mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

new draft

Browse Source
This commit is contained in:
Mark Andrews
2004-03-10 22:56:58 +00:00
parent 58e0b35a3b
commit 43d1c96a30
1 changed files with 87 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

176
doc/draft/draft-ietf-dnsext-nsec-rdata-03.txt → doc/draft/draft-ietf-dnsext-nsec-rdata-04.txt
View File

@@ -1,13 +1,11 @@
DNS Extensions Working Group J. Schlyter, Ed. DNS Extensions Working Group J. Schlyter, Ed.
Internet-Draft December 19, 2003 Internet-Draft March 3, 2004
Updates: RFC 2535, RFC TCR (if approved) Updates: RFC 2535, RFC TCR
Expires: June 18, 2004 Expires: September 1, 2004
DNSSEC NSEC RDATA Format DNSSEC NSEC RDATA Format
draft-ietf-dnsext-nsec-rdata-03.txt draft-ietf-dnsext-nsec-rdata-04.txt
Status of this Memo Status of this Memo
@@ -29,16 +27,17 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 18, 2004. This Internet-Draft will expire on September 1, 2004.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract Abstract
This document defines updates the NSEC resource record RDATA format This document redefines the wire format of the "Type Bit Map" field
to cover all type codes. in the NSEC resource record RDATA format to cover the full RR type
space.
@@ -50,10 +49,9 @@ Abstract
Schlyter Expires September 1, 2004 [Page 1]
Schlyter Expires June 18, 2004 [Page 1] Internet-Draft DNSSEC NSEC RDATA Format March 2004
Internet-Draft DNSSEC NSEC RDATA Format December 2003
Table of Contents Table of Contents
@@ -65,7 +63,7 @@ Table of Contents
2.1.2 The List of Type Bit Map(s) Field . . . . . . . . . . . . . 4 2.1.2 The List of Type Bit Map(s) Field . . . . . . . . . . . . . 4
2.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . . . . 5 2.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . . . . 5
2.2 The NSEC RR Presentation Format . . . . . . . . . . . . . . 5 2.2 The NSEC RR Presentation Format . . . . . . . . . . . . . . 5
2.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . . 5 2.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . . 6
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . 6 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
Normative References . . . . . . . . . . . . . . . . . . . . 6 Normative References . . . . . . . . . . . . . . . . . . . . 6
@@ -107,19 +105,20 @@ Table of Contents
Schlyter Expires June 18, 2004 [Page 2] Schlyter Expires September 1, 2004 [Page 2]
Internet-Draft DNSSEC NSEC RDATA Format December 2003 Internet-Draft DNSSEC NSEC RDATA Format March 2004
1. Introduction 1. Introduction
The NSEC [5] Resource Record (RR) is used for authenticated proof of The NSEC [5] Resource Record (RR) is used for authenticated proof of
the non-existence of DNS owner names and types. The RDATA format for the non-existence of DNS owner names and types. The NSEC RR is based
the NSEC RR, as described in RFC 2535 [2], had a limitation in that, on the NXT RR as described in RFC 2535 [2], and is similar except for
without using a yet undefined extension mechanism, the the RDATA the name and typecode. The RDATA format for the NXT RR had a
could only carry information about the existence of the first 127 limitation in that, without using a yet undefined extension
types. mechanism, the the RDATA could only carry information about the
existence of the first 127 types.
To prevent the introduction of an extension mechanism into a deployed To prevent the introduction of an extension mechanism into a deployed
base of DNSSEC aware servers and resolvers, once the first 127 type base of DNSSEC aware servers and resolvers, once the first 127 type
@@ -129,10 +128,10 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
This document introduces a new format for the type bit map. The This document introduces a new format for the type bit map. The
properties of the type bit map format are that it can cover the full properties of the type bit map format are that it can cover the full
possible range of typecodes; that it is relatively economic in the possible range of typecodes, that it is relatively economic in the
amount of space it uses for the common case of a few types with an amount of space it uses for the common case of a few types with an
owner name; that it can represent owner names with all possible type owner name, that it can represent owner names with all possible types
present in packets of approximately 8.5 kilobytes; that the present in packets of approximately 8.5 kilobytes and that the
representation is simple to implement. Efficient searching of the representation is simple to implement. Efficient searching of the
type bitmap for the presence of certain types is not a requirement. type bitmap for the presence of certain types is not a requirement.
