DNS Extensions Working Group                                   G. Sisson
Internet-Draft                                                 B. Laurie
Expires: June 1, 2005                                            Nominet
                                                        December 1, 2004

           Derivation of DNS Name Predecessor and Successor
                  draft-sisson-dnsext-dns-name-p-s-01

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 1, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document describes a method for deriving the canonically-ordered
   predecessor and successor of a DNS name.  This is expected to be
   useful for real-time NSEC resource record synthesis, which may be
   used in alternative implementations of DNSSEC-enabled DNS servers.

Table of Contents

   1.  Introduction
   2.  Derivation of DNS Name Predecessor
   3.  Derivation of DNS Name Successor
   4.  Notes
     4.1  Case Considerations
     4.2  Choice of Range
     4.3  Wild Card Considerations
     4.4  Potential Optimisations
       4.4.1  Omission of Step
       4.4.2  Restriction of Effective Maximum DNS Name Length
   5.  Examples
     5.1  Examples of Immediate Predecessors
     5.2  Examples of Immediate Successors
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  References
     9.1  Normative References
     9.2  Informative References
   Authors' Addresses
   A.  Change History
     A.1  Changes from -00 to -01
   Intellectual Property and Copyright Statements

1.  Introduction

   One of the proposals for avoiding the exposure of zone information
   while deploying DNSSEC is dynamic NSEC synthesis.  This technique is
   described in [I-D.ietf-dnsext-dnssec-trans] and
   [I-D.weiler-dnsext-dnssec-online-signing], and involves the
   generation of NSEC RRs which just span the query name for
   non-existent owner names.  In order to do this, the DNS names which
   would occur just prior to and just following a given query name must
   be calculated in real time, as maintaining a list of all possible
   owner names that might occur in a zone would normally be prohibitive.

   Section 6.1 of [I-D.ietf-dnsext-dnssec-records] defines canonical DNS
   name order.  This document does not amend or modify this definition.
   However, the derivation of immediate predecessor and successor, while
   trivial, is non-obvious.  Accordingly, the method is described here
   as an aid to implementors and a reference to other interested
   parties.

2.  Derivation of DNS Name Predecessor

   This derivation assumes that all upper-case US-ASCII letters in the
   DNS name have already been replaced by their corresponding lower-case
   equivalents.

   To derive the immediate predecessor of a DNS name:

   1.  If the DNS name is the same as the owner name of the apex,
       prepend the DNS name repeatedly with labels of the maximum length
       possible consisting of octets of the maximum sort value (e.g.
       0xff) until the DNS name is the maximum length possible;
       otherwise continue to the next step.

   2.  If the least significant (left-most) label consists of a single
       octet of the minimum sort value (e.g. 0x00), remove that label;
       otherwise continue to the next step.

   3.  If the least significant (right-most) octet in the least
       significant (left-most) label is the minimum sort value, remove
       that octet and continue with step 5.

   4.  Decrement the value of the least significant (right-most) octet,
       skipping any values which correspond to upper-case US-ASCII
       letters, and then append the label with as many octets as
       possible of the maximum sort value.  Continue to the next step.

   5.  Prepend the DNS name repeatedly with labels of as long a length
       as possible consisting of octets of the maximum sort value until
       the DNS name is the maximum length possible.

3.  Derivation of DNS Name Successor

   This derivation assumes that all upper-case US-ASCII letters in the
   DNS name have already been replaced by their corresponding lower-case
   equivalents.

   To derive the immediate successor of a DNS name:

   1.  If the DNS name is two or more octets shorter than the maximum
       DNS name length, prepend the DNS name with a label containing a
       single octet of the minimum sort value (e.g. 0x00); otherwise
       continue to the next step.

   2.  If the DNS name is one or more octets shorter than the maximum
       DNS name length and the least significant (left-most) label is
       one or more octets shorter than the maximum label length, append
       an octet of the minimum sort value to the least significant
       label; otherwise continue to the next step.

   3.  Increment the value of the least significant (right-most) octet
       in the least significant (left-most) label that is less than the
       maximum sort value (e.g. 0xff), skipping any values which
       correspond to upper-case US-ASCII letters, and then remove any
       octets to the right of that one.  If all octets in the label are
       the maximum sort value, then continue to the next step.

   4.  Remove the least significant (left-most) label.  If the DNS name
       is now the same as the owner name of the apex, do nothing.  (This
       will occur only if the DNS name was the maximum possible in
       canonical DNS name order, and thus has wrapped to the apex.)
       Otherwise repeat starting at Step 2.

