1 Network Working Group E. Lewis
2 Request for Comments: 4592 NeuStar
3 Updates: 1034, 2672 July 2006
4 Category: Standards Track
5
6
7 The Role of Wildcards
8 in the Domain Name System
9
10 Status of This Memo
11
12 This document specifies an Internet standards track protocol for the
13 Internet community, and requests discussion and suggestions for
14 improvements. Please refer to the current edition of the "Internet
15 Official Protocol Standards" (STD 1) for the standardization state
16 and status of this protocol. Distribution of this memo is unlimited.
17
18 Copyright Notice
19
20 Copyright (C) The Internet Society (2006).
21
22 Abstract
23
24 This is an update to the wildcard definition of RFC 1034. The
25 interaction with wildcards and CNAME is changed, an error condition
26 is removed, and the words defining some concepts central to wildcards
27 are changed. The overall goal is not to change wildcards, but to
28 refine the definition of RFC 1034.
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52 Lewis Standards Track [Page 1]
53 RFC 4592 DNSEXT WCARD July 2006
54
55
56 Table of Contents
57
58 1. Introduction ....................................................3
59 1.1. Motivation .................................................3
60 1.2. The Original Definition ....................................3
61 1.3. Roadmap to This Document ...................................4
62 1.3.1. New Terms ...........................................5
63 1.3.2. Changed Text ........................................5
64 1.3.3. Considerations with Special Types ...................5
65 1.4. Standards Terminology ......................................6
66 2. Wildcard Syntax .................................................6
67 2.1. Identifying a Wildcard .....................................6
68 2.1.1. Wildcard Domain Name and Asterisk Label .............6
69 2.1.2. Asterisks and Other Characters ......................7
70 2.1.3. Non-terminal Wildcard Domain Names ..................7
71 2.2. Existence Rules ............................................7
72 2.2.1. An Example ..........................................8
73 2.2.2. Empty Non-terminals .................................9
74 2.2.3. Yet Another Definition of Existence ................10
75 2.3. When Is a Wildcard Domain Name Not Special? ...............10
76 3. Impact of a Wildcard Domain Name on a Response .................10
77 3.1. Step 2 ....................................................11
78 3.2. Step 3 ....................................................11
79 3.3. Part 'c' ..................................................12
80 3.3.1. Closest Encloser and the Source of Synthesis .......12
81 3.3.2. Closest Encloser and Source of Synthesis Examples ..13
82 3.3.3. Type Matching ......................................13
83 4. Considerations with Special Types ..............................14
84 4.1. SOA RRSet at a Wildcard Domain Name .......................14
85 4.2. NS RRSet at a Wildcard Domain Name ........................14
86 4.2.1. Discarded Notions ..................................15
87 4.3. CNAME RRSet at a Wildcard Domain Name .....................16
88 4.4. DNAME RRSet at a Wildcard Domain Name .....................16
89 4.5. SRV RRSet at a Wildcard Domain Name .......................17
90 4.6. DS RRSet at a Wildcard Domain Name ........................17
91 4.7. NSEC RRSet at a Wildcard Domain Name ......................18
92 4.8. RRSIG at a Wildcard Domain Name ...........................18
93 4.9. Empty Non-terminal Wildcard Domain Name ...................18
94 5. Security Considerations ........................................18
95 6. References .....................................................18
96 6.1. Normative References ......................................18
97 6.2. Informative References ....................................19
98 7. Others Contributing to the Document ............................19
99
100
101
102
103
104
105
106
107 Lewis Standards Track [Page 2]
108 RFC 4592 DNSEXT WCARD July 2006
109
110
111 1. Introduction
112
113 In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
114 synthesis of answers from special resource records (RRs) called
115 wildcards. The definition in RFC 1034 is incomplete and has proven
116 to be confusing. This document describes the wildcard synthesis by
117 adding to the discussion and making limited modifications.
118 Modifications are made to close inconsistencies that have led to
119 interoperability issues. This description does not expand the
120 service intended by the original definition.
121
122 Staying within the spirit and style of the original documents, this
123 document avoids specifying rules for DNS implementations regarding
124 wildcards. The intention is to only describe what is needed for
125 interoperability, not restrict implementation choices. In addition,
126 consideration is given to minimize any backward-compatibility issues
127 with implementations that comply with RFC 1034's definition.
128
129 This document is focused on the concept of wildcards as defined in
130 RFC 1034. Nothing is implied regarding alternative means of
131 synthesizing resource record sets (RRSets), nor are alternatives
132 discussed.
133
134 1.1. Motivation
135
136 Many DNS implementations diverge, in different ways, from the
137 original definition of wildcards. Although there is clearly a need
138 to clarify the original documents in light of this alone, the impetus
139 for this document lay in the engineering of the DNS security
140 extensions [RFC4033]. With an unclear definition of wildcards, the
141 design of authenticated denial became entangled.
142
143 This document is intended to limit its changes, documenting only
144 those deemed necessary based on implementation experience, and to
145 remain as close to the original document as possible. To reinforce
146 that this document is meant to clarify and adjust and not redefine
147 wildcards, relevant sections of RFC 1034 are repeated verbatim to
148 facilitate comparison of the old and new text.
