Internet Engineering Task Force (IETF)                   D. Eastlake 3rd
Request for Comments: 6604                                        Huawei
Updates: 1035, 2308, 2672                                     April 2012
Category: Standards Track
ISSN: 2070-1721
        
Internet Engineering Task Force (IETF)                   D. Eastlake 3rd
Request for Comments: 6604                                        Huawei
Updates: 1035, 2308, 2672                                     April 2012
Category: Standards Track
ISSN: 2070-1721
        

xNAME RCODE and Status Bits Clarification

xNAME RCODE和状态位说明

Abstract

摘要

The Domain Name System (DNS) has long provided means, such as the CNAME (Canonical Name), whereby a DNS query can be redirected to a different name. A DNS response header has an RCODE (Response Code) field, used for indicating errors, and response status bits. This document clarifies, in the case of such redirected queries, how the RCODE and status bits correspond to the initial query cycle (where the CNAME or the like was detected) and subsequent or final query cycles.

域名系统(DNS)长期以来提供了一些方法,例如CNAME(规范名称),通过这种方法,DNS查询可以重定向到不同的名称。DNS响应头有一个RCODE(响应代码)字段,用于指示错误和响应状态位。本文档澄清了在这种重定向查询的情况下,RCODE和状态位如何对应于初始查询周期(其中检测到CNAME等)以及后续或最终查询周期。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6604.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6604.

Copyright Notice

版权公告

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................2
      1.1. Conventions Used in This Document ..........................3
   2. Restatement of Status Bits and What They Mean ...................3
      2.1. The Authoritative Answer Bit ...............................3
      2.2. The Authentic Data Bit .....................................3
   3. RCODE Clarification .............................................3
   4. Security Considerations .........................................4
   5. References ......................................................4
      5.1. Normative References .......................................4
      5.2. Informative References .....................................5
        
   1. Introduction ....................................................2
      1.1. Conventions Used in This Document ..........................3
   2. Restatement of Status Bits and What They Mean ...................3
      2.1. The Authoritative Answer Bit ...............................3
      2.2. The Authentic Data Bit .....................................3
   3. RCODE Clarification .............................................3
   4. Security Considerations .........................................4
   5. References ......................................................4
      5.1. Normative References .......................................4
      5.2. Informative References .....................................5
        
1. Introduction
1. 介绍

The Domain Name System (DNS) has long provided means, such as the CNAME (Canonical Name [RFC1035]) and DNAME [RFC2672] RRs (Resource Records), whereby a DNS query can be redirected to a different name. In particular, CNAME normally causes a query to its owner name to be redirected, while DNAME normally causes a query to any lower-level name to be redirected. There has been a proposal for another redirection RR. In addition, as specified in [RFC2672], redirection through a DNAME also results in the synthesis of a CNAME RR in the response. In this document, we will refer to all RRs causing such redirection as xNAME RRs.

域名系统(DNS)长期以来提供了CNAME(规范名称[RFC1035])和DNAME[RFC2672]RRs(资源记录)等手段,通过这些手段,DNS查询可以重定向到不同的名称。特别是,CNAME通常会重定向对其所有者名称的查询,而DNAME通常会重定向对任何较低级别名称的查询。有人提议再改一个方向。此外,如[RFC2672]中所述,通过DNAME重定向也会导致响应中CNAME RR的合成。在本文档中,我们将引用所有导致此类重定向的RRs,如xNAME RRs。

xNAME RRs can be explicitly retrieved by querying for the xNAME type. When a different type is queried and an xNAME RR is encountered, the xNAME RR (and possibly a synthesized CNAME) is added to the answer in the response, DNS Security Extensions (DNSSEC) [RFC4035] RRs applicable to the xNAME RR may be added to the response, and the query is restarted with the name to which it was redirected.