@@ -141,9 +140,6 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
[2] and as updated by RFC TCR [5], thereby not introducing changes [2] and as updated by RFC TCR [5], thereby not introducing changes
except for the syntax of the type bit map. except for the syntax of the type bit map.
[Editors note: this is the text that is to be copied into
draft-ietf-dnssec-dnssec-records]
This document updates RFC 2535 [2] and RFC TCR [5]. This document updates RFC 2535 [2] and RFC TCR [5].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
@@ -153,23 +149,23 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
2. The NSEC Resource Record 2. The NSEC Resource Record
The NSEC resource record lists two separate things: the owner name of The NSEC resource record lists two separate things: the owner name of
the next authoritative RRset in the canonical ordering of the zone, the next RRset in the canonical ordering of the zone, and the set of
and the set of RR types present at the NSEC RR's owner name. The RR types present at the NSEC RR's owner name. The complete set of
complete set of NSEC RRs in a zone both indicate which authoritative NSEC RRs in a zone both indicate which RRsets exist in a zone and
RRsets exist in a zone and also form a chain of authoritative owner also form a chain of owner names in the zone. This information is
names in the zone. This information is used to provide authenticated used to provide authenticated denial of existence for DNS data, as
denial of existence for DNS data, as described in RFC 2535 [2]. described in RFC 2535 [2].
Schlyter Expires June 18, 2004 [Page 3]
Internet-Draft DNSSEC NSEC RDATA Format December 2003
The type value for the NSEC RR is 47. The type value for the NSEC RR is 47.
Schlyter Expires September 1, 2004 [Page 3]
Internet-Draft DNSSEC NSEC RDATA Format March 2004
The NSEC RR RDATA format is class independent and defined for all The NSEC RR RDATA format is class independent and defined for all
classes. classes.
@@ -190,10 +186,19 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
2.1.1 The Next Domain Name Field 2.1.1 The Next Domain Name Field
The Next Domain Name field contains the owner name of the next The Next Domain Name field contains the owner name of the next RR in
authoritative RRset in the canonical ordering of the zone. The value the canonical ordering of the zone. The value of the Next Domain
of the Next Domain Name field in the last NSEC record in the zone is Name field in the last NSEC record in the zone is the name of the
the name of the zone apex (the owner name of the zone's SOA RR). zone apex (the owner name of the zone's SOA RR).
A sender MUST NOT use DNS name compression on the Next Domain Name
field when transmitting an NSEC RR. A receiver which receives an
NSEC RR containing a compressed Next Domain Name field SHOULD
decompress the field value.
Owner names of RRsets not authoritative for the given zone (such as
glue records) MUST NOT be listed in the Next Domain Name unless at
least one authoritative RRset exists at the same owner name.
2.1.2 The List of Type Bit Map(s) Field 2.1.2 The List of Type Bit Map(s) Field
@@ -209,6 +214,14 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
"|" denotes concatenation "|" denotes concatenation
Schlyter Expires September 1, 2004 [Page 4]
Internet-Draft DNSSEC NSEC RDATA Format March 2004
Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) + Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
Each bitmap encodes the low-order 8 bits of RR types within the Each bitmap encodes the low-order 8 bits of RR types within the
@@ -216,14 +229,6 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
to RR type 2 (NS), and so forth. For window block 1, bit 1 to RR type 2 (NS), and so forth. For window block 1, bit 1
corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
Schlyter Expires June 18, 2004 [Page 4]
Internet-Draft DNSSEC NSEC RDATA Format December 2003
1, it indicates that an RRset of that type is present for the NSEC 1, it indicates that an RRset of that type is present for the NSEC
RR's owner name. If a bit is set to 0, it indicates that no RRset of RR's owner name. If a bit is set to 0, it indicates that no RRset of
that type is present for the NSEC RR's owner name. that type is present for the NSEC RR's owner name.
