Presentation is loading. Please wait.

Presentation is loading. Please wait.

15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt1 Wildcard Clarify draft-ietf-dnsext-wcard-clarify-00.txt.

Published byElmer Brooks Modified over 8 years ago

Similar presentations

Presentation on theme: "15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt1 Wildcard Clarify draft-ietf-dnsext-wcard-clarify-00.txt."— Presentation transcript:

1 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt1 Wildcard Clarify draft-ietf-dnsext-wcard-clarify-00.txt

2 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt2 Outline (of Doc) 1 Introduction 2 Defining the Wild Card Domain Name 3 Defining Existence 4 Impact of a Wild Card Domain In a Query Msg 5 Impact of a Wild Card Domain On a Response 6 Authenticated Denial and Wild Cards 7 Analytical Proof... Apdx A: Subdomains of W C Domain Names

3 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt3 Since last time With "last time" = March/SF Meeting These have been done –Became a WG document –Addition of a proof to formalize the notion/definition of the closest encloser

4 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt4 Proposal Split Document Pre-DNSSEC and DNSSEC parts –"NXT" appears just once in s1 (as reason for the work) –"NXT" appears only in s6 and s7 besides that Therefore –1-5 and Appendix A a clarification to RFC 1034 –6, 7 to NXT place (draft ? part of protocolbis)

5 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt5 Clarifying 1034 (Pre-DNSSEC) Existence statement already in document Impact of Wild Card domain name owning –CNAME –NS –DNAME –SOA Related to CNAME - change to 4.3.2.-3c

6 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt6 Requirements against 1034 R2.1 A domain name... MUST begin R2.2 A server MUST treat a WC... R3.1 An authoritative server MUST treat a domain name as existing... R3.2 An authoritative server MUST treat a domain name that has neither... R4.1 A WC domain name acting as a QNAME... R4.2 A WC domain name appearing... RDATA...

7 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt7 DNSSEC part Rules for NXT's as part of authenticated denial as it relates to wild card Fix up the proof Add "recipe" resulting from proof Question - where/how will this text appear? –Is this a clarification or a change - that's the question...

8 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt8 Req's against DNSSEC R6.1...authenticated denial MUST reveal... R6.2 If a zone is signed... R6.3 When synthesizing a positive answer... R6.4 When synthesizing a negative answer... R6.5...an authoritative name error, the answer... R6.6...in which there is an exact match of the... R6.7 A resolver MUST confirm... R6.8 A resolver MUST confirm... R6.9 A resolver MUST confirm...

9 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt9 Existence 1034's words on existence are too vague (everything exists) yet defines a "name error" for non-existence Adjusted definition in new draft, previously discussed

10 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt10 * IN 900 CNAME blah According to 4.3.2, there is no problem, although most implementations do not follow specification A CNAME at a wcard ought to return the CNAME iff the CNAME was asked for So - no problem here, but we will revisit 4.3.2-3.c later because of this

11 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt11 * IN 900 NS blah MAY? SHOULD? MUST? reject zone on "load" –Suggestion seems to be "no" to all User confusion –Document why this doesn't work –Puts pressure on step 2 of algorithm Do * NS's make other data at * "glue"?

12 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt12 * IN 900 DNAME blah DNAME (specification) has problems Nothing special in the wild card case Can essentially treat DNAME as a CNAME generator

13 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt13 * IN 900 SOA........ Don't think this needs discussion Anyone else?

14 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt14 Change to 4.3.2-3.c Says (basically) when a QNAME matches a '*', return the records that match QTYPE Does not say "if there's a CNAME, chase it" but apparently many implementations do Proposed change (to 1034) - add CNAME chasing to this step

15 15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt15 Summary "Actions" Split Existence (as written) "* NS" add text to make it clear Modify step 3.c of 4.3.2 (in 1034) to chase CNAME's at WC match Move other text to DNSSEC doc Add "recipe" resulting from proof, edit proof

Download ppt "15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt1 Wildcard Clarify draft-ietf-dnsext-wcard-clarify-00.txt."

Similar presentations

Before and During!. You cant just show up at a conference! There are things we need to do to get ready. BEFORE.

Before and During!. You cant just show up at a conference! There are things we need to do to get ready. BEFORE.
IDN TLD Variants Implementation Guideline draft-yao-dnsop-idntld-implementation-01.txt Yao Jiankang.

IDN TLD Variants Implementation Guideline draft-yao-dnsop-idntld-implementation-01.txt Yao Jiankang.
Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN.

Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN.
DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
IETF-751 Olafur Gudmundsson Andrew Sullivan.

IETF-751 Olafur Gudmundsson Andrew Sullivan.
Section 10.2.

Section 10.2.
Welcome to KU 121, Unit 7 Seminar

Welcome to KU 121, Unit 7 Seminar
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.

DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
© Janice Regan, CMPT 102, Sept. 2006 0 CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.

© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.
1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Lecturer: Fintan Costello Welcome to Hdip 001 Introduction to Programming.

Lecturer: Fintan Costello Welcome to Hdip 001 Introduction to Programming.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
Improving Achievement The CPC Way © 2004. James M. Furukawa, J.D., Ph.D.

Improving Achievement The CPC Way © James M. Furukawa, J.D., Ph.D.
Introduction to the Adjective/Noun Theme. © 2012 Math As A Second Language All Rights Reserved next #1 Taking the Fear out of Math.

Introduction to the Adjective/Noun Theme. © 2012 Math As A Second Language All Rights Reserved next #1 Taking the Fear out of Math.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Similar presentations

Ads by Google