可以通过查询xNAME类型显式检索xNAME RRs。当查询不同类型且遇到xNAME RR时,xNAME RR(可能还有一个合成的CNAME)会添加到响应中的答案中,适用于xNAME RR的DNS安全扩展(DNSSEC)[RFC4035]RRs会添加到响应中,并使用其重定向到的名称重新启动查询。

An xNAME may redirect a query to a name at which there is another xNAME and so on. In this document, we use "xNAME chain" to refer to a series of one or more xNAMEs each of which refers to another xNAME except the last, which refers to a non-xNAME or results in an error.

xNAME可以将查询重定向到存在另一个xNAME的名称,以此类推。在本文档中,我们使用“xNAME链”来指代一系列一个或多个xNAME,每个xNAME都指代另一个xNAME,但最后一个xNAME指代非xNAME或导致错误。

A DNS response header has an RCODE (Response Code) field, used for indicating errors, and status bits that indicate whether an answer is authoritative and/or authentic. This document clarifies, in the case of such redirected queries, how the RCODE and status bits correspond to the initial query cycle (where the (first) xNAME was detected) and subsequent or final query cycles.

DNS响应头具有用于指示错误的RCODE(响应代码)字段和指示应答是否权威和/或真实的状态位。本文档澄清了在这种重定向查询的情况下,RCODE和status位如何对应于初始查询周期(检测到(第一个)xNAME)以及后续或最终查询周期。

1.1. Conventions Used in This Document
1.1. 本文件中使用的公约

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

2. Restatement of Status Bits and What They Mean
2. 状态位及其含义的重述

There are two status bits returned in query responses for which a question could arise as to how, in the case of an xNAME chain, they relate to the first, possible intermediate, and/or last queries, as below. Note that the following is unchanged from [RFC1035] and [RFC4035]. The meaning of these bits is simply restated here for clarity, because of observations of released implementations that did not follow these meanings.

查询响应中返回了两个状态位,对于这两个状态位,可能会出现一个问题,即在xNAME链的情况下,它们与第一个、可能的中间和/或最后一个查询的关系如何,如下所示。请注意,以下内容与[RFC1035]和[RFC4035]中的内容相同。为了清楚起见,这里简单地重述了这些位的含义,因为对发布的实现的观察没有遵循这些含义。

2.1. The Authoritative Answer Bit
2.1. 权威的答案是

The AA, or Authoritative Answer bit, in the DNS response header indicates that the answer returned is from a DNS server authoritative for the zone containing that answer. For an xNAME chain, this "authoritative" status could be different for each answer in that chain.

DNS响应标头中的AA或权威应答位表示返回的应答来自对包含该应答的区域具有权威性的DNS服务器。对于xNAME链,该链中的每个答案的“权威”状态可能不同。

[RFC1035] states that the AA bit is to be set based on whether the server providing the answer with the first owner name in the answer section is authoritative. This specification of the AA bit has not been changed.

[RFC1035]表示,AA位将根据在应答部分提供第一个所有者名称的应答的服务器是否具有权威性来设置。AA位的此规格尚未更改。

2.2. The Authentic Data Bit
2.2. 真实数据位

The AD, or Authentic Data bit, indicates that the response returned is authentic according to the dictates of DNSSEC [RFC4035]. [RFC4035] unambiguously states that the AD bit is to be set in a DNS response header only if the DNSSEC-enabled server believes all RRs in the answer and authority sections of that response to be authentic. This specification of the AD bit has not been changed.

AD或真实数据位表示根据DNSSEC[RFC4035]的指示返回的响应是真实的。[RFC4035]明确指出,只有在启用DNSSEC的服务器认为响应的应答和授权部分中的所有RRs都是可信的情况下,才会在DNS响应头中设置AD位。AD位的此规格尚未更改。

3. RCODE Clarification
3. RCODE澄清

The RCODE field in a DNS query response header is non-zero to indicate an error. Section 4.3.2 of [RFC1034] has a resolution algorithm that includes CNAME processing but has been found to be unclear concerning the ultimate setting of RCODE in the case of such redirection. Section 2.1 of [RFC2308] implies that the RCODE should be set based on the last query cycle in the case of an xNAME chain, but Section 2.2.1 of [RFC2308] says that some servers don't do that!

DNS查询响应标头中的RCODE字段为非零以指示错误。[RFC1034]第4.3.2节有一个包含CNAME处理的解析算法,但发现在这种重定向情况下,关于RCODE的最终设置不清楚。[RFC2308]的第2.1节暗示,对于xNAME链,RCODE应该基于最后一个查询周期进行设置,但是[RFC2308]的第2.2.1节说,有些服务器不这样做!

