Network Working Group D. Lawrence Request for Comments: 3425 Nominum Updates: 1035 November 2002 Category: Standards Track
Network Working Group D. Lawrence Request for Comments: 3425 Nominum Updates: 1035 November 2002 Category: Standards Track
Obsoleting IQUERY
废弃水禽
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
Abstract
摘要
The IQUERY method of performing inverse DNS lookups, specified in RFC 1035, has not been generally implemented and has usually been operationally disabled where it has been implemented. Both reflect a general view in the community that the concept was unwise and that the widely-used alternate approach of using pointer (PTR) queries and reverse-mapping records is preferable. Consequently, this document deprecates the IQUERY operation, declaring it entirely obsolete. This document updates RFC 1035.
RFC 1035中规定的执行反向DNS查找的IQUERY方法尚未普遍实现,并且通常在已实现的地方被禁用。两者都反映了社区的普遍观点,即该概念是不明智的,并且广泛使用的替代方法(使用指针(PTR)查询和反向映射记录)更可取。因此,本文档不推荐IQUERY操作,并声明它已完全过时。本文件更新了RFC1035。
1 - Introduction
1-导言
As specified in RFC 1035 (section 6.4), the IQUERY operation for DNS queries is used to look up the name(s) which are associated with the given value. The value being sought is provided in the query's answer section and the response fills in the question section with one or more 3-tuples of type, name and class.
如RFC 1035(第6.4节)所述,DNS查询的IQUERY操作用于查找与给定值关联的名称。查询的答案部分提供了要查找的值,而回答则用一个或多个类型、名称和类的三元组填充问题部分。
As noted in [RFC1035], section 6.4.3, inverse query processing can put quite an arduous burden on a server. A server would need to perform either an exhaustive search of its database or maintain a separate database that is keyed by the values of the primary database. Both of these approaches could strain system resource use, particularly for servers that are authoritative for millions of names.
如[RFC1035]第6.4.3节所述,反向查询处理会给服务器带来相当沉重的负担。服务器需要对其数据库执行彻底搜索,或者维护一个由主数据库的值键入的单独数据库。这两种方法都可能导致系统资源使用紧张,特别是对于拥有数百万个名称的权威服务器。
Response packets from these megaservers could be exceptionally large, and easily run into megabyte sizes. For example, using IQUERY to find every domain that is delegated to one of the nameservers of a large ISP could return tens of thousands of 3-tuples in the question section. This could easily be used to launch denial of service attacks.
来自这些兆服务器的响应数据包可能非常大,并且很容易达到兆字节大小。例如,使用IQUERY查找委托给大型ISP的一个名称服务器的每个域可能会在问题部分返回数万个3元组。这很容易被用来发起拒绝服务攻击。
Operators of servers that do support IQUERY in some form (such as very old BIND 4 servers) generally opt to disable it. This is largely due to bugs in insufficiently-exercised code, or concerns about exposure of large blocks of names in their zones by probes such as inverse MX queries.
确实以某种形式支持IQUERY的服务器的操作员(例如非常旧的BIND 4服务器)通常会选择禁用IQUERY。这主要是由于未充分执行的代码中存在bug,或者担心反向MX查询等探测会暴露其区域中的大块名称。
IQUERY is also somewhat inherently crippled by being unable to tell a requester where it needs to go to get the information that was requested. The answer is very specific to the single server that was queried. This is sometimes a handy diagnostic tool, but apparently not enough so that server operators like to enable it, or request implementation where it is lacking.
IQUERY也有点天生的缺陷,因为它无法告诉请求者它需要去哪里才能获得请求的信息。答案非常特定于所查询的单个服务器。这有时是一个方便的诊断工具,但显然还不够,服务器操作员喜欢启用它,或者在缺少它的地方请求实现。
No known clients use IQUERY to provide any meaningful service. The only common reverse mapping support on the Internet, mapping address records to names, is provided through the use of pointer (PTR) records in the in-addr.arpa tree and has served the community well for many years.
没有已知的客户使用IQUERY提供任何有意义的服务。Internet上唯一常见的反向映射支持,即将地址记录映射到名称,是通过使用in-addr.arpa树中的指针(PTR)记录提供的,多年来一直为社区提供良好的服务。
Based on all of these factors, this document recommends that the IQUERY operation for DNS servers be officially obsoleted.
