Brandenburg InternetWorking

675 Spruce Dr. Sunnyvale CA 94086 United States of America +1.408.246.8253 dcrocker@bbiw.net http://bbiw.net/

dnsop DNS Domain Name System> Formally, any DNS Resource Record (RR) may occur under any domain name. However, some services use an operational convention for defining specific interpretations of an RRset by locating the records in a DNS branch under the parent domain to which the RRset actually applies. The top of this subordinate branch is defined by a naming convention that uses a reserved node name, which begins with the underscore character (e.g., "_name"). The underscored naming construct defines a semantic scope for DNS record types that are associated with the parent domain above the underscored branch. This specification explores the nature of this DNS usage and defines the "Underscored and Globally Scoped DNS Node Names" registry with IANA. The purpose of this registry is to avoid collisions resulting from the use of the same underscored name for different services.

Introduction The core Domain Name System (DNS) technical specifications ( and ) assign no semantics to domain names or their parts, and no constraints upon which resource record (RR) types are permitted to be stored under particular names . Over time, some leaf node names, such as www and ftp, have come to imply support for particular services, but this is a matter of operational convention rather than defined protocol semantics. This freedom in the basic technology has permitted a wide range of administrative and semantic policies to be used -- in parallel. DNS data semantics have been limited to the specification of particular resource record types on the expectation that new resource record types would be added as needed. Unfortunately, the addition of new resource record types has proven extremely challenging, with significant adoption and use barriers occurring over the life of the DNS.

Underscore-Based Scoping As an alternative to defining a new RR TYPE, some DNS service enhancements call for using an existing resource record type but specifying a restricted scope for its occurrence. Scope is meant as a static property, not one dependent on the nature of the query. It is an artifact of the DNS name. That scope is a leaf node containing the specific resource record sets that are formally defined and constrained. Specifically:

• The leaf occurs in a branch having a distinguished naming convention: there is a parent domain name to which the scoped data applies. The branch is under this name. The sub-branch is indicated by a sequence of one or more reserved DNS node names; at least the first (highest) of these names begins with an underscore (e.g., "_name").

Because the DNS rules for a "host" (host name) do not allow use of the underscore character, the underscored name is distinguishable from all legal host names . Effectively, this convention for naming leaf nodes creates a space for the listing of "attributes" -- in the form of resource record types -- that are associated with the parent domain above the underscored sub-branch. The scoping feature is particularly useful when generalized resource record types are used -- notably TXT, SRV, and URI . It provides efficient separation of one use of them from others. Absent this separation, an undifferentiated mass of these RRsets is returned to the DNS client, which then must parse through the internals of the records in the hope of finding ones that are relevant. Worse, in some cases, the results are ambiguous because a record type might not adequately self-identify its specific purpose. With underscore-based scoping, only the relevant RRsets are returned. A simple example is DomainKeys Identified Mail (DKIM), which uses _domainkey to define a place to hold a TXT record containing signing information for the parent domain. This specification formally defines how underscored names are used as "attribute" enhancements for their parent domain names. For example, the domain name "_domainkey.example." acts as an attribute of the parent domain name "example.". To avoid collisions resulting from the use of the same underscored names for different applications using the same resource record type, this document establishes the "Underscored and Globally Scoped DNS Node Names" registry with IANA. Use of such node names, which begin with an underscore character, is reserved when they are the underscored name closest to the DNS root; as in that case, they are considered "global". Underscored names that are farther down the hierarchy are handled within the scope of the global underscored node name. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Scaling Benefits Some resource record types are used in a fashion that can create scaling problems if an entire RRset associated with a domain name is aggregated in the leaf node for that name. An increasingly popular approach, with excellent scaling properties, places the RRset under a specially named branch, which is in turn under the node name that would otherwise contain the RRset. The rules for naming that branch define the context for interpreting the RRset. That is, rather than: the arrangement is: A direct lookup to the subordinate leaf node produces only the desired record types, at no greater cost than a typical DNS lookup.

Global Underscored Node Names As defined in , the DNS uses names organized in a tree-structured or hierarchical fashion. A domain name might have multiple node names that begin with the underscore character (e.g., "_name"). A global underscored node name is the one that is closest to the root of the DNS hierarchy, also called the highest level or topmost. In the presentation convention described in Section 3.1 of , this is the rightmost name beginning with an underscore. In other presentation environments, it might be positioned differently. To avoid concern for the presentation variations, the qualifier "global" is used here.

Interaction with DNS Wildcards DNS wildcards interact poorly with underscored names in two ways: Since wildcards are only interpreted as leaf names, one cannot create the equivalent of a wildcard name for prefixed names. A name such as label.*.example.com is not a wildcard. Conversely, a wildcard such as *.example.com can match any name including an underscored name. So, a wildcard might match an underscored name, returning a record that is the type controlled by the underscored name but is not intended to be used in the underscored context and does not conform to its rules.

