DNAME Redirection in the DNS NIST 100 Bureau Dr.Gaithersburg20899MDUSA+1-301-975-8439+1-301-975-6238 scottr.nist@gmail.com NLnet Labs Science Park 1401098 XGAmsterdamThe Netherlands+31-20-888-4551 wouter@nlnetlabs.nl
Internet Area
DNS Extensions Working Group DNSDNAME
The DNAME record provides redirection for a sub-tree of the domain
name tree in the DNS system. That is, all names that
end with a particular suffix are redirected to another part of
the DNS.
This is a revision to the original specification in RFC 2672 (which this document obsoletes) as well as
updating RFC 3363 and RFC 4294 to align with this revision.
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED" "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in RFC 2119.
DNAME is a DNS Resource Record type originally defined in
RFC 2672 . DNAME provides redirection from
a part of the DNS name tree to another part of the DNS name tree.
The DNAME RR and the CNAME RR cause a
lookup to (potentially) return data corresponding to a domain name
different from the queried domain name. The difference between
the two resource records is that the CNAME RR directs the lookup
of data at its owner to another single name, a DNAME RR directs
lookups for data at descendants of its owner's name to
corresponding names under a different (single) node of the tree.
Take for example, looking through a zone (see
RFC 1034, section 4.3.2, step 3) for
the domain name "foo.example.com" and a DNAME resource record
is found at "example.com" indicating that all queries under
"example.com" be directed to "example.net". The lookup process
will return to step 1 with the new query name of "foo.example.net".
Had the query name been "www.foo.example.com" the new query name
would be "www.foo.example.net".
This document is a revision of the original specification of DNAME
in RFC 2672.
DNAME was conceived to help with the problem of maintaining
address-to-name mappings in a context of network renumbering.
With a careful set-up, a renumbering event in the network
causes no change to the authoritative server that has the
address-to-name mappings. Examples in practice are classless
reverse address space delegations.
Another usage of DNAME lies in aliasing of name spaces. For
example, a zone administrator may want sub-trees of the DNS to
contain the same information. Examples include punycode alternates for
domain spaces.
This revision of the DNAME specification does not change the wire format or the
handling of DNAME Resource Records.
Discussion is added on problems that may be encountered
when using DNAME.
The DNAME RR has mnemonic DNAME and type code 39 (decimal).
It is not class-sensitive.
Details of the substitution process, methods to avoid conflicting
resource records, and rules for specific corner cases are given in
the following subsections.
When following RFC 1034 , section 4.3.2's
algorithm's third step, "start matching down, label by label, in
the zone" and a node is found to own a DNAME resource record
a DNAME substitution occurs. The name being sought may be the
original query name or a name that is the result of a CNAME
resource record being followed or a previously encountered DNAME.
As in the case when finding a CNAME resource record or NS resource
record set, the processing of a DNAME will happen prior to finding
the desired domain name.
A DNAME substitution is performed by replacing the suffix labels
of the name being sought matching the owner name of the DNAME
resource record with the string of labels in the RDATA field.
The matching labels end with the root label in all cases.
Only whole labels are replaced. See the table of examples for
common cases and corner cases.
It is possible for DNAMEs to form loops, just as
CNAMEs can form loops. DNAMEs and CNAMEs can chain together to
form loops. A single corner case DNAME can form a loop. Resolvers
and servers should be cautious in devoting resources to a query,
but be aware that fairly long chains of DNAMEs may be valid.
Zone content administrators should take care to insure that there
are no loops that could occur when using DNAME or DNAME/CNAME
redirection.
The domain name can get too long during substitution. For example, suppose the
target name of the DNAME RR is 250 octets in length (multiple labels), if
an incoming QNAME that has a first label over 5 octets in length, the result
would be a name over 255 octets. If this occurs the
server returns an RCODE of YXDOMAIN . The DNAME
record and its signature (if the zone is signed) are included in the answer as proof
for the YXDOMAIN (value 6) RCODE.
Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its
owner name; the owner name of a DNAME is not redirected itself.
The domain name that owns a DNAME record is allowed to have other
resource record types at that domain name, except DNAMEs, CNAMEs
or other types that have restrictions on what they can co-exist with.
