Network Working Group Internet Architecture Board Request for Comments: 2826 May 2000 Category: Informational
Network Working Group Internet Architecture Board Request for Comments: 2826 May 2000 Category: Informational
IAB Technical Comment on the Unique DNS Root
IAB对唯一DNS根目录的技术评论
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
Summary
总结
To remain a global network, the Internet requires the existence of a globally unique public name space. The DNS name space is a hierarchical name space derived from a single, globally unique root. This is a technical constraint inherent in the design of the DNS. Therefore it is not technically feasible for there to be more than one root in the public DNS. That one root must be supported by a set of coordinated root servers administered by a unique naming authority.
为了保持全球网络,互联网需要全球唯一的公共名称空间。DNS名称空间是从单个全局唯一根派生的分层名称空间。这是DNS设计中固有的技术约束。因此,在公共DNS中有多个根在技术上是不可行的。一个根目录必须由一组由唯一命名机构管理的协调根目录服务器支持。
Put simply, deploying multiple public DNS roots would raise a very strong possibility that users of different ISPs who click on the same link on a web page could end up at different destinations, against the will of the web page designers.
简言之,部署多个公共DNS根目录将极有可能导致不同ISP的用户点击网页上的同一链接,最终到达不同的目的地,这与网页设计者的意愿背道而驰。
This does not preclude private networks from operating their own private name spaces, but if they wish to make use of names uniquely defined for the global Internet, they have to fetch that information from the global DNS naming hierarchy, and in particular from the coordinated root servers of the global DNS naming hierarchy.
这并不排除专用网络操作其自己的专用名称空间,但如果它们希望使用为全球互联网唯一定义的名称,则必须从全球DNS命名层次结构中获取该信息,特别是从全球DNS命名层次结构的协调根服务器中获取该信息。
There are several distinct reasons why the DNS requires a single root in order to operate properly.
DNS需要单个根目录才能正常运行有几个明显的原因。
Effective communications between two parties requires two essential preconditions:
双方之间的有效沟通需要两个基本先决条件:
- The existence of a common symbol set, and
- 公共符号集的存在,以及
- The existence of a common semantic interpretation of these symbols.
- 这些符号存在共同的语义解释。
Failure to meet the first condition implies a failure to communicate at all, while failure to meet the second implies that the meaning of the communication is lost.
不满足第一个条件意味着根本无法沟通,而不满足第二个条件意味着沟通的意义丧失。
In the case of a public communications system this condition of a common symbol set with a common semantic interpretation must be further strengthened to that of a unique symbol set with a unique semantic interpretation. This condition of uniqueness allows any party to initiate a communication that can be received and understood by any other party. Such a condition rules out the ability to define a symbol within some bounded context. In such a case, once the communication moves out of the context of interpretation in which it was defined, the meaning of the symbol becomes lost.
在公共通信系统中,必须将具有共同语义解释的共同符号集的条件进一步强化为具有独特语义解释的独特符号集的条件。这种唯一性条件允许任何一方发起可被任何其他方接收和理解的通信。这样的条件排除了在某些有界上下文中定义符号的能力。在这种情况下,一旦通信脱离了定义它的解释上下文,符号的意义就会丢失。
Within public digital communications networks such as the Internet this requirement for a uniquely defined symbol set with a uniquely defined meaning exists at many levels, commencing with the binary encoding scheme, extending to packet headers and payload formats and the protocol that an application uses to interact. In each case a variation of the symbol set or a difference of interpretation of the symbols being used within the interaction causes a protocol failure, and the communication fails. The property of uniqueness allows a symbol to be used unambiguously in any context, allowing the symbol to be passed on, referred to, and reused, while still preserving the meaning of the original use.
在公共数字通信网络(如互联网)中,对具有唯一定义含义的唯一定义符号集的要求存在于多个层次,从二进制编码方案开始,扩展到包头和有效负载格式以及应用程序用于交互的协议。在每种情况下,符号集的变化或在交互中使用的符号的解释的差异导致协议失败,并且通信失败。唯一性属性允许在任何上下文中明确使用符号,允许符号被传递、引用和重用,同时仍保留原始使用的含义。
The DNS fulfills an essential role within the Internet protocol environment, allowing network locations to be referred to using a label other than a protocol address. As with any other such symbol set, DNS names are designed to be globally unique, that is, for any one DNS name at any one time there must be a single set of DNS records uniquely describing protocol addresses, network resources and services associated with that DNS name. All of the applications deployed on the Internet which use the DNS assume this, and Internet users expect such behavior from DNS names. Names are then constant symbols, whose interpretation does not specifically require knowledge of the context of any individual party. A DNS name can be passed from one party to another without altering the semantic intent of the name.