149
150 1.2. The Original Definition
151
152 The definition of the wildcard concept is comprised by the
153 documentation of the algorithm by which a name server prepares a
154 response (in RFC 1034's section 4.3.2) and the way in which a
155 resource record (set) is identified as being a source of synthetic
156 data (section 4.3.3).
157
158
159
160
161
162 Lewis Standards Track [Page 3]
163 RFC 4592 DNSEXT WCARD July 2006
164
165
166 This is the definition of the term "wildcard" as it appears in RFC
167 1034, section 4.3.3.
168
169 # In the previous algorithm, special treatment was given to RRs with
170 # owner names starting with the label "*". Such RRs are called
171 # wildcards. Wildcard RRs can be thought of as instructions for
172 # synthesizing RRs. When the appropriate conditions are met, the
173 # name server creates RRs with an owner name equal to the query name
174 # and contents taken from the wildcard RRs.
175
176 This passage follows the algorithm in which the term wildcard is
177 first used. In this definition, wildcard refers to resource records.
178 In other usage, wildcard has referred to domain names, and it has
179 been used to describe the operational practice of relying on
180 wildcards to generate answers. It is clear from this that there is a
181 need to define clear and unambiguous terminology in the process of
182 discussing wildcards.
183
184 The mention of the use of wildcards in the preparation of a response
185 is contained in step 3, part 'c' of RFC 1034's section 4.3.2,
186 entitled "Algorithm". Note that "wildcard" does not appear in the
187 algorithm, instead references are made to the "*" label. The portion
188 of the algorithm relating to wildcards is deconstructed in detail in
189 section 3 of this document; this is the beginning of the relevant
190 portion of the "Algorithm".
191
192 # c. If at some label, a match is impossible (i.e., the
193 # corresponding label does not exist), look to see if [...]
194 # the "*" label exists.
195
196 The scope of this document is the RFC 1034 definition of wildcards
197 and the implications of updates to those documents, such as DNS
198 Security (DNSSEC). Alternate schemes for synthesizing answers are
199 not considered. (Note that there is no reference listed. No
200 document is known to describe any alternate schemes, although there
201 has been some mention of them in mailing lists.)
202
203 1.3. Roadmap to This Document
204
205 This document accomplishes these three tasks.
206
207 o Defines new terms
208
209 o Makes minor changes to avoid conflicting concepts
210
211 o Describes the actions of certain resource records as wildcards
212
213
214
215
216
217 Lewis Standards Track [Page 4]
218 RFC 4592 DNSEXT WCARD July 2006
219
220
221 1.3.1. New Terms
222
223 To help in discussing what resource records are wildcards, two terms
224 will be defined: "asterisk label" and "wildcard domain name". These
225 are defined in section 2.1.1.
226
227 To assist in clarifying the role of wildcards in the name server
228 algorithm in RFC 1034, section 4.3.2, "source of synthesis" and
229 "closest encloser" are defined. These definitions are in section
230 3.3.1. "Label match" is defined in section 3.2.
231
232 The new terms are used to make discussions of wildcards clearer.
233 Terminology does not directly have an impact on implementations.
234
235 1.3.2. Changed Text
236
237 The definition of "existence" is changed superficially. This change
238 will not be apparent to implementations; it is needed to make
239 descriptions more precise. The change appears in section 2.2.3.
240
241 RFC 1034, section 4.3.3, seems to prohibit having two asterisk labels
242 in a wildcard owner name. With this document, the restriction is
243 removed entirely. This change and its implications are in section
244 2.1.3.
245
246 The actions when a source of synthesis owns a CNAME RR are changed to
247 mirror the actions if an exact match name owns a CNAME RR. This is
248 an addition to the words in RFC 1034, section 4.3.2, step 3, part
249 'c'. The discussion of this is in section 3.3.3.
250
251 Only the latter change represents an impact to implementations. The
252 definition of existence is not a protocol impact. The change to the
253 restriction on names is unlikely to have an impact, as RFC 1034
254 contained no specification on when and how to enforce the
255 restriction.
256
257 1.3.3. Considerations with Special Types
258
259 This document describes semantics of wildcard RRSets for
260 "interesting" types as well as empty non-terminal wildcards.
261 Understanding these situations in the context of wildcards has been
262 clouded because these types incur special processing if they are the
263 result of an exact match. This discussion is in section 4.
264
265 These discussions do not have an implementation impact; they cover
266 existing knowledge of the types, but to a greater level of detail.
267
268
269
270
271
272 Lewis Standards Track [Page 5]
273 RFC 4592 DNSEXT WCARD July 2006
274
275
276 1.4. Standards Terminology
277
278 This document does not use terms as defined in "Key words for use in
279 RFCs to Indicate Requirement Levels" [RFC2119].
280
281 Quotations of RFC 1034 are denoted by a '#' at the start of the line.
282 References to section "4.3.2" are assumed to refer to RFC 1034's
283 section 4.3.2, simply titled "Algorithm".
284
285 2. Wildcard Syntax
286
287 The syntax of a wildcard is the same as any other DNS resource
288 record, across all classes and types. The only significant feature
289 is the owner name.
290
291 Because wildcards are encoded as resource records with special names,
292 they are included in zone transfers and incremental zone transfers
293 [RFC1995] just as non-wildcard resource records are. This feature
294 has been under appreciated until discussions on alternative
295 approaches to wildcards appeared on mailing lists.
