idnits 2.17.1 draft-ietf-dnsop-attrleaf-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 166: '...l' (right-most) _underscored name MUST...' RFC 2119 keyword, line 177: '...fied as part of the scope MAY be used....' RFC 2119 keyword, line 250: '... in the registry MUST contain values f...' RFC 2119 keyword, line 254: '... MUST be unique....' RFC 2119 keyword, line 259: '...nce for an entry MUST have a stable re...' (1 more instance...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 22, 2018) is 2165 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 432 == Outdated reference: A later version (-18) exists of draft-ietf-acme-acme-11 ** Downref: Normative reference to an Informational RFC: RFC 7489 ** Downref: Normative reference to an Informational RFC: RFC 7553 ** Downref: Normative reference to an Experimental RFC: RFC 7929 -- Duplicate reference: RFC8126, mentioned in 'RFC8126', was also mentioned in 'IANA'. ** Downref: Normative reference to an Experimental RFC: RFC 8162 ** Downref: Normative reference to an Unknown state RFC: RFC 952 Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop D. Crocker 3 Internet-Draft Brandenburg InternetWorking 4 Intended status: Best Current Practice May 22, 2018 5 Expires: November 23, 2018 7 DNS Scoped Data Through '_Underscore' Naming of Attribute Leaves 8 draft-ietf-dnsop-attrleaf-08 10 Abstract 12 Formally, any DNS resource record may occur for any domain name. 13 However some services have defined an operational convention, which 14 applies to DNS leaf nodes that are under a DNS branch having one or 15 more reserved node names, each beginning with an underscore. The 16 underscore naming construct defines a semantic scope for DNS record 17 types that are associated with the parent domain, above the 18 underscored branch. This specification explores the nature of this 19 DNS usage and defines the "DNS Global Underscore Scoped Entry 20 Registry" with IANA. The purpose of the Underscore registry is to 21 avoid collisions resulting from the use of the same underscore-based 22 name, for different services. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on November 23, 2018. 41 Copyright Notice 43 Copyright (c) 2018 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 1.1. _Underscore Scoping . . . . . . . . . . . . . . . . . . . 2 60 1.2. Scaling Benefits . . . . . . . . . . . . . . . . . . . . 4 61 2. DNS Underscore Scoped Entry Registries Function . . . . . . . 4 62 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 63 3.1. DNS Underscore Global Scoped Entry Registry . . . . . . . 6 64 3.2. DNS Underscore Global Scoped Entry Registry Definition . 6 65 3.3. Initial entries . . . . . . . . . . . . . . . . . . . . . 7 66 4. Guidance for Expert Review . . . . . . . . . . . . . . . . . 9 67 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 68 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 69 6.1. Normative References . . . . . . . . . . . . . . . . . . 9 70 6.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 11 71 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 74 1. Introduction 76 The core Domain Name System (DNS) technical specifications assign no 77 semantics to domain names or their parts, and no constraints upon 78 which resource record (RR) types are permitted to be stored under 79 particular names [RFC1035], [RFC2181]. Over time, some leaf node 80 names, such as "www" and "ftp" have come to imply support for 81 particular services, but this is a matter of operational convention, 82 rather than defined protocol semantics. This freedom in the basic 83 technology has permitted a wide range of administrative and semantic 84 policies to be used -- in parallel. DNS data semantics have been 85 limited to the specification of particular resource record types, on 86 the expectation that new ones would be added as needed. 87 Unfortunately, the addition of new resource record types has proven 88 extremely challenging, over the life of the DNS, with significant 89 adoption and use barriers. 91 1.1. _Underscore Scoping 93 As an alternative to defining a new RR type, some DNS service 94 enhancements call for using an existing resource record type, but 95 specify a restricted scope for its occurrence. Scope is meant as a 96 static property, not one dependent on the nature of the query. It is 97 an artifact of the DNS name. That scope is a leaf node, within which 98 the uses of specific resource record sets can be formally defined and 99 constrained. The leaf occurs in a branch having a distinguished 100 naming convention: At the top of the branch -- beneath the parent 101 domain name to which the scope applies -- one or more reserved DNS 102 node names begin with an underscore ("_"). Because the DNS rules for 103 a "host" (host name) are not allowed to use the underscore character, 104 this distinguishes the underscore name from all legal host names 105 [RFC952]. Effectively, this convention for leaf node naming creates 106 a space for the listing of 'attributes' -- in the form of resource 107 record types -- that are associated with the parent domain, above the 108 underscored sub-branch. 