TOC 
DNS Extensions Working GroupS. Rose
Internet-DraftNIST
Updates: 2672, 3363, 4294W. Wijngaards
(if approved)NLnet Labs
Intended status: Standards TrackMarch 25, 2008
Expires: September 26, 2008 


Update to DNAME Redirection in the DNS
draft-ietf-dnsext-rfc2672bis-dname-11

Status of This Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on September 26, 2008.

Abstract

The DNAME record provides redirection for a sub-tree of the domain name tree in the DNS system. That is, all names that end with a particular suffix are redirected to another part of the DNS. This is an update to the original specification in RFC 2672, also aligning RFC 3363 and RFC 4294 with this revision.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].



Table of Contents

1.  Introduction

2.  The DNAME Resource Record
    2.1.  Format
    2.2.  The DNAME Substitution
    2.3.  DNAME Apex not Redirected itself
    2.4.  Names Next to and Below a DNAME Record
    2.5.  Compression of the DNAME record.

3.  Processing
    3.1.  Wildcards
    3.2.  CNAME synthesis
    3.3.  Acceptance and Intermediate Storage
    3.4.  Server algorithm

4.  DNAME Discussions in Other Documents

5.  Other Issues with DNAME
    5.1.  MX, NS and PTR Records Must Point to Target of DNAME
    5.2.  Dynamic Update and DNAME
    5.3.  DNSSEC and DNAME
        5.3.1.  DNAME bit in NSEC type map
        5.3.2.  Validators Must Understand DNAME
            5.3.2.1.  DNAME in Bitmap Causes Invalid Name Error
            5.3.2.2.  Valid Name Error Response Involving DNAME in Bitmap
            5.3.2.3.  Response With Synthesized CNAME

6.  IANA Considerations

7.  Security Considerations

8.  Acknowledgments

9.  References
    9.1.  Normative References
    9.2.  Informative References




 TOC 

1.  Introduction

DNAME is a DNS Resource Record type. DNAME provides redirection from a part of the DNS name tree to another part of the DNS name tree.

Take for example, looking through a zone (see RFC 1034 (Mockapetris, P., “Domain names - concepts and facilities,” November 1987.) [RFC1034], section 4.3.2, step 3) for the domain name "foo.example.com" and a DNAME resource record is found at "example.com" indicating that all queries under "example.com" be directed to "example.net". The lookup process will return to step 1 with the new query name of "foo.example.net". Had the query name been "www.foo.example.com" the new query name would be "www.foo.example.net".

The DNAME RR is similar to the CNAME RR in that it provides redirection. The CNAME RR only provides redirection for exactly one name while the DNAME RR provides redirection for all names in a sub-tree of the DNS name tree.

This document is an update to the original specification of DNAME in RFC 2672 (Crawford, M., “Non-Terminal DNS Name Redirection,” August 1999.) [RFC2672]. DNAME was conceived to help with the problem of maintaining address-to-name mappings in a context of network renumbering. With a careful set-up, a renumbering event in the network causes no change to the authoritative server that has the address-to-name mappings. Examples in practice are classless reverse address space delegations and punycode alternates for domain spaces.

Another usage of DNAME lies in redirection of name spaces. For example, a zone administrator may want sub-trees of the DNS to contain the same information. DNAME is also used for the redirection of ENUM domains to another maintaining party.

This update to DNAME does not change the wire format or the handling of DNAME Resource Records by existing software. A new UD (Understand Dname) bit in the EDNS flags field can be used to signal that CNAME synthesis is not needed. Discussion is added on problems that may be encountered when using DNAME.



 TOC 

2.  The DNAME Resource Record



 TOC 

2.1.  Format

The DNAME RR has mnemonic DNAME and type code 39 (decimal).

The format of the DNAME record has not changed from the original specification in RFC 2672. DNAME has the following format:

        <owner> <ttl> <class> DNAME <target>

The format is not class-sensitive. All fields are required. The RDATA field target is a domain name. The RDATA field target name MUST be sent uncompressed [RFC3597] (Gustafsson, A., “Handling of Unknown DNS Resource Record (RR) Types,” September 2003.).

The DNAME RR causes type NS additional section processing.



