Derivation of DNS Name Predecessor and Successor
RFC 4471
| Field | Value |
|---|---|
| Type | RFC - Experimental (September 2006; No errata) |
| Authors | Ben Laurie, Geoffrey Sisson |
| Last updated | 2015-10-14 |
| Replaces | draft-sisson-dnsext-dns-name-p-s |
| Stream | Internet Engineering Task Force (IETF) |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4471 (Experimental) |
| Action holders | (None) |
| Consensus boilerplate | Unknown |
| Responsible AD | Mark Townsley |
| Send notices to | olaf@nlnetlabs.nl |
Network Working Group: G. Sisson, B. Laurie (Nominet)
Request for Comments: 4471
Category: Experimental
September 2006

Derivation of DNS Name Predecessor and Successor

Status of This Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document describes two methods for deriving the canonically-ordered predecessor and successor of a DNS name. These methods may be used for dynamic NSEC resource record synthesis, enabling security-aware name servers to provide authenticated denial of existence without disclosing other owner names in a DNSSEC secured zone.

Table of Contents

1. Introduction  2
2. Notational Conventions  3
3. Derivations  3
  3.1. Absolute Method  3
    3.1.1. Derivation of DNS Name Predecessor  3
    3.1.2. Derivation of DNS Name Successor  4
  3.2. Modified Method  4
    3.2.1. Derivation of DNS Name Predecessor  5
    3.2.2. Derivation of DNS Name Successor  6
4. Notes  6
  4.1. Test for Existence  6
  4.2. Case Considerations  7
  4.3. Choice of Range  7
  4.4. Wild Card Considerations  8
  4.5. Possible Modifications  8
    4.5.1. Restriction of Effective Maximum DNS Name Length  8
    4.5.2. Use of Modified Method with Zones Containing SRV RRs  8

Sisson & Laurie  Experimental  [Page 1]
RFC 4471  DNS Name Predecessor and Successor  September 2006

5. Examples  9
  5.1. Examples of Immediate Predecessors Using Absolute Method  10
  5.2. Examples of Immediate Successors Using Absolute Method  14
  5.3. Examples of Predecessors Using Modified Method  19
  5.4. Examples of Successors Using Modified Method  20
6. Security Considerations  21
7. Acknowledgements  21
8. References  21
  8.1. Normative References  21
  8.2. Informative References  22

1. Introduction

One of the proposals for avoiding the exposure of zone information during the deployment of DNSSEC is dynamic NSEC resource record (RR) synthesis. This technique is described in [DNSSEC-TRANS] and [RFC4470], and involves the generation of NSEC RRs that just span the query name for non-existent owner names. In order to do this, the DNS names that would occur just prior to and just following a given query name must be calculated in real time, as maintaining a list of all possible owner names that might occur in a zone would be impracticable.

Section 6.1 of [RFC4034] defines canonical DNS name order. This document does not amend or modify this definition. However, the derivation of immediate predecessor and successor, although trivial, is non-obvious. Accordingly, several methods are described here as an aid to implementors and a reference to other interested parties.

This document describes two methods:

1. An "absolute method", which returns the immediate predecessor or successor of a domain name such that no valid DNS name could exist between that DNS name and the predecessor or successor.

2. A "modified method", which returns a predecessor and successor that are more economical in size and computation. This method is restricted to use with zones consisting exclusively of owner names that contain no more than one label more than the owner name of the apex, where the longest possible owner name (i.e., one with a maximum length left-most label) would not exceed the maximum DNS name length. This is, however, the type of zone for which the technique of online signing is most likely to be used.
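The canonical ordering the Introduction relies on (Section 6.1 of RFC 4034) and an "absolute method" immediate predecessor and successor, as an added Python example written for this page rather than taken from the RFC's own text. It assumes names are lists of byte-string labels (left-most label first, root label omitted) that already lie within the zone apex, and that the full 255-octet wire-format name limit applies (the RFC's Section 4.5.1 discusses restricting it).

```python
# Added example: canonical DNS name order (RFC 4034 s6.1) plus an absolute-method
# immediate predecessor/successor, written for this page, not the RFC's text.
# Names: lists of byte labels, left-most first, no root label, inside `apex`.
MAX_NAME, MAX_LABEL = 255, 63   # wire-format limits, incl. the terminating root

def canon(name):   # fold US-ASCII uppercase to lowercase, as canonical order requires
    return [bytes(c + 32 if 0x41 <= c <= 0x5A else c for c in lab) for lab in name]
def wire_len(name): return sum(len(lab) + 1 for lab in name) + 1
def canon_key(name):   # most significant label first; a missing label/octet sorts before \000
    return tuple(reversed(canon(name)))
def dec_octet(c): return 0x40 if c == 0x5B else c - 1   # 0x41..0x5A never occur canonically
def inc_octet(c): return 0x5B if c == 0x40 else c + 1

def predecessor(name, apex):
    """Immediate predecessor: no name in the zone can sort between the two."""
    name, apex = canon(name), canon(apex)
    if name == apex:
        pred = list(apex)               # apex sorts first; wrap around to the last name
    else:
        lsl, rest = name[0], name[1:]
        if lsl == b"\x00":
            return rest                 # the parent immediately precedes \000.parent
        if lsl[-1] == 0:
            lsl = lsl[:-1]              # nothing can sort between X and X\000
        else:
            lsl = lsl[:-1] + bytes([dec_octet(lsl[-1])])
            room = MAX_NAME - wire_len([lsl] + rest)
            lsl += b"\xff" * min(MAX_LABEL - len(lsl), room)   # longest label with this prefix
        pred = [lsl] + rest
    while (room := MAX_NAME - wire_len(pred)) >= 2:
        pred.insert(0, b"\xff" * min(MAX_LABEL, room - 1))     # deepest, largest descendant
    return pred

def successor(name, apex):
    """Immediate successor; the successor of the zone's last name is the apex."""
    labels = canon(name)
    if wire_len(labels) <= MAX_NAME - 2:
        return [b"\x00"] + labels       # shortest child sorts right after its parent
    while len(labels) > len(apex):
        lsl, rest = labels[0], labels[1:]
        if len(lsl) < MAX_LABEL and wire_len(labels) < MAX_NAME:
            return [lsl + b"\x00"] + rest           # follows lsl's entire (exhausted) subtree
        stripped = lsl.rstrip(b"\xff")
        if stripped:
            return [stripped[:-1] + bytes([inc_octet(stripped[-1])])] + rest
        labels = rest                   # lsl was the largest label that fits: move up a level
    return canon(apex)
```

Sorting a set of names with `canon_key` reproduces the order an NSEC chain follows, and `predecessor`/`successor` give the owner name and next-owner field that span exactly one query name.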