
wcard draft

wcard draft. Ed Lewis, editor. 62nd IETF, March 9, 2005. State of the Document: -05 is in the Internet Draft repository. Recent changes: Title (removed "Clarifications"); lots of reorganization of text; inclusion of DNSSEC vs. Wildcards; more work on special types (since -05).


Presentation Transcript


  1. wcard draft
     Ed Lewis, editor
     62nd IETF, March 9, 2005
     ed.lewis@neustar.biz

  2. State of the Document
     • -05 is in the Internet Draft repository
     • Recent changes
       • Title (removed "Clarifications")
       • Lots of reorganization of text
       • Inclusion of DNSSEC vs. Wildcards
       • More work on special types (since -05)
     • Not ready for last call!

  3. What's (Still) Important
     • Clears up definition of "wildcard"
     • Defines "asterisk label", "wild card domain name", "closest encloser", and "source of synthesis"
     • Cleans up text in RFC 1034 and others
     • Changes "* CNAME"
     • Will be in -06: changes to signing (!!!)

  4. Oh my! Changes to signing?
     • And more...
     • Discussed on Monday here - New rule:
       • If a wild card domain name owns EITHER an NS RRSet OR a DNAME RRSet
         • It is NEVER a source of synthesis
         • Queries return NXDOMAIN
         • The RRSIG label count treats the records as non-wildcards

  5. Normal Example
     $ORIGIN example.
     @    SOA  …
          NS   …
     …
     *    TXT  "this is a wildcard"
     ...

  6. NS Example
     $ORIGIN example.
     @    SOA  …
          NS   …
     …
     *    NS   ...
     *    DS   ...
     ...

  7. "* NS"
     • Legal because you can have a zone with an asterisk label in the name
       • www.*.example. "works"
     • Synthesis is cancelled by the zone boundary
       • Regardless of QTYPE (NS, ANY, DS, ....)
       • Message return code = name error
     • Became a protocol problem with DNSSEC, as opposed to operational annoyance

  8. Example: QNAME, QTYPE
     • QNAME=a.example. QTYPE=NS
       • assume no "a.example." in zone
     • Answer is NXDOMAIN
       • Even though you "might" have thought it would be an expansion of *.example

  9. Canceling Synthesis
     • c. If at some label, a match is impossible (i.e., the corresponding label does not exist), look to see if the "*" label exists AND DOES NOT OWN AN NS RRSET NOR A DNAME RRSET.
     • Treat a * NS (or * DNAME) as "not there."

  10. Why NXDOMAIN?
     • NXDOMAIN or No Error/No Data
       • Both are negative, both have same user experience
     • NXDOMAIN will let caches retain this "failure" (NCACHE)
     • This is why NXDOMAIN won the debate

  11. What about the DS in the ex.?
     • DS cannot be there without NS
     • DS and NS - the DS is not synthesized either, NXDOMAIN is also returned

  12. DNAME Example
     $ORIGIN example.
     @    SOA   …
          NS    …
     …
     *    DNAME ...
     *    TXT   ...
     ...

  13. * DNAME
     • Problem lies in inconsistency of how queries are made and what happens at a cache
     • IMHO, possibly at most one person in the world really understands this (and it isn't me)
     • Treat this just like * NS...

  14. So what about signing?
     • RFC TBD (-protocols), section 3.1.3
     • "The value of the Labels field MUST NOT count ... the wildcard label (if present). .... For example, ... "*.example.com." has a Labels field value of 2...."

  15. Change to that text
     • Maybe not literal - but the "*" is no longer ALWAYS a wildcard label.
     • We could say the definition is "correct" but the example is then misleading
     • Either way, this will be documented

  16. Other changes
     • Blurb on SRV record
       • Prompted by confusion over "Name" and domain name in that RFC
       • This has surfaced recently in the IETF

  17. Answers?
     • Anyone have some (more)?