296
297 2.1. Identifying a Wildcard
298
299 To provide a more accurate description of wildcards, the definition
300 has to start with a discussion of the domain names that appear as
301 owners. Two new terms are needed, "asterisk label" and "wildcard
302 domain name".
303
304 2.1.1. Wildcard Domain Name and Asterisk Label
305
306 A "wildcard domain name" is defined by having its initial (i.e.,
307 leftmost or least significant) label be, in binary format:
308
309 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
310
311 The first octet is the normal label type and length for a 1-octet-
312 long label, and the second octet is the ASCII representation [RFC20]
313 for the '*' character.
314
315 A descriptive name of a label equaling that value is an "asterisk
316 label".
317
318 RFC 1034's definition of wildcard would be "a resource record owned
319 by a wildcard domain name".
320
321
322
323
324
325
326
327 Lewis Standards Track [Page 6]
328 RFC 4592 DNSEXT WCARD July 2006
329
330
331 2.1.2. Asterisks and Other Characters
332
333 No label values other than that in section 2.1.1 are asterisk labels,
334 hence names beginning with other labels are never wildcard domain
335 names. Labels such as 'the*' and '**' are not asterisk labels, so
336 these labels do not start wildcard domain names.
337
338 2.1.3. Non-terminal Wildcard Domain Names
339
340 In section 4.3.3, the following is stated:
341
342 # .......................... The owner name of the wildcard RRs is
343 # of the form "*.<anydomain>", where <anydomain> is any domain name.
344 # <anydomain> should not contain other * labels......................
345
346 The restriction is now removed. The original documentation of it is
347 incomplete and the restriction does not serve any purpose given years
348 of operational experience.
349
350 There are three possible reasons for putting the restriction in
351 place, but none of the three has held up over time. One is that the
352 restriction meant that there would never be subdomains of wildcard
353 domain names, but the restriction as stated still permits
354 "example.*.example." for instance. Another is that wildcard domain
355 names are not intended to be empty non-terminals, but this situation
356 does not disrupt the algorithm in 4.3.2. Finally, "nested" wildcard
357 domain names are not ambiguous once the concept of the closest
358 encloser had been documented.
359
360 A wildcard domain name can have subdomains. There is no need to
361 inspect the subdomains to see if there is another asterisk label in
362 any subdomain.
363
364 A wildcard domain name can be an empty non-terminal. (See the
365 upcoming sections on empty non-terminals.) In this case, any lookup
366 encountering it will terminate as would any empty non-terminal match.
367
368 2.2. Existence Rules
369
370 The notion that a domain name 'exists' is mentioned in the definition
371 of wildcards. In section 4.3.3 of RFC 1034:
372
373 # Wildcard RRs do not apply:
374 #
375 ...
376 # - When the query name or a name between the wildcard domain and
377 # the query name is know[n] to exist. . . .
378
379
380
381
382 Lewis Standards Track [Page 7]
383 RFC 4592 DNSEXT WCARD July 2006
384
385
386 "Existence" is therefore an important concept in the understanding of
387 wildcards. Unfortunately, the definition of what exists, in RFC
388 1034, is unclear. So, in sections 2.2.2. and 2.2.3, another look is
389 taken at the definition of existence.
390
391 2.2.1. An Example
392
393 To illustrate what is meant by existence consider this complete zone:
394
395 $ORIGIN example.
396 example. 3600 IN SOA <SOA RDATA>
397 example. 3600 NS ns.example.com.
398 example. 3600 NS ns.example.net.
399 *.example. 3600 TXT "this is a wildcard"
400 *.example. 3600 MX 10 host1.example.
401 sub.*.example. 3600 TXT "this is not a wildcard"
402 host1.example. 3600 A 192.0.2.1
403 _ssh._tcp.host1.example. 3600 SRV <SRV RDATA>
404 _ssh._tcp.host2.example. 3600 SRV <SRV RDATA>
405 subdel.example. 3600 NS ns.example.com.
406 subdel.example. 3600 NS ns.example.net.
407
408 A look at the domain names in a tree structure is helpful:
409
410 |
411 -------------example------------
412 / / \ \
413 / / \ \
414 / / \ \
415 * host1 host2 subdel
416 | | |
417 | | |
418 sub _tcp _tcp
419 | |
420 | |
421 _ssh _ssh
422
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.
This RFC is included in the DNS RFCs annotation project whose home page is here.
This RFC is implemented in BIND 9.18 (all versions).
423 The following responses would be synthesized from one of the
424 wildcards in the zone:
425
426 QNAME=host3.example. QTYPE=MX, QCLASS=IN
427 the answer will be a "host3.example. IN MX ..."
428
429 QNAME=host3.example. QTYPE=A, QCLASS=IN
430 the answer will reflect "no error, but no data"
431 because there is no A RR set at '*.example.'
432
433
434
435
436
437 Lewis Standards Track [Page 8]
438 RFC 4592 DNSEXT WCARD July 2006
439
440
441 QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
442 the answer will be "foo.bar.example. IN TXT ..."
443 because bar.example. does not exist, but the wildcard
444 does.