4.  Notes

4.1  Case Considerations

   Section 3.5 of [RFC1034] specifies that "while upper and lower case
   letters are allowed in [DNS] names, no significance is attached to
   the case".  Additionally, Section 6.1 of
   [I-D.ietf-dnsext-dnssec-records] states that when determining
   canonical DNS name order, "upper case US-ASCII letters are treated as
   if they were lower case US-ASCII letters".
   Consequently, values corresponding to US-ASCII upper-case letters
   must be skipped when decrementing and incrementing octets in the
   derivations described in Section 2 and Section 3.

   The following pseudo-code is illustrative:

   Decrementing the value of an octet:

      if (octet == '[')    // '[' is just after upper-case 'Z'
         octet = '@';      // '@' is just prior to upper-case 'A'
      else
         octet--;

   Incrementing the value of an octet:

      if (octet == '@')    // '@' is just prior to upper-case 'A'
         octet = '[';      // '[' is just after upper-case 'Z'
      else
         octet++;

4.2  Choice of Range

   [RFC2181] makes the clarification that "any binary string whatever
   can be used as the label of any resource record".  Consequently the
   minimum sort value may be set as 0x00 and the maximum sort value as
   0xff, and the range of possible values will be any DNS name which
   contains octets of any value other than those corresponding to
   upper-case US-ASCII letters.

   However, if all owner names in a zone are in the letter-digit-hyphen,
   or LDH, format specified in [RFC1034], it may be desirable to
   restrict the range of possible values to DNS names containing only
   LDH values.  This has the effect of:

   1.  making the output of tools such as `dig' and `nslookup' less
       potentially confusing;

   2.  minimising the impact that NSEC RRs containing DNS names with
       non-LDH values (or non-printable values) might have on faulty DNS
       resolver implementations; and

   3.  preventing the possibility of results which are wild card DNS
       names (see Section 4.3).

   This may be accomplished by using a minimum sort value of 0x1f
   (US-ASCII character `-') and a maximum sort value of 0x7a (US-ASCII
   character lower-case `z'), and then skipping non-LDH, non-lower-case
   values when incrementing or decrementing octets.
4.3  Wild Card Considerations

   Neither derivation avoids the possibility that the result may be a
   DNS name containing a wild card label, i.e. a label containing a
   single octet with the value 0x2a (US-ASCII character `*').  With
   additional tests, wild card DNS names may be explicitly avoided;
   alternatively, if the range of octet values can be restricted to
   those corresponding to letter-digit-hyphen, or LDH, characters (see
   Section 4.2), such DNS names will not occur.

   Note that it is improbable that a result which is a wild card DNS
   name will occur unintentionally; even if one does occur either as the
   owner name of, or in the RDATA of an NSEC RR, it is treated as a
   literal DNS name with no special meaning.

4.4  Potential Optimisations

4.4.1  Omission of Step

   When the derivation of immediate predecessor is used only for the
   synthesis of NSEC RRs, step 1 of the derivation may be omitted as the
   existence of the owner name of the apex should never need to be
   denied.  This eliminates one condition that would otherwise always be
   tested during the derivation of the immediate predecessor.

4.4.2  Restriction of Effective Maximum DNS Name Length

   [RFC1034] specifies that "the total number of octets that represent a
   [DNS] name (i.e., the sum of all label octets and label lengths) is
   limited to 255", including the null (zero-length) label which
   represents the root.  For the purpose of deriving the immediate
   predecessor and successor during NSEC RR synthesis, the maximum DNS
   name length may be effectively restricted to the length of the
   longest DNS name in the zone.  This will minimise the size of
   responses containing synthesised NSEC RRs.

   Note that this optimisation will have the effect of revealing
   information about the longest name in the zone.  Moreover, when the
   contents of the zone change, e.g. during dynamic updates and zone
   transfers, care must be taken to ensure that the effective maximum
   DNS name length agrees with the new contents.

   A modified version of this optimisation will realise most of its
   benefit while mitigating these exposures: if the length of unqualified
   owner names of empty non-terminals in a zone is restricted to 64
   octets in wire format, then the effective maximum DNS name length may
   be restricted to 64 + the length of the owner name of the apex.  This
   will prevent the discovery of the longest single label in the zone,
   which is of more concern to most zone operators who are concerned
   about owner name elaboration.

