DNS Extensions Working Group G. Sisson
Internet-Draft B. Laurie
Expires: June 1, 2005 Nominet
December 1, 2004
Derivation of DNS Name Predecessor and Successor
draft-sisson-dnsext-dns-name-p-s-01
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 1, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
This document describes a method for deriving the canonically-ordered
predecessor and successor of a DNS name. This is expected to be
useful for real-time NSEC resource record synthesis, which may be
used in alterative implementations of DNSSEC-enabled DNS servers.
Sisson & Laurie Expires June 1, 2005 [Page 1]
Internet-Draft DNS Name Predecessor and Successor December 2004
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Derivation of DNS Name Predecessor . . . . . . . . . . . . . . 3
3. Derivation of DNS Name Successor . . . . . . . . . . . . . . . 4
4. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1 Case Considerations . . . . . . . . . . . . . . . . . . . 4
4.2 Choice of Range . . . . . . . . . . . . . . . . . . . . . 5
4.3 Wild Card Considerations . . . . . . . . . . . . . . . . . 6
4.4 Potential Optimisations . . . . . . . . . . . . . . . . . 6
4.4.1 Omission of Step . . . . . . . . . . . . . . . . . . . 6
4.4.2 Restriction of Effective Maximum DNS Name Length . . . 6
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1 Examples of Immediate Predecessors . . . . . . . . . . . . 8
5.2 Examples of Immediate Successors . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 16
9.2 Informative References . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 16
A. Change History . . . . . . . . . . . . . . . . . . . . . . . . 17
A.1 Changes from -00 to -01 . . . . . . . . . . . . . . . . . 17
Intellectual Property and Copyright Statements . . . . . . . . 18
Sisson & Laurie Expires June 1, 2005 [Page 2]
Internet-Draft DNS Name Predecessor and Successor December 2004
1. Introduction
One of the proposals for avoiding the exposure of zone information
while deploying DNSSEC is dynamic NSEC synthesis. This technique is
described in [I-D.ietf-dnsext-dnssec-trans] and
[I-D.weiler-dnsext-dnssec-online-signing], and involves the
generation of NSEC RRs which just span the query name for
non-existent owner names. In order to do this, the DNS names which
would occur just prior to and just following a given query name must
be calculated in real time, as maintaining a list of all possible
owner names that might occur in a zone would normally be prohibitive.
Section 6.1 of [I-D.ietf-dnsext-dnssec-records] defines canonical DNS
name order. This document does not amend or modify this definition.
However, the derivation of immediate predecessor and successor, while
trivial, is non-obvious. Accordingly, the method is described here
as an aid to implementors and a reference to other interested
parties.
2. Derivation of DNS Name Predecessor
This derivation assumes that all upper-case US-ASCII letters in the
DNS name have already been replaced by their corresponding lower-case
equivalents.
To derive the immediate predecessor of a DNS name:
1. If the DNS name is the same as the owner name of the apex,
prepend the DNS name repeatedly with labels of the maximum length
possible consisting of octets of the maximum sort value (e.g.
0xff) until the DNS name is the maximum length possible;
otherwise continue to the next step.
2. If the least significant (left-most) label consists of a single
octet of the minimum sort value (e.g. 0x00), remove that label;
otherwise continue to the next step.
3. If the least significant (right-most) octet in the least
significant (left-most) label is the minimum sort value, remove
that octet and continue with step 5.
4. Decrement the value of the least significant (right-most) octet,
skipping any values which correspond to upper-case US-ASCII
letters, and then append the label with as many octets as
possible of the maximum sort value. Continue to the next step.
5. Prepend the DNS name repeatedly with labels of as long a length
as possible consisting of octets of the maximum sort value until
Sisson & Laurie Expires June 1, 2005 [Page 3]
Internet-Draft DNS Name Predecessor and Successor December 2004
the DNS name is the maximum length possible.
3. Derivation of DNS Name Successor
This derivation assumes that all upper-case US-ASCII letters in the
DNS name have already been replaced by their corresponding lower-case
equivalents.