When there is a match of the QTYPE to a type (or types) also owned by
the owner name the response is sourced from the owner name. E.g., a
QTYPE of ANY would return the (available) types at the owner name, not
the target name.
DNAME RRs MUST NOT appear at the same owner name as an NS RR unless
the owner name is the zone apex as this would constitute data below a
zone cut.
If a DNAME record is present at the zone apex, there is still a need
to have the customary SOA and NS resource records there as well. Such
a DNAME cannot be used to mirror a zone completely, as it does not
mirror the zone apex.
These rules also allow DNAME records to be queried through RFC 1034
compliant, DNAME-unaware caches.
Resource records MUST NOT exist at any sub-domain of
the owner of a DNAME RR. To get the contents for names
subordinate to that owner name, the DNAME redirection must be invoked
and the resulting target queried. A server MAY refuse to load
a zone that has data at a sub-domain of a domain name
owning a DNAME RR. If the server does load the zone, those names
below the DNAME RR will be occluded as described in
RFC 2136 , section 7.18.
Also a server SHOULD refuse to load
a zone subordinate to the owner of a DNAME record in the ancestor zone.
See for further discussion
related to dynamic update.
DNAME is a singleton type, meaning only one DNAME is allowed per
name. The owner name of a DNAME can only have one DNAME RR, and
no CNAME RRs can exist at that name.
These rules make sure that for a single domain name only one
redirection exists, and thus no confusion which one to follow.
A server SHOULD refuse to load a zone that violates these rules.
The DNAME owner name can be compressed like any other owner name.
The DNAME RDATA target name MUST NOT be sent out in
compressed form and MUST be downcased for DNSSEC validation.
Although the previous DNAME specification
(that is obsoleted by this specification) talked about signaling
to allow compression of the target name, such signaling has never
been specified and this document also does not specify this signaling
behavior.
RFC 2672 (obsoleted by this document) stated that the EDNS version
had a meaning for understanding of DNAME and DNAME target name
compression. This document revises RFC 2672, in that there is no
EDNS version signaling for DNAME.
When preparing a response, a server performing a DNAME
substitution will in all cases include the relevant DNAME RR in the
answer section. Relevant cases includes the following:
The DNAME is being employed as a substitution instruction.The DNAME itself matches the QTYPE and the owner name matches QNAME.
When the owner name name matches the QNAME and the QTYPE matches another
type owned there, the DNAME is not included in the answer.
A CNAME RR with TTL equal to the corresponding DNAME RR is synthesized
and included in the answer section when the DNAME is employed as a
substitution instruction. The owner name of the CNAME is the QNAME
of the query. The DNSSEC specification , ,
says that the
synthesized CNAME does not have to be signed. The signed DNAME has an RRSIG
and a validating resolver can check the CNAME against the DNAME
record and validate the signature over the DNAME RR.
Servers MUST be able to answer a query for a synthesized CNAME. Like
other query types this invokes the DNAME, and then the server synthesizes the CNAME
and places it into the answer section. If the server in question is a cache, the synthesized
CNAME's TTL SHOULD be equal to the decremented TTL of the cached DNAME.
Resolvers MUST be able to handle a synthesized CNAME TTL of zero or
equal to the TTL of the corresponding DNAME record (as some older
authoritative server implementations set the TTL of synthesized
CNAMEs to zero). A TTL of zero
means that the CNAME can be discarded immediately after processing
the answer.
Below is the server algorithm, which appeared in RFC 2672 Section 4.1.
Set or clear the value of recursion available in the response
depending on whether the name server is willing to provide
recursive service. If recursive service is available and
requested via the RD bit in the query, go to step 5, otherwise
step 2.
Search the available zones for the zone which is the nearest
ancestor to QNAME. If such a zone is found, go to step 3,
otherwise step 4.
Start matching down, label by label, in the zone. The matching
process can terminate several ways:
If the whole of QNAME is matched, we have found the node.
If the data at the node is a CNAME, and QTYPE does not match
CNAME, copy the CNAME RR into the answer section of the
response, change QNAME to the canonical name in the CNAME RR,
and go back to step 1.
Otherwise, copy all RRs which match QTYPE into the answer
section and go to step 6.
If a match would take us out of the authoritative data, we have
a referral. This happens when we encounter a node with NS RRs
marking cuts along the bottom of a zone.