5.  Examples

   In the following examples:

      the owner name of the apex is "example.com.";

      the range of octet values is 0x00 - 0xff excluding values
      corresponding to upper-case US-ASCII letters; and

      non-printable octet values are expressed as three-digit decimal
      numbers preceded by a backslash (as specified in Section 5.1 of
      [RFC1035]).

5.1  Examples of Immediate Predecessors

   Example of typical case:

      x  = foo.example.com.
      x' = \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255.\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255.fon\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255.example.com.

   or, in alternate notation:

      \255{49}.\255{63}.\255{63}.fon\255{60}.example.com.

   where {n} represents the number of repetitions of an octet.

   Example where least significant (left-most) label of DNS name
   consists of a single octet of the minimum sort value:

      x  = \000.foo.example.com.

      x' = foo.example.com.

   Example where least significant (right-most) octet of least
   significant (left-most) label has the minimum sort value:

      x  = foo\000.example.com.
      x' = \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255.\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255.\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255.foo.example.com.

   or, in alternate notation:

      \255{45}.\255{63}.\255{63}.\255{63}.foo.example.com.

   Example where DNS name contains an octet which must be decremented by
   skipping values corresponding to US-ASCII upper-case letters:

      x  = fo\[.example.com.
      x' = \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255.\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255.fo\@\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255.example.com.

   or, in alternate notation:

      \255{49}.\255{63}.\255{63}.fo\@\255{60}.example.com.

   where {n} represents the number of repetitions of an octet.

   Example where DNS name is the owner name of the apex, and
   consequently wraps to the DNS name with the maximum possible sort
   order in the zone:

      x  = example.com.
      x' = \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255.\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255.\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.example.com.

   or, in alternate notation:

      \255{49}.\255{63}.\255{63}.\255{63}.example.com.

5.2  Examples of Immediate Successors

   Example of typical case:

      y  = foo.example.com.

      y' = \000.foo.example.com.

   Example where DNS name is one octet short of the maximum DNS name
   length:

      y  = fooooooooooooooooooooooooooooooooooooooooooooooo\
           .ooooooooooooooooooooooooooooooooooooooooooooooo\
           oooooooooooooooo.ooooooooooooooooooooooooooooooo\
           oooooooooooooooooooooooooooooooo.ooooooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo.example.com.

   or, in alternate notation:

      fo{47}.o{63}.o{63}.o{63}.example.com.
      y' = fooooooooooooooooooooooooooooooooooooooooooooooo\
           \000.ooooooooooooooooooooooooooooooooooooooooooo\
           oooooooooooooooooooo.ooooooooooooooooooooooooooo\
           oooooooooooooooooooooooooooooooooooo.ooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           oooo.example.com.

   or, in alternate notation:

      fo{47}\000.o{63}.o{63}.o{63}.example.com.

   Example where DNS name is the maximum DNS name length:

      y  = fooooooooooooooooooooooooooooooooooooooooooooooo\
           o.oooooooooooooooooooooooooooooooooooooooooooooo\
           ooooooooooooooooo.oooooooooooooooooooooooooooooo\
           ooooooooooooooooooooooooooooooooo.oooooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           o.example.com.

   or, in alternate notation:

      fo{48}.o{63}.o{63}.o{63}.example.com.

      y' = fooooooooooooooooooooooooooooooooooooooooooooooo\
           p.oooooooooooooooooooooooooooooooooooooooooooooo\
           ooooooooooooooooo.oooooooooooooooooooooooooooooo\
           ooooooooooooooooooooooooooooooooo.oooooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           o.example.com.

   or, in alternate notation:

      fo{47}p.o{63}.o{63}.o{63}.example.com.

   Example where DNS name is the maximum DNS name length and the least
   significant (left-most) label has the maximum sort value:

      y  = \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.ooooooooooooooooooooooooooooooooooooooooooo\
           oooooooooooooooooooo.ooooooooooooooooooooooooooo\
           oooooooooooooooooooooooooooooooooooo.ooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           oooo.example.com.

   or, in alternate notation:

      \255{49}.o{63}.o{63}.o{63}.example.com.
      y' = oooooooooooooooooooooooooooooooooooooooooooooooo\
           oooooooooooooop.oooooooooooooooooooooooooooooooo\
           ooooooooooooooooooooooooooooooo.oooooooooooooooo\
           ooooooooooooooooooooooooooooooooooooooooooooooo.\
           example.com.

   or, in alternate notation:

      o{62}p.o{63}.o{63}.example.com.