To derive the immediate successor of a DNS name:
1. If the DNS name is two or more octets shorter than the maximum
DNS name length, prepend the DNS name with a label containing a
single octet of the minimum sort value (e.g. 0x00); otherwise
continue to the next step.
2. If the DNS name is one or more octets shorter than the maximum
DNS name length and the least significant (left-most) label is
one or more octets shorter than the maximum label length, append
an octet of the minimum sort value to the least significant
label; otherwise continue to the next step.
3. Increment the value of the least significant (right-most) octet
in the least significant (left-most) label that is less than the
maximum sort value (e.g. 0xff), skipping any values which
correspond to upper-case US-ASCII letters, and then remove any
octets to the right of that one. If all octets in the label are
the maximum sort value, then continue to the next step.
4. Remove the least significant (left-most) label. If the DNS name
is now the same as the owner name of the apex, do nothing. (This
will occur only if the DNS name was the maximum possible in
canonical DNS name order, and thus has wrapped to the apex.)
Otherwise repeat starting at Step 2.
4. Notes
4.1 Case Considerations
Section 3.5 of [RFC1034] specifies that "while upper and lower case
letters are allowed in [DNS] names, no significance is attached to
the case". Additionally, Section 6.1 of
[I-D.ietf-dnsext-dnssec-records] states that when determining
canonical DNS name order, "upper case US-ASCII letters are treated as
if they were lower case US-ASCII letters". Consequently, values
corresponding to US-ASCII upper-case letters must be skipped when
decrementing and incrementing octets in the derivations described in
Sisson & Laurie Expires June 1, 2005 [Page 4]
Internet-Draft DNS Name Predecessor and Successor December 2004
Section 2 and Section 3.
The following pseudo-code is illustrative:
Decrementing the value of an octet:
if (octet == '[') // '[' is just after upper-case 'Z'
octet = '@'; // '@' is just prior to upper-case 'A'
else
octet--;
Incrementing the value of an octet:
if (octet == '@') // '@' is just prior to upper-case 'A'
octet = '['; // '[' is just after upper-case 'Z'
else
octet++;
4.2 Choice of Range
[RFC2181] makes the clarification that "any binary string whatever
can be used as the label of any resource record". Consequently the
minimum sort value may be set as 0x00 and the maximum sort value as
0xff, and the range of possible values will be any DNS name which
contains octets of any value other than those corresponding to
upper-case US-ASCII letters.
However, if all owner names in a zone are in the letter-digit-hyphen,
or LDH, format specified in [RFC1034], it may be desirable to
restrict the range of possible values to DNS names containing only
LDH values. This has the effect of:
1. making the output of tools such as `dig' and `nslookup' less
potentially confusing;
2. minimising the impact that NSEC RRs containing DNS names with
non-LDH values (or non-printable values) might have on faulty DNS
resolver implementations; and
3. preventing the possibility of results which are wild card DNS
names (see Section 4.3).
This may be accomplished by using a minimum sort value of 0x1f
(US-ASCII character `-') and a maximum sort value of 0x7a (US-ASCII
character lower-case `z'), and then skipping non-LDH, non-lower-case
values when incrementing or decrementing octets.
Sisson & Laurie Expires June 1, 2005 [Page 5]
Internet-Draft DNS Name Predecessor and Successor December 2004
4.3 Wild Card Considerations
Neither derivation avoids the possibility that the result may be a
DNS name containing a wild card label, i.e. a label containing a
single octet with the value 0x2a (US-ASCII character `*'). With
additional tests, wild card DNS names may be explicitly avoided;
alternatively, if the range of octet values can be restricted to
those corresponding to letter-digit-hyphen, or LDH, characters (see
Section 4.2), such DNS names will not occur.
Note that it is improbable that a result which is a wild card DNS
name will occur unintentionally; even if one does occur either as the
owner name of, or in the RDATA of an NSEC RR, it is treated as a
literal DNS name with no special meaning.