Copy the NS RRs for the sub-zone into the authority section of
the reply. Put whatever addresses are available into the
additional section, using glue RRs if the addresses are not
available from authoritative data or the cache. Go to step 4.
If at some label, a match is impossible (i.e., the
corresponding label does not exist), look to see whether the
last label matched has a DNAME record.
If a DNAME record exists at that point, copy that record into
the answer section. If substitution of its <target> for its
<owner> in QNAME would overflow the legal size for a <domain-
name>, set RCODE to YXDOMAIN and exit;
otherwise
perform the substitution and continue.
The server MUST synthesize a CNAME
record as described above and include it in the answer section.
Go back to step 1.
If there was no DNAME record, look to see if the "*" label
exists.
If the "*" label does not exist, check whether the name we are
looking for is the original QNAME in the query or a name we
have followed due to a CNAME or DNAME. If the name is original, set an
authoritative name error in the response and exit. Otherwise
just exit.
If the "*" label does exist, match RRs at that node against
QTYPE. If any match, copy them into the answer section, but
set the owner of the RR to be QNAME, and not the node with
the "*" label. If the data at the node with the "*" label is a CNAME,
and QTYPE doesn't match CNAME, copy the CNAME RR into the answer
section of the response changing the owner name to the QNAME,
change QNAME to the canonical name in the CNAME RR, and go back to
step 1. Otherwise, Go to step 6.
Start matching down in the cache. If QNAME is found in the cache,
copy all RRs attached to it that match QTYPE into the answer
section. If QNAME is not found in the cache but a DNAME record is
present at an ancestor of QNAME, copy that DNAME record into the
answer section. If there was no delegation from authoritative
data, look for the best one from the cache, and put it in the
authority section. Go to step 6.
Use the local resolver or a copy of its algorithm
to answer the query. Store the results,
including any intermediate CNAMEs and DNAMEs, in the answer
section of the response.
Using local data only, attempt to add other RRs which may be
useful to the additional section of the query. Exit.
Note that there will be at most one ancestor with a DNAME as
described in step 4 unless some zone's data is in violation of the
no-descendants limitation in section 3. An implementation might take
advantage of this limitation by stopping the search of step 3c or
step 4 when a DNAME record is encountered.
The use of DNAME in conjunction with wildcards is discouraged
. Thus records of the form
"*.example.com DNAME example.net" SHOULD NOT be used.
The interaction between the expansion of the wildcard and the
redirection of the DNAME is non-deterministic.
Because the processing is non-deterministic, DNSSEC validating
resolvers may not be able to validate a wildcarded DNAME.
A server MAY give a warning that the behavior is unspecified
if such a wildcarded DNAME is loaded. The server MAY refuse it,
refuse to load the zone or refuse dynamic updates.
Recursive caching name servers can encounter data at names below the owner name of a
DNAME RR, due to a change at the authoritative server where data from
before and after the change resides in the cache. This conflict
situation is a transitional phase that ends when the old data
times out. The caching name server can opt to store both old and new data and
treat each as if the other did not exist, or drop the old data, or
drop the longer domain name. In any approach, consistency returns
after the older data TTL times out.
Recursive caching name servers MUST perform CNAME synthesis on behalf of
clients.
If a recursive caching name server encounters a DNSSEC validated DNAME RR which
contradicts information already in the cache (excluding CNAME
records), it SHOULD cache the DNAME RR, but it MAY cache the
CNAME record received along with it, subject to the rules for CNAME. If the
DNAME RR cannot be validated via DNSSEC (i.e. not BOGUS, but not able to validate), the recursive caching server SHOULD
NOT cache the DNAME RR but MAY cache the CNAME record received along with it,
subject to the rules of CNAME.
A resolver algorithm likewise changes to handle DNAME processing.
The complete algorithm becomes:
See if the answer is in local information or can be synthesized from a cached DNAME, and if so return it to
the client.
Find the best servers to ask.
Send queries until one returns a response.
Analyze the response, either:
If the response answers the question or contains a name error,
cache the data as well as returning it back to the client.
If the response contains a better delegation to other servers,
cache the delegation information, and go to step 2.
If the response shows a CNAME and that is not the answer
itself, cache the CNAME, change the SNAME to the canonical name
in the CNAME RR and go to step 1.
