see Section 5.3). names (see Section 4.4).
This may be accomplished by using a minimum sort value of 0x1f (US- This may be accomplished by using a minimum sort value of 0x1f (US-
ASCII character `-') and a maximum sort value of 0x7a (US-ASCII ASCII character `-') and a maximum sort value of 0x7a (US-ASCII
character lowercase `z'), and then skipping non-LDH, non-lowercase character lowercase `z'), and then skipping non-LDH, non-lowercase
values when incrementing or decrementing octets. values when incrementing or decrementing octets.
5.3. Wild Card Considerations 4.4. Wild Card Considerations
Neither derivation avoids the possibility that the result may be a Neither derivation avoids the possibility that the result may be a
DNS name containing a wildcard label, i.e. a label containing a DNS name containing a wildcard label, i.e. a label containing a
single octet with the value 0x2a (US-ASCII character `*'). With single octet with the value 0x2a (US-ASCII character `*'). With
additional tests, wildcard DNS names may be explicitly avoided; additional tests, wildcard DNS names may be explicitly avoided;
alternatively, if the range of octet values can be restricted to alternatively, if the range of octet values can be restricted to
those corresponding to letter-digit-hyphen, or LDH, characters (see those corresponding to letter-digit-hyphen, or LDH, characters (see
Section 5.2), such DNS names will not occur. Section 4.3), such DNS names will not occur.
Note that it is improbable that a result which is a wildcard DNS name Note that it is improbable that a result which is a wildcard DNS name
will occur unintentionally; even if one does occur either as the will occur unintentionally; even if one does occur either as the
owner name of, or in the RDATA of an NSEC RR, it is treated as a owner name of, or in the RDATA of an NSEC RR, it is treated as a
literal DNS name with no special meaning. literal DNS name with no special meaning.
5.4. Possible Modifications 4.5. Possible Modifications
5.4.1. Restriction of Effective Maximum DNS Name Length 4.5.1. Restriction of Effective Maximum DNS Name Length
[RFC1034] specifies that "the total number of octets that represent a [RFC1034] specifies that "the total number of octets that represent a
[DNS] name (i.e., the sum of all label octets and label lengths) is [DNS] name (i.e., the sum of all label octets and label lengths) is
limited to 255", including the null (zero-length) label which limited to 255", including the null (zero-length) label which
represents the root. For the purpose of deriving predecessors and represents the root. For the purpose of deriving predecessors and
successors during NSEC RR synthesis, the maximum DNS name length may successors during NSEC RR synthesis, the maximum DNS name length may
be effectively restricted to the length of the longest DNS name in be effectively restricted to the length of the longest DNS name in
the zone. This will minimise the size of responses containing the zone. This will minimise the size of responses containing
synthesised NSEC RRs but, especially in the case of the modified synthesised NSEC RRs but, especially in the case of the modified
method, may result in some additional computational complexity. method, may result in some additional computational complexity.
Note that this modification will have the effect of revealing Note that this modification will have the effect of revealing
information about the longest name in the zone. Moreover, when the information about the longest name in the zone. Moreover, when the
contents of the zone changes, e.g. during dynamic updates and zone contents of the zone changes, e.g. during dynamic updates and zone
transfers, care must be taken to ensure that the effective maximum transfers, care must be taken to ensure that the effective maximum
DNS name length agrees with the new contents. DNS name length agrees with the new contents.
5.4.2. Use of Modified Method With Zones Containing SRV RRs 4.5.2. Use of Modified Method With Zones Containing SRV RRs
Normally the modified method cannot be used in zones that contain Normally the modified method cannot be used in zones that contain
SRV RRs [RFC2782], as SRV RRs have owner names which contain multiple SRV RRs [RFC2782], as SRV RRs have owner names which contain multiple
labels. However the use of SRV RRs can be accommodated by various labels. However the use of SRV RRs can be accommodated by various
techniques. There are at least four possible ways to do this: techniques. There are at least four possible ways to do this:
1. Use conventional NSEC RRs for the region of the zone that 1. Use conventional NSEC RRs for the region of the zone that
contains first-level labels beginning with the underscore (`_') contains first-level labels beginning with the underscore (`_')
character. For the purposes of generating these NSEC RRs, the character. For the purposes of generating these NSEC RRs, the
existence of (possibly fictional) ownernames `9{63}' and `a' existence of (possibly fictional) ownernames `9{63}' and `a'
skipping to change at page 9, line 31 skipping to change at page 10, line 4
This approach would make it possible to enumerate all DNS names This approach would make it possible to enumerate all DNS names
in the zone containing a first-level label beginning with in the zone containing a first-level label beginning with
underscore, including all SRV RRs, but this may be of less a underscore, including all SRV RRs, but this may be of less a
concern to the zone administrator than incurring the overhead of concern to the zone administrator than incurring the overhead of
the absolute method or of the following variants of the modified the absolute method or of the following variants of the modified
method. method.