110 The scoping feature is particularly useful when generalized resource 111 record types are used -- notably "TXT", "SRV", and "URI" [RFC1035], 112 [RFC2782], [RFC6335], [RFC7553]. It provides efficient separation of 113 one use of them from others. Absent this separation, an 114 undifferentiated mass of these "RRsets" is returned to the DNS 115 client, which then must parse through the internals of the records in 116 the hope of finding ones that are relevant. Worse, in some cases the 117 results are ambiguous because a record type might not adequately 118 self-identify. With underscore-based scoping, only the relevant 119 "RRsets"s are returned. 121 A simple example is DKIM [RFC6376] , which uses "_domainkeys" for 122 defining a place to hold a "TXT" record containing signing 123 information for the parent domain. 125 This specification formally defines how underscore labels are used as 126 "attribute" enhancements for their parent domain names. For example, 127 domain name "_domainkey.example." acts as attribute of parent domain 128 name "example." To avoid collisions resulting from the use of the 129 same underscore-based labels for different applications using the 130 same resource record type, this document establishes DNS Underscore 131 Global Scoped Entry IANA Registry for the highest-level reserved 132 names that begin with _underscore; _underscore-based names that are 133 farther down the hierarchy are handled within the scope of the 134 highest-level _underscore name. 136 Discussion Venue: Discussion about this draft should be directed 137 to the dnsop@ietf.org [1] mailing list. 139 NOTE TO RFC EDITOR: Please remove "Discussion Venue" paragraph 140 prior to publication. 142 1.2. Scaling Benefits 144 Some resource record types are used in a fashion that can create 145 scaling problems, if an entire RRset associated with a domain name is 146 aggregated in the leaf node for that name. An increasingly-popular 147 approach, with excellent scaling properties, places the RRset under a 148 node having an underscore-based name, at a defined place in the DNS 149 tree under the 'parent' name. This constrains the use of particular 150 "RR" types associated with that parent name. A direct lookup to the 151 subordinate leaf node produces only the desired record types, at no 152 greater cost than a typical DNS lookup. 154 The definition of a underscore global registry, provided in this 155 specification, primarily attends to the top-most names used for 156 scoping an RR type; that is the _underscore "global" names. 158 2. DNS Underscore Scoped Entry Registries Function 160 A global registry for DNS nodes names that begin with an _underscore 161 is defined here. The purpose of the Underscore Global Registry is to 162 avoid collisions resulting from the use of the same _underscore-based 163 name, for different applications. 165 o If a public specification calls for use of an _underscore-prefixed 166 domain node name, the 'global' (right-most) _underscored name MUST 167 be entered into this registry. 169 The _underscore names define scope of use for specific resource 170 record types, which are associated with the domain name that is the 171 "parent" to the branch defined by the _underscore naming. A given 172 name defines a specific, constrained context for one or more RR 173 types, where use of such record types conforms to the defined 174 constraints. 176 o Within an _underscore scoped leaf, other RRsets that are not 177 specified as part of the scope MAY be used. 179 Structurally, the registry is defined as a single, flat table of RR 180 types, under node names beginning with _underscore. In some cases, 181 such as for use of an "SRV" record, the full scoping name might be 182 multi-part, as a sequence of underscore names. Semantically, that 183 sequence represents a hierarchical model and it is theoretically 184 reasonable to allow re-use of a subordinate underscore name in 185 different underscore context; that is, a subordinate name is 186 meaningful only within the scope of the right-most (top-level) 187 underscore name. Therefore they are ignored by this DNS Underscore 188 Global Scoped Entry Registry. This registry is for the definition of 189 highest-level -- ie, global -- underscore node name used. 191 +----------------------------+ 192 | NAME | 193 +----------------------------+ 194 | _service1 | 195 | ._protoB._service2 | 196 | _protoB._service3 | 197 | _protoC._service3 | 198 | _useX._protoD._service4 | 199 | _protoE._region._authority | 200 +----------------------------+ 202 Example of Underscore Names 204 Only the right-most _underscore names are registered in the IANA 205 Underscore Global table. 