If the response shows a DNAME and that is not the answer
itself, cache the DNAME (upon successful DNSSEC validation if the client is a validating resolver).
If substitution of the DNAME's
target name for its owner name in the SNAME would overflow the legal
size for a domain name, return an implementation-dependent
error to the application; otherwise perform the substitution
and go to step 1.
If the response shows a server failure or other bizarre
contents, delete the server from the SLIST and go back to step
3.
In , in Section 10.3., the discussion
on MX and NS records touches on redirection by CNAMEs, but this
also holds for DNAMEs.
The DNAME RR is discussed in RFC 3363, section 4, on A6 and DNAME.
The opening premise of this section is demonstrably wrong, and so
the conclusion based on that premise is wrong. In particular,
deprecates the use of DNAME in the IPv6
reverse tree, which is then carried forward as a recommendation in
. Based on the experience gained in the
meantime, is revised, dropping all
constraints on having DNAME RRs in these zones. This would greatly
improve the manageability of the IPv6 reverse tree. These changes
are made explicit below.
There are several issues to be aware of about the use of DNAME.
The names listed as target names of MX, NS, PTR and SRV
records must
be canonical hostnames. This means no CNAME or DNAME redirection
may be present during DNS lookup of the address records for the host.
This is discussed in RFC 2181 ,
section 10.3, and RFC 1912 , section 2.4.
For SRV see RFC 2782 page 4.
The upshot of this is that although the lookup of a PTR record can
involve DNAMEs, the name listed in the PTR record can not fall under
a DNAME. The same holds for NS, SRV and MX records. For example,
when punycode alternates for a zone use DNAME then the
NS, MX, SRV and PTR records that point to that zone must use names
without punycode in their RDATA.
What must be done then is to have the domain names with DNAME
substitution already applied to it as the MX, NS, PTR, SRV data.
These are valid canonical hostnames.
DNAME records can be added, changed and removed in a zone using
dynamic update transactions. Adding a DNAME RR to a zone occludes
any domain names that may exist under the added DNAME.
If a dynamic update message attempts to add a DNAME with a given
owner name but a CNAME is
associated with that name, then the server MUST ignore the DNAME. If a
DNAME is already associated with that name, then it is replaced with the new DNAME.
Otherwise, add the DNAME. If a CNAME is added with a given owner name but a DNAME is associated
with that name, then the CNAME MUST be ignored. This is similar behavior
for dynamic updates to an owner name of a CNAME RR .
The following subsections specify the behavior of implementations that understand both DNSSEC and DNAME (synthesis).
In any response, a signed DNAME RR indicates a non-terminal
redirection of the query. There might or might not be a server
synthesized CNAME in the answer section; if there is, the CNAME
will never be signed. For a DNSSEC validator, verification
of the DNAME RR and then checking that the CNAME was properly
synthesized is sufficient proof.
In any negative response, the NSEC or NSEC3
record type bit map SHOULD be checked to see that there was no
DNAME that could have been applied. If the DNAME bit in the type
bit map is set and the query name is a sub-domain of the closest
encloser that is asserted, then DNAME substitution should have
been done, but the substitution has not been done as specified.
A response can contain a chain of DNAME and CNAME redirections.
That chain can end in a positive answer or a negative (no name error or
no data error) reply. Each step in that chain results in resource
records added to the answer or authority section of the response.
Only if all steps are secure can the AD bit be set for the response.
If one of the steps is bogus, the result is bogus.
Below are examples of why DNSSEC validators MUST understand DNAME.
In the examples below, SOA records, wildcard denial NSECs and
other material not under discussion has been omitted or shortened.
If this is the received response, then only by understanding that the
DNAME bit in the NSEC bitmap means that foo.bar.example.com needed to have been
redirected by the DNAME, the validator can see that it is a BOGUS reply
from an attacker that collated existing records from the DNS
to create a confusing reply.
If the DNAME bit had not been set in the NSEC record above then
the answer would have validated as a correct name error response.
This response has the same NSEC records as the example above,
but with this query name (cee.example.com),
the answer is validated, because 'cee' does
not get redirected by the DNAME at 'bar'.
The response shown above has the synthesized CNAME included.
However, the CNAME has no signature, since the server does not
sign online. So this response cannot be trusted. It could be altered by
an attacker to be foo.bar.example.com CNAME bla.bla.example.
