DNS Scoped Data Through "Underscore" Naming
of Attribute LeavesBrandenburg InternetWorking675 Spruce Dr.SunnyvaleCA94086USA+1.408.246.8253dcrocker@bbiw.nethttp://bbiw.net/dnsopDNSDomain Name System> Formally, any DNS resource record may occur under any domain name.
However some services have defined an operational convention, which
applies to DNS leaf nodes that are under a DNS branch having one or
more reserved node names, each beginning with an _underscore. The
underscored naming construct defines a semantic scope for DNS record
types that are associated with the parent domain, above the
underscored branch. This specification explores the nature of this
DNS usage and defines the "DNS Global Underscore Scoped Entry
Registry" with IANA. The purpose of the Underscore registry is to
avoid collisions resulting from the use of the same underscore-based
name, for different services.The core Domain Name System (DNS) technical specifications assign no
semantics to domain names or their parts, and no constraints upon
which resource record (RR) types are permitted to be stored under
particular names , .
Over time, some leaf node names, such as "www" and "ftp" have come
to imply support for particular services, but this is a matter of
operational convention, rather than defined protocol semantics.
This freedom in the basic technology has permitted a wide range of
administrative and semantic policies to be used -- in parallel. DNS
data semantics have been limited to the specification of particular
resource record types, on the expectation that new ones would be
added as needed. Unfortunately, the addition of new resource record
types has proven extremely challenging, over the life of the DNS,
with significant adoption and use barriers. As an alternative to defining a new RR type, some DNS service
enhancements call for using an existing resource record type, but
specify a restricted scope for its occurrence. Scope is meant as
a static property, not one dependent on the nature of the query.
It is an artifact of the DNS name. That scope is a leaf node,
within which the uses of specific resource record sets can be
formally defined and constrained. The leaf occurs in a branch
having a distinguished naming convention: At the top of the
branch -- beneath the parent domain name to which the scope
applies -- one or more reserved DNS node names begin with an
underscore ("_"). Because the DNS rules for a
"host" (host name) do not allow use of the underscore
character, this distinguishes the underscored name from all legal
host names . Effectively, this convention
for leaf node naming creates a space for the listing of
"attributes" -- in the form of resource record types -- that are
associated with the parent domain, above the underscored
sub-branch. The scoping feature is particularly useful when generalized
resource record types are used -- notably
TXT, SRV,
and URI, , , . It provides
efficient separation of one use of them from others. Absent this
separation, an undifferentiated mass of these
RRsets is returned to the DNS client,
which then must parse through the internals of the records in the
hope of finding ones that are relevant. Worse, in some cases the
results are ambiguous because a record type might not adequately
self-identify its specific purpose. With underscore-based
scoping, only the relevant RRsetss
are returned.A simple example is DKIM , which
uses "_domainkey" for defining a place to hold a
TXT record containing signing
information for the parent domain. This specification formally defines how underscored labels are
used as "attribute" enhancements for their parent domain names.
For example, domain name "_domainkey.example." acts as an
attribute of the parent domain name "example." To avoid
collisions resulting from the use of the same underscore-based
labels for different applications using the same resource record
type, this document establishes the DNS Underscore Global Scoped
Entry IANA Registry. Use of such node names, which begin with
underscore, are reserved when they are the underscored name
closest to the DNS root; they are considered "global".
Underscore-based names that are farther down the hierarchy are
handled within the scope of the global underscore name. Discussion about this draft
should be directed to the dnsop@ietf.org
mailing list.Please remove
"Discussion Venue" paragraph prior to
publication.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
.Some resource record types are used in a fashion that can create
scaling problems, if an entire RRset associated with a domain
name is aggregated in the leaf node for that name. An
increasingly-popular approach, with excellent scaling properties,
places the RRset under a specially named branch, which is in turn
under the node name that would otherwise contain the RRset. The
rules for naming that branch define the context for interpreting
the RRset. That is, rather than: the arrangement is: A direct lookup to the subordinate leaf node produces
only the desired record types, at no greater cost than a typical
DNS lookup. As defined in the DNS uses names
organized in a tree-structured, or hierarchical fashion. A domain
name might have multiple node names that begin with an
_underscore. A "global" underscored node name is the one that is
closest to the root of the DNS hierarchy, also called the
highest-level or top-most. In the presentation convention
described in Section 3.1 of this is the
right-most name beginning with an underscore. In other
presentation environments it might be positioned differently. To
avoid concern for the presentation variations, the qualifier
"global" is used here.DNS wildcards interact poorly with underscored names in two ways.