445
446 The following responses would not be synthesized from any of the
447 wildcards in the zone:
448
449 QNAME=host1.example., QTYPE=MX, QCLASS=IN
450 because host1.example. exists
451
452 QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
453 because sub.*.example. exists
454
455 QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
456 because _tcp.host1.example. exists (without data)
457
458 QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
459 because subdel.example. exists (and is a zone cut)
460
461 QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
462 because *.example. exists
463
464 The final example highlights one common misconception about
465 wildcards. A wildcard "blocks itself" in the sense that a wildcard
466 does not match its own subdomains. That is, "*.example." does not
467 match all names in the "example." zone; it fails to match the names
468 below "*.example.". To cover names under "*.example.", another
469 wildcard domain name is needed--"*.*.example."--which covers all but
470 its own subdomains.
471
472 2.2.2. Empty Non-terminals
473
474 Empty non-terminals [RFC2136, section 7.16] are domain names that own
475 no resource records but have subdomains that do. In section 2.2.1,
476 "_tcp.host1.example." is an example of an empty non-terminal name.
477 Empty non-terminals are introduced by this text in section 3.1 of RFC
478 1034:
479
480 # The domain name space is a tree structure. Each node and leaf on
481 # the tree corresponds to a resource set (which may be empty). The
482 # domain system makes no distinctions between the uses of the
483 # interior nodes and leaves, and this memo uses the term "node" to
484 # refer to both.
485
486 The parenthesized "which may be empty" specifies that empty non-
487 terminals are explicitly recognized and that empty non-terminals
488 "exist".
489
490
491
492 Lewis Standards Track [Page 9]
493 RFC 4592 DNSEXT WCARD July 2006
494
495
496 Pedantically reading the above paragraph can lead to an
497 interpretation that all possible domains exist--up to the suggested
498 limit of 255 octets for a domain name [RFC1035]. For example,
499 www.example. may have an A RR, and as far as is practically
500 concerned, is a leaf of the domain tree. But the definition can be
501 taken to mean that sub.www.example. also exists, albeit with no data.
502 By extension, all possible domains exist, from the root on down.
503
(1) [improper/misleading wording] In the explanations to the Example in Section 2.2.1, RFC 4592 (near the top of page 9) says: | The following responses would not be synthesized from any of the | wildcards in the zone: This wording is improper/misleading. Perhaps, the RFC should better say: | The following queries would not cause RRs to be synthesized for the | answer from any of the wildcards in the zone:
504 As RFC 1034 also defines "an authoritative name error indicating that
505 the name does not exist" in section 4.3.1, so this apparently is not
506 the intent of the original definition, justifying the need for an
507 updated definition in the next section.
508
509 2.2.3. Yet Another Definition of Existence
510
511 RFC 1034's wording is fixed by the following paragraph:
512
513 The domain name space is a tree structure. Nodes in the tree either
514 own at least one RRSet and/or have descendants that collectively own
515 at least one RRSet. A node may exist with no RRSets only if it has
516 descendants that do; this node is an empty non-terminal.
517
518 A node with no descendants is a leaf node. Empty leaf nodes do not
519 exist.
520
521 Note that at a zone boundary, the domain name owns data, including
522 the NS RR set. In the delegating zone, the NS RR set is not
523 authoritative, but that is of no consequence here. The domain name
524 owns data; therefore, it exists.
525
526 2.3. When Is a Wildcard Domain Name Not Special?
527
528 When a wildcard domain name appears in a message's query section, no
529 special processing occurs. An asterisk label in a query name only
530 matches a single, corresponding asterisk label in the existing zone
531 tree when the 4.3.2 algorithm is being followed.
532
533 When a wildcard domain name appears in the resource data of a record,
534 no special processing occurs. An asterisk label in that context
535 literally means just an asterisk.
536
537 3. Impact of a Wildcard Domain Name on a Response
538
539 RFC 1034's description of how wildcards impact response generation is
540 in its section 4.3.2. That passage contains the algorithm followed
541 by a server in constructing a response. Within that algorithm, step
542 3, part 'c' defines the behavior of the wildcard.
543
544
545
546
547 Lewis Standards Track [Page 10]
548 RFC 4592 DNSEXT WCARD July 2006
549
550
551 The algorithm in section 4.3.2 is not intended to be pseudo-code;
552 that is, its steps are not intended to be followed in strict order.
553 The "algorithm" is a suggested means of implementing the
554 requirements. As such, in step 3, parts 'a', 'b', and 'c' do not
555 have to be implemented in that order, provided that the result of the
556 implemented code is compliant with the protocol's specification.
557
558 3.1. Step 2
559
560 Step 2 of section 4.3.2 reads:
561
562 # 2. Search the available zones for the zone which is the nearest
563 # ancestor to QNAME. If such a zone is found, go to step 3,
564 # otherwise step 4.
565
566 In this step, the most appropriate zone for the response is chosen.
567 The significance of this step is that it means all of step 3 is being
568 performed within one zone. This has significance when considering
569 whether or not an SOA RR can ever be used for synthesis.
570
571 3.2. Step 3
572
573 Step 3 is dominated by three parts, labeled 'a', 'b', and 'c'. But
574 the beginning of the step is important and needs explanation.