   Example where DNS name is the maximum DNS name length and the eight
   least significant (right-most) octets of the least significant
   (left-most) label have the maximum sort value:

      y  = foooooooooooooooooooooooooooooooooooooooo\255\
           \255\255\255\255\255\255\255.ooooooooooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooo.ooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           oooooooooooo.ooooooooooooooooooooooooooooooooooo\
           oooooooooooooooooooooooooooo.example.com.

   or, in alternate notation:

      fo{40}\255{8}.o{63}.o{63}.o{63}.example.com.

      y' = fooooooooooooooooooooooooooooooooooooooop.oooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           ooooooooo.oooooooooooooooooooooooooooooooooooooo\
           ooooooooooooooooooooooooo.oooooooooooooooooooooo\
           ooooooooooooooooooooooooooooooooooooooooo.example.com.

   or, in alternate notation:

      fo{39}p.o{63}.o{63}.o{63}.example.com.

   Example where DNS name is the maximum DNS name length and contains an
   octet which must be incremented by skipping values corresponding to
   US-ASCII upper-case letters:

      y  = fooooooooooooooooooooooooooooooooooooooooooooooo\
           \@.ooooooooooooooooooooooooooooooooooooooooooooo\
           oooooooooooooooooo.ooooooooooooooooooooooooooooo\
           oooooooooooooooooooooooooooooooooo.ooooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           oo.example.com.

   or, in alternate notation:

      fo{47}\@.o{63}.o{63}.o{63}.example.com.
      y' = fooooooooooooooooooooooooooooooooooooooooooooooo\
           \[.ooooooooooooooooooooooooooooooooooooooooooooo\
           oooooooooooooooooo.ooooooooooooooooooooooooooooo\
           oooooooooooooooooooooooooooooooooo.ooooooooooooo\
           oooooooooooooooooooooooooooooooooooooooooooooooo\
           oo.example.com.

   or, in alternate notation:

      fo{47}\[.o{63}.o{63}.o{63}.example.com.

   Example where DNS name has the maximum possible sort order in the
   zone, and consequently wraps to the owner name of the apex:

      y  = \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255.\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255.\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255\255\255\255\255\255\255\255\255\255\255\255\
           \255.example.com.

   or, in alternate notation:

      \255{49}.\255{63}.\255{63}.\255{63}.example.com.

      y' = example.com.

6.  Security Considerations

   The derivation of some predecessors/successors requires the testing
   of more conditions than others.  Consequently the effectiveness of a
   denial-of-service attack may be enhanced by sending queries that
   require more conditions to be tested.

7.  IANA Considerations

   This document does not create any IANA considerations.

8.  Acknowledgments

   The authors would like to thank Olaf Kolkman and Niall O'Reilly for
   their review and input.

9.  References

9.1  Normative References

   [I-D.ietf-dnsext-dnssec-records]
              Arends, R., Austein, R., Larson, M., Massey, D. and S.
              Rose, "Resource Records for the DNS Security Extensions",
              draft-ietf-dnsext-dnssec-records-11 (work in progress),
              October 2004.

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

9.2  Informative References

   [I-D.ietf-dnsext-dnssec-trans]
              Arends, R., Koch, P. and J. Schlyter, "Evaluating DNSSEC
              Transition Mechanisms", draft-ietf-dnsext-dnssec-trans-01
              (work in progress), October 2004.

   [I-D.weiler-dnsext-dnssec-online-signing]
              Weiler, S. and J. Ihren, "Minimally Covering NSEC Records
              and DNSSEC On-line Signing",
              draft-weiler-dnsext-dnssec-online-signing-00 (work in
              progress), October 2004.

Authors' Addresses

   Geoffrey Sisson
   Nominet
   Sandford Gate
   Sandy Lane West
   Oxford
   OX4 6LB
   GB

   Phone: +44 1865 332339
   EMail: geoff@nominet.org.uk

   Ben Laurie
   Nominet
   17 Perryn Road
   London
   W3 7LR
   GB

   Phone: +44 20 8735 0686
   EMail: ben@algroup.co.uk

Appendix A.  Change History

A.1  Changes from -00 to -01

   o  Split step 3 of derivation of DNS name predecessor into two
      distinct steps for clarity.

   o  Added clarifying text and examples related to the requirement to
      avoid upper-case characters when decrementing or incrementing
      octets.

   o  Added optimisation using restriction of effective maximum DNS name
      length.
   o  Changed examples to use decimal rather than octal notation as per
      [RFC1035].

   o  Corrected DNS name length of some examples.

   o  Added reference to weiler-dnsext-dnssec-online-signing.

   o  Miscellaneous minor changes to text.

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.