DNS在Internet协议环境中发挥着重要作用,允许使用协议地址以外的标签来引用网络位置。与任何其他此类符号集一样,DNS名称被设计为全局唯一的,即,对于任何一个DNS名称,在任何时间都必须有一组唯一描述与该DNS名称相关联的协议地址、网络资源和服务的DNS记录。部署在Internet上的所有使用DNS的应用程序都假定了这一点,Internet用户期望DNS名称具有这种行为。因此,名称是不变的符号,其解释并不特别需要了解任何一方的上下文。DNS名称可以在不改变名称语义意图的情况下从一方传递到另一方。
Since the DNS is hierarchically structured into domains, the uniqueness requirement for DNS names in their entirety implies that each of the names (sub-domains) defined within a domain has a unique
由于DNS按层次结构划分为多个域,因此DNS名称的整体唯一性要求意味着域中定义的每个名称(子域)都具有唯一性
meaning (i.e., set of DNS records) within that domain. This is as true for the root domain as for any other DNS domain. The requirement for uniqueness within a domain further implies that there be some mechanism to prevent name conflicts within a domain. In DNS this is accomplished by assigning a single owner or maintainer to every domain, including the root domain, who is responsible for ensuring that each sub-domain of that domain has the proper records associated with it. This is a technical requirement, not a policy choice.
在该域内的含义(即DNS记录集)。这对于根域和任何其他DNS域都是如此。对域内唯一性的要求进一步意味着存在某种机制来防止域内的名称冲突。在DNS中,这是通过为每个域(包括根域)分配一个所有者或维护者来实现的,该所有者或维护者负责确保该域的每个子域都有与其相关联的正确记录。这是一项技术要求,而不是政策选择。
Both the design and implementations of the DNS protocol are heavily based on the assumption that there is a single owner or maintainer for every domain, and that any set of resources records associated with a domain is modified in a single-copy serializable fashion. That is, even assuming that a single domain could somehow be "shared" by uncooperating parties, there is no means within the DNS protocol by which a user or client could discover, and choose between, conflicting definitions of a DNS name made by different parties. The client will simply return the first set of resource records that it finds that matches the requested domain, and assume that these are valid. This protocol is embedded in the operating software of hundreds of millions of computer systems, and is not easily updated to support a shared domain scenario.
DNS协议的设计和实现都在很大程度上基于这样的假设:每个域都有一个所有者或维护者,并且与域关联的任何一组资源记录都是以单拷贝可序列化的方式修改的。也就是说,即使假设单个域可以被不合作方以某种方式“共享”,在DNS协议中也没有任何方式可以让用户或客户端发现并在不同方对DNS名称的冲突定义之间进行选择。客户端只需返回它找到的与请求域匹配的第一组资源记录,并假设这些记录是有效的。该协议嵌入在数亿计算机系统的操作软件中,不易更新以支持共享域方案。
Moreover, even supposing that some other means of resolving conflicting definitions could be provided in the future, it would have to be based on objective rules established in advance. For example, zone A.B could declare that naming authority Y had been delegated all subdomains of A.B with an odd number of characters, and that naming authority Z had been delegated authority to define subdomains of A.B with an even number of characters. Thus, a single set of rules would have to be agreed to prevent Y and Z from making conflicting assignments, and with this train of actions a single unique space has been created in any case. Even this would not allow multiple non-cooperating authorities to assign arbitrary sub-domains within a single domain.
此外,即使假设将来可以提供解决冲突定义的其他方法,也必须以事先制定的客观规则为基础。例如,区域A.B可以声明命名权限Y已被授予具有奇数个字符的A.B的所有子域,命名权限Z已被授予定义具有偶数个字符的A.B子域的权限。因此,必须商定一套规则,以防止Y和Z进行相互冲突的分配,并且在任何情况下,通过这一系列操作都会创建一个唯一的空间。即使这样,也不允许多个不合作的机构在单个域中分配任意子域。
It seems that a degree of cooperation and agreed technical rules are required in order to guarantee the uniqueness of names. In the DNS, these rules are established independently for each part of the naming hierarchy, and the root domain is no exception. Thus, there must be a generally agreed single set of rules for the root.
为了保证名称的唯一性,似乎需要一定程度的合作和商定的技术规则。在DNS中,这些规则是为命名层次结构的每个部分独立建立的,根域也不例外。因此,必须有一套通用的根目录规则。
There is one specific technical respect in which the root zone differs from all other DNS zones: the addresses of the name servers for the root zone come primarily from out-of-band information. This out-of-band information is often poorly maintained and, unlike all other data in the DNS, the out-of-band information has no automatic timeout mechanism. It is not uncommon for this information to be years out of date at many sites.