575
576 # 3. Start matching down, label by label, in the zone. The
577 # matching process can terminate several ways:
578
579 The word 'matching' refers to label matching. The concept is based
580 in the view of the zone as the tree of existing names. The query
581 name is considered to be an ordered sequence of labels--as if the
582 name were a path from the root to the owner of the desired data
583 (which it is--3rd paragraph of RFC 1034, section 3.1).
584
585 The process of label matching a query name ends in exactly one of
586 three choices, the parts 'a', 'b', and 'c'. Either the name is
587 found, the name is below a cut point, or the name is not found.
588
589 Once one of the parts is chosen, the other parts are not considered
590 (e.g., do not execute part 'c' and then change the execution path to
591 finish in part 'b'). The process of label matching is also done
592 independent of the query type (QTYPE).
593
594 Parts 'a' and 'b' are not an issue for this clarification as they do
595 not relate to record synthesis. Part 'a' is an exact match that
596 results in an answer; part 'b' is a referral.
597
598
599
600
601
602 Lewis Standards Track [Page 11]
603 RFC 4592 DNSEXT WCARD July 2006
604
605
606 3.3. Part 'c'
607
608 The context of part 'c' is that the process of label matching the
609 labels of the query name has resulted in a situation in which there
610 is no corresponding label in the tree. It is as if the lookup has
611 "fallen off the tree".
612
613 # c. If at some label, a match is impossible (i.e., the
614 # corresponding label does not exist), look to see if [...]
615 # the "*" label exists.
616
617 To help describe the process of looking 'to see if [...] the "*"
618 label exists' a term has been coined to describe the last domain
619 (node) matched. The term is "closest encloser".
620
621 3.3.1. Closest Encloser and the Source of Synthesis
622
623 The closest encloser is the node in the zone's tree of existing
624 domain names that has the most labels matching the query name
625 (consecutively, counting from the root label downward). Each match
626 is a "label match" and the order of the labels is the same.
627
628 The closest encloser is, by definition, an existing name in the zone.
629 The closest encloser might be an empty non-terminal or even be a
630 wildcard domain name itself. In no circumstances is the closest
631 encloser to be used to synthesize records for the current query.
632
633 The source of synthesis is defined in the context of a query process
634 as that wildcard domain name immediately descending from the closest
635 encloser, provided that this wildcard domain name exists.
636 "Immediately descending" means that the source of synthesis has a
637 name of the form:
638
639 <asterisk label>.<closest encloser>.
640
(2) [typo] The last paragraph of Section 2.2.2, on page 10, says: As RFC 1034 also defines "an authoritative name error indicating that | the name does not exist" in section 4.3.1, so this apparently is not the intent of the original definition, justifying the need for an updated definition in the next section. "As ..., so ..." is redundant. Thus, the RFC should say instead: As RFC 1034 also defines "an authoritative name error indicating that | the name does not exist" in section 4.3.1,sothis apparently is not the intent of the original definition, justifying the need for an updated definition in the next section.
641 A source of synthesis does not guarantee having a RRSet to use for
642 synthesis. The source of synthesis could be an empty non-terminal.
643
644 If the source of synthesis does not exist (not on the domain tree),
645 there will be no wildcard synthesis. There is no search for an
646 alternate.
647
648 The important concept is that for any given lookup process, there is
649 at most one place at which wildcard synthetic records can be
650 obtained. If the source of synthesis does not exist, the lookup
651 terminates, and the lookup does not look for other wildcard records.
652
653
654
655
656
657 Lewis Standards Track [Page 12]
658 RFC 4592 DNSEXT WCARD July 2006
659
660
661 3.3.2. Closest Encloser and Source of Synthesis Examples
662
663 To illustrate, using the example zone in section 2.2.1 of this
664 document, the following chart shows QNAMEs and the closest enclosers.
665
666 QNAME Closest Encloser Source of Synthesis
667 host3.example. example. *.example.
668 _telnet._tcp.host1.example. _tcp.host1.example. no source
669 _dns._udp.host2.example. host2.example. no source
670 _telnet._tcp.host3.example. example. *.example.
671 _chat._udp.host3.example. example. *.example.
672 foobar.*.example. *.example. no source
673
674 3.3.3. Type Matching
675
676 RFC 1034 concludes part 'c' with this:
677
678 # If the "*" label does not exist, check whether the name
679 # we are looking for is the original QNAME in the query
680 # or a name we have followed due to a CNAME. If the name
681 # is original, set an authoritative name error in the
682 # response and exit. Otherwise just exit.
683 #
684 # If the "*" label does exist, match RRs at that node
685 # against QTYPE. If any match, copy them into the answer
686 # section, but set the owner of the RR to be QNAME, and
687 # not the node with the "*" label. Go to step 6.
688
689 The final paragraph covers the role of the QTYPE in the lookup
690 process.
691
692 Based on implementation feedback and similarities between part 'a'
693 and part 'c', a change to this passage has been made.
694
695 The change is to add the following text to part 'c' prior to the
696 instructions to "go to step 6":
697
698 If the data at the source of synthesis is a CNAME, and QTYPE
699 doesn't match CNAME, copy the CNAME RR into the answer section of
700 the response changing the owner name to the QNAME, change QNAME to
701 the canonical name in the CNAME RR, and go back to step 1.