Since wildcards only are interpreted as leaf names, one cannot
create the equivalent of a wildcard name for prefixed names. A
name such as label.*.example.com is not a wildcard. Conversely, a wildcard such as *.example.com can match any name
including an underscored name. So, a wildcard might match an
underscored name, returning a record that is the type controlled
by the underscored name but is not intended to be used in the
underscored context and does not conform to its rules. A registry for "global" DNS nodes names that begin with an
underscore is defined here. The purpose of the Underscore Global
Registry is to avoid collisions resulting from the use of the same
underscore-based name, for different applications. If a public specification calls for use of an
underscore-prefixed domain node name, the "global" underscored
name -- the underscored name that is closest to the DNS root
-- MUST be entered into this registry.An underscored name defines scope of use for specific resource
record types, which are associated with the domain name that is the
"parent" to the branch defined by the underscored name. A given name
defines a specific, constrained context for one or more RR types,
where use of such record types conforms to the defined constraints.
Within an underscore scoped leaf, other RRsets that are not
specified as part of the scope MAY be used.Structurally, the registry is defined as a single, flat table of RR
types, under node names beginning with underscore. In some cases,
such as for use of an SRV record, the
full scoping name might be multi-part, as a sequence of underscored
names. Semantically, that sequence represents a hierarchical model
and it is theoretically reasonable to allow re-use of a subordinate
underscored name in a different, global underscored context; that
is, a subordinate name is meaningful only within the scope of the
global underscored name. Therefore they are ignored by this DNS
Underscore Global Scoped Entry Registry. This registry is for the
definition of highest-level -- ie, global -- underscored node name
used.NAME_service1._protoB._service2_protoB._service3_protoC._service3_useX._protoD._service4_protoE._region._authorityOnly global underscored names are registered in the IANA Underscore
Global table. The use of underscored node names is specific to each RRTYPE
that is being scoped. Each name defines a place, but does not
define the rules for what appears underneath that place,
either as additional underscored naming or as a leaf node with
resource records. Details for those rules are provided by
specifications for individual RRTYPEs. The sections below
describe the way that existing underscore labels are used with
the RRTYPEs that they name.Definition and registration of subordinate, underscore node
names is the responsibility of the specification that creates
the global registry entry.That is, if a scheme using a global underscore node name has one or
more subordinate levels of underscore node naming, the namespaces
from which names for those lower levels are chosen are controlled by
the parent underscore node name. Each globally-registered underscore
name owns a distinct, subordinate name space.This section provides a basic template that can be used to register
new entries in the IANA DNS Underscore Global Scoped Entry Registry,
if the global underscored name above the RRTYPE is not already
registered. The text can be added to specifications using
RRTYPE/_Node-name combinations that have not already been
registered.Per {RFC Attrleaf} please add the following entry to the DNS
Underscore Global Scoped Entry Registry:Please replace the above "{RFC
Attrleaf}" text with a reference to this document's RFC
number. /dRR Type_NODE NAME REFERENCE{RRTYPE}_{DNS global node name} {citation for the document making the addition.} Per , IANA is requested to establish the:DNS Underscore Global Scoped Entry RegistryThis section describes actions requested of IANA. The
guidance in is used.The DNS Global Underscore Scoped Entry Registry is any DNS node
name that begin with the underscore character ("_",
ASCII 0x5F) and is the underscored node name closest to the root;
that is it defines the highest-level of a DNS branch, under a
"parent" domain name. This registry is to operate under the IANA rules for
"Expert Review" registration; see .The contents of each entry in the Global registry are
defined in .Each entry in the registry MUST contain values for all of
the fields specified in .Within the registry, the combination of RR Type and _Node
Name MUST be unique.The table is to be maintained with entries sorted by the
first column (RR Type) and, within that, the second column
(_Node Name).The required Reference for an entry MUST have a stable
resolution to the organization controlling that registry
entry.A registry entry contains: Lists an RR type that is defined for
use within this scopeSpecifies a single, underscored
name that defines a reserved name; this name is the
"global" entry name for the scoped resource record types
that are associated with that name Lists specification that defines a
record type and its use under this Name. The organization
producing the specification retains control over the
registry entry for the _Node Name Each RR type that is to be used MUST have a separate
registry entry. Initial entries in the registry are:RR Type_NODE NAME REFERENCEOPENPGPKEY_openpgpkeySMIMEA _smimecertSRV_dccpSRV_sctpSRV_tcpSRV_udpTLSA_sctpTLSA_tcpTLSA_udpTXT_mta-stsTXT_acme-challengeTXT_dmarcTXT_domainkeyTXT_spfTXT_vouchURI_iaxURI_acctURI_dccpURI_emailURI_emsURI_faxURI_ftURI_h323URI_ical-schedURI_ical-accessURI_ifaxURI_imURI_mmsURI_presURI_pstnURI_sctpURI_sipURI_smsURI_tcpURI_udpURI_unifmsgURI_vcardURI_videomsgURI_voiceURI_voicemsgURI_vpimURI_xmpThis section provides guidance for expert review of registration
requests in the of DNS Underscore Global Scoped Entry Registry.This review is solely to determine adequacy of a requested
entry in this Registry, and does not include review of other
aspects of the document specifying that entry. For example
such a document might also contain a definition of the
resource record type that is referenced by the requested
entry. Any required review of that definition is separate from
the expert review required here. The review is for the purposes of ensuring that:The details for creating the registry entry are sufficiently
clear, precise and completeThe combination of the underscored name, under which the
listed resource record type is used, and the resource record
type, is unique in the tableFor the purposes of this Expert Review, other matters of the
specification's technical quality, adequacy or the like are outside
of scope. This memo raises no security issues.DNS wildcards interact poorly with underscored names in two ways.
