Network Working Group                                 Donald Eastlake 3rd
INTERNET-DRAFT                                                     Huawei
Intended status: Proposed Standard
Expires: July 10, 2012                                   January 11, 2012

               xNAME RCODE and Status Bits Clarification
               <draft-ietf-dnsext-xnamercode-00.txt>

Abstract

   The Domain Name System (DNS) has long provided means, such as CNAME
   (Canonical Name), where a query can be redirected to a different
   name. A DNS response header has an RCODE (Response Code) field, used
   for indicating errors, and response status bits.
   This document clarifies, in the case of such redirected queries, how
   the RCODE and status bits correspond to the initial query cycle
   (where the CNAME or the like was detected) and subsequent or final
   query cycles.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the DNSEXT working group mailing list.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Table of Contents

   1. Introduction
   1.1 Conventions used in this document

   2. Status Bits
   2.1 The Authoritative Answer Bit
   2.2 The Authentic Data Bit

   3. RCODE Clarification

   4. Security Considerations
   5. IANA Considerations

   6. References
   6.1 Normative References
   6.2 Informative References

   Change History

1. Introduction
   The Domain Name System (DNS) has long provided means, such as the
   CNAME (Canonical Name [RFC1035]) and DNAME [RFC2672] RRs (Resource
   Records), whereby a DNS query can be redirected to a different name.
   In particular, CNAME normally causes a query to its owner name to be
   redirected, while DNAME normally causes a query to any lower level
   name to be redirected. There has been a proposal for another
   redirection RR. In addition, as specified in [RFC2672], redirection
   through a DNAME also results in the synthesis of a CNAME RR in the
   response. In this document, we will refer to all RRs causing such
   redirection as xNAME RRs.

   xNAME RRs can be explicitly retrieved by querying for the xNAME type.
   When a different type is queried and an xNAME RR is encountered, the
   xNAME RR (and possibly a synthesized CNAME) is added to the answer of
   the response, DNSSEC RRs applicable to the xNAME RR may be added to
   the response, and the query is restarted with the name to which it
   was redirected.

   An xNAME may redirect a query to a name at which there is another
   xNAME, and so on. In this document, we use "xNAME chain" to refer to
   a series of one or more xNAMEs, each of which refers to another xNAME
   except the last, which refers to a non-xNAME or results in an error.

   A DNS response header has an RCODE (Response Code) field, used for
   indicating errors, and status bits that indicate whether an answer is
   authoritative and/or authentic. This document clarifies, in the case
   of such redirected queries, how the RCODE and status bits correspond
   to the initial query cycle (where the (first) xNAME was detected) and
   subsequent or final query cycles.

1.1 Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
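   The chain-following behaviour just described, together with the
   header rules that Sections 2 and 3 below state for it, as an added
   illustration that is not part of this draft (the draft contains no
   code): a small Python model of a single server that serves some zones
   authoritatively and holds cached copies of others. The server model,
   the per-RR "authentic" flag standing in for a completed DNSSEC
   validation, the MAX_CHAIN loop limit, and all zone data are
   assumptions made for this example; every name and address in it is
   constructed.

```python
"""Added illustration, not part of this draft: follow a CNAME (xNAME) chain
and set RCODE, AA and AD as Sections 2 and 3 require. Assumed model: one
server holds several zones, serving some authoritatively and keeping cached
copies of others; each RR records whether its DNSSEC validation succeeded.
All zone data below is constructed."""
from collections import namedtuple

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3  # RCODE values (RFC 1035)
MAX_CHAIN = 8                          # assumed limit; longer chains count as loops

RR = namedtuple("RR", "owner rtype rdata authentic")  # authentic: DNSSEC-validated?
Response = namedtuple("Response", "rcode aa ad answer authority")


class Zone:
    def __init__(self, name, authoritative, rrs):
        self.name, self.authoritative, self.rrs = name, authoritative, rrs

    def lookup(self, owner, rtype):
        return [r for r in self.rrs if r.owner == owner and r.rtype == rtype]

    def has_name(self, owner):
        return any(r.owner == owner for r in self.rrs)


def find_zone(zones, name):
    """Zone whose apex encloses `name` (longest suffix match), or None."""
    hits = [z for z in zones if name == z.name or name.endswith("." + z.name)]
    return max(hits, key=lambda z: len(z.name)) if hits else None


def resolve(zones, qname, qtype):
    answer, authority, name = [], [], qname
    for _ in range(MAX_CHAIN):
        zone = find_zone(zones, name)
        if zone is None:
            rcode = SERVFAIL                   # nothing known about this name
            break
        rrset = zone.lookup(name, qtype)
        if rrset:                              # final cycle: requested type found
            answer.extend(rrset)
            rcode = NOERROR
            break
        cname = zone.lookup(name, "CNAME")
        if cname and qtype != "CNAME":         # xNAME hit: add it, restart the query
            answer.extend(cname)
            name = cname[0].rdata
            continue
        # Negative answer (RFC 2308): the zone SOA goes into the authority section.
        authority.extend(zone.lookup(zone.name, "SOA"))
        rcode = NOERROR if zone.has_name(name) else NXDOMAIN  # NODATA vs NXDOMAIN
        break
    else:
        rcode = SERVFAIL                       # chain too long: treated as a loop
    if rcode == SERVFAIL:                      # a SERVFAIL carries no sections
        answer, authority = [], []

    # Section 2.1 / RFC 1035: AA refers to the first owner name in the answer
    # section, which is the query name itself when that section is empty.
    first_zone = find_zone(zones, answer[0].owner if answer else qname)
    aa = bool(first_zone and first_zone.authoritative)
    # Section 2.2 / RFC 4035: AD only if every RR in answer and authority is
    # authentic; with no RRs there is nothing to vouch for, so AD stays clear.
    rrs = answer + authority
    ad = bool(rrs) and all(r.authentic for r in rrs)
    # Section 3: RCODE is whatever the final query cycle produced.
    return Response(rcode, aa, ad, answer, authority)


def sample_zones():
    """Constructed data: example. is served authoritatively and validated,
    example.net. is a validated cached copy, example.org. is unsigned."""
    soa = lambda apex: f"ns1.{apex} hostmaster.{apex} 1 3600 900 604800 300"
    ex = Zone("example.", True, [
        RR("example.", "SOA", soa("example."), True),
        RR("www.example.", "CNAME", "web.example.net.", True),
        RR("alias.example.", "CNAME", "missing.example.net.", True),
        RR("legacy.example.", "CNAME", "host.example.org.", True),
        RR("loop1.example.", "CNAME", "loop2.example.", True),
        RR("loop2.example.", "CNAME", "loop1.example.", True),
        RR("mail.example.", "MX", "10 web.example.net.", True),
    ])
    net = Zone("example.net.", False, [
        RR("example.net.", "SOA", soa("example.net."), True),
        RR("web.example.net.", "A", "192.0.2.10", True),
    ])
    org = Zone("example.org.", False, [
        RR("example.org.", "SOA", soa("example.org."), False),
        RR("host.example.org.", "A", "198.51.100.7", False),
    ])
    return [ex, net, org]


if __name__ == "__main__":
    for q in ("www.example.", "alias.example.", "legacy.example.", "loop1.example."):
        r = resolve(sample_zones(), q, "A")
        print(q, "RCODE", r.rcode, "AA", r.aa, "AD", r.ad, [(x.owner, x.rtype) for x in r.answer])
```

   Running the module prints the header fields for the constructed
   queries: www.example. resolves through a CNAME into a validated zone
   (RCODE 0, AA and AD set); alias.example. ends in NXDOMAIN at the
   second cycle, and that is the RCODE the response carries even though
   the first cycle succeeded; legacy.example. reaches unsigned data, so
   AD is clear although AA, which looks only at the first owner name,
   stays set; loop1.example. never terminates and is reported as
   SERVFAIL with empty sections.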
2. Status Bits

   There are two status bits returned in query responses for which a
   question could arise as to how, in the case of an xNAME chain, they
   relate to the first, possibly intermediate, and/or last queries, as
   follows:

2.1 The Authoritative Answer Bit

   The AA, or Authoritative Answer bit, in the DNS response header
   indicates that the answer returned is from a DNS server authoritative
   for the zone containing that answer. For an xNAME chain, this
   "authoritative" status could be different for each answer in that
   chain.

   [RFC1035] states that the AA bit is to be set based on whether the
   server providing the answer with the first owner name in the answer
   section is authoritative. This specification of the AA bit has not
   been changed.

2.2 The Authentic Data Bit

   The AD, or Authentic Data bit, indicates that the response returned
   is authentic according to the dictates of DNSSEC [RFC4035]. [RFC4035]
   unambiguously states that the AD bit is to be set in a DNS response
   header only if the DNSSEC-enabled server believes all RRs in the
   answer and authority sections of that response to be authentic. This
   specification of the AD bit has not been changed.

3. RCODE Clarification

   The RCODE (Response Code) field in a DNS query response header is
   non-zero to indicate an error. Section 4.3.2 of [RFC1034] has a
   resolution algorithm that includes CNAME processing but has been
   found to be unclear concerning the ultimate setting of RCODE in the
   case of such redirection. Section 2.1 of [RFC2308] implies that the
   RCODE should be set based on the last query cycle in the case of an
   xNAME chain, but Section 2.2.1 of [RFC2308] says that some servers
   don't do that!

   When there is an xNAME chain, the RCODE field is set as follows:

      When an xNAME chain is followed, all but the last query cycle
      necessarily had no error.
      The RCODE in the ultimate DNS response MUST be set based on the
      final query cycle leading to that response. If the xNAME chain was
      terminated by an error, it will be that error code. If the xNAME
      chain terminated without error, it will be zero.

4. Security Considerations

   The AA header flag bit is not protected by DNSSEC [RFC4033]. To
   secure it, secure communications are needed between the querying
   resolver and the DNS server. Such security can be provided by DNS
   transaction security, either TSIG [RFC2845] or SIG(0) [RFC2931].

   An AD header flag bit and the RCODE in a response are not, in
   general, protected by DNSSEC, so the same conditions as stated in the
   previous paragraph generally apply to them; however, this is not
   always true. In particular, if the following apply, then the AD bit
   or an NXDOMAIN RCODE are protected by DNSSEC in the sense that the
   querier can calculate whether they are correct:

   1. The zone where the NXDOMAIN RCODE occurs, or all the zones holding
      the data whose authenticity the AD flag bit would indicate, are
      signed zones.
   2. The query or queries involved indicate that DNSSEC RRs are OK in
      responses.
   3. The responses providing these indications are from servers that
      include the additional DNSSEC RRs required by DNSSEC.
   4. The querier has appropriate trust anchor(s) and appropriately
      validates and processes the DNSSEC RRs in the response.

5. IANA Considerations

   This document requires no IANA actions. RFC Editor: please remove
   this section on publication.

6. References

   Normative and informative references for this document are given
   below.

6.1 Normative References

   [RFC1034] - Mockapetris, P., "Domain Names - Concepts and
             Facilities", STD 13, RFC 1034, November 1987.

   [RFC1035] - Mockapetris, P., "Domain names - implementation and
             specification", STD 13, RFC 1035, November 1987.
   [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2672] - Crawford, M., "Non-Terminal DNS Name Redirection", RFC
             2672, August 1999.

   [RFC4035] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
             Rose, "Protocol Modifications for the DNS Security
             Extensions", RFC 4035, March 2005.

6.2 Informative References

   [RFC2308] - Andrews, M., "Negative Caching of DNS Queries (DNS
             NCACHE)", RFC 2308, March 1998.

   [RFC2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
             Wellington, "Secret Key Transaction Authentication for DNS
             (TSIG)", RFC 2845, May 2000.

   [RFC2931] - Eastlake 3rd, D., "DNS Request and Transaction Signatures
             ( SIG(0)s )", RFC 2931, September 2000.

   [RFC4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
             Rose, "DNS Security Introduction and Requirements", RFC
             4033, March 2005.

Authors' Addresses

   Donald E. Eastlake 3rd
   Huawei R&D USA
   155 Beaver Street
   Milford, MA 01757

   Phone: +1-508-333-2270
   email: d3e3e3@gmail.com

Change History

   RFC Editor: Please delete this section before publication.

   Personal Version -02 to version -03:

      Drop interpretation option A and leave only option B, no longer so
      labeled.

      Add this change history section.

      Update date and version.

   Personal Version -03 to -04:

      Remove the word "unambiguously".

      Update dates, version number, author information.

   Personal Version -04 to -05:

      Just update dates and version number.

   Personal Version -05 to WG Version -00:

      Change file name, version, and dates.

Copyright and IPR Provisions

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors. All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License. The definitive version of
   an IETF Document is that published by, or under the auspices of, the
   IETF. Versions of IETF Documents that are published by third parties,
   including those that are translated into other languages, should not
   be considered to be definitive versions of IETF Documents. The
   definitive version of these Legal Provisions is that published by, or
   under the auspices of, the IETF. Versions of these Legal Provisions
   that are published by third parties, including those that are
   translated into other languages, should not be considered to be
   definitive versions of these Legal Provisions. For the avoidance of
   doubt, each Contributor to the IETF Standards Process licenses each
   Contribution that he or she makes as part of the IETF Standards
   Process to the IETF Trust pursuant to the provisions of RFC 5378. No
   language to the contrary, or terms, conditions or rights that differ
   from or are inconsistent with the rights and licenses granted under
   RFC 5378, shall have any effect and shall be null and void, whether
   published or posted by such Contributor, or included with or in such
   Contribution.