702
(3) [typo] In Section 3.3.1, the 4th paragraph, on page 12, says: A source of synthesis does not guarantee having a RRSet to use for synthesis. The source of synthesis could be an empty non-terminal. It should say: | A source of synthesis does not guarantee having an RRSet to use for synthesis. The source of synthesis could be an empty non-terminal.
703 This is essentially the same text in part 'a' covering the processing
704 of CNAME RRSets.
705
706
707
708
709
710
711
712 Lewis Standards Track [Page 13]
713 RFC 4592 DNSEXT WCARD July 2006
714
715
716 4. Considerations with Special Types
717
718 Sections 2 and 3 of this document discuss wildcard synthesis with
719 respect to names in the domain tree and ignore the impact of types.
720 In this section, the implication of wildcards of specific types is
721 discussed. The types covered are those that have proven to be the
722 most difficult to understand. The types are SOA, NS, CNAME, DNAME,
723 SRV, DS, NSEC, RRSIG, and "none", that is, empty non-terminal
724 wildcard domain names.
725
726 4.1. SOA RRSet at a Wildcard Domain Name
727
728 A wildcard domain name owning an SOA RRSet means that the domain is
729 at the root of the zone (apex). The domain cannot be a source of
730 synthesis because that is, by definition, a descendant node (of the
731 closest encloser) and a zone apex is at the top of the zone.
732
733 Although a wildcard domain name owning an SOA RRSet can never be a
734 source of synthesis, there is no reason to forbid the ownership of an
735 SOA RRSet.
736
737 For example, given this zone:
738
739 $ORIGIN *.example.
740 @ 3600 IN SOA <SOA RDATA>
741 3600 NS ns1.example.com.
742 3600 NS ns1.example.net.
743 www 3600 TXT "the www txt record"
744
745 A query for www.*.example.'s TXT record would still find the "the www
746 txt record" answer. The asterisk label only becomes significant when
747 section 4.3.2, step 3, part 'c' is in effect.
748
749 Of course, there would need to be a delegation in the parent zone,
750 "example." for this to work too. This is covered in the next
751 section.
752
753 4.2. NS RRSet at a Wildcard Domain Name
754
755 With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now in
756 place, the semantics of a wildcard domain name owning an NS RRSet has
757 come to be poorly defined. The dilemma relates to a conflict between
758 the rules for synthesis in part 'c' and the fact that the resulting
759 synthesis generates a record for which the zone is not authoritative.
760 In a DNSSEC signed zone, the mechanics of signature management
761 (generation and inclusion in a message) have become unclear.
762
763
764
765
766
767 Lewis Standards Track [Page 14]
768 RFC 4592 DNSEXT WCARD July 2006
769
770
771 Salient points of the working group discussion on this topic are
772 summarized in section 4.2.1.
773
774 As a result of these discussions, there is no definition given for
775 wildcard domain names owning an NS RRSet. The semantics are left
776 undefined until there is a clear need to have a set defined, and
777 until there is a clear direction to proceed. Operationally,
778 inclusion of wildcard NS RRSets in a zone is discouraged, but not
779 barred.
780
781 4.2.1. Discarded Notions
782
783 Prior to DNSSEC, a wildcard domain name owning a NS RRSet appeared to
784 be workable, and there are some instances in which it is found in
785 deployments using implementations that support this. Continuing to
786 allow this in the specification is not tenable with DNSSEC. The
787 reason is that the synthesis of the NS RRSet is being done in a zone
788 that has delegated away the responsibility for the name. This
789 "unauthorized" synthesis is not a problem for the base DNS protocol,
790 but DNSSEC in affirming the authorization model for DNS exposes the
791 problem.
792
793 Outright banning of wildcards of type NS is also untenable as the DNS
794 protocol does not define how to handle "illegal" data.
795 Implementations may choose not to load a zone, but there is no
796 protocol definition. The lack of the definition is complicated by
797 having to cover dynamic update [RFC2136] and zone transfers, as well
798 as loading at the master server. The case of a client (resolver,
799 caching server) getting a wildcard of type NS in a reply would also
800 have to be considered.
801
802 Given the daunting challenge of a complete definition of how to ban
803 such records, dealing with existing implementations that permit the
804 records today is a further complication. There are uses of wildcard
805 domain name owning NS RRSets.
806
807 One compromise proposed would have redefined wildcards of type NS to
808 not be used in synthesis, this compromise fell apart because it would
809 have required significant edits to the DNSSEC signing and validation
810 work. (Again, DNSSEC catches unauthorized data.)
811
812 With no clear consensus forming on the solution to this dilemma, and
813 the realization that wildcards of type NS are a rarity in operations,
814 the best course of action is to leave this open-ended until "it
815 matters".
816
817
818
819
820
821
822 Lewis Standards Track [Page 15]
823 RFC 4592 DNSEXT WCARD July 2006
824
825
826 4.3. CNAME RRSet at a Wildcard Domain Name
827
828 The issue of a CNAME RRSet owned by a wildcard domain name has
829 prompted a suggested change to the last paragraph of step 3c of the
830 algorithm in 4.3.2. The changed text appears in section 3.3.3 of
831 this document.