Since wildcards only are interpreted as leaf names, one cannot
create the equivalent of a wildcard name for prefixed names. A
name such as label.*.example.com is not a wildcard. Conversely, a wildcard such as *.example.com can match any name
including an underscored name. So, a wildcard might match an
underscored name, returning a record that is the type controlled
by the underscored name but is not intended to be used in the
underscored context and does not conform to its rules. SMTP MTA Strict Transport Security (MTA-STS)DOD Internet Host Table SpecificationDomain Names - Concepts and
FacilitiesUSC/ISI4676 Admiralty WayMarina del ReyCA90291US+1 213 822 1511Domain Names - Implementation
and SpecificationUSC/ISI4676 Admiralty WayMarina del ReyCA90291US+1 213 822 1511Key words for use in RFCs to
Indicate Requirement LevelsHarvard University1350 Mass. Ave.CambridgeMA 02138- +1 617 495 3864sob@harvard.edu
General
keyword In many standards track documents several words are used
to signify the requirements in the specification. These
words are often capitalized. This document defines these
words as they should be interpreted in IETF documents.
Authors who follow these guidelines should incorporate this
phrase near the beginning of their document: The key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in RFC 2119. Note that the force of these words is modified by the
requirement level of the document in which they are used.
Clarifications to the DNS SpecificationGuidelines for Writing an IANA Considerations Section in
RFCsPTIHuawei TechnologiesIBM CorporationA DNS RR for specifying the location
of services (DNS SRV)Troll TechWaldemar Thranes gate 98BOsloN-0175NO+47 22 806390+47 22 806380arnt@troll.noInternet Software Consortium950 Charter StreetRedwood CityCA94063US+1 650 779 7001Microsoft CorporationOne Microsoft WayRedmondWA98052USlevone@microsoft.comThis document describes a DNS
RR which specifies the location
of the server(s) for a specific protocol and domain.Vouch By ReferenceDomain Assurance CouncilDomain Assurance CouncilAlt-N Technologiesnternet Assigned Numbers Authority (IANA) Procedures for
the Management of the Service Name and Transport Protocol Port
Number RegistryDomainKeys Identified Mail (DKIM) SignaturesDomainKeys Identified Mail (DKIM) defines a domain-level
authentication framework for email using public-key
cryptography and key server technology to permit
verification of the source and contents of messages by
either Mail Transfer Agents (MTAs) or Mail User Agents
(MUAs). The ultimate goal of this framework is to permit a
signing domain to assert responsibility for a message, thus
protecting message signer identity and the integrity of the
messages they convey while retaining the functionality of
Internet email as it is known today. Protection of email
identity may assist in the global control of "spam" and
"phishing". [STANDARDS TRACK]The DNS-Based Authentication of Named Entities (DANE)
Transport Layer Security (TLS) Protocol: TLSASender Policy Framework (SPF) for Authorizing Use of
Domains in E-Mail, Version 1Domain-based Message Authentication, Reporting, and
Conformance (DMARC)The Uniform Resource Identifier (URI) DNS Resource
RecordNetnodISOCUsing Secure DNS to Associate Certificates with Domain
Names for S/MIMEAutomatic Certificate Management Environment
(ACME)Guidelines for Writing an IANA Considerations Section in
RFCsThanks go to Bill Fenner, Dick Franks, Tony Hansen, Martin Hoffmann,
Peter Koch, Olaf Kolkman, and Andrew Sullivan for diligent review of
the (much) earlier drafts. For the later enhancements, thanks to:
Stephane Bortzmeyer, Bob Harold, Warren Kumari, John Levine, Joel
Jaeggli, Petr Špaček, OndÅ™ej Surř, Paul Vixie, Tim
Wicinski, and Paul Wouters. Special thanks to Ray Bellis for his persistent encouragement to
continue this effort, as well as the suggestion for an essential
simplification to the registration model.