DNS Extensions Working Group G. Sisson
Internet-Draft B. Laurie
Expires: January 11, 2006 Nominet

Derivation of DNS Name Predecessor and Successor
draft-ietf-dnsext-dns-name-p-s-00

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on January 11, 2006.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This document describes two methods for deriving the canonically-ordered
predecessor and successor of a DNS name. These methods may
be used for dynamic NSEC resource record synthesis, enabling
security-aware name servers to provide authenticated denial of
existence without disclosing other owner names in a DNSSEC-secured
zone.

Sisson & Laurie Expires January 11, 2006 [Page 1]

Internet-Draft DNS Name Predecessor and Successor July 2005
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3
3. Absolute Method . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Derivation of DNS Name Predecessor . . . . . . . . . . . . 4
3.2. Derivation of DNS Name Successor . . . . . . . . . . . . . 4
4. Modified Method . . . . . . . . . . . . . . . . . . . . . . . 5
4.1. Derivation of DNS Name Predecessor . . . . . . . . . . . . 6
4.2. Derivation of DNS Name Successor . . . . . . . . . . . . . 6
5. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Case Considerations . . . . . . . . . . . . . . . . . . . 7
5.2. Choice of Range . . . . . . . . . . . . . . . . . . . . . 7
5.3. Wild Card Considerations . . . . . . . . . . . . . . . . . 8
5.4. Possible Modifications . . . . . . . . . . . . . . . . . . 8
5.4.1. Restriction of Effective Maximum DNS Name Length . . . 8
5.4.2. Use of Modified Method With Zones Containing SRV RRs . . 9
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Examples of Immediate Predecessors Using Absolute Method . . 10
6.2. Examples of Immediate Successors Using Absolute Method . . 13
6.3. Examples of Predecessors Using Modified Method . . . . . . 19
6.4. Examples of Successors Using Modified Method . . . . . . . 20
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . . 22
10.2. Informative References . . . . . . . . . . . . . . . . . . 22
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 22
A.1. Changes from sisson-02 to ietf-00 . . . . . . . . . . . . 22
A.2. Changes from sisson-01 to sisson-02 . . . . . . . . . . . 23
A.3. Changes from sisson-00 to sisson-01 . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . . . 25
1. Introduction

One of the proposals for avoiding the exposure of zone information
during the deployment of DNSSEC is dynamic NSEC resource record (RR)
synthesis. This technique is described in [I-D.ietf-dnsext-dnssec-trans]
and [I-D.ietf-dnsext-dnssec-online-signing], and involves the
generation of NSEC RRs that just span the query name for non-existent
owner names. In order to do this, the DNS names which would occur
just prior to and just following a given query name must be
calculated in real time, as maintaining a list of all possible owner
names that might occur in a zone would be impracticable.

Section 6.1 of [RFC4034] defines canonical DNS name order. This
document does not amend or modify this definition. However, the
derivation of immediate predecessor and successor, while trivial, is
non-obvious. Accordingly, two methods are described here as an
aid to implementors and a reference to other interested parties.

This document describes two methods:

1. An ``absolute method'', which returns the immediate predecessor
or successor of a domain name such that no valid DNS name could
exist between that DNS name and the predecessor or successor.

2. A ``modified method'', which returns a predecessor and successor
which are more economical in size and computation. This method
is restricted to use with zones consisting only of single-label
owner names where a maximum-length owner name would not result in
a DNS name exceeding the maximum DNS name length. This is,
however, the type of zone for which the technique of online-signing
is most likely to be used.

2. Notational Conventions

The following notational conventions are used in this document for
economy of expression:

N: An unspecified DNS name.

P(N): Immediate predecessor to N (absolute method).

S(N): Immediate successor to N (absolute method).

P'(N): Predecessor to N (modified method).

S'(N): Successor to N (modified method).

3. Absolute Method

These derivations assume that all uppercase US-ASCII letters in N
have already been replaced by their corresponding lowercase
equivalents. Unless otherwise specified, processing stops after the
first step in which a condition is met.
179
3.1. Derivation of DNS Name Predecessor
183
1. If N is the same as the owner name of the zone apex, prepend N
184
repeatedly with labels of the maximum length possible consisting
185
of octets of the maximum sort value (e.g. 0xff) until N is the
186
maximum length possible; otherwise continue to the next step.
188
2. If the least significant (left-most) label of N consists of a
189
single octet of the minimum sort value (e.g. 0x00), remove that
190
label; otherwise continue to the next step.
192
3. If the least significant (right-most) octet in the least
193
significant (left-most) label of N is the minimum sort value,
194
remove the least significant octet and continue with step 5.
196
4. Decrement the value of the least significant (right-most) octet,
197
skipping any values that correspond to uppercase US-ASCII
198
letters, and then append the label with as many octets as
199
possible of the maximum sort value. Continue to the next step.
201
5. Prepend N repeatedly with labels of as long a length as possible
202
consisting of octets of the maximum sort value until N is the
203
maximum length possible.
205
3.2. Derivation of DNS Name Successor
209
1. If N is two or more octets shorter than the maximum DNS name
210
length, prepend N with a label containing a single octet of the
211
minimum sort value (e.g. 0x00); otherwise continue to the next
214
2. If N is one or more octets shorter than the maximum DNS name
215
length and the least significant (left-most) label is one or more
216
octets shorter than the maximum label length, append an octet of
220
Sisson & Laurie Expires January 11, 2006 [Page 4]
222
Internet-Draft DNS Name Predecessor and Successor July 2005
225
the minimum sort value to the least significant label; otherwise
226
continue to the next step.
228
3. Increment the value of the least significant (right-most) octet
229
in the least significant (left-most) label that is less than the
230
maximum sort value (e.g. 0xff), skipping any values that
231
correspond to uppercase US-ASCII letters, and then remove any
232
octets to the right of that one. If all octets in the label are
233
the maximum sort value, then continue to the next step.
235
4. Remove the least significant (left-most) label. If N is now the
236
same as the owner name of the zone apex, do nothing. (This will
237
occur only if N is the maximum possible name in canonical DNS
238
name order, and thus has wrapped to the owner name of zone apex.)
239
Otherwise repeat starting at step 2.
4. Modified Method

This method is for use with zones consisting only of single-label
owner names where an owner name consisting of a label of maximum length
would not result in a DNS name which exceeded the maximum DNS name
length. This method is computationally simpler and returns values
which are more economical in size than the absolute method. It
differs from the absolute method detailed above in the following
respects:

1. Step 1 of the derivation P(N) has been omitted as the existence
of the owner name of the zone apex never requires denial.

2. A new step 1 has been introduced which removes unnecessary
labels.

3. Step 5 of the derivation P(N) (prepending labels of the maximum
sort value until N is of maximum length) has been omitted as it is
only necessary for zones containing owner names consisting of more
than one label. This omission generally results in a significant
reduction of the length of derived predecessors.

4. Step 1 of the derivation S(N) has been omitted as it is only
necessary for zones containing owner names consisting of more
than one label. This omission results in a tiny reduction of the
length of derived successors, and maintains consistency with the
omission of step 5 of the derivation P(N) described above.

5. Steps 2 and 4 of the derivation S(N) have been modified to
eliminate checks for maximum DNS name length, as it is an
assumption of this method that no DNS name in the zone can exceed
the maximum DNS name length.

These derivations assume that all uppercase US-ASCII letters in N
have already been replaced by their corresponding lowercase
equivalents. Unless otherwise specified, processing stops after the
first step in which a condition is met.
4.1. Derivation of DNS Name Predecessor

1. If N has more labels than the number of labels in the owner name
of the apex + 1, repeatedly remove the least significant (left-most)
label until N has no more labels than the number of labels
in the owner name of the apex + 1; otherwise continue to the next
step.

2. If the least significant (left-most) label of N consists of a
single octet of the minimum sort value (e.g. 0x00), remove that
label; otherwise continue to the next step.

3. If the least significant (right-most) octet in the least
significant (left-most) label of N is the minimum sort value,
remove the least significant octet; otherwise continue to the next
step.

4. Decrement the value of the least significant (right-most) octet,
skipping any values which correspond to uppercase US-ASCII
letters, and then append the label with as many octets as
possible of the maximum sort value.

4.2. Derivation of DNS Name Successor

1. If N has more labels than the number of labels in the owner name
of the apex + 1, repeatedly remove the least significant (left-most)
label until N has no more labels than the number of labels
in the owner name of the apex + 1. Continue to the next step.

2. If the least significant (left-most) label of N is one or more
octets shorter than the maximum label length, append an octet of
the minimum sort value to the least significant label; otherwise
continue to the next step.

3. Increment the value of the least significant (right-most) octet
in the least significant (left-most) label that is less than the
maximum sort value (e.g. 0xff), skipping any values which
correspond to uppercase US-ASCII letters, and then remove any
octets to the right of that one. If all octets in the label are
the maximum sort value, then continue to the next step.

4. Remove the least significant (left-most) label. (This will occur
only if the least significant label is the maximum label length
and consists entirely of octets of the maximum sort value, and
thus has wrapped to the owner name of the zone apex.)
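The four derivations as runnable code, added here as an example; it is not code from the draft or from any name server. It follows the steps of Sections 3.1, 3.2, 4.1 and 4.2 literally, uses the uppercase-skipping increment and decrement of Section 5.1, and makes the octet range a parameter so the LDH restriction of Section 5.2 can be applied as well. Names are handled as lists of label byte strings, left-most label first, relative to the zone apex; the presentation-form parser and formatter, the `Range` tuple and the `derive` wrapper are conventions of this example, not anything the draft specifies, and N is assumed already folded to lowercase as Section 2 requires.

```python
# Added example (not the draft's own code): P(N), S(N), P'(N) and S'(N) from
# Sections 3 and 4.  Labels: byte strings, left-most first, relative to the apex.
from collections import namedtuple

MAX_NAME, MAX_LABEL = 255, 63                     # RFC 1034 limits
Range = namedtuple("Range", "lo hi skip")         # octet bounds, values stepped over
LDH_OCTETS = set(b"-0123456789abcdefghijklmnopqrstuvwxyz")
ABSOLUTE = Range(0x00, 0xFF, frozenset(range(ord("A"), ord("Z") + 1)))   # Section 5.1
LDH = Range(ord("-"), ord("z"), frozenset(set(range(256)) - LDH_OCTETS))  # Section 5.2

def step(rng, v, d):                              # d is +1 or -1; caller keeps v inside [lo, hi]
    v += d
    while v in rng.skip:                          # e.g. '@' + 1 skips 'A'..'Z' and lands on '['
        v += d
    return v

def parse(name):                                  # presentation form -> list of label bytes
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        c = name[i]
        if c == "\\" and name[i + 1:i + 4].isdigit():     # \DDD escape (RFC 1035 Section 5.1)
            cur.append(int(name[i + 1:i + 4])); i += 4
        elif c == "\\":                                    # \X escape
            cur.append(ord(name[i + 1])); i += 2
        elif c == ".":
            labels.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur.append(ord(c)); i += 1
    return labels + ([bytes(cur)] if cur else [])

def fmt(labels):                                  # labels -> presentation form (LDH literal, \X, \DDD)
    esc = lambda b: chr(b) if b in LDH_OCTETS else "\\%c" % b if 0x21 <= b <= 0x7E else "\\%03d" % b
    return "".join("".join(map(esc, l)) + "." for l in labels) or "."

def wire_len(labels): return sum(len(l) + 1 for l in labels) + 1   # +1: root label

def _fill_max(rel, apex, rng):                    # P(N) step 5: prepend maximal labels
    while MAX_NAME - wire_len(rel + apex) >= 2:   # a new label costs len + 1 octets
        rel.insert(0, bytes([rng.hi]) * min(MAX_LABEL, MAX_NAME - wire_len(rel + apex) - 1))
    return rel

def _bump(label, rng):                            # S(N)/S'(N) step 3; None if label is all hi
    i = max((k for k, b in enumerate(label) if b < rng.hi), default=-1)
    return None if i < 0 else label[:i] + bytes([step(rng, label[i], +1)])

def pred(rel, apex, rng=ABSOLUTE):
    """P(N), Section 3.1."""
    if not rel:                                   # step 1: the apex wraps to the maximal name
        return _fill_max([], apex, rng)
    first, rest = rel[0], rel[1:]
    if first == bytes([rng.lo]):                  # step 2
        return rest
    if first[-1] == rng.lo:                       # step 3, then step 5
        return _fill_max([first[:-1]] + rest, apex, rng)
    first = first[:-1] + bytes([step(rng, first[-1], -1)])            # step 4
    pad = min(MAX_LABEL - len(first), MAX_NAME - wire_len([first] + rest + apex))
    return _fill_max([first + bytes([rng.hi]) * pad] + rest, apex, rng)  # step 5

def succ(rel, apex, rng=ABSOLUTE):
    """S(N), Section 3.2."""
    if wire_len(rel + apex) <= MAX_NAME - 2:      # step 1
        return [bytes([rng.lo])] + rel
    while rel:
        if wire_len(rel + apex) < MAX_NAME and len(rel[0]) < MAX_LABEL:  # step 2
            return [rel[0] + bytes([rng.lo])] + rel[1:]
        bumped = _bump(rel[0], rng)               # step 3
        if bumped is not None:
            return [bumped] + rel[1:]
        rel = rel[1:]                             # step 4, then repeat from step 2
    return []                                     # N was maximal: wrapped to the apex

def pred_mod(rel, apex, rng=ABSOLUTE):
    """P'(N), Section 4.1 (single-label zones; apex kept only for a uniform signature)."""
    if len(rel) > 1:                              # step 1, and processing stops here
        return rel[-1:]
    if not rel:                                   # not in the steps; Section 6.3 shows this wrap
        return [bytes([rng.hi]) * MAX_LABEL]
    first = rel[0]
    if first == bytes([rng.lo]):                  # step 2
        return []
    if first[-1] == rng.lo:                       # step 3
        return [first[:-1]]
    first = first[:-1] + bytes([step(rng, first[-1], -1)])            # step 4
    return [first + bytes([rng.hi]) * (MAX_LABEL - len(first))]

def succ_mod(rel, apex, rng=ABSOLUTE):
    """S'(N), Section 4.2 (single-label zones)."""
    (first,) = rel[-1:]                           # step 1; ValueError for the apex, which is never denied
    if len(first) < MAX_LABEL:                    # step 2
        return [first + bytes([rng.lo])]
    bumped = _bump(first, rng)                    # step 3
    return [] if bumped is None else [bumped]     # step 4: all-hi label wraps to the apex

def derive(fn, name, apex="example.com.", rng=ABSOLUTE):   # apex must be a suffix of name
    n, a = parse(name), parse(apex)
    return fmt(fn(n[:len(n) - len(a)], a, rng) + a)
```

`derive(pred, "foo.example.com.")` reproduces the first example of Section 6.1, and `derive(pred_mod, "a.example.com.", rng=LDH)` yields `9{63}.example.com.`, the lower bound Section 5.4.2 mentions. Note that in step 4 of P(N) the padding is bounded by both the label limit and the name limit: for a query name already 255 octets long nothing is appended, and step 5 then prepends nothing either.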
5. Notes

5.1. Case Considerations

Section 3.5 of [RFC1034] specifies that "while upper and lower case
letters are allowed in [DNS] names, no significance is attached to
the case". Additionally, Section 6.1 of [RFC4034] states that when
determining canonical DNS name order, "uppercase US-ASCII letters are
treated as if they were lowercase US-ASCII letters". Consequently,
values corresponding to US-ASCII uppercase letters must be skipped
when decrementing and incrementing octets in the derivations
described in Section 3.1 and Section 3.2 (and likewise in Section 4.1
and Section 4.2).

The following pseudo-code is illustrative:

Decrement the value of an octet:

if (octet == '[') // '[' is just after uppercase 'Z'
octet = '@'; // '@' is just prior to uppercase 'A'
else
octet--;

Increment the value of an octet:

if (octet == '@') // '@' is just prior to uppercase 'A'
octet = '['; // '[' is just after uppercase 'Z'
else
octet++;

5.2. Choice of Range

[RFC2181] makes the clarification that "any binary string whatever
can be used as the label of any resource record". Consequently the
minimum sort value may be set as 0x00 and the maximum sort value as
0xff, and the range of possible values will be any DNS name which
contains octets of any value other than those corresponding to
uppercase US-ASCII letters.

However, if all owner names in a zone are in the letter-digit-hyphen,
or LDH, format specified in [RFC1034], it may be desirable to
restrict the range of possible values to DNS names containing only
LDH values. This has the effect of:

1. making the output of tools such as `dig' and `nslookup' less
subject to confusion;

2. minimising the impact that NSEC RRs containing DNS names with
non-LDH values (or non-printable values) might have on faulty DNS
resolver implementations; and

3. preventing the possibility of results which are wildcard DNS
names (see Section 5.3).

This may be accomplished by using a minimum sort value of 0x2d (US-ASCII
character `-') and a maximum sort value of 0x7a (US-ASCII
character lowercase `z'), and then skipping non-LDH, non-lowercase
values when incrementing or decrementing octets.
5.3. Wild Card Considerations

Neither derivation avoids the possibility that the result may be a
DNS name containing a wildcard label, i.e. a label containing a
single octet with the value 0x2a (US-ASCII character `*'). With
additional tests, wildcard DNS names may be explicitly avoided;
alternatively, if the range of octet values can be restricted to
those corresponding to letter-digit-hyphen, or LDH, characters (see
Section 5.2), such DNS names will not occur.

Note that it is improbable that a result which is a wildcard DNS name
will occur unintentionally; even if one does occur either as the
owner name of, or in the RDATA of an NSEC RR, it is treated as a
literal DNS name with no special meaning.

5.4. Possible Modifications

5.4.1. Restriction of Effective Maximum DNS Name Length

[RFC1034] specifies that "the total number of octets that represent a
[DNS] name (i.e., the sum of all label octets and label lengths) is
limited to 255", including the null (zero-length) label which
represents the root. For the purpose of deriving predecessors and
successors during NSEC RR synthesis, the maximum DNS name length may
be effectively restricted to the length of the longest DNS name in
the zone. This will minimise the size of responses containing
synthesised NSEC RRs but, especially in the case of the modified
method, may result in some additional computational complexity.

Note that this modification will have the effect of revealing
information about the longest name in the zone. Moreover, when the
contents of the zone change, e.g. during dynamic updates and zone
transfers, care must be taken to ensure that the effective maximum
DNS name length agrees with the new contents.
5.4.2. Use of Modified Method With Zones Containing SRV RRs

Normally the modified method cannot be used in zones that contain
SRV RRs [RFC2782], as SRV RRs have owner names which contain multiple
labels. However the use of SRV RRs can be accommodated by various
techniques. There are at least four possible ways to do this:

1. Use conventional NSEC RRs for the region of the zone that
contains first-level labels beginning with the underscore (`_')
character. For the purposes of generating these NSEC RRs, the
existence of (possibly fictional) owner names `9{63}' and `a'
could be assumed, providing a lower and upper bound for this
region. Then all queries where the QNAME doesn't exist but
contains a first-level label beginning with an underscore could
be handled using the normal DNSSEC protocol.

This approach would make it possible to enumerate all DNS names
in the zone containing a first-level label beginning with an
underscore, including all SRV RRs, but this may be of less
concern to the zone administrator than incurring the overhead of
the absolute method or of the following variants of the modified
method.

2. The absolute method could be used for synthesising NSEC RRs for
all queries where the QNAME contains a leading underscore.
However this re-introduces the susceptibility of the absolute
method to denial of service activity, as an attacker could send
queries for an effectively inexhaustible supply of domain names
beginning with a leading underscore.

3. A variant of the modified method could be used for synthesising
NSEC RRs for all queries where the QNAME contains a leading
underscore. This variant would assume that all predecessors and
successors to queries where the QNAME contains a leading
underscore may consist of two labels rather than only one. This
introduces a little additional complexity without incurring the
full increase in response size and computational complexity of
the absolute method.

4. Finally, a variant of the modified method which assumes that all
owner names in the zone consist of one or two labels could be
used. However this negates much of the reduction in response
size of the modified method and may be nearly as computationally
complex as the absolute method.
6. Examples

In the following examples:

the owner name of the zone apex is "example.com.";

the range of octet values is 0x00 - 0xff excluding values
corresponding to uppercase US-ASCII letters; and

non-printable octet values are expressed as three-digit decimal
numbers preceded by a backslash (as specified in Section 5.1 of
[RFC1035]).

6.1. Examples of Immediate Predecessors Using Absolute Method

Example of typical case:

P(foo.example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255.\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255.\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255.fon\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255.example.com.

or, in alternate notation:

\255{49}.\255{63}.\255{63}.fon\255{60}.example.com.

where {n} represents the number of repetitions of an octet.
Example where least significant (left-most) label of DNS name
consists of a single octet of the minimum sort value:

P(\000.foo.example.com.) = foo.example.com.

Example where least significant (right-most) octet of least
significant (left-most) label has the minimum sort value:

P(foo\000.example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255.\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255.\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255.\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255.foo.example.com.

or, in alternate notation:

\255{45}.\255{63}.\255{63}.\255{63}.foo.example.com.
Example where DNS name contains an octet which must be decremented by
skipping values corresponding to US-ASCII uppercase letters:

P(fo\[.example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255.\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255.\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255.fo\@\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255.example.com.

or, in alternate notation:

\255{49}.\255{63}.\255{63}.fo\@\255{60}.example.com.
Example where DNS name is the owner name of the zone apex, and
consequently wraps to the DNS name with the maximum possible sort
order:

P(example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255.\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255.\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255.\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255.example.com.

or, in alternate notation:

\255{49}.\255{63}.\255{63}.\255{63}.example.com.

6.2. Examples of Immediate Successors Using Absolute Method

Example of typical case:

S(foo.example.com.) = \000.foo.example.com.
Example where DNS name is one octet short of the maximum DNS name
length:

N = fooooooooooooooooooooooooooooooooooooooooooooooo
.ooooooooooooooooooooooooooooooooooooooooooooooo
oooooooooooooooo.ooooooooooooooooooooooooooooooo
oooooooooooooooooooooooooooooooo.ooooooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooo.example.com.

or, in alternate notation:

fo{47}.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooooooooooo
\000.ooooooooooooooooooooooooooooooooooooooooooo
oooooooooooooooooooo.ooooooooooooooooooooooooooo
oooooooooooooooooooooooooooooooooooo.ooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooo
oooo.example.com.

or, in alternate notation:

fo{47}\000.o{63}.o{63}.o{63}.example.com.
Example where DNS name is the maximum DNS name length:

N = fooooooooooooooooooooooooooooooooooooooooooooooo
o.oooooooooooooooooooooooooooooooooooooooooooooo
ooooooooooooooooo.oooooooooooooooooooooooooooooo
ooooooooooooooooooooooooooooooooo.oooooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooo
o.example.com.

or, in alternate notation:

fo{48}.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooooooooooo
p.oooooooooooooooooooooooooooooooooooooooooooooo
ooooooooooooooooo.oooooooooooooooooooooooooooooo
ooooooooooooooooooooooooooooooooo.oooooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooo
o.example.com.

or, in alternate notation:

fo{47}p.o{63}.o{63}.o{63}.example.com.
Example where DNS name is the maximum DNS name length and the least
significant (left-most) label has the maximum sort value:

N = \255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255
\255.ooooooooooooooooooooooooooooooooooooooooooo
oooooooooooooooooooo.ooooooooooooooooooooooooooo
oooooooooooooooooooooooooooooooooooo.ooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooo
oooo.example.com.

or, in alternate notation:

\255{49}.o{63}.o{63}.o{63}.example.com.

S(N) =

oooooooooooooooooooooooooooooooooooooooooooooooo
oooooooooooooop.oooooooooooooooooooooooooooooooo
ooooooooooooooooooooooooooooooo.oooooooooooooooo
ooooooooooooooooooooooooooooooooooooooooooooooo.
example.com.

or, in alternate notation:

o{62}p.o{63}.o{63}.example.com.
Example where DNS name is the maximum DNS name length and the eight
least significant (right-most) octets of the least significant (left-most)
label have the maximum sort value:

N = foooooooooooooooooooooooooooooooooooooooo\255
\255\255\255\255\255\255\255.ooooooooooooooooooo
oooooooooooooooooooooooooooooooooooooooooooo.ooo
oooooooooooooooooooooooooooooooooooooooooooooooo
oooooooooooo.ooooooooooooooooooooooooooooooooooo
oooooooooooooooooooooooooooo.example.com.

or, in alternate notation:

fo{40}\255{8}.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooop.oooooo
oooooooooooooooooooooooooooooooooooooooooooooooo
ooooooooo.oooooooooooooooooooooooooooooooooooooo
ooooooooooooooooooooooooo.oooooooooooooooooooooo
ooooooooooooooooooooooooooooooooooooooooo.example.com.

or, in alternate notation:

fo{39}p.o{63}.o{63}.o{63}.example.com.
Example where DNS name is the maximum DNS name length and contains an
octet which must be incremented by skipping values corresponding to
US-ASCII uppercase letters:

N = fooooooooooooooooooooooooooooooooooooooooooooooo
\@.ooooooooooooooooooooooooooooooooooooooooooooo
oooooooooooooooooo.ooooooooooooooooooooooooooooo
oooooooooooooooooooooooooooooooooo.ooooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooo
oo.example.com.

or, in alternate notation:

fo{47}\@.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooooooooooo
\[.ooooooooooooooooooooooooooooooooooooooooooooo
oooooooooooooooooo.ooooooooooooooooooooooooooooo
oooooooooooooooooooooooooooooooooo.ooooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooo
oo.example.com.

or, in alternate notation:

fo{47}\[.o{63}.o{63}.o{63}.example.com.

   Example where DNS name has the maximum possible sort order in the
   zone, and consequently wraps to the owner name of the zone apex:

      N = \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255.\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255.\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255.\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255.example.com.

      or, in alternate notation:

          \255{49}.\255{63}.\255{63}.\255{63}.example.com.

      S(N) = example.com.
6.3. Examples of Predecessors Using Modified Method

   Example of typical case:

      P'(foo.example.com.) =

          fon\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255.example.com.

      or, in alternate notation:

          fon\255{60}.example.com.

   Example where DNS name contains more labels than DNS names in the

      P'(bar.foo.example.com.) = foo.example.com.

   Example where least significant (right-most) octet of least
   significant (left-most) label has the minimum sort value:

      P'(foo\000.example.com.) = foo.example.com.

   Example where least significant (left-most) label has the minimum

      P'(\000.example.com.) = example.com.

   Example where DNS name is the owner name of the zone apex, and
   consequently wraps to the DNS name with the maximum possible sort

      P'(example.com.) =

          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255.example.com.

      or, in alternate notation:

          \255{63}.example.com.
6.4. Examples of Successors Using Modified Method

   Example of typical case:

      S'(foo.example.com.) = foo\000.example.com.

   Example where DNS name contains more labels than DNS names in the

      S'(bar.foo.example.com.) = foo\000.example.com.

   Example where least significant (left-most) label has the maximum
   sort value, and consequently wraps to the owner name of the zone

      N = \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255.example.com.

      or, in alternate notation:

          \255{63}.example.com.

      S'(N) = example.com.
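   The following is an added worked example and not code from the draft
   or its authors.  It implements the modified-method derivations P'(N)
   and S'(N) illustrated in Sections 6.3 and 6.4 above, together with
   the uppercase-skipping octet increment that the \@ to \[ successor
   in Section 6.2 depends on.  It assumes names are handled as lists of
   wire-format labels (bytes), that the zone apex (example.com. in the
   draft's examples) is passed explicitly, and that every name in the
   zone has exactly one more label than the apex, which is the modified
   method's precondition.  The helper names (parse, fmt, canonical_key,
   inc_octet, dec_octet, max_first_label, predecessor_mod, successor_mod,
   pred, succ) are this example's own.  It goes slightly beyond the
   draft's examples in two places: the left-most label is capped at
   whatever fits the 255-octet name limit for the given apex rather
   than at a hard-coded 63, and the successor of the apex itself (not
   shown on this page) is taken to be \000.apex, the smallest possible
   one-label-deeper name in canonical order.

```python
# Added example, not the draft's own code: modified-method P'(N) and S'(N)
# over wire-format labels, plus the uppercase-skipping octet arithmetic.
MAX_LABEL = 63     # RFC 1035 label limit
MAX_NAME = 255     # RFC 1035 wire-format name limit, length octets and root included

def parse(name: str) -> list[bytes]:
    """Draft presentation form -> labels: \\DDD decimal escapes, \\c for a
    literal character, '.' between labels, optional trailing '.'."""
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        c = name[i]
        if c == "\\" and name[i + 1:i + 4].isdigit():
            cur.append(int(name[i + 1:i + 4]))
            i += 4
        elif c == "\\":
            cur.append(ord(name[i + 1]))
            i += 2
        elif c == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels

def fmt(labels: list[bytes]) -> str:
    """Inverse of parse(): alphanumerics and '-' literally, other printable
    octets as \\c, everything else as \\DDD (the draft's decimal notation)."""
    def octet(b: int) -> str:
        if b < 128 and (chr(b).isalnum() or b == ord("-")):
            return chr(b)
        return "\\" + chr(b) if 0x21 <= b <= 0x7E else "\\%03d" % b
    return ".".join("".join(octet(b) for b in label) for label in labels) + "."

def canonical_key(labels: list[bytes]) -> tuple:
    """Key for RFC 4034 section 6.1 canonical order: labels compared from the
    right, US-ASCII uppercase folded to lowercase; Python's tuple and bytes
    comparison already sorts an absent label or octet before a present one."""
    return tuple(label.lower() for label in reversed(labels))

def inc_octet(b: int) -> int:
    """Next octet in canonical order; 'A'..'Z' sort as 'a'..'z' and are
    skipped, so '@' (0x40) steps straight to '[' (0x5B).  Never called with 255."""
    b += 1
    return ord("[") if ord("A") <= b <= ord("Z") else b

def dec_octet(b: int) -> int:
    """Previous octet in canonical order; '[' steps back to '@'.  Never called with 0."""
    b -= 1
    return ord("@") if ord("A") <= b <= ord("Z") else b

def max_first_label(apex: list[bytes]) -> int:
    """Longest left-most label that keeps the name within MAX_NAME (the draft's
    'effective maximum' restriction); 63 for example.com."""
    apex_wire = sum(len(l) + 1 for l in apex) + 1      # +1: root label
    return min(MAX_LABEL, MAX_NAME - apex_wire - 1)    # -1: the label's length octet

def predecessor_mod(n: list[bytes], apex: list[bytes]) -> list[bytes]:
    """P'(N), assuming every name in the zone has len(apex)+1 labels."""
    depth = len(apex) + 1
    if len(n) == len(apex):                  # apex wraps to the maximum name
        return [b"\xff" * max_first_label(apex)] + list(apex)
    if len(n) > depth:                       # extra labels: the truncation is P'(N)
        return n[len(n) - depth:]
    first = n[0]
    if first.endswith(b"\x00"):              # drop the minimum octet; empty label -> apex
        return ([first[:-1]] if len(first) > 1 else []) + n[1:]
    head = first[:-1] + bytes([dec_octet(first[-1])])
    return [head + b"\xff" * (max_first_label(apex) - len(head))] + n[1:]

def successor_mod(n: list[bytes], apex: list[bytes]) -> list[bytes]:
    """S'(N) under the same assumption."""
    depth = len(apex) + 1
    if len(n) == len(apex):                  # assumed: nothing sorts between apex and \000.apex
        return [b"\x00"] + list(apex)
    if len(n) > depth:                       # extra labels: continue with the truncation
        n = n[len(n) - depth:]
    first = n[0]
    if len(first) < max_first_label(apex):
        return [first + b"\x00"] + n[1:]
    stripped = first.rstrip(b"\xff")         # \255 octets have no successor
    if not stripped:
        return list(apex)                    # the maximum name wraps to the apex
    return [stripped[:-1] + bytes([inc_octet(stripped[-1])])] + n[1:]

def pred(name: str, apex: str = "example.com.") -> str:
    return fmt(predecessor_mod(parse(name), parse(apex)))

def succ(name: str, apex: str = "example.com.") -> str:
    return fmt(successor_mod(parse(name), parse(apex)))
```

   pred() and succ() take and return the draft's presentation form, so
   pred("foo.example.com.") yields fon\255{60}.example.com. written out
   in full, succ(r"\255"*63 + ".example.com.") yields example.com. (the
   wrap case), and canonical_key() lets a caller confirm that a
   synthesized NSEC span P'(N) < N < S'(N) really covers the queried
   name in RFC 4034 order before signing it.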

7. Security Considerations

   The derivation of some predecessors and successors requires more
   conditions to be tested than others.  Consequently the effectiveness
   of a denial-of-service attack may be enhanced by sending queries for
   names whose derivation requires more conditions to be tested.  The
   modified method involves the testing of fewer conditions than the
   absolute method and is consequently somewhat less susceptible to
   this exposure.

8. IANA Considerations

   This document has no IANA actions.

   Note to RFC Editor: This section is included to make it clear during
   pre-publication review that this document has no IANA actions.  It
   may therefore be removed should it be published as an RFC.

9. Acknowledgements

   The authors would like to thank Olaf Kolkman, Olafur Gudmundsson and
   Niall O'Reilly for their review and input.

10. References

10.1 Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              February 2000.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

10.2 Informative References

   [I-D.ietf-dnsext-dnssec-online-signing]
              Ihren, J. and S. Weiler, "Minimally Covering NSEC Records
              and DNSSEC On-line Signing",
              draft-ietf-dnsext-dnssec-online-signing-00 (work in
              progress), May 2005.

   [I-D.ietf-dnsext-dnssec-trans]
              Arends, R., Koch, P., and J. Schlyter, "Evaluating DNSSEC
              Transition Mechanisms",
              draft-ietf-dnsext-dnssec-trans-02 (work in progress),
Appendix A. Change History
1213
A.1. Changes from sisson-02 to ietf-00
1215
o Added notes on use of SRV RRs with modified method.
1217
o Changed reference from weiler-dnssec-online-signing to ietf-
1218
dnsext-dnssec-online-signing.
1220
o Changed reference from ietf-dnsext-dnssec-records to RFC 4034.
1222
o Miscellaneous minor changes to text.
1228
Sisson & Laurie Expires January 11, 2006 [Page 22]
1230
Internet-Draft DNS Name Predecessor and Successor July 2005
1233
A.2. Changes from sisson-01 to sisson-02
1235
o Added modified version of derivation (with supporting examples).
1237
o Introduced notational conventions N, P(N), S(N), P'(N) and S'(N).
1239
o Added clarification to derivations about when processing stops.
1241
o Miscellaneous minor changes to text.
1243
A.3. Changes from sisson-00 to sisson-01
1245
o Split step 3 of derivation of DNS name predecessor into two
1246
distinct steps for clarity.
1248
o Added clarifying text and examples related to the requirement to
1249
avoid uppercase characters when decrementing or incrementing
1252
o Added optimisation using restriction of effective maximum DNS name
1255
o Changed examples to use decimal rather than octal notation as per
1258
o Corrected DNS name length of some examples.
1260
o Added reference to weiler-dnssec-online-signing.
1262
o Miscellaneous minor changes to text.

   Phone: +44 1865 332339
   Email: geoff@nominet.org.uk

   Phone: +44 20 8735 0686
   Email: ben@algroup.co.uk

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   Funding for the RFC Editor function is currently provided by the