832
833 4.4. DNAME RRSet at a Wildcard Domain Name
834
835 Ownership of a DNAME [RFC2672] RRSet by a wildcard domain name
836 represents a threat to the coherency of the DNS and is to be avoided
837 or outright rejected. Such a DNAME RRSet represents non-
838 deterministic synthesis of rules fed to different caches. As caches
839 are fed the different rules (in an unpredictable manner) the caches
840 will cease to be coherent. ("As caches are fed" refers to the
841 storage in a cache of records obtained in responses by recursive or
842 iterative servers.)
843
844 For example, assume one cache, responding to a recursive request,
845 obtains the following record:
846
847 "a.b.example. DNAME foo.bar.example.net."
848
849 and another cache obtains:
850
851 "b.example. DNAME foo.bar.example.net."
852
853 both generated from the record:
854
855 "*.example. DNAME foo.bar.example.net."
856
857 by an authoritative server.
858
(4) [typo] In Section 3.3.3, the last paragraph on page 13 says: This is essentially the same text in part 'a' covering the processing of CNAME RRSets. It should say: | This is essentially the same text as in part 'a' covering the processing of CNAME RRSets.
859 The DNAME specification is not clear on whether DNAME records in a
860 cache are used to rewrite queries. In some interpretations, the
861 rewrite occurs; in others, it does not. Allowing for the occurrence
862 of rewriting, queries for "sub.a.b.example. A" may be rewritten as
863 "sub.foo.bar.tld. A" by the former caching server and may be
864 rewritten as "sub.a.foo.bar.tld. A" by the latter. Coherency is
865 lost, and an operational nightmare ensues.
866
867 Another justification for a recommendation to avoid the use of
868 wildcard DNAME records is the observation that such a record could
869 synthesize a DNAME owned by "sub.foo.bar.example." and
870 "foo.bar.example.". There is a restriction in the DNAME definition
871 that no domain exist below a DNAME-owning domain; hence, the wildcard
872 DNAME is to be avoided.
873
874
875
876
877 Lewis Standards Track [Page 16]
878 RFC 4592 DNSEXT WCARD July 2006
879
880
881 4.5. SRV RRSet at a Wildcard Domain Name
882
883 The definition of the SRV RRset is RFC 2782 [RFC2782]. In the
884 definition of the record, there is some confusion over the term
885 "Name". The definition reads as follows:
886
887 # The format of the SRV RR
888 ...
889 # _Service._Proto.Name TTL Class SRV Priority Weight Port Target
890 ...
891 # Name
892 # The domain this RR refers to. The SRV RR is unique in that the
893 # name one searches for is not this name; the example near the end
894 # shows this clearly.
895
896 Do not confuse the definition "Name" with the owner name. That is,
897 once removing the _Service and _Proto labels from the owner name of
898 the SRV RRSet, what remains could be a wildcard domain name but this
899 is immaterial to the SRV RRSet.
900
901 For example, if an SRV record is the following:
902
903 _foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
904
905 *.example is a wildcard domain name and although it is the Name of
906 the SRV RR, it is not the owner (domain name). The owner domain name
907 is "_foo._udp.*.example.", which is not a wildcard domain name.
908
909 A query for the SRV RRSet of "_foo._udp.bar.example." (class IN),
910 will result in a match of the name "*.example." (assuming there is no
911 bar.example.) and not a match of the SRV record shown. If there is
912 no SRV RRSet at "*.example.", the answer section will reflect that
913 (be empty or a CNAME RRset).
914
915 The confusion is likely based on the mixture of the specification of
916 the SRV RR and the description of a "use case".
917
918 4.6. DS RRSet at a Wildcard Domain Name
919
920 A DS RRSet owned by a wildcard domain name is meaningless and
921 harmless. This statement is made in the context that an NS RRSet at
922 a wildcard domain name is undefined. At a non-delegation point, a DS
923 RRSet has no value (no corresponding DNSKEY RRSet will be used in
924 DNSSEC validation). If there is a synthesized DS RRSet, it alone
925 will not be very useful as it exists in the context of a delegation
926 point.
927
928
929
930
931
932 Lewis Standards Track [Page 17]
933 RFC 4592 DNSEXT WCARD July 2006
934
935
(5) [incomplete change in example?] In Section 4.4, the second-to-last paragraph on page 16 says: The DNAME specification is not clear on whether DNAME records in a cache are used to rewrite queries. In some interpretations, the rewrite occurs; in others, it does not. Allowing for the occurrence of rewriting, queries for "sub.a.b.example. A" may be rewritten as | "sub.foo.bar.tld. A" by the former caching server and may be | rewritten as "sub.a.foo.bar.tld. A" by the latter. Coherency is lost, and an operational nightmare ensues. "tld." does never appear in the preceding text; apparently it has been replaced there by "example.net." Therefore, the RFC should say instead: The DNAME specification is not clear on whether DNAME records in a cache are used to rewrite queries. In some interpretations, the rewrite occurs; in others, it does not. Allowing for the occurrence of rewriting, queries for "sub.a.b.example. A" may be rewritten as | "sub.foo.bar.tldexample.net. A" by the former caching server and may be | rewritten as "sub.a.foo.bar.tldexample.net. A" by the latter. Coherency is lost, and an operational nightmare ensues.