@@ -263,6 +268,16 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
type mnemonics. When the mnemonic is not known, the TYPE type mnemonics. When the mnemonic is not known, the TYPE
representation as described in RFC 3597 [4] (section 5) MUST be used. representation as described in RFC 3597 [4] (section 5) MUST be used.
Schlyter Expires September 1, 2004 [Page 5]
Internet-Draft DNSSEC NSEC RDATA Format March 2004
2.3 NSEC RR Example 2.3 NSEC RR Example
The following NSEC RR identifies the RRsets associated with The following NSEC RR identifies the RRsets associated with
@@ -272,18 +287,10 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC TYPE1234 alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC TYPE1234
The first four text fields specify the name, TTL, Class, and RR type The first four text fields specify the name, TTL, Class, and RR type
Schlyter Expires June 18, 2004 [Page 5]
Internet-Draft DNSSEC NSEC RDATA Format December 2003
(NSEC). The entry host.example.com. is the next authoritative name (NSEC). The entry host.example.com. is the next authoritative name
after alfa.example.com. in canonical order. The A, MX, RRSIG and NSEC after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC
mnemonics indicate there are A, MX, RRSIG, NSEC and TYPE1234 RRsets and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC and
associated with the name alfa.example.com. TYPE1234 RRsets associated with the name alfa.example.com.
The RDATA section of the NSEC RR above would be encoded as: The RDATA section of the NSEC RR above would be encoded as:
@@ -310,8 +317,8 @@ Internet-Draft DNSSEC NSEC RDATA Format December 2003
4. Security Considerations 4. Security Considerations
The change introducted here does not affect security, since it only The update of the RDATA format and encoding does not affect the
updates the RDATA format and encoding. security of the use of NSEC RRs.
Normative References Normative References
@@ -319,6 +326,14 @@ Normative References
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Eastlake, D., "Domain Name System Security Extensions", RFC [2] Eastlake, D., "Domain Name System Security Extensions", RFC
Schlyter Expires September 1, 2004 [Page 6]
Internet-Draft DNSSEC NSEC RDATA Format March 2004
2535, March 1999. 2535, March 1999.
[3] Eastlake, D., Brunner-Williams, E. and B. Manning, "Domain Name [3] Eastlake, D., Brunner-Williams, E. and B. Manning, "Domain Name
@@ -328,14 +343,6 @@ Normative References
[4] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR) [4] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
Types", RFC 3597, September 2003. Types", RFC 3597, September 2003.
Schlyter Expires June 18, 2004 [Page 6]
Internet-Draft DNSSEC NSEC RDATA Format December 2003
[5] Weiler, S., "Legacy Resolver Compatibility for Delegation [5] Weiler, S., "Legacy Resolver Compatibility for Delegation
Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work
in progress), October 2003. in progress), October 2003.
@@ -378,18 +385,9 @@ Appendix A. Acknowledgements
Schlyter Expires September 1, 2004 [Page 7]
Internet-Draft DNSSEC NSEC RDATA Format March 2004
Schlyter Expires June 18, 2004 [Page 7]
Internet-Draft DNSSEC NSEC RDATA Format December 2003
Intellectual Property Statement Intellectual Property Statement
@@ -417,7 +415,7 @@ Intellectual Property Statement
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
@@ -443,9 +441,9 @@ Full Copyright Statement
Schlyter Expires June 18, 2004 [Page 8] Schlyter Expires September 1, 2004 [Page 8]
Internet-Draft DNSSEC NSEC RDATA Format December 2003 Internet-Draft DNSSEC NSEC RDATA Format March 2004
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
@@ -499,5 +497,5 @@ Acknowledgment
Schlyter Expires June 18, 2004 [Page 9] Schlyter Expires September 1, 2004 [Page 9]