History Originally, different uses of underscored node names developed largely without coordination. For TXT records, there is no consistent, internal syntax that permits distinguishing among the different uses. In the case of the SRV RR and URI RR, distinguishing among different types of use was part of the design (see and ). The SRV and URI specifications serve as templates, defining RRs that might only be used for specific applications when there is an additional specification. The template definition included reference to two levels of tables of names from which underscored names should be drawn. The lower-level (local scope) set of _service names is defined in terms of other IANA tables, namely any table with symbolic names. The upper-level (global scope) SRV naming field is _proto, although its pool of names is not explicitly defined. The aggregate effect of these independent efforts was a long list of underscored names that were reserved without coordination, which invites an eventual name-assignment collision. The remedy is this base document and a companion document (), which define a registry for these names and attempt to register all those already in use as well as to direct changes to the pre-registry specifications that used global underscored node names.

"Underscored and Globally Scoped DNS Node Names" Registry A registry for global DNS node names that begin with an underscore is defined here. The purpose of the "Underscored and Globally Scoped DNS Node Names" registry is to avoid collisions resulting from the use of the same underscored name for different applications.

• If a public specification calls for use of an underscored node name, the global underscored node name -- the underscored name that is closest to the DNS root -- MUST be entered into this registry.

An underscored name defines the scope of use for specific resource record types, which are associated with the domain name that is the "parent" to the branch defined by the underscored name. A given name defines a specific, constrained context for one or more RR TYPEs, where use of such record types conforms to the defined constraints.

• Within a leaf that is underscore scoped, other RRsets that are not specified as part of the scope MAY be used.

Structurally, the registry is defined as a single, flat table of RR TYPEs, under node names beginning with underscore. In some cases, such as for use of an SRV record, the full scoping name might be multi-part, as a sequence of underscored names. Semantically, that sequence represents a hierarchical model, and it is theoretically reasonable to allow reuse of a subordinate underscored name in a different, global underscored context; that is, a subordinate name is meaningful only within the scope of the global underscored node name. Therefore, they are ignored by this "Underscored and Globally Scoped DNS Node Names" registry. This registry is for the definition of highest-level -- that is, global -- underscored node name used. Examples of Underscored Names

NAME
_service1
_protoB._service2
_protoB._service3
_protoC._service3
_useX._protoD._service4
_protoE._region._authority

Only global underscored node names are registered in the "Underscored and Globally Scoped DNS Node Names" registry. From the example above, that would mean _service1, _service2, _service3, _service 4, and _authority would be listed in the IANA registry.

• The use of underscored node names is specific to each RR TYPE that is being scoped. Each name defines a place but does not define the rules for what appears underneath that place, either as additional underscored naming or as a leaf node with resource records. Details for those rules are provided by specifications for individual RR TYPEs. The sections below describe the way that existing underscored names are used with the RR TYPEs that they name.
• Definition and registration of subordinate underscored node names are the responsibility of the specification that creates the global underscored node name registry entry.

That is, if a scheme using a global underscored node name has one or more subordinate levels of underscored node naming, the namespaces from which names for those lower levels are chosen are controlled by the parent underscored node name. Each registered global underscored node name owns a distinct, subordinate namespace.

Guidance for Registering RRset Use This section provides guidance for specification writers, with a basic template they can use, to register new entries in the "Underscored and Globally Scoped DNS Node Names" registry. The text can be added to specifications using RR TYPE / _NODE NAME combinations that have not already been registered:

• Per RFC 8552, please add the following entry to the "Underscored and Globally Scoped DNS Node Names" registry:

Template for Entries in the "Underscored and Globally Scoped DNS Node Names" Registry

RR Type	_NODE NAME	Reference
{RR TYPE}	_{DNS global node name}	{citation for the document making the addition.}

IANA Considerations IANA has established the "Underscored and Globally Scoped DNS Node Names" registry. This section describes the registry, the definitions, the initial entries, the use of_ta and _example, and the use of as guidance for expert review. IANA has also updated the "Enumservices Registrations" registry with a pointer to this document.

"Underscored and Globally Scoped DNS Node Names" Registry The "Underscored and Globally Scoped DNS Node Names" registry includes any DNS node name that begins with the underscore character ("_", ASCII 0x5F) and is the underscored node name closest to the root; that is, it defines the highest level of a DNS branch under a "parent" domain name.

• This registry operates under the IANA rules for "Expert Review" registration; see .
• The contents of each entry in the registry are defined in .
• Each entry in the registry MUST contain values for all of the fields specified in .
• Within the registry, the combination of RR Type and _NODE NAME MUST be unique.
• The table is to be maintained with entries sorted by the first column (RR Type) and, within that, the second column (_NODE NAME).
• The required Reference for an entry MUST have a stable resolution to the organization controlling that registry entry.

