Difference between revisions of "RFC3123"
Line 5: | Line 5: | ||
A DNS RR Type for Lists of Address Prefixes (APL RR) | A DNS RR Type for Lists of Address Prefixes (APL RR) | ||
− | Status of this Memo | + | '''Status of this Memo''' |
This memo defines an Experimental Protocol for the Internet | This memo defines an Experimental Protocol for the Internet | ||
Line 12: | Line 12: | ||
Distribution of this memo is unlimited. | Distribution of this memo is unlimited. | ||
− | Copyright Notice | + | '''Copyright Notice''' |
Copyright (C) The Internet Society (2001). All Rights Reserved. | Copyright (C) The Internet Society (2001). All Rights Reserved. | ||
− | Abstract | + | '''Abstract''' |
The Domain Name System (DNS) is primarily used to translate domain | The Domain Name System (DNS) is primarily used to translate domain | ||
Line 27: | Line 27: | ||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | ||
− | document are to be interpreted as described in [RFC2119]. | + | document are to be interpreted as described in [[RFC2119]]. |
Domain names herein are for explanatory purposes only and should not | Domain names herein are for explanatory purposes only and should not | ||
− | be expected to lead to useful information in real life [RFC2606]. | + | be expected to lead to useful information in real life [[RFC2606]]. |
== Background == | == Background == | ||
− | The Domain Name System [RFC1034], [RFC1035] provides a mechanism to | + | The Domain Name System [[RFC1034]], [[RFC1035]] provides a mechanism to |
associate addresses and other Internet infrastructure elements with | associate addresses and other Internet infrastructure elements with | ||
hierarchically built domain names. Various types of resource records | hierarchically built domain names. Various types of resource records | ||
− | have been defined, especially those for IPv4 and IPv6 [RFC2874] | + | have been defined, especially those for IPv4 and IPv6 [[RFC2874]] |
− | addresses. In [RFC1101] a method is described to publish information | + | addresses. In [[RFC1101]] a method is described to publish information |
about the address space allocated to an organisation. In older BIND | about the address space allocated to an organisation. In older BIND | ||
versions, a weak form of controlling access to zone data was | versions, a weak form of controlling access to zone data was | ||
Line 84: | Line 84: | ||
The encoding of an IPv4 address (address family 1) follows the | The encoding of an IPv4 address (address family 1) follows the | ||
− | encoding specified for the A RR by [RFC1035], section 3.4.1. | + | encoding specified for the A RR by [[RFC1035]], section 3.4.1. |
PREFIX specifies the number of bits of the IPv4 address starting at | PREFIX specifies the number of bits of the IPv4 address starting at | ||
Line 92: | Line 92: | ||
semantic difference between 10.0.0.0/16 and 10/16) in an address | semantic difference between 10.0.0.0/16 and 10/16) in an address | ||
prefix, so the shortest possible AFDLENGTH can be used to encode it. | prefix, so the shortest possible AFDLENGTH can be used to encode it. | ||
− | However, for DNSSEC [RFC2535] a single wire encoding must be used by | + | However, for DNSSEC [[RFC2535]] a single wire encoding must be used by |
all. Therefore the sender MUST NOT include trailing zero octets in | all. Therefore the sender MUST NOT include trailing zero octets in | ||
Line 141: | Line 141: | ||
The representation of an IPv6 address in the <address> part of an | The representation of an IPv6 address in the <address> part of an | ||
− | <apitem> follows [RFC2373], section 2.2. Legal values for <prefix> | + | <apitem> follows [[RFC2373]], section 2.2. Legal values for <prefix> |
are from the interval 0..128 (decimal). | are from the interval 0..128 (decimal). | ||
Line 184: | Line 184: | ||
Possible applications include the publication of address ranges | Possible applications include the publication of address ranges | ||
− | similar to [RFC1101], description of zones built following [RFC2317] | + | similar to [[RFC1101]], description of zones built following [[RFC2317]] |
and in-band access control to limit general access or zone transfer | and in-band access control to limit general access or zone transfer | ||
(AXFR) availability for zone data held in DNS servers. | (AXFR) availability for zone data held in DNS servers. | ||
Line 198: | Line 198: | ||
application does exist now or will exist in the future. | application does exist now or will exist in the future. | ||
− | ; RFC 1101-like announcement of address ranges for foo.example | + | ; [[RFC1101|RFC 1101]]-like announcement of address ranges for foo.example |
foo.example. IN APL 1:192.168.32.0/21 !1:192.168.38.0/28 | foo.example. IN APL 1:192.168.32.0/21 !1:192.168.38.0/28 | ||
