Derivation of DNS Name Predecessor and Successor
RFC 4471
Document Type RFC - Experimental (September 2006; No errata)
Last updated 2015-10-14
Replaces draft-sisson-dnsext-dns-name-p-s
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4471 (Experimental)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Mark Townsley
Send notices to olaf@nlnetlabs.nl
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          G. Sisson
Request for Comments: 4471                                     B. Laurie
Category: Experimental                                           Nominet
                                                          September 2006

            Derivation of DNS Name Predecessor and Successor

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes two methods for deriving the canonically-
   ordered predecessor and successor of a DNS name.  These methods may
   be used for dynamic NSEC resource record synthesis, enabling
   security-aware name servers to provide authenticated denial of
   existence without disclosing other owner names in a DNSSEC secured
   zone.

Table of Contents

   1. Introduction ....................................................2
   2. Notational Conventions ..........................................3
   3. Derivations .....................................................3
      3.1. Absolute Method ............................................3
           3.1.1. Derivation of DNS Name Predecessor ..................3
           3.1.2. Derivation of DNS Name Successor ....................4
      3.2. Modified Method ............................................4
           3.2.1. Derivation of DNS Name Predecessor ..................5
           3.2.2. Derivation of DNS Name Successor ....................6
   4. Notes ...........................................................6
      4.1. Test for Existence .........................................6
      4.2. Case Considerations ........................................7
      4.3. Choice of Range ............................................7
      4.4. Wild Card Considerations ...................................8
      4.5. Possible Modifications .....................................8
           4.5.1. Restriction of Effective Maximum DNS Name Length ....8
           4.5.2. Use of Modified Method with Zones Containing

Sisson & Laurie               Experimental                      [Page 1]
RFC 4471           DNS Name Predecessor and Successor     September 2006

                  SRV RRs .............................................8
   5. Examples ........................................................9
      5.1. Examples of Immediate Predecessors Using Absolute Method ..10
      5.2. Examples of Immediate Successors Using Absolute Method ....14
      5.3. Examples of Predecessors Using Modified Method ............19
      5.4. Examples of Successors Using Modified Method ..............20
   6. Security Considerations ........................................21
   7. Acknowledgements ...............................................21
   8. References .....................................................21
      8.1. Normative References ......................................21
      8.2. Informative References ....................................22

1.  Introduction

   One of the proposals for avoiding the exposure of zone information
   during the deployment DNSSEC is dynamic NSEC resource record (RR)
   synthesis.  This technique is described in [DNSSEC-TRANS] and
   [RFC4470], and involves the generation of NSEC RRs that just span the
   query name for non-existent owner names.  In order to do this, the
   DNS names that would occur just prior to and just following a given
   query name must be calculated in real time, as maintaining a list of
   all possible owner names that might occur in a zone would be
   impracticable.

   Section 6.1 of [RFC4034] defines canonical DNS name order.  This
   document does not amend or modify this definition.  However, the
   derivation of immediate predecessor and successor, although trivial,
   is non-obvious.  Accordingly, several methods are described here as
   an aid to implementors and a reference to other interested parties.

   This document describes two methods:

   1.  An "absolute method", which returns the immediate predecessor or
       successor of a domain name such that no valid DNS name could
       exist between that DNS name and the predecessor or successor.

   2.  A "modified method", which returns a predecessor and successor
       that are more economical in size and computation.  This method is
       restricted to use with zones consisting exclusively of owner
       names that contain no more than one label more than the owner
       name of the apex, where the longest possible owner name (i.e.,
       one with a maximum length left-most label) would not exceed the
       maximum DNS name length.  This is, however, the type of zone for
       which the technique of online signing is most likely to be used.
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools