DNS Scoped Data Through "Underscore" Naming of Attribute
LeavesBrandenburg InternetWorking675 Spruce Dr.SunnyvaleCA94086USA+1.408.246.8253dcrocker@bbiw.nethttp://bbiw.net/dnsopDNSDomain Name System> Formally, any DNS resource record may occur under any domain name. However some
services use an operational convention for defining specific interpretations of an
RRset, by locating the records in a DNS branch, under the parent domain to which the
RRset actually applies. The top of this subordinate branch is defined by a naming
convention that uses a reserved node name, which begins with an _underscore. The
underscored naming construct defines a semantic scope for DNS record types that are
associated with the parent domain, above the underscored branch. This specification
explores the nature of this DNS usage and defines the "DNS Global Underscore Scoped
Entry Registry" with IANA. The purpose of the Underscore registry is to avoid collisions
resulting from the use of the same underscore-based name, for different services.The core Domain Name System (DNS) technical specifications assign no semantics to domain
names or their parts, and no constraints upon which resource record (RR) types are
permitted to be stored under particular names , . Over time, some leaf node names, such as "www" and "ftp" have
come to imply support for particular services, but this is a matter of operational
convention, rather than defined protocol semantics.
This freedom in the basic technology has permitted a wide range of administrative and
semantic policies to be used -- in parallel. DNS data semantics have been limited to the
specification of particular resource record types, on the expectation that new resource
record types would be added as needed. Unfortunately, the addition of new resource
record types has proven extremely challenging, over the life of the DNS, with
significant adoption and use barriers. As an alternative to defining a new RR type, some DNS service enhancements call for
using an existing resource record type, but specify a restricted scope for its
occurrence. Scope is meant as a static property, not one dependent on the nature of
the query. It is an artifact of the DNS name. That scope is a leaf node, within which
the uses of specific resource record sets can be formally defined and constrained.
The leaf occurs in a branch having a distinguished naming convention: At the top of
the branch -- beneath the parent domain name to which the scope applies -- one or
more reserved DNS node names begin with an underscore ("_"). Because the
DNS rules for a "host" (host name) do not allow use of the underscore
character, this distinguishes the underscored name from all legal host names . Effectively, this convention for leaf node naming creates a
space for the listing of "attributes" -- in the form of resource record types -- that
are associated with the parent domain, above the underscored sub-branch. The scoping feature is particularly useful when generalized resource record types are
used -- notably TXT, SRV, and URI, , , . It provides efficient separation of one use of them from
others. Absent this separation, an undifferentiated mass of these
RRsets is returned to the DNS client, which then must
parse through the internals of the records in the hope of finding ones that are
relevant. Worse, in some cases the results are ambiguous because a record type might
not adequately self-identify its specific purpose. With underscore-based scoping,
only the relevant RRsetss are returned.A simple example is DKIM , which uses "_domainkey" for
defining a place to hold a TXT record containing signing
information for the parent domain. This specification formally defines how underscored labels are used as "attribute"
enhancements for their parent domain names. For example, domain name
"_domainkey.example." acts as an attribute of the parent domain name "example." To
avoid collisions resulting from the use of the same underscore-based labels for
different applications using the same resource record type, this document establishes
the DNS Underscore Global Scoped Entry IANA Registry. Use of such node names, which
begin with underscore, are reserved when they are the underscored name closest to the
DNS root; they are considered "global". Underscore-based names that are farther down
the hierarchy are handled within the scope of the global underscore name. Discussion about this draft should be directed
to the dnsop@ietf.org mailing
list.Please remove "Discussion Venue"
paragraph prior to publication.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to
be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
appear in all capitals, as shown here.Some resource record types are used in a fashion that can create scaling problems, if
an entire RRset associated with a domain name is aggregated in the leaf node for that
name. An increasingly-popular approach, with excellent scaling properties, places the
RRset under a specially named branch, which is in turn under the node name that would
otherwise contain the RRset. The rules for naming that branch define the context for
interpreting the RRset. That is, rather than: the arrangement is: A direct lookup to the subordinate leaf node produces only the desired
record types, at no greater cost than a typical DNS lookup. As defined in the DNS uses names organized in a
tree-structured, or hierarchical fashion. A domain name might have multiple node
names that begin with an _underscore. A "global" underscored node name is the one
that is closest to the root of the DNS hierarchy, also called the highest-level or
top-most. In the presentation convention described in Section 3.1 of this is the right-most name beginning with an underscore. In
other presentation environments it might be positioned differently. To avoid concern
for the presentation variations, the qualifier "global" is used here.DNS wildcards interact poorly with underscored names in two ways. Since wildcards
only are interpreted as leaf names, one cannot create the equivalent of a wildcard
name for prefixed names. A name such as label.*.example.com is not a wildcard. Conversely, a wildcard such as *.example.com can match any name including an
underscored name. So, a wildcard might match an underscored name, returning a record
that is the type controlled by the underscored name but is not intended to be used in
the underscored context and does not conform to its rules. A registry for "global" DNS node names that begin with an underscore is defined here.
The purpose of the Underscore Global Registry is to avoid collisions resulting from the
use of the same underscore-based name, for different applications. If a public specification calls for use of an underscore-prefixed domain node
name, the "global" underscored name -- the underscored name that is closest to the
DNS root -- MUST be entered into this registry.An underscored name defines the scope of use for specific resource record types, which
are associated with the domain name that is the "parent" to the branch defined by the
underscored name. A given name defines a specific, constrained context for one or more
RR types, where use of such record types conforms to the defined constraints. Within an underscore scoped leaf, other RRsets that are not specified as part of
the scope MAY be used.Structurally, the registry is defined as a single, flat table of RR types, under node
names beginning with underscore. In some cases, such as for use of an
SRV record, the full scoping name might be multi-part, as a
sequence of underscored names. Semantically, that sequence represents a hierarchical
model and it is theoretically reasonable to allow re-use of a subordinate underscored
name in a different, global underscored context; that is, a subordinate name is
meaningful only within the scope of the global underscored name. Therefore they are
ignored by this DNS Underscore Global Scoped Entry Registry. This registry is for the
definition of highest-level -- ie, global -- underscored node name used.NAME_service1_protoB._service2_protoB._service3_protoC._service3_useX._protoD._service4_protoE._region._authorityOnly global underscored names are registered in the IANA Underscore Global table. (From
the example, that would mean registering _service1, _service2, _service3, _service 4,
and _authority.) The use of underscored node names is specific to each RRTYPE that is being scoped.
Each name defines a place, but does not define the rules for what appears
underneath that place, either as additional underscored naming or as a leaf node
with resource records. Details for those rules are provided by specifications for
individual RRTYPEs. The sections below describe the way that existing underscore
labels are used with the RRTYPEs that they name.Definition and registration of subordinate, underscore node names is the
responsibility of the specification that creates the global registry entry.That is, if a scheme using a global underscore node name has one or more subordinate
levels of underscore node naming, the namespaces from which names for those lower levels
are chosen are controlled by the parent underscore node name. Each globally-registered
underscore name owns a distinct, subordinate name space.This section provides a basic template that can be used to register new entries in the
IANA DNS Underscore Global Scoped Entry Registry, if the global underscored name above
the RRTYPE is not already registered. The text can be added to specifications using
RRTYPE/_Node-name combinations that have not already been registered.Per {RFC Attrleaf} please add the following entry to the DNS
Underscore Global Scoped Entry Registry:Please replace the above "{RFC Attrleaf}" text
with a reference to this document's RFC number. /dRR Type_NODE NAME REFERENCE{RRTYPE}_{DNS global node name} {citation for the document making the addition.} Per , IANA is requested to establish the:DNS Underscore Global Scoped Entry RegistryThis section describes actions requested of IANA. The guidance in is used.The DNS Global Underscore Scoped Entry Registry is any DNS node name that begin with
the underscore character ("_", ASCII 0x5F) and is the underscored node name
closest to the root; that is it defines the highest-level of a DNS branch, under a
"parent" domain name. This registry is to operate under the IANA rules for "Expert Review"
registration; see .The contents of each entry in the Global registry are defined in .Each entry in the registry MUST contain values for all of the fields specified
in .Within the registry, the combination of RR Type and _Node Name MUST be
unique.The table is to be maintained with entries sorted by the first column (RR Type)