936 4.7. NSEC RRSet at a Wildcard Domain Name
937
938 Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
939 Synthesis of these records will only occur when the query exactly
940 matches the record. Synthesized NSEC RRs will not be harmful as they
941 will never be used in negative caching or to generate a negative
942 response [RFC2308].
943
944 4.8. RRSIG at a Wildcard Domain Name
945
946 RRSIG records will be present at a wildcard domain name in a signed
947 zone and will be synthesized along with data sought in a query. The
948 fact that the owner name is synthesized is not a problem as the label
949 count in the RRSIG will instruct the verifying code to ignore it.
950
951 4.9. Empty Non-terminal Wildcard Domain Name
952
953 If a source of synthesis is an empty non-terminal, then the response
954 will be one of no error in the return code and no RRSet in the answer
955 section.
956
957 5. Security Considerations
958
959 This document is refining the specifications to make it more likely
960 that security can be added to DNS. No functional additions are being
961 made, just refining what is considered proper to allow the DNS,
962 security of the DNS, and extending the DNS to be more predictable.
963
964 6. References
965
966 6.1. Normative References
967
968 [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20,
969 October 1969.
970
971 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
972 STD 13, RFC 1034, November 1987.
973
974 [RFC1035] Mockapetris, P., "Domain names - implementation and
975 specification", STD 13, RFC 1035, November 1987.
976
977 [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
978 August 1996.
979
980 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
981 Requirement Levels", BCP 14, RFC 2119, March 1997.
982
983
984
985
986
987 Lewis Standards Track [Page 18]
988 RFC 4592 DNSEXT WCARD July 2006
989
990
991 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
992 NCACHE)", RFC 2308, March 1998.
993
994 [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
995 2672, August 1999.
996
997 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
998 specifying the location of services (DNS SRV)", RFC 2782,
999 February 2000.
1000
1001 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1002 Rose, "DNS Security Introduction and Requirements", RFC
1003 4033, March 2005.
1004
1005 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1006 Rose, "Resource Records for the DNS Security Extensions",
1007 RFC 4034, March 2005.
1008
1009 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1010 Rose, "Protocol Modifications for the DNS Security
1011 Extensions", RFC 4035, March 2005.
1012
1013 6.2. Informative References
1014
1015 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
1016 Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
1017 April 1997.
1018
1019 7. Others Contributing to the Document
1020
1021 This document represents the work of a large working group. The
1022 editor merely recorded its collective wisdom.
1023
1024 Comments on this document can be sent to the editor or the mailing
1025 list for the DNSEXT WG, namedroppers@ops.ietf.org.
1026
1027 Editor's Address
1028
1029 Edward Lewis
1030 NeuStar
1031 46000 Center Oak Plaza
1032 Sterling, VA
1033 20166, US
1034
1035 Phone: +1-571-434-5468
1036 EMail: ed.lewis@neustar.biz
1037
1038
1039
1040
1041
1042 Lewis Standards Track [Page 19]
1043 RFC 4592 DNSEXT WCARD July 2006
1044
1045
1046 Full Copyright Statement
1047
1048 Copyright (C) The Internet Society (2006).
1049
1050 This document is subject to the rights, licenses and restrictions
1051 contained in BCP 78, and except as set forth therein, the authors
1052 retain all their rights.
1053
1054 This document and the information contained herein are provided on an
1055 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1056 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1057 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1058 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1059 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1060 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1061
1062 Intellectual Property
1063
1064 The IETF takes no position regarding the validity or scope of any
1065 Intellectual Property Rights or other rights that might be claimed to
1066 pertain to the implementation or use of the technology described in
1067 this document or the extent to which any license under such rights
1068 might or might not be available; nor does it represent that it has
1069 made any independent effort to identify any such rights. Information
1070 on the procedures with respect to rights in RFC documents can be
1071 found in BCP 78 and BCP 79.
1072
1073 Copies of IPR disclosures made to the IETF Secretariat and any
1074 assurances of licenses to be made available, or the result of an
1075 attempt made to obtain a general license or permission for the use of
1076 such proprietary rights by implementers or users of this
1077 specification can be obtained from the IETF on-line IPR repository at
1078 http://www.ietf.org/ipr.
1079
1080 The IETF invites any interested party to bring to its attention any
1081 copyrights, patents or patent applications, or other proprietary
1082 rights that may cover technology that may be required to implement
1083 this standard. Please address the information to the IETF at
1084 ietf-ipr@ietf.org.
1085
1086 Acknowledgement
1087
1088 Funding for the RFC Editor function is provided by the IETF
1089 Administrative Support Activity (IASA).
1090
1091
1092
1093
1094
1095
1096
1097 Lewis Standards Track [Page 20]
1098
4.7. NSEC RRSet at a Wildcard Domain Name Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet. Synthesis of these records will only occur when the query exactly matches the record. Synthesized NSEC RRs will not be harmful as they will never be used in negative caching or to generate a negative response [RFC2308].
4.7. NSEC RRSet at a Wildcard Domain Name Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.Synthesis of these records will only occur when the query exactly matches the record. Synthesized NSEC RRs will not be harmful as they will never be used in negative caching or to generate a negative response [RFC2308].NSEC RRSets must not be synthesized from this wildcard NSEC.