Derivation of DNS Name Predecessor and Successor
RFC 4471
|
| Document |
Type |
|
RFC - Experimental
(September 2006; No errata)
|
|
Last updated |
|
2015-10-14
|
|
Replaces |
|
draft-sisson-dnsext-dns-name-p-s
|
|
Stream |
|
IETF
|
|
Formats |
|
plain text
pdf
htmlized
bibtex
|
| Stream |
WG state
|
|
(None)
|
|
Document shepherd |
|
No shepherd assigned
|
| IESG |
IESG state |
|
RFC 4471 (Experimental)
|
|
Consensus Boilerplate |
|
Unknown
|
|
Telechat date |
|
|
|
Responsible AD |
|
Mark Townsley
|
|
Send notices to |
|
olaf@nlnetlabs.nl
|
Network Working Group G. Sisson
Request for Comments: 4471 B. Laurie
Category: Experimental Nominet
September 2006
Derivation of DNS Name Predecessor and Successor
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes two methods for deriving the canonically-
ordered predecessor and successor of a DNS name. These methods may
be used for dynamic NSEC resource record synthesis, enabling
security-aware name servers to provide authenticated denial of
existence without disclosing other owner names in a DNSSEC secured
zone.
Table of Contents
1. Introduction ....................................................2
2. Notational Conventions ..........................................3
3. Derivations .....................................................3
3.1. Absolute Method ............................................3
3.1.1. Derivation of DNS Name Predecessor ..................3
3.1.2. Derivation of DNS Name Successor ....................4
3.2. Modified Method ............................................4
3.2.1. Derivation of DNS Name Predecessor ..................5
3.2.2. Derivation of DNS Name Successor ....................6
4. Notes ...........................................................6
4.1. Test for Existence .........................................6
4.2. Case Considerations ........................................7
4.3. Choice of Range ............................................7
4.4. Wild Card Considerations ...................................8
4.5. Possible Modifications .....................................8
4.5.1. Restriction of Effective Maximum DNS Name Length ....8
4.5.2. Use of Modified Method with Zones Containing
Sisson & Laurie Experimental [Page 1]
RFC 4471 DNS Name Predecessor and Successor September 2006
SRV RRs .............................................8
5. Examples ........................................................9
5.1. Examples of Immediate Predecessors Using Absolute Method ..10
5.2. Examples of Immediate Successors Using Absolute Method ....14
5.3. Examples of Predecessors Using Modified Method ............19
5.4. Examples of Successors Using Modified Method ..............20
6. Security Considerations ........................................21
7. Acknowledgements ...............................................21
8. References .....................................................21
8.1. Normative References ......................................21
8.2. Informative References ....................................22
1. Introduction
One of the proposals for avoiding the exposure of zone information
during the deployment DNSSEC is dynamic NSEC resource record (RR)
synthesis. This technique is described in [DNSSEC-TRANS] and
[RFC4470], and involves the generation of NSEC RRs that just span the
query name for non-existent owner names. In order to do this, the
DNS names that would occur just prior to and just following a given
query name must be calculated in real time, as maintaining a list of
all possible owner names that might occur in a zone would be
impracticable.
Section 6.1 of [RFC4034] defines canonical DNS name order. This
document does not amend or modify this definition. However, the
derivation of immediate predecessor and successor, although trivial,
is non-obvious. Accordingly, several methods are described here as
an aid to implementors and a reference to other interested parties.
This document describes two methods:
1. An "absolute method", which returns the immediate predecessor or
successor of a domain name such that no valid DNS name could
exist between that DNS name and the predecessor or successor.
2. A "modified method", which returns a predecessor and successor
that are more economical in size and computation. This method is
restricted to use with zones consisting exclusively of owner
names that contain no more than one label more than the owner
name of the apex, where the longest possible owner name (i.e.,
one with a maximum length left-most label) would not exceed the
maximum DNS name length. This is, however, the type of zone for
which the technique of online signing is most likely to be used.
Show full document text