Line 217: | Line 217: | ||
Any information obtained from the DNS should be regarded as unsafe | Any information obtained from the DNS should be regarded as unsafe | ||
− | unless techniques specified in [RFC2535] or [RFC2845] were used. The | + | unless techniques specified in [[RFC2535]] or [[RFC2845]] were used. The |
definition of a new RR type does not introduce security problems into | definition of a new RR type does not introduce security problems into | ||
the DNS, but usage of information made available by APL RRs may | the DNS, but usage of information made available by APL RRs may | ||
Line 226: | Line 226: | ||
10. IANA Considerations | 10. IANA Considerations | ||
− | This section is to be interpreted as following [RFC2434]. | + | This section is to be interpreted as following [[RFC2434]]. |
This document does not define any new namespaces. It uses the 16 bit | This document does not define any new namespaces. It uses the 16 bit | ||
Line 242: | Line 242: | ||
12. References | 12. References | ||
− | [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", | + | [[RFC1034]] Mockapetris, P., "Domain Names - Concepts and Facilities", |
− | STD 13, RFC 1034, November 1987. | + | [[STD13|STD 13]], [[RFC1034|RFC 1034]], November 1987. |
− | [RFC1035] Mockapetris, P., "Domain Names - Implementation and | + | [[RFC1035]] Mockapetris, P., "Domain Names - Implementation and |
− | Specification", STD 13, RFC 1035, November 1987. | + | Specification", [[STD13|STD 13]], [[RFC1035|RFC 1035]], November 1987. |
− | [RFC1101] Mockapetris, P., "DNS Encoding of Network Names and Other | + | [[RFC1101]] Mockapetris, P., "DNS Encoding of Network Names and Other |
− | Types", RFC 1101, April 1989. | + | Types", [[RFC1101|RFC 1101]], April 1989. |
− | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | + | [[RFC2119]] Bradner, S., "Key words for use in RFCs to Indicate |
− | Requirement Levels", BCP 14, RFC 2119, March 1997. | + | Requirement Levels", [[BCP14|BCP 14]], [[RFC2119|RFC 2119]], March 1997. |
− | [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | + | [[RFC2181]] Elz, R. and R. Bush, "Clarifications to the DNS |
− | Specification", RFC 2181, July 1997. | + | Specification", [[RFC2181|RFC 2181]], July 1997. |
− | [RFC2317] Eidnes, H., de Groot, G. and P. Vixie, "Classless IN- | + | [[RFC2317]] Eidnes, H., de Groot, G. and P. Vixie, "Classless IN- |
− | ADDR.ARPA delegation", BCP 20, RFC 2317, March 1998. | + | ADDR.ARPA delegation", [[BCP20|BCP 20]], [[RFC2317|RFC 2317]], March 1998. |
− | [RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing | + | [[RFC2373]] Hinden, R. and S. Deering, "IP Version 6 Addressing |
− | Architecture", RFC 2373, July 1998. | + | Architecture", [[RFC2373|RFC 2373]], July 1998. |
− | [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an | + | [[RFC2434]] Narten, T. and H. Alvestrand, "Guidelines for Writing an |
− | IANA Considerations Section in RFCs", BCP 26, RFC 2434, | + | IANA Considerations Section in RFCs", [[BCP26|BCP 26]], [[RFC2434|RFC 2434]], |
October 1998. | October 1998. | ||
− | [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC | + | [[RFC2535]] Eastlake, D., "Domain Name System Security Extensions", RFC |
2535, March 1999. | 2535, March 1999. | ||
− | [RFC2606] Eastlake, D. and A. Panitz, "Reserved Top Level DNS Names", | + | [[RFC2606]] Eastlake, D. and A. Panitz, "Reserved Top Level DNS Names", |
− | BCP 32, RFC 2606, June 1999. | + | [[BCP32|BCP 32]], [[RFC2606|RFC 2606]], June 1999. |
− | [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, | + | [[RFC2845]] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, |
"Secret Key Transaction Authentication for DNS (TSIG)", RFC | "Secret Key Transaction Authentication for DNS (TSIG)", RFC | ||
2845, May 2000. | 2845, May 2000. | ||
− | [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support | + | [[RFC2874]] Crawford, M. and C. Huitema, "DNS Extensions to Support |
− | IPv6 Address Aggregation and Renumbering", RFC 2874, July | + | IPv6 Address Aggregation and Renumbering", [[RFC2874|RFC 2874]], July |
2000. | 2000. | ||
Line 326: | Line 326: | ||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | ||
Internet Society. | Internet Society. | ||
+ | |||
+ | [[Category:Experimental]] |
Latest revision as of 19:58, 3 October 2020
Network Working Group P. Koch Request for Comments: 3123 Universitaet Bielefeld Category: Experimental June 2001
A DNS RR Type for Lists of Address Prefixes (APL RR)
Status of this Memo
This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
The Domain Name System (DNS) is primarily used to translate domain names into IPv4 addresses using A RRs (Resource Records). Several approaches exist to describe networks or address ranges. This document specifies a new DNS RR type "APL" for address prefix lists.