The DNAME record does have its signature included, since it
does not change. The validator must verify
the DNAME signature and then recursively resolve further to
query for the foo.bar.example.net A record.
Below are some examples of the use of DNAME in a zone. These examples are by no means exhaustive.
If an organization with domain name FROBOZZ.EXAMPLE.NET became part of an
organization with domain name ACME.EXAMPLE.COM, it might ease transition
by placing information such as this in its old zone.
The response to an extended recursive query for www.frobozz.example.net
would contain, in the answer section, the DNAME record shown above
and the relevant RRs for www.frobozz-division.acme.example.com.
If an organization wants to have aliases for names, for a different spelling or language,
the same example applies. Note that the MX RR at the zone apex is not redirected
and has to be repeated in the target zone. Also note that the services at mailhub or
www.frobozz-division.acme.example.com. have to recognize and handle the aliases.
The classless scheme for in-addr.arpa delegation can be
extended to prefixes shorter than 24 bits by use of the DNAME record.
For example, the prefix 192.0.8.0/22 can be delegated by the
following records.
A typical entry in the resulting reverse zone for some host with
address 192.0.9.33 might be
The same advisory remarks concerning the choice of the "/" character
apply here as in .
If IPv4 network renumbering were common, maintenance of address space
delegation could be simplified by using DNAME records instead of NS
records to delegate.
This would allow the address space 190.189.0.0/16 assigned to the ISP
"example.net" to be changed without the necessity of altering the
zone files describing the use of that space by the ISP and its
customers.
Renumbering IPv4 networks is currently so arduous a task that
updating the DNS is only a small part of the labor, so this scheme
may have a low value. But it is hoped that in IPv6 the renumbering
task will be quite different and the DNAME mechanism may play a
useful part.
The DNAME Resource Record type code 39 (decimal) originally has been
registered by [RFC2672] in the DNS Resource Record (RR) Types registry table at
http://www.iana.org/assignments/dns-parameters. IANA should update the DNS resource record
registry to point to this document for RR type 39.
DNAME redirects queries elsewhere, which may impact security based
on policy and the security status of the zone with the DNAME and
the redirection zone's security status. For validating resolvers,
the lowest security status of the links in the chain of CNAME and
DNAME redirections is applied to the result.
If a validating resolver accepts wildcarded DNAMEs, this creates
security issues. Since the processing of a wildcarded DNAME is
non-deterministic and the CNAME that was substituted by the
server has no signature, the resolver may choose a different
result than what the server meant, and consequently end up at
the wrong destination. Use of wildcarded DNAMEs is discouraged in
any case .
A validating resolver MUST understand DNAME, according to
. The examples in
illustrate this need.
The authors of this draft would like to acknowledge Matt Larson
for beginning this effort to address the issues related to the
DNAME RR type. The authors would also like to acknowledge Paul Vixie,
Ed Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly, Sam Weiler,
Alfred Hoenes and Kevin Darcy
for their review and comments on this document.
Major changes to server behavior from the original DNAME specification are summarized below:
The rules for DNAME substitution have been clarified in Section 2.
The EDNS option to signal DNAME understanding and compression has never been specified, and this
document clarifies that there is no signaling method (Section 2.5).
The TTL for synthesized CNAME RR's is now set to the TTL of the DNAME, not zero (Section 3.1).
Caching recursive servers MUST perform CNAME synthesis on behalf of clients (Section 3.4).
The revised server algorithm is detailed in Section 3.2.
Rules for dynamic update messages adding a DNAME or CNAME RR to a zone where a CNAME or DNAME already exists
is detailed in Section 5.2
Major changes to client behavior from the original DNAME specification are summarized below:
Clients MUST be able to accept synthesized CNAME RR's with a TTL of either zero or the TTL of
the DNAME RR that accompanies the CNAME RR.
DNSSEC aware clients SHOULD cache DNAME RR's and MAY cache synthesized CNAME RR's it receives in
the same response. DNSSEC aware clients SHOULD also check the NSEC/NSEC3 type bitmap to verify
that DNAME redirection is to be done. DNSSEC validators MUST understand DNAME (Section 5.3).
The revised client algorithm is detailed in Section 3.4.1.