and, within that, the second column (_Node Name).The required Reference for an entry MUST have a stable resolution to the
organization controlling that registry entry.A registry entry contains: Lists an RR type that is defined for use within this
scopeSpecifies a single, underscored name that defines a
reserved name; this name is the "global" entry name for the scoped resource
record types that are associated with that name; for characters in the name
that have an upper-case form and a lower-case form, the character MUST be
recorded as lower-case, to simplify name comparisons. Lists specification that defines a record type and its
use under this Name. The organization producing the specification retains
control over the registry entry for the _Node Name Each RR type that is to be used MUST have a separate registry entry. Initial entries in the registry are:RR Type_NODE NAME REFERENCENULL_ta-* {see note}OPENPGPKEY_openpgpkeyPTR_tcpPTR_udpSMIMEA _smimecertSRV_dccpSRV_ipv6SRV_sipSRV_sctpSRV_tcpSRV_udpSRV_xmppTLSA_daneTLSA_sctpTLSA_tcpTLSA_udpTXT_mta-stsTXT_acme-challengeTXT_dmarcTXT_domainkeyTXT_spfTXT_vouchURI_iaxURI_acctURI_dccpURI_emailURI_emsURI_faxURI_ftURI_h323URI_ical-schedURI_ical-accessURI_ifaxURI_imURI_mmsURI_presURI_pstnURI_sctpURI_sipURI_smsURI_tcpURI_udpURI_unifmsgURI_vcardURI_videomsgURI_voiceURI_voicemsgURI_vpimURI_webURI_xmppUnder the NULL RR, the entry "_ta-*" is meant to denote all
node names beginning with the string "_ta-". It does NOT refer to a DNS
wildcard specification.This section provides guidance for expert review of registration requests in the DNS
Underscore Global Scoped Entry Registry.This review is solely to determine adequacy of a requested entry in this Registry,
and does not include review of other aspects of the document specifying that
entry. For example such a document might also contain a definition of the resource
record type that is referenced by the requested entry. Any required review of that
definition is separate from the expert review required here. The review is for the purposes of ensuring that:The details for creating the registry entry are sufficiently clear, precise and
completeThe combination of the underscored name, under which the listed resource record
type is used, and the resource record type, is unique in the tableFor the purposes of this Expert Review, other matters of the specification's technical
quality, adequacy or the like are outside of scope. This memo raises no security issues.SMTP MTA Strict Transport Security (MTA-STS)DOD Internet Host Table SpecificationDomain Names - Concepts and FacilitiesUSC/ISI4676 Admiralty WayMarina del ReyCA90291US+1 213 822 1511Domain Names - Implementation and
SpecificationUSC/ISI4676 Admiralty WayMarina del ReyCA90291US+1 213 822 1511Key words for use in RFCs to Indicate Requirement
LevelsHarvard University1350 Mass. Ave.CambridgeMA 02138- +1 617 495 3864sob@harvard.edu
General
keyword In many standards track documents several words are used to signify the
requirements in the specification. These words are often capitalized. This
document defines these words as they should be interpreted in IETF documents.
Authors who follow these guidelines should incorporate this phrase near the
beginning of their document: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119. Note that the force of these words is modified by the requirement level of the
document in which they are used. Clarifications to the DNS SpecificationGuidelines for Writing an IANA Considerations Section in RFCsPTIHuawei TechnologiesIBM CorporationA DNS RR for specifying the location of services (DNS
SRV)Troll TechWaldemar Thranes gate 98BOsloN-0175NO+47 22 806390+47 22 806380arnt@troll.noInternet Software Consortium950 Charter StreetRedwood CityCA94063US+1 650 779 7001Microsoft CorporationOne Microsoft WayRedmondWA98052USlevone@microsoft.comThis document describes a DNS RR which specifies
the location of the server(s) for a specific protocol and domain.Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and
PresenceThis memo describes extensions to and applications of the core features of the
Extensible Messaging and Presence Protocol (XMPP) that provide the basic
instant messaging (IM) and presence functionality defined in RFC 2779.