基于所有这些因素,本文档建议正式淘汰DNS服务器的iquiry操作。
2 - Requirements
2-要求
The key word "SHOULD" in this document is to be interpreted as described in BCP 14, RFC 2119, namely that there may exist valid reasons to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
本文件中的关键词“应该”应按照BCP 14、RFC 2119中的描述进行解释,即可能存在忽略特定项目的有效理由,但在选择不同课程之前,必须理解并仔细权衡其全部含义。
3 - Effect on RFC 1035
3-对RFC 1035的影响
The effect of this document is to change the definition of opcode 1 from that originally defined in section 4.1.1 of RFC 1035, and to entirely supersede section 6.4 (including subsections) of RFC 1035.
本文件的作用是改变RFC 1035第4.1.1节中最初定义的操作码1的定义,并完全取代RFC 1035第6.4节(包括小节)。
The definition of opcode 1 is hereby changed to:
操作码1的定义在此更改为:
"1 an inverse query (IQUERY) (obsolete)"
“1反向查询(IQUERY)(过时)”
The text in section 6.4 of RFC 1035 is now considered obsolete. The following is an applicability statement regarding the IQUERY opcode:
RFC 1035第6.4节中的文本现已被视为过时。以下是关于IQUERY操作码的适用性声明:
Inverse queries using the IQUERY opcode were originally described as the ability to look up the names that are associated with a particular Resource Record (RR). Their implementation was optional and never achieved widespread use. Therefore IQUERY is now obsolete, and name servers SHOULD return a "Not Implemented" error when an IQUERY request is received.
使用IQUERY操作码的反向查询最初被描述为能够查找与特定资源记录(RR)关联的名称。它们的实现是可选的,从未得到广泛使用。因此IQUERY现在已经过时,当接收到IQUERY请求时,名称服务器应该返回“未实现”错误。
4 - Security Considerations
4-安全考虑
Since this document obsoletes an operation that was once available, it is conceivable that someone was using it as the basis of a security policy. However, since the most logical course for such a policy to take in the face of a lack of positive response from a server is to deny authentication/authorization, it is highly unlikely that removing support for IQUERY will open any new security holes.
由于本文档废弃了一个曾经可用的操作,可以想象有人将其用作安全策略的基础。但是,由于在服务器没有正面响应的情况下,这种策略最合理的做法是拒绝身份验证/授权,因此删除对IQUERY的支持不太可能会打开任何新的安全漏洞。
Note that if IQUERY is not obsoleted, securing the responses with DNS Security (DNSSEC) is extremely difficult without out-on-the-fly digital signing.
请注意,如果IQUERY没有被淘汰,那么如果没有即时数字签名,使用DNS安全性(DNSSEC)保护响应是极其困难的。
5 - IANA Considerations
5-IANA考虑因素
The IQUERY opcode of 1 should be permanently retired, not to be assigned to any future opcode.
IQUERY操作码1应永久失效,而不是分配给任何未来的操作码。
6 - Acknowledgments
6-致谢
Olafur Gudmundsson instigated this action. Matt Crawford, John Klensin, Erik Nordmark and Keith Moore contributed some improved wording in how to handle obsoleting functionality described by an Internet Standard.
奥拉弗尔·古德蒙德森煽动了这一行动。Matt Crawford、John Klesins、Erik Nordmark和Keith Moore在如何处理互联网标准描述的淘汰功能方面做出了一些改进。
7 - References
7-参考文献
[RFC1035] Mockapetris, P., "Domain Names - Implementation and Specification", STD 13, RFC 1035, November 1987.
[RFC1035]Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 1035,1987年11月。
[RFC2026] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996.
[RFC2026]Bradner,S.,“互联网标准过程——第3版”,BCP 9,RFC 2026,1996年10月。
[RFC2119] Bradner, S., "Key Words for Use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
8 - Author's Address
8-作者地址
David C Lawrence Nominum, Inc. 2385 Bay Rd Redwood City CA 94063 USA
David C Lawrence Nominum,Inc.美国加利福尼亚州红木市海湾路2385号,邮编94063
Phone: +1.650.779.6042 EMail: tale@nominum.com
Phone: +1.650.779.6042 EMail: tale@nominum.com
9 - Full Copyright Statement
9-完整版权声明
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。