 TOC 

2.2.  The DNAME Substitution

DNAMEs cause a name substitution to happen to query names. This is called the DNAME substitution. The portion of the QNAME ending with the root label that matches the owner name of the DNAME RR is replaced with the contents of the DNAME RR's RDATA. The owner name of the DNAME is not itself redirected, only domain names below the owner name are redirected. Only whole labels are replaced. A name is considered below the owner name if it has more labels than the owner name, and the labels of the owner name appear at the end of the query name. See the table of examples for common cases and corner cases.



In the table below, the QNAME refers to the query name. The owner is the DNAME owner domain name, and the target refers to the target of the DNAME record. The result is the resulting name after performing the DNAME substitution on the query name. "no match" means that the query did not match the DNAME and thus no substitution is performed and a possible error message is returned (if no other result is possible). In the examples below, 'cyc' and 'shortloop' contain loops.

 QNAME            owner  DNAME   target         result
 ---------------- -------------- -------------- -----------------
 com.             example.com.   example.net.   <no match>
 example.com.     example.com.   example.net.   <no match>
 a.example.com.   example.com.   example.net.   a.example.net.
 a.b.example.com. example.com.   example.net.   a.b.example.net.
 ab.example.com.  b.example.com. example.net.   <no match>
 foo.example.com. example.com.   example.net.   foo.example.net.
 a.x.example.com. x.example.com. example.net.   a.example.net.
 a.example.com.   example.com.   y.example.net. a.y.example.net.
 cyc.example.com. example.com.   example.com.   cyc.example.com.
 cyc.example.com. example.com.   c.example.com. cyc.c.example.com.
 shortloop.x.x.   x.             .              shortloop.x.
 shortloop.x.     x.             .              shortloop.

 Table 1. DNAME Substitution Examples. 

It is possible for DNAMEs to form loops, just as CNAMEs can form loops. DNAMEs and CNAMEs can chain together to form loops. A single corner case DNAME can form a loop. Resolvers and servers should be cautious in devoting resources to a query, but be aware that fairly long chains of DNAMEs may be valid. Zone content administrators should take care to insure that there are no loops that could occur when using DNAME or DNAME/CNAME redirection.

The domain name can get too long during substitution. For example, suppose the target name of the DNAME RR is 250 octets in length (multiple labels), if an incoming QNAME that has a first label over 5 octets in length, the result of the result would be a name over 255 octets. If this occurs the server returns an RCODE of YXDOMAIN [RFC2136] (Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, “Dynamic Updates in the Domain Name System (DNS UPDATE),” April 1997.). The DNAME record and its signature (if the zone is signed) are included in the answer as proof for the YXDOMAIN (value 6) RCODE.



 TOC 

2.3.  DNAME Apex not Redirected itself

The owner name of a DNAME is not redirected itself. The reason for the original decision was that one can have a DNAME at the zone apex without problem. Then use this DNAME at the zone apex to point queries to the target zone. There still is a need to have the customary SOA and NS resource records at the zone apex. This means that DNAME does not mirror a zone completely, as it does not mirror the zone apex.

Another reason for excluding the DNAME owner from the DNAME substitution is that one can then query for the DNAME through RFC 1034 [RFC1034] (Mockapetris, P., “Domain names - concepts and facilities,” November 1987.) caches.

This means that DNAME RRs are not allowed at the parent side of a delegation point but are allowed at a zone apex.



 TOC 

2.4.  Names Next to and Below a DNAME Record

Other resource records MUST NOT exist at a domain name subordinate to the owner of a DNAME RR. To get the contents for names subordinate to that owner, the DNAME redirection must be invoked and the resulting target queried. A server MAY refuse to load a zone that has data at a domain name subordinate to a domain name owning a DNAME RR. If the server does load the zone, those names below the DNAME RR will be occluded. Also a server SHOULD refuse to load a zone subordinate to the owner of a DNAME record in the ancestor zone. See Section 5.2 (Dynamic Update and DNAME) for further discussion related to dynamic update.

DNAME is a singleton type, meaning only one DNAME is allowed per name. The owner name of a DNAME can only have one DNAME RR, and no CNAME RRs can exist at that name. These rules make sure that for a single domain name only one redirection exists, and thus no confusion which one to follow. A server SHOULD refuse to load a zone that violates these rules.