207 The use of underscored node names is specific to each RRTYPE that 208 is being scoped. Each name defines a place, but does not define 209 the rules for what appears underneath that place, either as 210 additional underscored naming or as a leaf node with resource 211 records. Details for those rules are provided by specifications 212 for individual RRTYPEs. The sections below describe the way that 213 existing underscore labels are used with the RRTYPEs that they 214 name. 216 Definition and registration of the subordinate underscore node 217 names is the responsibility of the specification that creates the 218 highest-level (right-most) global registry entry. 220 That is, if a scheme using a global underscore node name also has 221 one or more subordinate levels of underscore node naming, the 222 namespaces from which names for those lower levels is chosen is 223 controlled by the parent underscore node name. Each globally- 224 registered underscore name owns a distinct, subordinate name 225 space. 227 3. IANA Considerations 229 Per [RFC8126], IANA is requested to establish the: 231 DNS Underscore Global Scoped Entry Registry 233 This section describes actions requested of IANA. The guidance in 234 [IANA] is used. 236 3.1. DNS Underscore Global Scoped Entry Registry 238 The DNS Global Underscore Scoped Entry Registry is for DNS node names 239 that begin with the underscore character (_) and are the right-most 240 occurrence of any underscored names in a domain name sequence having 241 that form; that is they are the "top" of a DNS branch, under a 242 "parent" domain name. 244 o This registry is to operate under the IANA rules for "Expert 245 Review" registration; see Section 4. 247 o The contents of each entry in the Global registry are defined in 248 Section 3.2. 250 o Each entry in the registry MUST contain values for all of the 251 fields specified in Section 3.2. 253 o Within the registry, the combination of RR Type and _Node Name 254 MUST be unique. 256 o The table is to be maintained with entries sorted by the first 257 column (RR Type) and within that the second column (_Node Name). 259 o The required Reference for an entry MUST have a stable resolution 260 to the organization controlling that registry entry 262 3.2. DNS Underscore Global Scoped Entry Registry Definition 264 A registry entry contains: 266 RR Type: Lists an RR type that is defined for use within this 267 scope. 269 _Node Name: Specifies a single _underscore name that defines a 270 reserved name; this name is the "global" entry name for the 271 scoped resource record types that are associated with that 272 name 274 References: Lists specification that defines a record type and its 275 use under this Name. The organization producing the 276 specification retains control over the registry entry for 277 the _Node Name. 279 Each RR type that is to be used MUST have a separate registry entry. 281 3.3. Initial entries 283 Initial entries in the registry are: 285 +------------+-----------------+------------+ 286 | RR Type | _NODE NAME | REFERENCE | 287 +------------+-----------------+------------+ 288 | OPENPGPKEY | _openpgpkey | [RFC7929] | 289 | SMIMEA | _smimecert | [RFC8162] | 290 | SRV | _dccp | [RFC2782] | 291 | SRV | _sctp | [RFC2782] | 292 | SRV | _tcp | [RFC2782] | 293 | SRV | _udp | [RFC2782] | 294 | TLSA | _sctp | [RFC6698] | 295 | TLSA | _tcp | [RFC6698] | 296 | TLSA | _udp | [RFC6698] | 297 | TXT | _mta-sts | [MTA-STS] | 298 | TXT | _acme-challenge | [ACME] | 299 | TXT | _dmarc | [RFC7489] | 300 | TXT | _domainkey | [RFC6376] | 301 | TXT | _spf | [RFC7208] | 302 | TXT | _vouch | [RFC5518] | 303 | URI | _iax | [RFC7553] | 304 | URI | _acct | [RFC7553] | 305 | URI | _dccp | [RFC7553] | 306 | URI | _email | [RFC7553] | 307 | URI | _ems | [RFC7553] | 308 | URI | _fax | [RFC7553] | 309 | URI | _ft | [RFC7553] | 310 | URI | _h323 | [RFC7553] | 311 | URI | _ical-sched | [RFC7553] | 312 | URI | _ical-access | [RFC7553] | 313 | URI | _ifax | [RFC7553] | 314 | URI | _im | [RFC7553] | 315 | URI | _mms | [RFC7553] | 316 | URI | _pres | [RFC7553] | 317 | URI | _pstn | [RFC7553] | 318 | URI | _sctp | [RFC7553] | 319 | URI | _sip | [RFC7553] | 320 | URI | _sms | [RFC7553] | 321 | URI | _tcp | [RFC7553] | 322 | URI | _udp | [RFC7553] | 323 | URI | _unifmsg | [RFC7553] | 324 | URI | _vcard | [RFC7553] | 325 | URI | _videomsg | [RFC7553] | 326 | URI | _voice | [RFC7553] | 327 | URI | _voicemsg | [RFC7553] | 328 | URI | _vpim | [RFC7553] | 329 | URI | _xmp | [RFC7553] | 330 +------------+-----------------+------------+ 332 Table 1: Underscore Global Registry (initial entries) 334 4. Guidance for Expert Review 336 This section provides guidance for expert review of registration 337 requests in the of DNS Underscore Global Scoped Entry Registry. 