[STANDARDS-TRACK]Mobile IPv6 Bootstrapping in Split ScenarioA Mobile IPv6 node requires a Home Agent address, a home address, and IPsec
security associations with its Home Agent before it can start utilizing Mobile
IPv6 service. RFC 3775 requires that some or all of these are statically
configured. This document defines how a Mobile IPv6 node can bootstrap this
information from non-topological information and security credentials
pre-configured on the Mobile Node. The solution defined in this document solves
the split scenario described in the Mobile IPv6 bootstrapping problem statement
in RFC 4640. The split scenario refers to the case where the Mobile Node's
mobility service is authorized by a different service provider than basic
network access. The solution described in this document is also generically
applicable to any bootstrapping case, since other scenarios are more specific
realizations of the split scenario. [STANDARDS-TRACK]Internet Assigned Numbers Authority (IANA) Registration of Instant Messaging
and Presence DNS SRV RRs for the Session Initiation Protocol (SIP)This document registers with IANA two new DNS SRV protocol labels for resolving
Instant Messaging and Presence services with SIP. [STANDARDS TRACK]Vouch By ReferenceDomain Assurance CouncilDomain Assurance CouncilAlt-N TechnologiesUpdate of Legacy IANA Registrations of EnumservicesThis document revises all Enumservices that were IANA registered under the now
obsolete specification of the Enumservice registry defined in RFC 3761.
[STANDARDS-TRACK]IANA Registration for Enumservice 'iax'This document registers an Enumservice for the Inter-Asterisk eXchange (IAX)
protocol according to the guidelines given in RFC 6117. This document is not an
Internet Standards Track specification; it is published for informational
purposes.Internet Assigned Numbers Authority (IANA) Procedures for the Management of
the Service Name and Transport Protocol Port Number RegistryDomainKeys Identified Mail (DKIM) SignaturesDomainKeys Identified Mail (DKIM) defines a domain-level authentication
framework for email using public-key cryptography and key server technology to
permit verification of the source and contents of messages by either Mail
Transfer Agents (MTAs) or Mail User Agents (MUAs). The ultimate goal of this
framework is to permit a signing domain to assert responsibility for a message,
thus protecting message signer identity and the integrity of the messages they
convey while retaining the functionality of Internet email as it is known
today. Protection of email identity may assist in the global control of "spam"
and "phishing". [STANDARDS TRACK]The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security
(TLS) Protocol: TLSADNS-Based Service DiscoveryThis document specifies how DNS resource records are named and structured to
facilitate service discovery. Given a type of service that a client is looking
for, and a domain in which the client is looking for that service, this
mechanism allows clients to discover a list of named instances of that desired
service, using standard DNS queries. This mechanism is referred to as DNS-based
Service Discovery, or DNS-SD.Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail,
Version 1Domain-based Message Authentication, Reporting, and Conformance
(DMARC)The Uniform Resource Identifier (URI) DNS Resource RecordNetnodISOCEnumservice Registration for 'acct' URIThis document registers an E.164 Number Mapping (ENUM) service for 'acct' URIs
(Uniform Resource Identifiers).The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and
Operational GuidanceThis document clarifies and updates the DNS-Based Authentication of Named
Entities (DANE) TLSA specification (RFC 6698), based on subsequent
implementation experience. It also contains guidance for implementers,
operators, and protocol developers who want to use DANE records.Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)Using Secure DNS to Associate Certificates with Domain Names for
S/MIMEAmbiguity of Uppercase vs Lowercase in RFC 2119 Key WordsAutomatic Certificate Management Environment (ACME)Guidelines for Writing an IANA Considerations Section in RFCsThanks go to Bill Fenner, Dick Franks, Tony Hansen, Martin Hoffmann, Paul Hoffman, Peter
Koch, Olaf Kolkman, Murray Kucherawy, John Levine, and Andrew Sullivan for diligent
review of the (much) earlier drafts. For the later enhancements, thanks to: Stephane
Bortzmeyer, Alissa Cooper, Bob Harold, Benjamin Kaduk, Mirja Kühlewind, Warren Kumari,
John Levine, Joel Jaeggli, Benno Overeinder, Eric Rescorla, Adam Roach, Petr
Špaček, Ondřej Surý, Paul Vixie, Tim Wicinski, and Paul Wouters. Special thanks to Ray Bellis for his persistent encouragement to continue this effort,
as well as the suggestion for an essential simplification to the registration model.