The domain name that owns a DNAME record is allowed to have other resource record types at that domain name, except DNAMEs or CNAMEs.

These rules allow DNAME records to be queried through DNAME unaware caches.



 TOC 

2.5.  Compression of the DNAME record.

The DNAME owner name can be compressed like any other owner name. The DNAME RDATA target name MUST NOT be sent out in compressed form, so that a DNAME RR can be treated as an unknown type.

Although the previous specification [RFC2672] (Crawford, M., “Non-Terminal DNS Name Redirection,” August 1999.) talked about signaling to allow compression of the target name, no such signaling is explicitly specified.

RFC 2672 stated that the EDNS version had a meaning for understanding of DNAME and DNAME target name compression. This document updates RFC 2672, in that there is no EDNS version signaling for DNAME as of yet. However, the flags section of EDNS(0) is updated with a Understand-DNAME flag by this document (See Section 3.2).



 TOC 

3.  Processing



 TOC 

3.1.  Wildcards

The use of DNAME in conjunction with wildcards is discouraged [RFC4592] (Lewis, E., “The Role of Wildcards in the Domain Name System,” July 2006.). Thus records of the form "*.example.com DNAME example.net" SHOULD NOT be used.

The interaction between the expansion of the wildcard and the redirection of the DNAME is non-deterministic. Because the processing is non-deterministic, DNSSEC validating resolvers may not be able to validate a wildcarded DNAME.

A server MAY give a warning that the behavior is unspecified if such a wildcarded DNAME is loaded. The server MAY refuse it, refuse to load or refuse dynamic update.



 TOC 

3.2.  CNAME synthesis

On the server side, the DNAME RR record is always included in the answer section of a query, when one is encountered. A CNAME RR record with TTL equal to the corresponding DNAME RR is synthesized for old resolvers, specifically for the QNAME in the query. DNSSEC [RFC4033] (Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “DNS Security Introduction and Requirements,” March 2005.), [RFC4034] (Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “Resource Records for the DNS Security Extensions,” March 2005.), [RFC4035] (Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “Protocol Modifications for the DNS Security Extensions,” March 2005.) says that the synthesized CNAME does not have to be signed. The DNAME has an RRSIG and a validating resolver can check the CNAME against the DNAME record and validate the DNAME record.

Resolvers MUST be able to handle a synthesized CNAME TTL of zero or equal to the TTL of the corresponding DNAME record. A TTL of zero means that the CNAME can be discarded immediately after processing the answer. DNAME aware resolvers can set the Understand-DNAME (UD bit) to receive a response with only the DNAME RR and no synthesized CNAMEs.

The UD bit is part of the EDNS extended RCODE and Flags field. It is used to omit server processing, transmission and resolver processing of unsigned synthesized CNAMEs. Resolvers can set this in a query to request omission of the synthesized CNAMEs. Servers copy the UD bit to the response, and can omit synthesized CNAMEs from the answer. Older resolvers do not set the UD bit, and older servers do not copy the UD bit to the answer, and will not omit synthesized CNAMEs.

Updated EDNS extended RCODE and Flags field.

            +0 (MSB)                +1 (LSB)
   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
0: |   EXTENDED-RCODE      |       VERSION         |
   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
2: |DO|UD|                 Z                       |
   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Servers MUST be able to answer a query for a synthesized CNAME. Like other query types this invokes the DNAME, and synthesizes the CNAME into the answer.



 TOC 

3.3.  Acceptance and Intermediate Storage

DNS caches can encounter data at names below the owner name of a DNAME RR, due to a change at the authoritative server where data from before and after the change resides in the cache. This conflict situation is a transitional phase, that ends when the old data times out. The cache can opt to store both old and new data and treat each as if the other did not exist, or drop the old data, or drop the longer domain name. In any approach, consistency returns after the older data TTL times out.

DNS caches MUST perform CNAME synthesis on behalf of DNAME-ignorant clients. A DNS cache that understands DNAMEs can send out queries on behalf of clients with the UD bit set. After receiving the answers the DNS cache sends replies to DNAME ignorant clients that include DNAMEs and synthesized CNAMEs.



 TOC 

3.4.  Server algorithm

Below the server algorithm, which appeared in RFC 2672 Section 4.1, is expanded to handle the UD bit.