339 This review is solely to determine adequacy of a requested entry 340 in this Registry, and does not include review of other aspects of 341 the document specifying that entry. For example such a document 342 might also contain a definition of the resource record type that 343 is referenced by the requested entry. Any required review of that 344 definition is separate from the expert review required here. 346 The review is for the purposes of ensuring that: 348 o The details for creating the registry entry are sufficiently 349 clear, precise and complete 351 o The combination of the _underscore name, under which the listed 352 resource record type is used, and the resource record type, is 353 unique in the table 355 For the purposes of this Expert Review, other matters of the 356 specification's technical quality, adequacy or the like are outside 357 of scope. 359 5. Security Considerations 361 This memo raises no security issues. 363 6. References 365 6.1. Normative References 367 [ACME] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J. 368 Kasten, "Automatic Certificate Management Environment 369 (ACME)", I-D draft-ietf-acme-acme-11, March 2018. 371 [IANA] M. Cotton, B. Leiba, and T. Narten, "Guidelines for 372 Writing an IANA Considerations Section in RFCs", RFC 8126, 373 June 2017. 375 [MTA-STS] Margolis, D., Risher, M., Ramakrishnan, B., Brotman, A., 376 and J. Jones, "SMTP MTA Strict Transport Security (MTA- 377 STS)", I-D draft-ietf-uta-mta-sts. 379 [RFC1035] Mockapetris, P., "Domain names - implementation and 380 specification", STD 13, RFC 1035, November 1987. 382 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 383 Specification", RFC 2181, July 1997. 385 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 386 specifying the location of services (DNS SRV)", RFC 2782, 387 February 2000. 389 [RFC5518] Hoffman, P., Levine, J., and A. Hathcock, "Vouch By 390 Reference", RFC 5518, April 2009. 392 [RFC6335] Cotton, M., Eggert, L., Tpuch, J., Westerlund, M., and S. 393 Cheshire, "nternet Assigned Numbers Authority (IANA) 394 Procedures for the Management of the Service Name and 395 Transport Protocol Port Number Registry", RFC 6335, Aug 396 2011. 398 [RFC6376] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys 399 Identified Mail (DKIM) Signatures", RFC 6376, Sept 2011. 401 [RFC6698] Hoffman, J. and J. Schlyter, "The DNS-Based Authentication 402 of Named Entities (DANE) Transport Layer Security (TLS) 403 Protocol: TLSA", RFC 6698, August . 405 [RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for 406 Authorizing Use of Domains in E-Mail, Version 1", 407 RFC 7208, April 2014. 409 [RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based 410 Message Authentication, Reporting, and Conformance 411 (DMARC)", RFC 7489, March 2015. 413 [RFC7553] Falstrom, P. and O. Kolkman, "The Uniform Resource 414 Identifier (URI) DNS Resource Record", RFC 7553, 415 ISSN 2070-1721, June 2015. 417 [RFC7929] Wouters, P., , RFC 7929, August 2016. 419 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 420 Writing an IANA Considerations Section in RFCs", RFC 8126, 421 June 2017. 423 [RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to 424 Associate Certificates with Domain Names for S/MIME", 425 RFC 8162, May 2017. 427 [RFC952] Harrenstien, K., Stahl, M., and E. Feinler, "DOD Internet 428 Host Table Specification", RFC 952, October 1985. 430 6.2. URIs 432 [1] mailto:dnsop@ietf.org 434 Appendix A. Acknowledgements 436 Thanks go to Bill Fenner, Tony Hansen, Martin Hoffmann, Peter Koch, 437 Olaf Kolkman, and Andrew Sullivan for diligent review of the (much) 438 earlier drafts. For the later enhancements, thanks to: Stephane 439 Bortzmeyer, Bob Harold, Warren Kumari, John Levine, Joel Jaeggli, 440 Petr Špaček, Ondřej Surř, Paul Vixie, Tim 441 Wicinski, and Paul Wouters. 443 Special thanks to Ray Bellis for his persistent encouragement to 444 continue this effort, as well as the suggestion for an essential 445 simplification to the registration model. 447 Author's Address 449 Dave Crocker 450 Brandenburg InternetWorking 451 675 Spruce Dr. 452 Sunnyvale, CA 94086 453 USA 455 Phone: +1.408.246.8253 456 Email: dcrocker@bbiw.net 457 URI: http://bbiw.net/