idnits 2.17.1 draft-sury-dnsext-cname-at-apex-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) -- The draft header indicates that this document updates RFC1034, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC1034, updated by this document, for RFC5378 checks: 1987-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (August 18, 2010) is 4972 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Unknown state RFC: RFC 1033 Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSext Working Group O. Sury 3 Internet-Draft CZ.NIC 4 Updates: 1034 (if approved) August 18, 2010 5 Intended status: Standards Track 6 Expires: February 19, 2011 8 CNAME at the zone apex 9 draft-sury-dnsext-cname-at-apex-00 11 Abstract 13 This document proposes a modification to CNAME record to coexist with 14 SOA and NS records at the zone apex. This proposal will improve 15 aliasing in the DNS system. The users are often forced to manually 16 add duplicate A, AAAA and MX records by copying data from the target 17 zone to the aliased zone. This forces zone owner to keep track of 18 target domain name since the mismatch in the data could cause 19 failures. This administrative burden will be eliminated by allowing 20 CNAME to coexist with NS and SOA resource records. 22 Status of this Memo 24 This Internet-Draft is submitted to IETF in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF), its areas, and its working groups. Note that 29 other groups may also distribute working documents as Internet- 30 Drafts. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 The list of current Internet-Drafts can be accessed at 38 http://www.ietf.org/ietf/1id-abstracts.txt. 40 The list of Internet-Draft Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 This Internet-Draft will expire on February 19, 2011. 45 Copyright Notice 47 Copyright (c) 2010 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 63 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 64 1.2. Requirements Language . . . . . . . . . . . . . . . . . . . 3 65 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 3. CNAME at the apex . . . . . . . . . . . . . . . . . . . . . . . 4 67 4. Query processing . . . . . . . . . . . . . . . . . . . . . . . 4 68 4.1. Processing by Authoritative Servers . . . . . . . . . . . . 4 69 4.2. Processing by Recursive Servers . . . . . . . . . . . . . . 5 70 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 71 6. Normative References . . . . . . . . . . . . . . . . . . . . . 5 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6 74 1. Introduction 76 RFC 1033 [RFC1033] defines CNAME resource record for cases when there 77 are multiple names for single host. A CNAME resource record 78 identifies its owner name as an alias, and specifies the 79 corresponding canonical name in the RDATA section of the resource 80 record. If a CNAME resource record is present at a node, no other 81 data MUST be present; this ensures that the data for a canonical name 82 and its aliases cannot be different. This rule also insures that a 83 cached CNAME can be used without checking with an authoritative 84 server for other resource record types. 86 However there are already existing exceptions to this rule. RFC 4034 87 [RFC4034] defines exception to RRSIG and NSEC records, which MUST 88 exist for the same name as a CNAME resource record in a signed zone. 90 RFC 1034 [RFC1034] defines the data that defines the top node of the 91 zone. They are logically part of the authoritative data, the RRs 92 that describe the top node of the zone are especially important to 93 the zone's management. These RRs are of two types: name server RRs 94 that list, one per RR, all of the servers for the zone, and a single 95 SOA RR that describes zone management parameters. 97 The Start Of Authority (SOA) record designates the start of a zone. 98 It must be present in the zone apex. 100 The NS (Name Server) record lists the name of a machine the provides 101 domain service for a particular zone. The NS record is placed both 102 in the parent and the child zone and should be same. The NS 103 record(s) are also mandatory in the zone. 105 1.1. Terminology 107 All the basic terms used in this specification are defined in the 108 documents RFC 1033 [RFC1033], RFC 1034 [RFC1034]. 110 1.2. Requirements Language 112 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 113 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 114 document are to be interpreted as described in RFC 2119 [RFC2119]. 