  1. Set or clear the value of recursion available in the response depending on whether the name server is willing to provide recursive service. If recursive service is available and requested via the RD bit in the query, go to step 5, otherwise step 2.

  2. Search the available zones for the zone which is the nearest ancestor to QNAME. If such a zone is found, go to step 3, otherwise step 4.

  3. Start matching down, label by label, in the zone. The matching process can terminate several ways:

    A.
    If the whole of QNAME is matched, we have found the node.
    If the data at the node is a CNAME, and QTYPE does not match CNAME, copy the CNAME RR into the answer section of the response, change QNAME to the canonical name in the CNAME RR, and go back to step 1.

    Otherwise, copy all RRs which match QTYPE into the answer section and go to step 6.

    B.
    If a match would take us out of the authoritative data, we have a referral. This happens when we encounter a node with NS RRs marking cuts along the bottom of a zone.
    Copy the NS RRs for the sub-zone into the authority section of the reply. Put whatever addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache. Go to step 4.

    C.
    If at some label, a match is impossible (i.e., the corresponding label does not exist), look to see whether the last label matched has a DNAME record.
    If a DNAME record exists at that point, copy that record into the answer section. If substitution of its <target> for its <owner> in QNAME would overflow the legal size for a <domain- name>, set RCODE to YXDOMAIN [RFC2136] (Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, “Dynamic Updates in the Domain Name System (DNS UPDATE),” April 1997.) and exit; otherwise perform the substitution and continue. If the EDNS OPT record is present in the query and the UD bit is set, the server MAY copy the UD bit to the answer EDNS OPT record, and omit CNAME synthesis. Else the server MUST synthesize a CNAME record as described above and include it in the answer section. Go back to step 1.

    If there was no DNAME record, look to see if the "*" label exists.

    If the "*" label does not exist, check whether the name we are looking for is the original QNAME in the query or a name we have followed due to a CNAME or DNAME. If the name is original, set an authoritative name error in the response and exit. Otherwise just exit.

    If the "*" label does exist, match RRs at that node against QTYPE. If any match, copy them into the answer section, but set the owner of the RR to be QNAME, and not the node with the "*" label. If the data at the node with the "*" label is a CNAME, and QTYPE doesn't match CNAME, copy the CNAME RR into the answer section of the response changing the owner name to the QNAME, change QNAME to the canonical name in the CNAME RR, and go back to step 1. Otherwise, Go to step 6.

  4. Start matching down in the cache. If QNAME is found in the cache, copy all RRs attached to it that match QTYPE into the answer section. If QNAME is not found in the cache but a DNAME record is present at an ancestor of QNAME, copy that DNAME record into the answer section. If there was no delegation from authoritative data, look for the best one from the cache, and put it in the authority section. Go to step 6.

  5. Use the local resolver or a copy of its algorithm to answer the query. Store the results, including any intermediate CNAMEs and DNAMEs, in the answer section of the response.

  6. Using local data only, attempt to add other RRs which may be useful to the additional section of the query. Exit.

Note that there will be at most one ancestor with a DNAME as described in step 4 unless some zone's data is in violation of the no-descendants limitation in section 3. An implementation might take advantage of this limitation by stopping the search of step 3c or step 4 when a DNAME record is encountered.



 TOC 

4.  DNAME Discussions in Other Documents

In [RFC2181] (Elz, R. and R. Bush, “Clarifications to the DNS Specification,” July 1997.), in Section 10.3., the discussion on MX and NS records touches on redirection by CNAMEs, but this also holds for DNAMEs.

Excerpt from 10.3. MX and NS records (in RFC 2181).

        The domain name used as the value of a NS resource record,
        or part of the value of a MX resource record must not be
        an alias.  Not only is the specification clear on this
        point, but using an alias in either of these positions
        neither works as well as might be hoped, nor well fulfills
        the ambition that may have led to this approach.  This
        domain name must have as its value one or more address
        records.  Currently those will be A records, however in
        the future other record types giving addressing
        information may be acceptable.  It can also have other
        RRs, but never a CNAME RR.