4.4 Potential Optimisations
4.4.1 Omission of Step
When the derivation of immediate predecessor is used only for the
synthesis of NSEC RRs, step 1 of the derivation may be omitted as the
existence of the owner name of the apex should never need to be
denied. This eliminates one condition that would otherwise always be
tested during the derivation of the immediate predecessor.
4.4.2 Restriction of Effective Maximum DNS Name Length
[RFC1034] specifies that "the total number of octets that represent a
[DNS] name (i.e., the sum of all label octets and label lengths) is
limited to 255", including the null (zero-length) label which
represents the root. For the purpose of deriving the immediate
predecessor and successor during NSEC RR synthesis, the maximum DNS
name length may be effectively restricted to the length of the
longest DNS name in the zone. This will minimise the size of
responses containing synthesised NSEC RRs.
Note that this optimisation will have the effect of revealing
information about the longest name in the zone. Moreover, when the
contents of the zone changes, e.g. during dynamic updates and zone
transfers, care must be taken to ensure that the effective maximum
DNS name length agrees with the new contents.
A modified version of this optimisation will realise most of its
benefit while mitigating these exposures: if the length of unqulified
owner names of empty non-terminals in a zone is restricted to 64
octets in wire format, then the effective maximum DNS name length may
be restricted to 64 + the length of the owner name of the apex. This
will prevent the discovery of the longest single label in the zone,
Sisson & Laurie Expires June 1, 2005 [Page 6]
Internet-Draft DNS Name Predecessor and Successor December 2004
which is of more concern to most zone operators who are concerned
about owner name elaboration.
5. Examples
In the following examples:
the owner name of the apex is "example.com.";
the range of octet values is 0x00 - 0xff excluding values
corresponding to upper-case US-ASCII letters; and
non-printable octet values are expressed as three-digit decimal
numbers preceded by a backslash (as specified in Section 5.1 of
[RFC1035]).
Sisson & Laurie Expires June 1, 2005 [Page 7]
Internet-Draft DNS Name Predecessor and Successor December 2004
5.1 Examples of Immediate Predecessors
Example of typical case:
x = foo.example.com.
x' = \255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255.\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255.fon\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255.example.com.
or, in alternate notation:
\255{49}.\255{63}.\255{63}.fon\255{60}.example.com.
where {n} represents the number of repetitions of an octet.
Example where least significant (left-most) label of DNS name
consists of a single octet of the minimum sort value:
x = \000.foo.example.com.
x' = foo.example.com.
Sisson & Laurie Expires June 1, 2005 [Page 8]
Internet-Draft DNS Name Predecessor and Successor December 2004
Example where least significant (right-most) octet of least
significant (left-most) label has the minimum sort value:
x = foo\000.example.com.
x' = \255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255.\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255.\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255.foo.example.com.
or, in alternate notation:
\255{45}.\255{63}.\255{63}.\255{63}.foo.example.com.
Sisson & Laurie Expires June 1, 2005 [Page 9]
Internet-Draft DNS Name Predecessor and Successor December 2004
Example where DNS name contains an octet which must be decremented by
skipping values corresponding to US-ASCII upper-case letters:
x = fo\[.example.com.
x' = \255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255.\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255.fo\@\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255.example.com.
or, in alternate notation:
\255{49}.\255{63}.\255{63}.fo\@\255{60}.example.com.
where {n} represents the number of repetitions of an octet.
Sisson & Laurie Expires June 1, 2005 [Page 10]
Internet-Draft DNS Name Predecessor and Successor December 2004
Example where DNS name is the owner name of the apex, and
consequently wraps to the DNS name with the maximum possible sort
order in the zone:
x = example.com.
x' = \255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255.\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255.\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.example.com.
or, in alternate notation:
\255{49}.\255{63}.\255{63}.\255{63}.example.com.
5.2 Examples of Immediate Successors
Example of typical case:
y = foo.example.com.
y' = \000.foo.example.com.