116 2. Motivation 118 The aliasing in the DNS system is usually done by placing CNAME for 119 each individual record which needs to be aliased. There is one 120 notable exception - the zone apex which has to include the SOA and NS 121 RRs. Because of that the zone owner is unable to place CNAME record 122 there and this can lead to several failure conditions. Either the 123 data in the apex is copied by hand and new administrative burden is 124 created to keep the data in the sync, or there is no alias in the 125 apex at all. 127 The aliases zone is prone to several types of errors when the copy 128 method is used. The target domain can change the data and while 129 subdomains (like www.example.net) still works the zone apex A record 130 (example.net) doesn't work. This could go overlooked for some time 131 if the zone owner doesn't do regular checks. Same condition can 132 happen with MX records causing failure to deliver email or it could 133 even lead to malicious use if the bad guys happen to own previous 134 manually copied MX records. Also there could be a semi-failures, 135 f.e. if the target zone adds AAAA record for IPv6, it will not be 136 copied to aliased zone automatically causing IPv6 resolution 137 failures. 139 3. CNAME at the apex 141 This proposal defines new rules for the CNAME record. RFC 1033 142 [RFC1034] defines that: 144 There must not be any other RRs associated with a nickname of the 145 same class. 147 This rule is changed with full compliance with DNSSEC RFCs to: 149 There must not be any other RRs with the same owner as the CNAME RR 150 with the exception of NS, SOA, DNSKEY, RRSIG and NSEC RRs. 152 4. Query processing 154 Because of the change of the existing behaviour in the CNAME 155 processing there is a need to add a signaling bit for the queries 156 issued by resolvers understanding CNAME at the zone apex. 158 4.1. Processing by Authoritative Servers 160 The authoritative server implementations MUST allow CNAME resource 161 record in the zone apex to coexist with NS, SOA, DNSKEY, RRSIG and 162 NSEC resource records. They MUST NOT allow any other resource record 163 types in the zone apex when the CNAME resource record is placed in 164 the zone apex. 166 The authoritative server will return an answer containing specific 167 resource record type when asked for SOA, NS, DNSKEY, RRSIG or NSEC RR 168 type. The authoritative server will return an answer containing the 169 CNAME if any other RR type is requested in the query. If the query 170 contains the CNAME-at-apex signaling bit then the authoritative 171 server will use correct TTL in the zone for the requests in the zone 172 apex. If the query doesn't contain the CNAME-at-apex signaling bit 173 then the authoritative server will override TTL in the zone and will 174 return answer with 0 TTL for all resource requests in the zone. This 175 should prevent the resolvers to store the result in the cache and 176 thus breaking the internal rules for the CNAME. 178 4.2. Processing by Recursive Servers 180 The resolver compliant with this proposal will issue a query which 181 has the CNAME-at-apex signaling bit. Such resolver MUST NOT deny 182 CNAME if it already has other resource record in the cache with the 183 same owner with the SOA, NS, DNSKEY, RRSIG or NSEC resource record 184 type. It MUST NOT deny SOA, NS, DNSKEY, RRSIG or NSEC resource 185 records if it already has a CNAME resource record in the cache. The 186 compliant resolver SHOULD NOT deny CNAME in the case it has any other 187 RR type in the cache and it SHOULD NOT deny any other RR types if it 188 already has CNAME records in the cache. 190 The rules for the authoritative server is same for the compliant 191 resolver acting as an upstream cache. 193 5. Security Considerations 195 The author is not aware of any security consideration, but he is 196 aware that this proposal could create problems for the name servers 197 not following the Robustness principle - Be conservative in what you 198 send; be liberal in what you accept. 200 6. Normative References 202 [RFC1033] Lottor, M., "Domain administrators operations guide", 203 RFC 1033, November 1987. 205 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 206 STD 13, RFC 1034, November 1987. 208 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 209 Requirement Levels", BCP 14, RFC 2119, March 1997. 211 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 212 Rose, "Resource Records for the DNS Security Extensions", 213 RFC 4034, March 2005. 215 Author's Address 217 Ondrej Sury 218 CZ.NIC 219 Americka 23 220 120 00 Praha 2 221 CZ 223 Phone: +420 222 745 110 224 Email: ondrej.sury@nic.cz