2. The absolute method could be used for synthesising NSEC RRs for 2. The absolute method could be used for synthesising NSEC RRs for
all queries where the QNAME contains a leading underscore. all queries where the QNAME contains a leading underscore.
However this re-introduces the susceptibility of the absolute However this re-introduces the susceptibility of the absolute
method to denial of service activity, as an attacker could send method to denial of service activity, as an attacker could send
queries for an effectively inexhaustible supply of domain names queries for an effectively inexhaustible supply of domain names
beginning with a leading underscore. beginning with a leading underscore.
3. A variant of the modified method could be used for synthesising 3. A variant of the modified method could be used for synthesising
NSEC RRs for all queries where the QNAME contains a leading NSEC RRs for all queries where the QNAME contains a leading
underscore. This variant would assume that all predecessors and underscore. This variant would assume that all predecessors and
successors to queries where the QNAME contains a leading successors to queries where the QNAME contains a leading
underscore may consist of two lablels rather than only one. This underscore may consist of two labels rather than only one. This
introduces a little additional complexity without incurring the introduces a little additional complexity without incurring the
full increase in response size and computational complexity as full increase in response size and computational complexity as
the absolute method. the absolute method.
4. Finally, a variant the modified method which assumes that all 4. Finally, a variant the modified method which assumes that all
owner names in the zone consist of one or two labels could be owner names in the zone consist of one or two labels could be
used. However this negates much of the reduction in response used. However this negates much of the reduction in response
size of the modified method and may be nearly as computationally size of the modified method and may be nearly as computationally
complex as the absolute method. complex as the absolute method.
6. Examples 5. Examples
In the following examples: In the following examples:
the owner name of the zone apex is "example.com."; the owner name of the zone apex is "example.com.";
the range of octet values is 0x00 - 0xff excluding values the range of octet values is 0x00 - 0xff excluding values
corresponding to uppercase US-ASCII letters; and corresponding to uppercase US-ASCII letters; and
non-printable octet values are expressed as three-digit decimal non-printable octet values are expressed as three-digit decimal
numbers preceded by a backslash (as specified in Section 5.1 of numbers preceded by a backslash (as specified in Section 5.1 of
[RFC1035]). [RFC1035]).
6.1. Examples of Immediate Predecessors Using Absolute Method 5.1. Examples of Immediate Predecessors Using Absolute Method
Example of typical case: Example of typical case:
P(foo.example.com.) = P(foo.example.com.) =
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255.\255\255\255\255\255\255\255\255\255\255 \255.\255\255\255\255\255\255\255\255\255\255
skipping to change at page 13, line 37 skipping to change at page 14, line 37
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255.example.com. \255.example.com.
or, in alternate notation: or, in alternate notation:
\255{49}.\255{63}.\255{63}.\255{63}.example.com. \255{49}.\255{63}.\255{63}.\255{63}.example.com.
6.2. Examples of Immediate Successors Using Absolute Method 5.2. Examples of Immediate Successors Using Absolute Method
Example of typical case: Example of typical case:
S(foo.example.com.) = \000.foo.example.com. S(foo.example.com.) = \000.foo.example.com.
Example where DNS name is one octet short of the maximum DNS name Example where DNS name is one octet short of the maximum DNS name
length: length:
N = fooooooooooooooooooooooooooooooooooooooooooooooo N = fooooooooooooooooooooooooooooooooooooooooooooooo
.ooooooooooooooooooooooooooooooooooooooooooooooo .ooooooooooooooooooooooooooooooooooooooooooooooo
skipping to change at page 19, line 36 skipping to change at page 20, line 36
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255.example.com. \255.example.com.
or, in alternate notation: or, in alternate notation:
\255{49}.\255{63}.\255{63}.\255{63}.example.com. \255{49}.\255{63}.\255{63}.\255{63}.example.com.
S(N) = example.com. S(N) = example.com.
6.3. Examples of Predecessors Using Modified Method 5.3. Examples of Predecessors Using Modified Method
Example of typical case: Example of typical case:
P'(foo.example.com.) = P'(foo.example.com.) =
fon\255\255\255\255\255\255\255\255\255\255\255 fon\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
skipping to change at page 20, line 37 skipping to change at page 21, line 37
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255.example.com. \255\255\255.example.com.
or, in alternate notation: or, in alternate notation:
\255{63}.example.com. \255{63}.example.com.
6.4. Examples of Successors Using Modified Method 5.4. Examples of Successors Using Modified Method
Example of typical case: Example of typical case:
S'(foo.example.com.) = foo\000.example.com. S'(foo.example.com.) = foo\000.example.com.
Example where DNS name contains more labels than DNS names in the Example where DNS name contains more labels than DNS names in the
zone: zone:
S'(bar.foo.example.com.) = foo\000.example.com. S'(bar.foo.example.com.) = foo\000.example.com.
skipping to change at page 21, line 22 skipping to change at page 22, line 22
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255.example.com. \255\255\255.example.com.
or, in alternate notation: or, in alternate notation:
\255{63}.example.com. \255{63}.example.com.