Sisson & Laurie Expires June 1, 2005 [Page 11]
Internet-Draft DNS Name Predecessor and Successor December 2004
Example where DNS name is one octet short of the maximum DNS name
length:
y = fooooooooooooooooooooooooooooooooooooooooooooooo\
.ooooooooooooooooooooooooooooooooooooooooooooooo\
oooooooooooooooo.ooooooooooooooooooooooooooooooo\
oooooooooooooooooooooooooooooooo.ooooooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo.example.com.
or, in alternate notation:
fo{47}.o{63}.o{63}.o{63}.example.com.
y' = fooooooooooooooooooooooooooooooooooooooooooooooo\
\000.ooooooooooooooooooooooooooooooooooooooooooo\
oooooooooooooooooooo.ooooooooooooooooooooooooooo\
oooooooooooooooooooooooooooooooooooo.ooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
oooo.example.com.
or, in alternate notation:
fo{47}\000.o{63}.o{63}.o{63}.example.com.
Example where DNS name is the maximum DNS name length:
y = fooooooooooooooooooooooooooooooooooooooooooooooo\
o.oooooooooooooooooooooooooooooooooooooooooooooo\
ooooooooooooooooo.oooooooooooooooooooooooooooooo\
ooooooooooooooooooooooooooooooooo.oooooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
o.example.com.
or, in alternate notation:
fo{48}.o{63}.o{63}.o{63}.example.com.
y' = fooooooooooooooooooooooooooooooooooooooooooooooo\
p.oooooooooooooooooooooooooooooooooooooooooooooo\
ooooooooooooooooo.oooooooooooooooooooooooooooooo\
ooooooooooooooooooooooooooooooooo.oooooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
o.example.com.
or, in alternate notation:
fo{47}p.o{63}.o{63}.o{63}.example.com.
Sisson & Laurie Expires June 1, 2005 [Page 12]
Internet-Draft DNS Name Predecessor and Successor December 2004
Example where DNS name is the maximum DNS name length and the least
significant (left-most) label has the maximum sort value:
y = \255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.ooooooooooooooooooooooooooooooooooooooooooo\
oooooooooooooooooooo.ooooooooooooooooooooooooooo\
oooooooooooooooooooooooooooooooooooo.ooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
oooo.example.com.
or, in alternate notation:
\255{49}.o{63}.o{63}.o{63}.example.com.
y' = oooooooooooooooooooooooooooooooooooooooooooooooo\
oooooooooooooop.oooooooooooooooooooooooooooooooo\
ooooooooooooooooooooooooooooooo.oooooooooooooooo\
ooooooooooooooooooooooooooooooooooooooooooooooo.\
example.com.
or, in alternate notation:
o{62}p.o{63}.o{63}.example.com.
Sisson & Laurie Expires June 1, 2005 [Page 13]
Internet-Draft DNS Name Predecessor and Successor December 2004
Example where DNS name is the maximum DNS name length and the eight
least significant (right-most) octets of the least significant
(left-most) label have the maximum sort value:
y = foooooooooooooooooooooooooooooooooooooooo\255\
\255\255\255\255\255\255\255.ooooooooooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooo.ooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
oooooooooooo.ooooooooooooooooooooooooooooooooooo\
oooooooooooooooooooooooooooo.example.com.
or, in alternate notation:
fo{40}\255{8}.o{63}.o{63}.o{63}.example.com.
y' = fooooooooooooooooooooooooooooooooooooooop.oooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
ooooooooo.oooooooooooooooooooooooooooooooooooooo\
ooooooooooooooooooooooooo.oooooooooooooooooooooo\
ooooooooooooooooooooooooooooooooooooooooo.example.com.
or, in alternate notation:
fo{39}p.o{63}.o{63}.o{63}.example.com.