Contents
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
Domain names herein are for explanatory purposes only and should not be expected to lead to useful information in real life RFC2606.
Background
The Domain Name System RFC1034, RFC1035 provides a mechanism to associate addresses and other Internet infrastructure elements with hierarchically built domain names. Various types of resource records have been defined, especially those for IPv4 and IPv6 RFC2874 addresses. In RFC1101 a method is described to publish information about the address space allocated to an organisation. In older BIND versions, a weak form of controlling access to zone data was implemented using TXT RRs describing address ranges.
This document specifies a new RR type for address prefix lists.
APL RR Type
An APL record has the DNS type of "APL" and a numeric value of 42 [IANA]. The APL RR is defined in the IN class only. APL RRs cause no additional section processing.
APL RDATA format
The RDATA section consists of zero or more items (<apitem>) of the form
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ADDRESSFAMILY | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | PREFIX | N | AFDLENGTH | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ / AFDPART / | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
ADDRESSFAMILY 16 bit unsigned value as assigned by IANA (see IANA Considerations) PREFIX 8 bit unsigned binary coded prefix length. Upper and lower bounds and interpretation of this value are address family specific. N negation flag, indicates the presence of the "!" character in the textual format. It has the value "1" if the "!" was given, "0" else. AFDLENGTH length in octets of the following address family dependent part (7 bit unsigned). AFDPART address family dependent part. See below.
This document defines the AFDPARTs for address families 1 (IPv4) and 2 (IPv6). Future revisions may deal with additional address families.
AFDPART for IPv4
The encoding of an IPv4 address (address family 1) follows the encoding specified for the A RR by RFC1035, section 3.4.1.
PREFIX specifies the number of bits of the IPv4 address starting at the most significant bit. Legal values range from 0 to 32.
Trailing zero octets do not bear any information (e.g., there is no semantic difference between 10.0.0.0/16 and 10/16) in an address prefix, so the shortest possible AFDLENGTH can be used to encode it. However, for DNSSEC RFC2535 a single wire encoding must be used by
all. Therefore the sender MUST NOT include trailing zero octets in the AFDPART regardless of the value of PREFIX. This includes cases in which AFDLENGTH times 8 results in a value less than PREFIX. The AFDPART is padded with zero bits to match a full octet boundary.
An IPv4 AFDPART has a variable length of 0 to 4 octets.
AFDPART for IPv6
The 128 bit IPv6 address (address family 2) is encoded in network byte order (high-order byte first).
PREFIX specifies the number of bits of the IPv6 address starting at the most significant bit. Legal values range from 0 to 128.
With the same reasoning as in 4.1 above, the sender MUST NOT include trailing zero octets in the AFDPART regardless of the value of PREFIX. This includes cases in which AFDLENGTH times 8 results in a value less than PREFIX. The AFDPART is padded with zero bits to match a full octet boundary.
An IPv6 AFDPART has a variable length of 0 to 16 octets.
Zone File Syntax
The textual representation of an APL RR in a DNS zone file is as follows:
<owner> IN <TTL> APL {[!]afi:address/prefix}*
The data consists of zero or more strings of the address family indicator <afi>, immediately followed by a colon ":", an address, immediately followed by the "/" character, immediately followed by a decimal numeric value for the prefix length. Any such string may be preceded by a "!" character. The strings are separated by whitespace. The <afi> is the decimal numeric value of that particular address family.
Textual Representation of IPv4 Addresses
An IPv4 address in the <address> part of an <apitem> is in dotted quad notation, just as in an A RR. The <prefix> has values from the interval 0..32 (decimal).