The DNAME RR is discussed in RFC 3363, section 4, on A6 and DNAME. The opening premise of this section is demonstrably wrong, and so the conclusion based on that premise is wrong. In particular, [RFC3363] (Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T. Hain, “Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS),” August 2002.) deprecates the use of DNAME in the IPv6 reverse tree, which is then carried forward as a recommendation in [RFC4294] (Loughney, J., “IPv6 Node Requirements,” April 2006.). Based on the experience gained in the meantime, [RFC3363] (Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T. Hain, “Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS),” August 2002.) should be revised, dropping all constraints on having DNAME RRs in these zones. This would greatly improve the manageability of the IPv6 reverse tree. These changes are made explicit below.

In [RFC3363] (Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T. Hain, “Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS),” August 2002.), the paragraph

   "The issues for DNAME in the reverse mapping tree appears to be
   closely tied to the need to use fragmented A6 in the main tree: if
   one is necessary, so is the other, and if one isn't necessary, the
   other isn't either.  Therefore, in moving RFC 2874 to experimental,
   the intent of this document is that use of DNAME RRs in the reverse
   tree be deprecated."

is to be replaced with the word "DELETED".

In [RFC4294] (Loughney, J., “IPv6 Node Requirements,” April 2006.), the reference to DNAME was left in as an editorial oversight. The paragraph

  "Those nodes are NOT RECOMMENDED to support the experimental A6 and
  DNAME Resource Records [RFC3363]."

is to be replaced by

  "Those nodes are NOT RECOMMENDED to support the experimental
  A6 Resource Record [RFC3363]."



 TOC 

5.  Other Issues with DNAME

There are several issues to be aware of about the use of DNAME.



 TOC 

5.1.  MX, NS and PTR Records Must Point to Target of DNAME

The names listed as target names of MX, NS and PTR records must be canonical hostnames. This means no CNAME or DNAME redirection may be present during DNS lookup of the address records for the host. This is discussed in RFC 2181 [RFC2181] (Elz, R. and R. Bush, “Clarifications to the DNS Specification,” July 1997.), section 10.3, and RFC 1912 [RFC1912] (Barr, D., “Common DNS Operational and Configuration Errors,” February 1996.), section 2.4.

The upshot of this is that although the lookup of a PTR record can involve DNAMEs, the name listed in the PTR record can not fall under a DNAME. The same holds for NS and MX records. For example, when punycode alternates for a zone use DNAME then the NS, MX and PTR records that point to that zone must use names without punycode in their RDATA. What must be done then is to have the domain names with DNAME substitution already applied to it as the MX, NS, PTR data. These are valid canonical hostnames.



 TOC 

5.2.  Dynamic Update and DNAME

DNAME records can be added, changed and removed in a zone using dynamic update transactions. Adding a DNAME RR to a zone occludes any domain names that may exist under the added DNAME.

A server MUST ignore a dynamic update message that attempts to add a DNAME RR at a name that already has a CNAME RR or another DNAME RR associated with that name.



 TOC 

5.3.  DNSSEC and DNAME



 TOC 

5.3.1.  DNAME bit in NSEC type map

When a validator checks the NSEC RRs returned on a name error response, it SHOULD check that the DNAME bit is not set. If the DNAME bit is set then the DNAME substitution should have been done, but has not.



 TOC 

5.3.2.  Validators Must Understand DNAME

Examples of why DNSSEC validators MUST understand DNAME.



 TOC 

5.3.2.1.  DNAME in Bitmap Causes Invalid Name Error

;; Header: QR AA DO RCODE=3(NXDOMAIN)
;; Question
foo.bar.example.com. IN A
;; Answer
bar.example.com. NSEC dub.example.com. A DNAME
bar.example.com. RRSIG NSEC [valid signature]

If this is the response, then only by understanding that the DNAME bit means that foo.bar.example.com needed to have been redirected by the DNAME, the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply.

If the DNAME bit had not been set in the NSEC record above then the answer would have validated as a correct name error response.



 TOC 

5.3.2.2.  Valid Name Error Response Involving DNAME in Bitmap

;; Header: QR AA DO RCODE=3(NXDOMAIN)
;; Question
cee.example.com. IN A
;; Answer
bar.example.com. NSEC dub.example.com. A DNAME
bar.example.com. RRSIG NSEC [valid signature]

This reply has the same NSEC records as the example above, but with this query name (cee.example.com), the answer is validated, because 'cee' does not get redirected by the DNAME at 'bar'.