S'(N) = example.com. S'(N) = example.com.
7. Security Considerations 6. Security Considerations
The derivation of some predecessors/successors requires the testing The derivation of some predecessors/successors requires the testing
of more conditions than others. Consequently the effectiveness of a of more conditions than others. Consequently the effectiveness of a
denial-of-service attack may be enhanced by sending queries that denial-of-service attack may be enhanced by sending queries that
require more conditions to be tested. The modified method involves require more conditions to be tested. The modified method involves
the testing of fewer conditions than the absolute method and the testing of fewer conditions than the absolute method and
consequently is somewhat less susceptible to this exposure. consequently is somewhat less susceptible to this exposure.
8. IANA Considerations 7. IANA Considerations
This document has no IANA actions. This document has no IANA actions.
Note to RFC Editor: This section is included to make it clear during Note to RFC Editor: This section is included to make it clear during
pre-publication review that this document has no IANA actions. It pre-publication review that this document has no IANA actions. It
may therefore be removed should it be published as an RFC. may therefore be removed should it be published as an RFC.
9. Acknowledgments 8. Acknowledgments
The authors would like to thank Olaf Kolkman, Olafur Gudmundsson and The authors would like to thank Sam Weiler, Olaf Kolkman, Olafur
Niall O'Reilly for their review and input. Gudmundsson and Niall O'Reilly for their review and input.
10. References 9. References
10.1 Normative References 9.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005. RFC 4034, March 2005.
10.2 Informative References 9.2. Informative References
[I-D.ietf-dnsext-dnssec-online-signing] [I-D.ietf-dnsext-dnssec-online-signing]
Ihren, J. and S. Weiler, "Minimally Covering NSEC Records Ihren, J. and S. Weiler, "Minimally Covering NSEC Records
and DNSSEC On-line Signing", and DNSSEC On-line Signing",
draft-ietf-dnsext-dnssec-online-signing-00 (work in draft-ietf-dnsext-dnssec-online-signing-01 (work in
progress), May 2005. progress), May 2005.
[I-D.ietf-dnsext-dnssec-trans] [I-D.ietf-dnsext-dnssec-trans]
Arends, R., Koch, P., and J. Schlyter, "Evaluating DNSSEC Arends, R., Koch, P., and J. Schlyter, "Evaluating DNSSEC
Transition Mechanisms", Transition Mechanisms",
draft-ietf-dnsext-dnssec-trans-02 (work in progress), draft-ietf-dnsext-dnssec-trans-02 (work in progress),
February 2005. February 2005.
Appendix A. Change History Appendix A. Change History
A.1. Changes from sisson-02 to ietf-00 A.1. Changes from -00 to -01
o Added note advising testing for the pre-existence of owner names
prior to using synthesised NSEC RRs.
o Added explicit reference to [RFC1034] maximum label and DNS name
lengths.
o Made minor clarifications to derivations.
o Reorganised derivations section for clarity.
A.2. Changes from sisson-02 to ietf-00
o Added notes on use of SRV RRs with modified method. o Added notes on use of SRV RRs with modified method.
o Changed reference from weiler-dnssec-online-signing to ietf- o Changed reference from weiler-dnssec-online-signing to ietf-
dnsext-dnssec-online-signing. dnsext-dnssec-online-signing.
o Changed reference from ietf-dnsext-dnssec-records to RFC 4034. o Changed reference from ietf-dnsext-dnssec-records to [RFC4034].
o Miscellaneous minor changes to text. o Miscellaneous minor changes to text.
A.2. Changes from sisson-01 to sisson-02 A.3. Changes from sisson-01 to sisson-02
o Added modified version of derivation (with supporting examples). o Added modified version of derivation (with supporting examples).
o Introduced notational conventions N, P(N), S(N), P'(N) and S'(N). o Introduced notational conventions N, P(N), S(N), P'(N) and S'(N).
o Added clarification to derivations about when processing stops. o Added clarification to derivations about when processing stops.
o Miscellaneous minor changes to text. o Miscellaneous minor changes to text.
A.3. Changes from sisson-00 to sisson-01 A.4. Changes from sisson-00 to sisson-01
o Split step 3 of derivation of DNS name predecessor into two o Split step 3 of derivation of DNS name predecessor into two
distinct steps for clarity. distinct steps for clarity.
o Added clarifying text and examples related to the requirement to o Added clarifying text and examples related to the requirement to
avoid uppercase characters when decrementing or incrementing avoid uppercase characters when decrementing or incrementing
octets. octets.
o Added optimisation using restriction of effective maximum DNS name o Added optimisation using restriction of effective maximum DNS name
length. length.
 End of changes. 46 change blocks. 
94 lines changed or deleted 127 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/