Textual Representation of IPv6 Addresses
The representation of an IPv6 address in the <address> part of an <apitem> follows RFC2373, section 2.2. Legal values for <prefix> are from the interval 0..128 (decimal).
APL RR usage
An APL RR with empty RDATA is valid and implements an empty list. Multiple occurrences of the same <apitem> in a single APL RR are allowed and MUST NOT be merged by a DNS server or resolver. <apitems> MUST be kept in order and MUST NOT be rearranged or aggregated.
A single APL RR may contain <apitems> belonging to different address families. The maximum number of <apitems> is upper bounded by the available RDATA space.
RRSets consisting of more than one APL RR are legal but the interpretation is left to the particular application.
Applicability Statement
The APL RR defines a framework without specifying any particular meaning for the list of prefixes. It is expected that APL RRs will be used in different application scenarios which have to be documented separately. Those scenarios may be distinguished by characteristic prefixes placed in front of the DNS owner name.
An APL application specification MUST include information on
o the characteristic prefix, if any
o how to interpret APL RRSets consisting of more than one RR
o how to interpret an empty APL RR
o which address families are expected to appear in the APL RRs for
that application
o how to deal with APL RR list elements which belong to other
address families, including those not yet defined
o the exact semantics of list elements negated by the "!" character
Possible applications include the publication of address ranges similar to RFC1101, description of zones built following RFC2317 and in-band access control to limit general access or zone transfer (AXFR) availability for zone data held in DNS servers.
The specification of particular application scenarios is out of the scope of this document.
Examples
The following examples only illustrate some of the possible usages outlined in the previous section. None of those applications are hereby specified nor is it implied that any particular APL RR based application does exist now or will exist in the future.
; RFC 1101-like announcement of address ranges for foo.example foo.example. IN APL 1:192.168.32.0/21 !1:192.168.38.0/28
; CIDR blocks covered by classless delegation 42.168.192.IN-ADDR.ARPA. IN APL ( 1:192.168.42.0/26 1:192.168.42.64/26 1:192.168.42.128/25 )
; Zone transfer restriction _axfr.sbo.example. IN APL 1:127.0.0.1/32 1:172.16.64.0/22
; List of address ranges for multicast multicast.example. IN APL 1:224.0.0.0/4 2:FF00:0:0:0:0:0:0:0/8
Note that since trailing zeroes are ignored in the first APL RR the AFDLENGTH of both <apitems> is three.
Security Considerations
Any information obtained from the DNS should be regarded as unsafe unless techniques specified in RFC2535 or RFC2845 were used. The definition of a new RR type does not introduce security problems into the DNS, but usage of information made available by APL RRs may compromise security. This includes disclosure of network topology information and in particular the use of APL RRs to construct access control lists.
10. IANA Considerations
This section is to be interpreted as following RFC2434.
This document does not define any new namespaces. It uses the 16 bit identifiers for address families maintained by IANA in http://www.iana.org/numbers.html.
The IANA assigned numeric RR type value 42 for APL [IANA].
11. Acknowledgements
The author would like to thank Mark Andrews, Olafur Gudmundsson, Ed Lewis, Thomas Narten, Erik Nordmark, and Paul Vixie for their review and constructive comments.
12. References
RFC1034 Mockapetris, P., "Domain Names - Concepts and Facilities",
STD 13, RFC 1034, November 1987.
RFC1035 Mockapetris, P., "Domain Names - Implementation and
Specification", STD 13, RFC 1035, November 1987.
RFC1101 Mockapetris, P., "DNS Encoding of Network Names and Other
Types", RFC 1101, April 1989.
RFC2119 Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
RFC2181 Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997.
RFC2317 Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
ADDR.ARPA delegation", BCP 20, RFC 2317, March 1998.
RFC2373 Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 2373, July 1998.
RFC2434 Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
RFC2535 Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999.
RFC2606 Eastlake, D. and A. Panitz, "Reserved Top Level DNS Names",
BCP 32, RFC 2606, June 1999.
RFC2845 Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
"Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000.
RFC2874 Crawford, M. and C. Huitema, "DNS Extensions to Support
IPv6 Address Aggregation and Renumbering", RFC 2874, July 2000.
[IANA] http://www.iana.org/assignments/dns-parameters
13. Author's Address
Peter Koch Universitaet Bielefeld Technische Fakultaet D-33594 Bielefeld Germany
Phone: +49 521 106 2902 EMail: [email protected]
14. Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.