Contents of an Entry in the "Underscored and Globally Scoped DNS Node Names" Registry A registry entry contains:

• RR Type:

  Lists an RR TYPE that is defined for use within this scope.

  _NODE NAME:

  Specifies a single, underscored name that defines a reserved name; this name is the global entry name for the scoped resource record types that are associated with that name. For characters in the name that have an uppercase form and a lowercase form, the character MUST be recorded as lowercase to simplify name comparisons.

  Reference:

  Lists the specification that defines a record type and its use under this _Node Name. The organization producing the specification retains control over the registry entry for the _Node Name.

Each RR TYPE that is to be used with a _Node Name MUST have a separate registry entry.

Initial Node Names The initial entries in the registry are as follows: Initial Contents of the "Underscored and Globally Scoped DNS Node Names" Registry

RR Type	_NODE NAME	Reference
*	_example
NULL	_ta-* {}
OPENPGPKEY	_openpgpkey
SMIMEA	_smimecert
SRV	_dccp
SRV	_http
SRV	_ipv6
SRV	_ldap
SRV	_ocsp
SRV	_sctp
SRV	_sip
SRV	_tcp
SRV	_udp
SRV	_xmpp
TLSA	_dane
TLSA	_sctp
TLSA	_tcp
TLSA	_udp
TXT	_acme-challenge
TXT	_dmarc
TXT	_domainkey
TXT	_mta-sts
TXT	_spf
TXT	_sztp
TXT	_tcp
TXT	_udp
TXT	_vouch
URI	_acct
URI	_dccp
URI	_email
URI	_ems
URI	_fax
URI	_ft
URI	_h323
URI	_iax
URI	_ical-access
URI	_ical-sched
URI	_ifax
URI	_im
URI	_mms
URI	_pres
URI	_pstn
URI	_sctp
URI	_sip
URI	_sms
URI	_tcp
URI	_udp
URI	_unifmsg
URI	_vcard
URI	_videomsg
URI	_voice
URI	_voicemsg
URI	_vpim
URI	_web
URI	_xmpp

_ta Under the NULL RR Type, the entry _ta-* denotes all node names beginning with the string _ta-*. It does NOT refer to a DNS wildcard specification.

_example The node name _example is reserved across all RRsets.

Guidance for Expert Review This section provides guidance for expert review of registration requests in the "Underscored and Globally Scoped DNS Node Names" registry.

• This review is solely to determine adequacy of a requested entry in this registry, and it does not include review of other aspects of the document specifying that entry. For example, such a document might also contain a definition of the resource record type that is referenced by the requested entry. Any required review of that definition is separate from the expert review required here.

The review is for the purposes of ensuring that:

• The details for creating the registry entry are sufficiently clear, precise, and complete
• The combination of the underscored name, under which the listed resource record type is used, and the resource record type is unique in the table

For the purposes of this expert review, other matters of the specification's technical quality, adequacy, or the like are outside of scope.

Enumservices Registrations Registry The following note has been added to the "Enumservice Registrations" registry:

• When adding an entry to this registry, strong consideration should be given to also adding an entry to the "Underscored and Globally Scoped DNS Node Names" registry.

Security Considerations This memo raises no security issues.