根区域不同于所有其他DNS区域的一个特定技术方面是:根区域的名称服务器的地址主要来自带外信息。这种带外信息通常维护得很差,并且与DNS中的所有其他数据不同,带外信息没有自动超时机制。在许多网站上,这些信息过时多年并不罕见。
Like any other zone, the root zone contains a set of "name server" resource records listing its servers, but a resolver with no valid addresses for the current set of root servers will never be able to obtain these records. More insidiously, a resolver that has a mixed set of partially valid and partially stale out-of-band configuration information will not be able to tell which are the "real" root servers if it gets back conflicting answers; thus, it is very difficult to revoke the status of a malicious root server, or even to route around a buggy root server.
与任何其他区域一样,根区域包含一组列出其服务器的“名称服务器”资源记录,但是没有当前根服务器组的有效地址的解析程序将永远无法获取这些记录。更隐晦的是,如果冲突解决程序返回了冲突的答案,那么它将无法分辨哪些是“真正的”根服务器,因为它混合了一组部分有效和部分过时的带外配置信息;因此,很难撤销恶意根服务器的状态,甚至很难绕过有缺陷的根服务器。
In effect, every full-service resolver in the world "delegates" the root of the public tree to the public root server(s) of its choice.
实际上,世界上的每个全服务解析器都将公共树的根“委托”给其选择的公共根服务器。
As a direct consequence, any change to the list of IP addresses that specify the public root zone is significantly more difficult than changing any other aspect of the DNS delegation chain. Thus, stability of the system calls for extremely conservative and cautious management of the public root zone: the frequency of updates to the root zone must be kept low, and the servers for the root zone must be closely coordinated.
作为直接结果,对指定公共根区域的IP地址列表的任何更改都比更改DNS委派链的任何其他方面要困难得多。因此,系统的稳定性要求对公共根区域进行极其保守和谨慎的管理:根区域的更新频率必须保持较低,根区域的服务器必须密切协调。
These problems can be ameliorated to some extent by the DNS Security Extensions [DNSSEC], but a similar out-of-band configuration problem exists for the cryptographic signature key to the root zone, so the root zone still requires tight coupling and coordinated management even in the presence of DNSSEC.
DNS安全扩展[DNSSEC]可以在一定程度上改善这些问题,但根区域的加密签名密钥也存在类似的带外配置问题,因此即使存在DNSSEC,根区域仍然需要紧密耦合和协调管理。
The DNS type of unique naming and name-mapping system may not be ideal for a number of purposes for which it was never designed, such a locating information when the user doesn't precisely know the correct names. As the Internet continues to expand, we would expect directory systems to evolve which can assist the user in dealing with vague or ambiguous references. To preserve the many important features of the DNS and its multiple record types -- including the Internet's equivalent of telephone number portability -- we would expect the result of directory lookups and identification of the
DNS类型的唯一命名和名称映射系统可能不适合许多从未设计过的用途,例如当用户不确切知道正确名称时的定位信息。随着互联网的不断发展,我们期望目录系统能够帮助用户处理模糊或模棱两可的引用。为了保留DNS及其多种记录类型的许多重要功能——包括互联网上相当于电话号码可移植性的功能——我们期望目录查找和身份验证的结果
correct names for a particular purpose to be unique DNS names that are then resolved normally, rather than having directory systems "replace" the DNS.
将特定用途的名称更正为唯一的DNS名称,然后正常解析,而不是让目录系统“替换”DNS。
There is no getting away from the unique root of the public DNS.
无法摆脱公共DNS的唯一根。
This memo does not introduce any new security issues, but it does attempt to identify some of the problems inherent in a family of recurring technically naive proposals.
这份备忘录没有提出任何新的安全问题,但它确实试图确定一系列重复出现的技术上幼稚的提案中固有的一些问题。
This memo is not intended to create any new issues for IANA.
本备忘录无意为IANA创造任何新问题。
[DNS-CONCEPTS] Mockapetris, P., "Domain Names - Concepts and Facilities", STD 13, RFC 1034, November 1987.
[DNS-CONCEPTS]Mockapetris,P.,“域名-概念和设施”,STD 13,RFC 1034,1987年11月。
[DNS-IMPLEMENTATION] Mockapetris, P., "Domain Names - Implementation and Specification", STD 13, RFC 1035, November 1987.
[DNS-实施]Mockapetris,P.,“域名-实施和规范”,STD 13,RFC 1035,1987年11月。
[DNSSEC] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999.
[DNSSEC]Eastlake,D.,“域名系统安全扩展”,RFC 25351999年3月。
Internet Architecture Board
互联网架构委员会
EMail: iab@iab.org
EMail: iab@iab.org
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。