Network Working Group                                          G. Sisson
Request for Comments: 4471                                     B. Laurie
Category: Experimental                                           Nominet
                                                          September 2006
        

Derivation of DNS Name Predecessor and Successor

Status of This Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document describes two methods for deriving the canonically-ordered predecessor and successor of a DNS name. These methods may be used for dynamic NSEC resource record synthesis, enabling security-aware name servers to provide authenticated denial of existence without disclosing other owner names in a DNSSEC secured zone.

Table of Contents

   1. Introduction
   2. Notational Conventions
   3. Derivations
      3.1. Absolute Method
           3.1.1. Derivation of DNS Name Predecessor
           3.1.2. Derivation of DNS Name Successor
      3.2. Modified Method
           3.2.1. Derivation of DNS Name Predecessor
           3.2.2. Derivation of DNS Name Successor
   4. Notes
      4.1. Test for Existence
      4.2. Case Considerations
      4.3. Choice of Range
      4.4. Wild Card Considerations
      4.5. Possible Modifications
           4.5.1. Restriction of Effective Maximum DNS Name Length
           4.5.2. Use of Modified Method with Zones Containing SRV RRs
   5. Examples
      5.1. Examples of Immediate Predecessors Using Absolute Method
      5.2. Examples of Immediate Successors Using Absolute Method
      5.3. Examples of Predecessors Using Modified Method
      5.4. Examples of Successors Using Modified Method
   6. Security Considerations
   7. Acknowledgements
   8. References
      8.1. Normative References
      8.2. Informative References
        
1. Introduction

One of the proposals for avoiding the exposure of zone information during the deployment of DNSSEC is dynamic NSEC resource record (RR) synthesis. This technique is described in [DNSSEC-TRANS] and [RFC4470], and involves the generation of NSEC RRs that just span the query name for non-existent owner names. In order to do this, the DNS names that would occur just prior to and just following a given query name must be calculated in real time, as maintaining a list of all possible owner names that might occur in a zone would be impracticable.

Section 6.1 of [RFC4034] defines canonical DNS name order. This document does not amend or modify this definition. However, the derivation of immediate predecessor and successor, although trivial, is non-obvious. Accordingly, several methods are described here as an aid to implementors and a reference to other interested parties.

This document describes two methods:

1. An "absolute method", which returns the immediate predecessor or successor of a domain name such that no valid DNS name could exist between that DNS name and the predecessor or successor.

2. A "modified method", which returns a predecessor and successor that are more economical in size and computation. This method is restricted to use with zones consisting exclusively of owner names that contain no more than one label more than the owner name of the apex, where the longest possible owner name (i.e., one with a maximum length left-most label) would not exceed the maximum DNS name length. This is, however, the type of zone for which the technique of online signing is most likely to be used.

2. Notational Conventions

The following notational conventions are used in this document for economy of expression:

N: An unspecified DNS name.

P(N): Immediate predecessor to N (absolute method).

S(N): Immediate successor to N (absolute method).

P'(N): Predecessor to N (modified method).

S'(N): Successor to N (modified method).

3. Derivations

These derivations assume that all uppercase US-ASCII letters in N have already been replaced by their corresponding lowercase equivalents. Unless otherwise specified, processing stops after the first step in which a condition is met.

The derivations make reference to maximum label length and maximum DNS name length; these are defined in Section 3.1 of [RFC1034] to be 63 and 255 octets, respectively.

3.1. Absolute Method
3.1.1. Derivation of DNS Name Predecessor

To derive P(N):

1. If N is the same as the owner name of the zone apex, prepend N repeatedly with labels of the maximum length possible consisting of octets of the maximum sort value (e.g., 0xff) until N is the maximum length possible; otherwise proceed to the next step.

2. If the least significant (left-most) label of N consists of a single octet of the minimum sort value (e.g., 0x00), remove that label; otherwise proceed to the next step.

3. If the least significant (right-most) octet in the least significant (left-most) label of N is the minimum sort value, remove the least significant octet and proceed to step 5.

4. Decrement the value of the least significant (right-most) octet of the least significant (left-most) label, skipping any values that correspond to uppercase US-ASCII letters, and then append the least significant (left-most) label with as many octets as possible of the maximum sort value. Proceed to the next step.

5. Prepend N repeatedly with labels of as long a length as possible consisting of octets of the maximum sort value until N is the maximum length possible.

3.1.2. Derivation of DNS Name Successor

To derive S(N):

1. If N is two or more octets shorter than the maximum DNS name length, prepend N with a label containing a single octet of the minimum sort value (e.g., 0x00); otherwise proceed to the next step.

2. If N is one octet shorter than the maximum DNS name length and the least significant (left-most) label is one or more octets shorter than the maximum label length, append an octet of the minimum sort value to the least significant label; otherwise proceed to the next step.

3. Increment the value of the least significant (right-most) octet in the least significant (left-most) label that is less than the maximum sort value (e.g., 0xff), skipping any values that correspond to uppercase US-ASCII letters, and then remove any octets to the right of that one. If all octets in the label are the maximum sort value, then proceed to the next step.

4. Remove the least significant (left-most) label. Unless N is now the same as the owner name of the zone apex (this will occur only if N was the maximum possible name in canonical DNS name order, and thus has wrapped to the owner name of zone apex), repeat starting at step 2.
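
The steps of Sections 3.1.1 and 3.1.2 can be traced with the Python below, which is an added example and not part of the original memo. It assumes a name is held as a list of lowercase label byte strings (left-most first, root omitted), that N lies at or below the apex, and that the full 0x00-0xff range is used; the function names and the `show` renderer are hypothetical helpers introduced here.

```python
from itertools import groupby

MAX_LABEL, MAX_NAME = 63, 255          # limits from RFC 1034, Section 3.1
MIN_OCTET, MAX_OCTET = 0x00, 0xFF      # full binary range (assumption)
APEX = [b"example", b"com"]            # constructed sample zone apex


def wire_len(labels):
    """Octets on the wire: one length octet per label plus the root label."""
    return sum(len(label) + 1 for label in labels) + 1


def dec_octet(o):
    """Decrement, skipping uppercase US-ASCII ('[' steps down to '@')."""
    return 0x40 if o == 0x5B else o - 1


def inc_octet(o):
    """Increment, skipping uppercase US-ASCII ('@' steps up to '[')."""
    return 0x5B if o == 0x40 else o + 1


def _pad_left(labels):
    """Prepend maximal labels of MAX_OCTET until the name is MAX_NAME long."""
    labels = list(labels)
    while MAX_NAME - wire_len(labels) >= 2:      # length octet + >= 1 octet
        room = MAX_NAME - wire_len(labels) - 1
        labels.insert(0, bytes([MAX_OCTET]) * min(MAX_LABEL, room))
    return labels


def predecessor(labels, apex):
    """P(N), Section 3.1.1; `labels` must already be lowercased."""
    labels = list(labels)
    if labels == list(apex):                               # step 1
        return _pad_left(labels)
    first = labels[0]
    if first == bytes([MIN_OCTET]):                        # step 2
        return labels[1:]
    if first[-1] == MIN_OCTET:                             # step 3
        labels[0] = first[:-1]
    else:                                                  # step 4
        first = first[:-1] + bytes([dec_octet(first[-1])])
        room = min(MAX_LABEL - len(first), MAX_NAME - wire_len(labels))
        labels[0] = first + bytes([MAX_OCTET]) * room
    return _pad_left(labels)                               # step 5


def successor(labels, apex):
    """S(N), Section 3.1.2; assumes N is at or below `apex`."""
    labels = list(labels)
    if wire_len(labels) <= MAX_NAME - 2:                   # step 1
        return [bytes([MIN_OCTET])] + labels
    while True:
        first = labels[0]
        if wire_len(labels) == MAX_NAME - 1 and len(first) < MAX_LABEL:
            labels[0] = first + bytes([MIN_OCTET])         # step 2
            return labels
        stem = first.rstrip(bytes([MAX_OCTET]))
        if stem:                                           # step 3
            labels[0] = stem[:-1] + bytes([inc_octet(stem[-1])])
            return labels
        labels = labels[1:]                                # step 4
        if labels == list(apex):                           # wrapped to apex
            return labels


def show(labels):
    """Render a name with \\DDD escapes and {n} for repeated octets."""
    def esc(o, n):
        if o == 0x2D or (o < 0x80 and chr(o).isalnum()):
            return chr(o) * n
        if 0x21 <= o <= 0x7E:
            return ("\\" + chr(o)) * n
        return "\\%03d" % o + ("{%d}" % n if n > 1 else "")
    return ".".join(
        "".join(esc(o, len(list(run))) for o, run in groupby(label))
        for label in labels) + "."


if __name__ == "__main__":
    foo = [b"foo"] + APEX
    print(show(predecessor(foo, APEX)))
    print(show(successor(foo, APEX)))
```

Applying `successor` to the result of `predecessor` returns the original name, which is a quick check that the derived span leaves no room for another valid DNS name.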

3.2. Modified Method

This method is for use with zones consisting only of single-label owner names where an owner name consisting of a label of maximum length would not result in a DNS name that exceeds the maximum DNS name length. This method is computationally simpler and returns values that are more economical in size than the absolute method. It differs from the absolute method detailed above in the following ways:

1. Step 1 of the derivation P(N) has been omitted as the existence of the owner name of the zone apex never requires denial.

2. A new step 1 has been introduced that removes unnecessary labels.

3. Step 4 of the derivation P(N) has been omitted as it is only necessary for zones containing owner names consisting of more than one label. This omission generally results in a significant reduction of the length of derived predecessors.

4. Step 1 of the derivation S(N) has been omitted as it is only necessary for zones containing owner names consisting of more than one label. This omission results in a tiny reduction of the length of derived successors, and maintains consistency with the modification of step 4 of the derivation P(N) described above.

5. Steps 2 and 4 of the derivation S(N) have been modified to eliminate checks for maximum DNS name length, as it is an assumption of this method that no DNS name in the zone can exceed the maximum DNS name length.

3.2.1. Derivation of DNS Name Predecessor

To derive P'(N):

1. If N is two or more labels longer than the owner name of the apex, repeatedly remove the least significant (left-most) label until N is only one label longer than the owner name of the apex; otherwise proceed to the next step.

2. If the least significant (left-most) label of N consists of a single octet of the minimum sort value (e.g., 0x00), remove that label; otherwise proceed to the next step. (If this condition is met, P'(N) is the owner name of the apex.)

3. If the least significant (right-most) octet in the least significant (left-most) label of N is the minimum sort value, remove the least significant octet.

4. Decrement the value of the least significant (right-most) octet, skipping any values that correspond to uppercase US-ASCII letters, and then append the label with as many octets as possible of the maximum sort value.

3.2.2. Derivation of DNS Name Successor

To derive S'(N):

1. If N is two or more labels longer than the owner name of the apex, repeatedly remove the least significant (left-most) label until N is only one label longer than the owner name of the apex. Proceed to the next step.

2. If the least significant (left-most) label of N is one or more octets shorter than the maximum label length, append an octet of the minimum sort value to the least significant label; otherwise proceed to the next step.

3. Increment the value of the least significant (right-most) octet in the least significant (left-most) label that is less than the maximum sort value (e.g., 0xff), skipping any values that correspond to uppercase US-ASCII letters, and then remove any octets to the right of that one. If all octets in the label are the maximum sort value, then proceed to the next step.

4. Remove the least significant (left-most) label. (This will occur only if the least significant label is the maximum label length and consists entirely of octets of the maximum sort value, and thus has wrapped to the owner name of the zone apex.)

4. Notes
4.1. Test for Existence

Before using the result of P(N) or P'(N) as the owner name of an NSEC RR in a DNS response, a name server should test to see whether the name exists. If it does, either a standard non-synthesised NSEC RR should be used, or the synthesised NSEC RR should reflect the RRset types that exist at the NSEC RR's owner name in the Type Bit Map field as specified by Section 4.1.2 of [RFC4034]. Implementors will likely find it simpler to use a non-synthesised NSEC RR. For further details, see Section 2 of [RFC4470].
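
The modified-method derivations of Sections 3.2.1 and 3.2.2 and the existence test above fit together as shown in the following Python, an added example that is not part of the original memo. It assumes names are lists of label byte strings (left-most first, root omitted), the full 0x00-0xff range, and a zone held as a set of label tuples; all function names and the sample zone are hypothetical.

```python
MAX_LABEL = 63                         # limit from RFC 1034, Section 3.1
MIN_OCTET, MAX_OCTET = 0x00, 0xFF      # full binary range (assumption)


def dec_octet(o):
    """Decrement, skipping uppercase US-ASCII ('[' steps down to '@')."""
    return 0x40 if o == 0x5B else o - 1


def inc_octet(o):
    """Increment, skipping uppercase US-ASCII ('@' steps up to '[')."""
    return 0x5B if o == 0x40 else o + 1


def canonical_key(labels):
    """Sort key for RFC 4034 Section 6.1 order: labels right to left, lowercased."""
    return tuple(label.lower() for label in reversed(labels))


def _check_below_apex(labels, apex):
    # P'(N) and S'(N) are only defined for names strictly below the apex.
    if len(labels) <= len(apex) or labels[-len(apex):] != apex:
        raise ValueError("N must be strictly below the zone apex")


def predecessor_mod(labels, apex):
    """P'(N), Section 3.2.1; processing stops at the first step that applies."""
    labels, apex = [label.lower() for label in labels], list(apex)
    _check_below_apex(labels, apex)
    if len(labels) >= len(apex) + 2:                       # step 1
        return labels[-(len(apex) + 1):]
    first = labels[0]
    if first == bytes([MIN_OCTET]):                        # step 2
        return apex
    if first[-1] == MIN_OCTET:                             # step 3
        return [first[:-1]] + apex
    first = first[:-1] + bytes([dec_octet(first[-1])])     # step 4
    return [first.ljust(MAX_LABEL, bytes([MAX_OCTET]))] + apex


def successor_mod(labels, apex):
    """S'(N), Section 3.2.2; step 1 always proceeds to step 2."""
    labels, apex = [label.lower() for label in labels], list(apex)
    _check_below_apex(labels, apex)
    first = labels[-(len(apex) + 1)]                       # step 1
    if len(first) < MAX_LABEL:                             # step 2
        return [first + bytes([MIN_OCTET])] + apex
    stem = first.rstrip(bytes([MAX_OCTET]))
    if stem:                                               # step 3
        return [stem[:-1] + bytes([inc_octet(stem[-1])])] + apex
    return apex                                            # step 4


def synth_nsec_span(qname, apex, zone_names):
    """Owner and next name of a synthesised NSEC RR that just spans `qname`.

    The third result is the Section 4.1 test: True means the owner name
    exists in the zone, so the Type Bit Map must list its real RRset types
    (or a standard non-synthesised NSEC RR is used instead).
    """
    owner = predecessor_mod(qname, apex)
    nxt = successor_mod(qname, apex)
    return owner, nxt, tuple(owner) in zone_names


if __name__ == "__main__":
    apex = [b"example", b"com"]                            # constructed sample
    zone = {tuple(apex), (b"www", b"example", b"com")}     # constructed sample
    for q in ([b"foo"] + apex, [b"nosuch", b"www"] + apex):
        owner, nxt, exists = synth_nsec_span(q, apex, zone)
        print(owner[0][:8], nxt[0], "owner exists:", exists)
```

A query for a name two labels below the apex yields an existing first-level name as P'(N), which is the case the existence test is there to catch.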

4.2. Case Considerations

Section 3.5 of [RFC1034] specifies that "while upper and lower case letters are allowed in names, no significance is attached to the case". Additionally, Section 6.1 of [RFC4034] states that when determining canonical DNS name order, "uppercase US-ASCII letters are treated as if they were lowercase US-ASCII letters". Consequently, values corresponding to US-ASCII uppercase letters must be skipped when decrementing and incrementing octets in the derivations described in Section 3.

The following pseudo-code is illustrative:

Decrement the value of an octet:

      if (octet == '[')       // '[' is just after uppercase 'Z'
              octet = '@';    // '@' is just prior to uppercase 'A'
      else
              octet--;
        

Increment the value of an octet:

      if (octet == '@')       // '@' is just prior to uppercase 'A'
              octet = '[';    // '[' is just after uppercase 'Z'
      else
              octet++;
        
4.3. Choice of Range

[RFC2181] makes the clarification that "any binary string whatever can be used as the label of any resource record". Consequently, the minimum sort value may be set as 0x00 and the maximum sort value as 0xff, and the range of possible values will be any DNS name that contains octets of any value other than those corresponding to uppercase US-ASCII letters.

However, if all owner names in a zone are in the letter-digit-hyphen, or LDH, format specified in [RFC1034], it may be desirable to restrict the range of possible values to DNS names containing only LDH values. This has the effect of

1. making the output of tools such as `dig' and `nslookup' less subject to confusion,

2. minimising the impact that NSEC RRs containing DNS names with non-LDH values (or non-printable values) might have on faulty DNS resolver implementations, and

3. preventing the possibility of results that are wildcard DNS names (see Section 4.4).

This may be accomplished by using a minimum sort value of 0x1f (US-ASCII character `-') and a maximum sort value of 0x7a (US-ASCII character lowercase `z'), and then skipping non-LDH, non-lowercase values when incrementing or decrementing octets.

4.4. Wild Card Considerations

Neither derivation avoids the possibility that the result may be a DNS name containing a wildcard label, i.e., a label containing a single octet with the value 0x2a (US-ASCII character `*'). With additional tests, wildcard DNS names may be explicitly avoided; alternatively, if the range of octet values can be restricted to those corresponding to letter-digit-hyphen, or LDH, characters (see Section 4.3), such DNS names will not occur.

Note that it is improbable that a result that is a wildcard DNS name will occur unintentionally; even if one does occur either as the owner name of, or in the RDATA of an NSEC RR, it is treated as a literal DNS name with no special meaning.

4.5. Possible Modifications
4.5.1. Restriction of Effective Maximum DNS Name Length

[RFC1034] specifies that "the total number of octets that represent a name (i.e., the sum of all label octets and label lengths) is limited to 255", including the null (zero-length) label that represents the root. For the purpose of deriving predecessors and successors during NSEC RR synthesis, the maximum DNS name length may be effectively restricted to the length of the longest DNS name in the zone. This will minimise the size of responses containing synthesised NSEC RRs but, especially in the case of the modified method, may result in some additional computational complexity.

Note that this modification will have the effect of revealing information about the longest name in the zone. Moreover, when the contents of the zone change, e.g., during dynamic updates and zone transfers, care must be taken to ensure that the effective maximum DNS name length agrees with the new contents.

4.5.2. Use of Modified Method with Zones Containing SRV RRs

Normally, the modified method cannot be used in zones that contain Service Record (SRV) RRs [RFC2782], as SRV RRs have owner names that contain multiple labels. However, the use of SRV RRs can be accommodated by various techniques. There are at least four possible ways to do this:

1. Use conventional NSEC RRs for the region of the zone that contains first-level labels beginning with the underscore (`_') character. For the purposes of generating these NSEC RRs, the existence of (possibly fictional) ownernames `9{63}' and `a' could be assumed, providing a lower and upper bound for this region. Then all queries where the QNAME does not exist but contains a first-level label beginning with an underscore could be handled using the normal DNSSEC protocol.

This approach would make it possible to enumerate all DNS names in the zone containing a first-level label beginning with underscore, including all SRV RRs, but this may be of less concern to the zone administrator than incurring the overhead of the absolute method or of the following variants of the modified method.

2. The absolute method could be used for synthesising NSEC RRs for all queries where the QNAME contains a leading underscore. However, this re-introduces the susceptibility of the absolute method to denial of service activity, as an attacker could send queries for an effectively inexhaustible supply of domain names beginning with a leading underscore.

3. A variant of the modified method could be used for synthesising NSEC RRs for all queries where the QNAME contains a leading underscore. This variant would assume that all predecessors and successors to queries where the QNAME contains a leading underscore may consist of two labels rather than only one. This introduces a little additional complexity without incurring the full increase in response size and computational complexity of the absolute method.

4. Finally, a variant of the modified method that assumes that all owner names in the zone consist of one or two labels could be used. However, this negates much of the reduction in response size of the modified method and may be nearly as computationally complex as the absolute method.

5. Examples

In the following examples,

the owner name of the zone apex is "example.com.",

the range of octet values is 0x00 - 0xff excluding values corresponding to uppercase US-ASCII letters, and

non-printable octet values are expressed as three-digit decimal numbers preceded by a backslash (as specified in Section 5.1 of [RFC1035]).

5.1. Examples of Immediate Predecessors Using Absolute Method

Example of a typical case:

P(foo.example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255.\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255.fon\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255.example.com.

or, in alternate notation:

\255{49}.\255{63}.\255{63}.fon\255{60}.example.com.

where {n} represents the number of repetitions of an octet.

Example where least significant (left-most) label of DNS name consists of a single octet of the minimum sort value:

P(\000.foo.example.com.) = foo.example.com.

Example where least significant (right-most) octet of least significant (left-most) label has the minimum sort value:

P(foo\000.example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255.\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255.\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255.foo.example.com.

or, in alternate notation:

\255{45}.\255{63}.\255{63}.\255{63}.foo.example.com.

Example where DNS name contains an octet that must be decremented by skipping values corresponding to US-ASCII uppercase letters:

P(fo\[.example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255.\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255.fo\@\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255.example.com.

or, in alternate notation:

\255{49}.\255{63}.\255{63}.fo\@\255{60}.example.com.

where {n} represents the number of repetitions of an octet.

Example where DNS name is the owner name of the zone apex, and consequently wraps to the DNS name with the maximum possible sort order in the zone:

P(example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255.\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255.\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.example.com.

or, in alternate notation:

\255{49}.\255{63}.\255{63}.\255{63}.example.com.

5.2. Examples of Immediate Successors Using Absolute Method

Example of typical case:

S(foo.example.com.) = \000.foo.example.com.

Example where DNS name is one octet short of the maximum DNS name length:

N = fooooooooooooooooooooooooooooooooooooooooooooooo .ooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooo.ooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooo.ooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo.example.com.

or, in alternate notation:

fo{47}.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooooooooooo \000.ooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooo.ooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooo.ooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo oooo.example.com.

or, in alternate notation:

fo{47}\000.o{63}.o{63}.o{63}.example.com.

Example where DNS name is the maximum DNS name length:

N = fooooooooooooooooooooooooooooooooooooooooooooooo o.oooooooooooooooooooooooooooooooooooooooooooooo ooooooooooooooooo.oooooooooooooooooooooooooooooo ooooooooooooooooooooooooooooooooo.oooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo o.example.com.

or, in alternate notation:

fo{48}.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooooooooooo p.oooooooooooooooooooooooooooooooooooooooooooooo ooooooooooooooooo.oooooooooooooooooooooooooooooo ooooooooooooooooooooooooooooooooo.oooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo o.example.com.

or, in alternate notation:

fo{47}p.o{63}.o{63}.o{63}.example.com.

Example where DNS name is the maximum DNS name length and the least significant (left-most) label has the maximum sort value:

N = \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.ooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooo.ooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooo.ooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo oooo.example.com.

or, in alternate notation:

\255{49}.o{63}.o{63}.o{63}.example.com.

S(N) =

oooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooop.oooooooooooooooooooooooooooooooo ooooooooooooooooooooooooooooooo.oooooooooooooooo ooooooooooooooooooooooooooooooooooooooooooooooo. example.com.

or, in alternate notation:

o{62}p.o{63}.o{63}.example.com.

Example where DNS name is the maximum DNS name length and the eight least significant (right-most) octets of the least significant (left-most) label have the maximum sort value:

N = foooooooooooooooooooooooooooooooooooooooo\255 \255\255\255\255\255\255\255.ooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooo.ooo oooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooo.ooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooo.example.com.

or, in alternate notation:

fo{40}\255{8}.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooop.oooooo oooooooooooooooooooooooooooooooooooooooooooooooo ooooooooo.oooooooooooooooooooooooooooooooooooooo ooooooooooooooooooooooooo.oooooooooooooooooooooo ooooooooooooooooooooooooooooooooooooooooo.example.com.

or, in alternate notation:

fo{39}p.o{63}.o{63}.o{63}.example.com.

Example where DNS name is the maximum DNS name length and contains an octet that must be incremented by skipping values corresponding to US-ASCII uppercase letters:

N = fooooooooooooooooooooooooooooooooooooooooooooooo \@.ooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooo.ooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooo.ooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo oo.example.com.

or, in alternate notation:

fo{47}\@.o{63}.o{63}.o{63}.example.com.

S(N) =

fooooooooooooooooooooooooooooooooooooooooooooooo \[.ooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooo.ooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooo.ooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo oo.example.com.

or, in alternate notation:

fo{47}\[.o{63}.o{63}.o{63}.example.com.

Example where DNS name has the maximum possible sort order in the zone, and consequently wraps to the owner name of the zone apex:

N = \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255.\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255.\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.example.com.

or, in alternate notation:

\255{49}.\255{63}.\255{63}.\255{63}.example.com.

S(N) = example.com.
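
The absolute-method examples in Sections 5.1 and 5.2 can be reproduced with the following Python implementation, which is an added example and not code from the RFC or its authors. The function names, the list-of-labels representation, the parser for the `\DDD` and `{n}` notation, and the assumption that input names are already in canonical (lowercase) form are choices made for this example.

```python
MAX_NAME = 255   # maximum DNS name length on the wire, in octets
MAX_LABEL = 63   # maximum label length, in octets

def parse(text):
    """Parse the examples' notation (\\DDD and \\X escapes, {n} = preceding
    octet occurs n times) into a list of labels, left-most label first."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c, ddd = text[i], text[i + 1:i + 4]
        if c == "\\" and len(ddd) == 3 and ddd.isdigit():
            cur.append(int(ddd))
            i += 4
        elif c == "\\":
            cur.append(ord(text[i + 1]))
            i += 2
        elif c == "{":
            end = text.index("}", i)
            cur.extend(cur[-1:] * (int(text[i + 1:end]) - 1))
            i = end + 1
        elif c == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    return labels + ([bytes(cur)] if cur else [])

def wire_len(labels):
    """Length octet plus data for each label, plus the root label."""
    return sum(len(label) + 1 for label in labels) + 1

def bump(octet, step):
    """Move one position in canonical order, skipping US-ASCII A-Z (0x41-0x5a),
    which sort as their lowercase equivalents."""
    octet += step
    while 0x41 <= octet <= 0x5A:
        octet += step
    return octet

def pad(labels):
    """Prepend 0xff labels, each as long as possible, up to the maximum name length."""
    labels = list(labels)
    while MAX_NAME - wire_len(labels) >= 2:
        labels.insert(0, b"\xff" * min(MAX_LABEL, MAX_NAME - wire_len(labels) - 1))
    return labels

def predecessor(name, apex):
    if name == apex:                         # apex wraps to the zone's maximum name
        return pad(name)
    first, rest = name[0], list(name[1:])
    if first == b"\x00":                     # single minimum octet: drop the label
        return rest
    if first[-1] == 0:                       # trailing minimum octet: drop it, then pad
        return pad([first[:-1]] + rest)
    lower = first[:-1] + bytes([bump(first[-1], -1)])
    room = min(MAX_LABEL, len(lower) + MAX_NAME - wire_len(name))
    return pad([lower.ljust(room, b"\xff")] + rest)

def successor(name, apex):
    name = list(name)
    if wire_len(name) <= MAX_NAME - 2:       # room for a new one-octet label
        return [b"\x00"] + name
    while name != apex:
        first = name[0]
        if wire_len(name) == MAX_NAME - 1 and len(first) < MAX_LABEL:
            return [first + b"\x00"] + name[1:]
        stem = first.rstrip(b"\xff")         # octets right of the incremented one go
        if stem:
            return [stem[:-1] + bytes([bump(stem[-1], +1)])] + name[1:]
        name = name[1:]                      # label was all 0xff: remove it and retry
    return name                              # wrapped to the zone apex

if __name__ == "__main__":
    apex = parse("example.com.")
    top = predecessor(apex, apex)
    print([len(label) for label in top], wire_len(top))
    print(successor(top, apex) == apex)
```

The loop in `successor` runs once per leading all-0xff label, which is the kind of input-dependent work the Security Considerations section refers to.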

5.3. Examples of Predecessors Using Modified Method

Example of a typical case:

P'(foo.example.com.) =

fon\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255.example.com.

or, in alternate notation:

fon\255{60}.example.com.

Example where DNS name contains more labels than DNS names in the zone:

P'(bar.foo.example.com.) = foo.example.com.

Example where least significant (right-most) octet of least significant (left-most) label has the minimum sort value:

P'(foo\000.example.com.) = foo.example.com.

Example where least significant (left-most) label has the minimum sort value:

P'(\000.example.com.) = example.com.

Example where DNS name is the owner name of the zone apex, and consequently wraps to the DNS name with the maximum possible sort order in the zone:

P'(example.com.) =

\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255.example.com.

or, in alternate notation:

\255{63}.example.com.

5.4. Examples of Successors Using Modified Method

Example of a typical case:

S'(foo.example.com.) = foo\000.example.com.

Example where DNS name contains more labels than DNS names in the zone:

S'(bar.foo.example.com.) = foo\000.example.com.

Example where least significant (left-most) label has the maximum sort value, and consequently wraps to the owner name of the zone apex:

N = \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255.example.com.

or, in alternate notation:

\255{63}.example.com.

S'(N) = example.com.

6. Security Considerations

The derivation of some predecessors/successors requires the testing of more conditions than others. Consequently, the effectiveness of a denial-of-service attack may be enhanced by sending queries that require more conditions to be tested. The modified method involves the testing of fewer conditions than the absolute method and consequently is somewhat less susceptible to this exposure.

7. Acknowledgements

The authors would like to thank Sam Weiler, Olaf Kolkman, Olafur Gudmundsson, and Niall O'Reilly for their review and input.

8. References
8.1. Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997.

[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000.

[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

8.2. Informative References

[RFC4470] Weiler, S. and J. Ihren, "Minimally Covering NSEC Records and DNSSEC On-line Signing", RFC 4470, April 2006.

[DNSSEC-TRANS] Arends, R., Koch, P., and J. Schlyter, "Evaluating DNSSEC Transition Mechanisms", Work in Progress, February 2005.

Authors' Addresses

   Geoffrey Sisson
   Nominet
   Sandford Gate
   Sandy Lane West
   Oxford
   OX4 6LB
   GB

   Phone: +44 1865 332211
   EMail: geoff@nominet.org.uk
        

   Ben Laurie
   Nominet
   17 Perryn Road
   London
   W3 7LR
   GB

   Phone: +44 20 8735 0686
   EMail: ben@algroup.co.uk
        

Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