References Normative References SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. This RFC is the official specification of the format of the Internet Host Table. This edition of the specification includes minor revisions to RFC-810 which brings it up to date. This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document considers some areas that have been identified as problems with the specification of the Domain Name System, and proposes remedies for the defects identified. [STANDARDS-TRACK] Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. This document describes a DNS RR which specifies the location of the server(s) for a specific protocol and domain. [STANDARDS-TRACK] This memo describes extensions to and applications of the core features of the Extensible Messaging and Presence Protocol (XMPP) that provide the basic instant messaging (IM) and presence functionality defined in RFC 2779. [STANDARDS-TRACK] This document defines a Public Key Infrastructure (PKI) repository locator service. The service makes use of DNS SRV records defined in accordance with RFC 2782. The service enables certificate-using systems to locate PKI repositories.This memo defines an Experimental Protocol for the Internet community. A Mobile IPv6 node requires a Home Agent address, a home address, and IPsec security associations with its Home Agent before it can start utilizing Mobile IPv6 service. RFC 3775 requires that some or all of these are statically configured. This document defines how a Mobile IPv6 node can bootstrap this information from non-topological information and security credentials pre-configured on the Mobile Node. The solution defined in this document solves the split scenario described in the Mobile IPv6 bootstrapping problem statement in RFC 4640. The split scenario refers to the case where the Mobile Node's mobility service is authorized by a different service provider than basic network access. The solution described in this document is also generically applicable to any bootstrapping case, since other scenarios are more specific realizations of the split scenario. [STANDARDS-TRACK] This document registers with IANA two new DNS SRV protocol labels for resolving Instant Messaging and Presence services with SIP. [STANDARDS TRACK] This document describes the Vouch By Reference (VBR) protocol. VBR is a protocol for adding third-party certification to email. It permits independent third parties to certify the owner of a domain name that is associated with received mail. [STANDARDS-TRACK] This document revises all Enumservices that were IANA registered under the now obsolete specification of the Enumservice registry defined in RFC 3761. [STANDARDS-TRACK] This document defines the procedures that the Internet Assigned Numbers Authority (IANA) uses when handling assignment and other requests related to the Service Name and Transport Protocol Port Number registry. It also discusses the rationale and principles behind these procedures and how they facilitate the long-term sustainability of the registry. This document updates IANA's procedures by obsoleting the previous UDP and TCP port assignment procedures defined in Sections 8 and 9.1 of the IANA Allocation Guidelines, and it updates the IANA service name and port assignment procedures for UDP-Lite, the Datagram Congestion Control Protocol (DCCP), and the Stream Control Transmission Protocol (SCTP). It also updates the DNS SRV specification to clarify what a service name is and how it is registered. This memo documents an Internet Best Current Practice. DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author's organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer's domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature. This memo obsoletes RFC 4871 and RFC 5672. [STANDARDS-TRACK] Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain's TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. [STANDARDS-TRACK] This document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD. Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the "MAIL FROM" of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization. This document obsoletes RFC 4408. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling. Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse. DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection. This document describes the already registered DNS resource record (RR) type, called the Uniform Resource Identifier (URI) RR, that is used for publishing mappings from hostnames to URIs. This document registers an E.164 Number Mapping (ENUM) service for 'acct' URIs (Uniform Resource Identifiers). This document clarifies and updates the DNS-Based Authentication of Named Entities (DANE) TLSA specification (RFC 6698), based on subsequent implementation experience. It also contains guidance for implementers, operators, and protocol developers who want to use DANE records. OpenPGP is a message format for email (and file) encryption that lacks a standardized lookup mechanism to securely obtain OpenPGP public keys. DNS-Based Authentication of Named Entities (DANE) is a method for publishing public keys in DNS. This document specifies a DANE method for publishing and locating OpenPGP public keys in DNS for a specific email address using a new OPENPGPKEY DNS resource record. Security is provided via Secure DNS, however the OPENPGPKEY record is not a replacement for verification of authenticity via the "web of trust" or manual verification. The OPENPGPKEY record can be used to encrypt an email that would otherwise have to be sent unencrypted. The DNS Security Extensions (DNSSEC) were developed to provide origin authentication and integrity protection for DNS data by using digital signatures. These digital signatures can be verified by building a chain of trust starting from a trust anchor and proceeding down to a particular node in the DNS. This document specifies two different ways for validating resolvers to signal to a server which keys are referenced in their chain of trust. The data from such signaling allow zone administrators to monitor the progress of rollovers in a DNSSEC-signed zone. This document describes how to use secure DNS to associate an S/MIME user's certificate with the intended domain name, similar to the way that DNS-Based Authentication of Named Entities (DANE), RFC 6698, does for TLS. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation. Informative References Original uses of an underscore character as a domain node name prefix, which creates a space for constrained interpretation of resource records, were specified without the benefit of an IANA registry. This produced an entirely uncoordinated set of name- creation activities, all drawing from the same namespace. A registry now has been defined. However the existing specifications that use underscore naming need to be modified, to be in line with the new registry. This document specifies those changes. The changes preserve existing software and operational practice, while adapting the specifications for those practices to the newer underscore registry model. This draft presents a technique to securely provision a networking device when it is booting in a factory-default state. Variations in the solution enables it to be used on both public and private networks. The provisioning steps are able to update the boot image, commit an initial configuration, and execute arbitrary scripts to address auxiliary needs. The updated device is subsequently able to establish secure connections with other systems. For instance, a device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040) connections with deployment-specific network management systems.

Acknowledgements Thanks go to Bill Fenner, Dick Franks, Tony Hansen, Martin Hoffmann, Paul Hoffman, Peter Koch, Olaf Kolkman, Murray Kucherawy, John Levine, Benno Overeinder, and Andrew Sullivan for diligent review of the (much) earlier draft versions. For the later enhancements, thanks to Stephane Bortzmeyer, Alissa Cooper, Bob Harold, Joel Jaeggli, Benjamin Kaduk, Mirja Kuehlewind, Warren Kumari, John Levine, Benno Overeinder, Eric Rescorla, Adam Roach, Petr Spacek, Ondrej Sury, Paul Vixie, Tim Wicinski, and Paul Wouters. Special thanks to Ray Bellis for his persistent encouragement to continue this effort, as well as the suggestion for an essential simplification to the registration model.