Example where DNS name is the maximum DNS name length and contains an
octet which must be incremented by skipping values corresponding to
US-ASCII upper-case letters:
y = fooooooooooooooooooooooooooooooooooooooooooooooo\
\@.ooooooooooooooooooooooooooooooooooooooooooooo\
oooooooooooooooooo.ooooooooooooooooooooooooooooo\
oooooooooooooooooooooooooooooooooo.ooooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
oo.example.com.
or, in alternate notation:
fo{47}\@.o{63}.o{63}.o{63}.example.com.
y' = fooooooooooooooooooooooooooooooooooooooooooooooo\
\[.ooooooooooooooooooooooooooooooooooooooooooooo\
oooooooooooooooooo.ooooooooooooooooooooooooooooo\
oooooooooooooooooooooooooooooooooo.ooooooooooooo\
oooooooooooooooooooooooooooooooooooooooooooooooo\
oo.example.com.
or, in alternate notation:
Sisson & Laurie Expires June 1, 2005 [Page 14]
Internet-Draft DNS Name Predecessor and Successor December 2004
fo{47}\[.o{63}.o{63}.o{63}.example.com.
Example where DNS name has the maximum possible sort order in the
zone, and consequently wraps to the owner name of the apex:
y = \255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255.\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255.\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255\255\255\255\255\255\255\255\255\255\255\255\
\255.example.com.
or, in alternate notation:
\255{49}.\255{63}.\255{63}.\255{63}.example.com.
y' = example.com.
6. Security Considerations
The derivation of some predecessors/successors requires the testing
of more conditions than others. Consequently the effectiveness of a
denial-of-service attack may be enhanced by sending queries that
require more conditions to be tested.
7. IANA Considerations
This document does not create any IANA considerations.
8. Acknowledgments
The authors would like to thank Olaf Kolkman and Niall O'Reilly for
Sisson & Laurie Expires June 1, 2005 [Page 15]
Internet-Draft DNS Name Predecessor and Successor December 2004
their review and input.
9. References
9.1 Normative References
[I-D.ietf-dnsext-dnssec-records]
Arends, R., Austein, R., Larson, M., Massey, D. and S.
Rose, "Resource Records for the DNS Security Extensions",
draft-ietf-dnsext-dnssec-records-11 (work in progress),
October 2004.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997.
9.2 Informative References
[I-D.ietf-dnsext-dnssec-trans]
Arends, R., Koch, P. and J. Schlyter, "Evaluating DNSSEC
Transition Mechanisms", draft-ietf-dnsext-dnssec-trans-01
(work in progress), October 2004.
[I-D.weiler-dnsext-dnssec-online-signing]
Weiler, S. and J. Ihren, "Minimally Covering NSEC Records
and DNSSEC On-line Signing",
draft-weiler-dnsext-dnssec-online-signing-00 (work in
progress), October 2004.
Authors' Addresses
Geoffrey Sisson
Nominet
Sandford Gate
Sandy Lane West
Oxford
OX4 6LB
GB
Phone: +44 1865 332339
EMail: geoff@nominet.org.uk
Sisson & Laurie Expires June 1, 2005 [Page 16]
Internet-Draft DNS Name Predecessor and Successor December 2004
Ben Laurie
Nominet
17 Perryn Road
London
W3 7LR
GB
Phone: +44 20 8735 0686
EMail: ben@algroup.co.uk
Appendix A. Change History
A.1 Changes from -00 to -01
o Split step 3 of derivation of DNS name predecessor into two
distinct steps for clarity.
o Added clarifying text and examples related to the requirement to
avoid upper-case characters when decrementing or incrementing
octets.
o Added optimisation using restriction of effective maximum DNS name
length.
o Changed examples to use decimal rather than octal notation as per
[RFC1035].
o Corrected DNS name length of some examples.
o Added reference to weiler-dnsext-dnssec-online-signing.
o Miscellaneous minor changes to text.
Sisson & Laurie Expires June 1, 2005 [Page 17]
Internet-Draft DNS Name Predecessor and Successor December 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Sisson & Laurie Expires June 1, 2005 [Page 18]