When there is an xNAME chain, the RCODE field is set as follows:

当存在xNAME链时,RCODE字段设置如下:

When an xNAME chain is followed, all but the last query cycle necessarily had no error. The RCODE in the ultimate DNS response MUST BE set based on the final query cycle leading to that response. If the xNAME chain was terminated by an error, it will be that error code. If the xNAME chain terminated without error, it will be zero.

当遵循xNAME链时,除了最后一个查询周期之外,所有查询周期都必须没有错误。最终DNS响应中的RCODE必须根据导致该响应的最终查询周期进行设置。如果xNAME链因错误而终止,则将是该错误代码。如果xNAME链在没有错误的情况下终止,它将为零。

4. Security Considerations
4. 安全考虑

The AA header flag bit is not protected by DNSSEC [RFC4033]. To secure it, secure communications are needed between the querying resolver and the DNS server. Such security can be provided by DNS transaction security, either TSIG [RFC2845] or SIG(0) [RFC2931].

AA标头标志位不受DNSSEC[RFC4033]的保护。为了确保安全,需要在查询解析器和DNS服务器之间进行安全通信。这种安全性可以由DNS事务安全性(TSIG[RFC2845]或SIG(0)[RFC2931]提供。

An AD header flag bit and the RCODE in a response are not, in general, protected by DNSSEC, so the same conditions as stated in the previous paragraph generally apply to them; however, this is not always true. In particular, if the following apply, then the AD bit and an NXDOMAIN RCODE are protected by DNSSEC in the sense that the querier can calculate whether they are correct:

一般来说,响应中的AD报头标志位和RCODE不受DNSSEC保护,因此上一段中所述的相同条件通常适用于它们;然而,这并不总是正确的。特别是,如果以下条件适用,则AD位和NXDOMAIN RCODE受DNSSEC保护,即查询者可以计算它们是否正确:

1. The zone where an NXDOMAIN RCODE occurs or all the zones where the data whose authenticity would be indicated by the AD flag bit are signed zones.

1. 出现NXDOMAIN RCODE的区域,或AD标志位指示其真实性的数据为有符号区域的所有区域。

2. The query or queries involved indicate that DNSSEC RRs are OK in responses.

2. 所涉及的一个或多个查询表明DNSSEC RRs的响应正常。

3. The responses providing these indications are from servers that include the additional DNSSEC RRs required by DNSSEC.

3. 提供这些指示的响应来自包括DNSSEC要求的附加DNSSEC RRs的服务器。

4. The querier has appropriate trust anchor(s) and appropriately validates and processes the DNSSEC RRs in the response.

4. 查询者拥有适当的信任锚,并在响应中适当验证和处理DNSSEC RRs。

5. References
5. 工具书类
5.1. Normative References
5.1. 规范性引用文件

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.

[RFC1034]Mockapetris,P.,“域名-概念和设施”,STD 13,RFC 1034,1987年11月。

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.

[RFC1035]Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 1035,1987年11月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC 2672, August 1999.

[RFC2672]克劳福德,M.,“非终端DNS名称重定向”,RFC 26721999年8月。

[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.

[RFC4035]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的协议修改”,RFC 4035,2005年3月。

5.2. Informative References
5.2. 资料性引用

[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, March 1998.

[RFC2308]Andrews,M.,“DNS查询的反向缓存(DNS NCACHE)”,RFC 2308,1998年3月。

[RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000.

[RFC2845]Vixie,P.,Gudmundsson,O.,Eastlake 3rd,D.,和B.Wellington,“DNS秘密密钥交易认证(TSIG)”,RFC 28452000年5月。

[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures ( SIG(0)s )", RFC 2931, September 2000.

[RFC2931]Eastlake 3rd,D.,“DNS请求和事务签名(SIG(0)s)”,RFC 29312000年9月。

[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.

[RFC4033]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。

Author's Address

作者地址

Donald E. Eastlake 3rd Huawei R&D USA 155 Beaver Street Milford, MA 01757

Donald E.Eastlake 3rd Huawei R&D USA马萨诸塞州米尔福德海狸街155号01757

   Phone: +1-508-333-2270
   EMail: d3e3e3@gmail.com
        
   Phone: +1-508-333-2270
   EMail: d3e3e3@gmail.com