 TOC 

5.3.2.3.  Response With Synthesized CNAME

;; Header: QR AA DO RCODE=0(NOERROR)
;; Question
foo.bar.example.com. IN A
;; Answer
bar.example.com. DNAME bar.example.net.
bar.example.com. RRSIG DNAME [valid signature]
foo.bar.example.com. CNAME foo.bar.example.net.

The answer shown above has the synthesized CNAME included. However, the CNAME has no signature, since the server does not sign online. So it cannot be trusted. It could be altered by an attacker to be foo.bar.example.com CNAME bla.bla.example. The DNAME record does have its signature included, since it does not change for every query name. The validator must verify the DNAME signature and then recursively resolve further to query for the foo.bar.example.net A record.

 TOC 

6.  IANA Considerations

The main purpose of this draft is to discuss issues related to the use of DNAME RRs in a DNS zone. The original document registered the DNAME Resource Record type code 39 (decimal). IANA should update the DNS resource record registry by adding a pointer to this document for RR type 39.

This draft requests the second highest bit in the EDNS flags field for the Understand-DNAME (UD) flag.



 TOC 

7.  Security Considerations

DNAME redirects queries elsewhere, which may impact security based on policy and the security status of the zone with the DNAME and the redirection zone's security status.

If a validating resolver accepts wildcarded DNAMEs, this creates security issues. Since the processing of a wildcarded DNAME is non-deterministic and the CNAME that was substituted by the server has no signature, the resolver may choose a different result than what the server meant, and consequently end up at the wrong destination. Use of wildcarded DNAMEs is discouraged in any case [RFC4592] (Lewis, E., “The Role of Wildcards in the Domain Name System,” July 2006.).

A validating resolver MUST understand DNAME, according to [RFC4034] (Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “Resource Records for the DNS Security Extensions,” March 2005.). In Section 5.3.2 (Validators Must Understand DNAME) examples are given that illustrate this need.



 TOC 

8.  Acknowledgments

The authors of this draft would like to acknowledge Matt Larson for beginning this effort to address the issues related to the DNAME RR type. The authors would also like to acknowledge Paul Vixie, Ed Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly and Sam Weiler for their review and comments on this document.



 TOC 

9.  References



 TOC 

9.1. Normative References

[RFC1034] Mockapetris, P., “Domain names - concepts and facilities,” STD 13, RFC 1034, November 1987 (TXT).
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, “Dynamic Updates in the Domain Name System (DNS UPDATE),” RFC 2136, April 1997 (TXT, HTML, XML).
[RFC2181] Elz, R. and R. Bush, “Clarifications to the DNS Specification,” RFC 2181, July 1997 (TXT, HTML, XML).
[RFC2672] Crawford, M., “Non-Terminal DNS Name Redirection,” RFC 2672, August 1999 (TXT).
[RFC3597] Gustafsson, A., “Handling of Unknown DNS Resource Record (RR) Types,” RFC 3597, September 2003 (TXT).
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “DNS Security Introduction and Requirements,” RFC 4033, March 2005 (TXT).
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “Resource Records for the DNS Security Extensions,” RFC 4034, March 2005 (TXT).
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “Protocol Modifications for the DNS Security Extensions,” RFC 4035, March 2005 (TXT).
[RFC4592] Lewis, E., “The Role of Wildcards in the Domain Name System,” RFC 4592, July 2006 (TXT).


 TOC 

9.2. Informative References

[RFC1912] Barr, D., “Common DNS Operational and Configuration Errors,” RFC 1912, February 1996 (TXT).
[RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T. Hain, “Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS),” RFC 3363, August 2002 (TXT).
[RFC4294] Loughney, J., “IPv6 Node Requirements,” RFC 4294, April 2006 (TXT).


 TOC 

Authors' Addresses

  Scott Rose
  NIST
  100 Bureau Dr.
  Gaithersburg, MD 20899
  USA
Phone:  +1-301-975-8439
Fax:  +1-301-975-6238
EMail:  scottr@nist.gov
  
  Wouter Wijngaards
  NLnet Labs
  Kruislaan 419
  Amsterdam 1098 VA
  The Netherlands
Phone:  +31-20-888-4551
EMail:  wouter@nlnetlabs.nl


 TOC 

Full Copyright Statement

Intellectual Property