Internet Engineering Task Force (IETF)                           S. Rose
Request for Comments: 6672                                          NIST
Obsoletes: 2672                                            W. Wijngaards
Updates: 3363                                                 NLnet Labs
Category: Standards Track                                      June 2012
ISSN: 2070-1721
        
Internet Engineering Task Force (IETF)                           S. Rose
Request for Comments: 6672                                          NIST
Obsoletes: 2672                                            W. Wijngaards
Updates: 3363                                                 NLnet Labs
Category: Standards Track                                      June 2012
ISSN: 2070-1721
        

DNAME Redirection in the DNS

DNS中的DNAME重定向

Abstract

摘要

The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS. This document obsoletes the original specification in RFC 2672 as well as updates the document on representing IPv6 addresses in DNS (RFC 3363).

DNAME记录为DNS中域名树的子树提供重定向。也就是说,所有以特定后缀结尾的名称都会重定向到DNS的另一部分。本文档废除了RFC 2672中的原始规范,并更新了在DNS中表示IPv6地址的文档(RFC 3363)。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6672.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6672.

Copyright Notice

版权公告

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。

Table of Contents

目录

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Requirements Language  . . . . . . . . . . . . . . . . . .  4
   2.  The DNAME Resource Record  . . . . . . . . . . . . . . . . . .  5
     2.1.  Format . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     2.2.  The DNAME Substitution . . . . . . . . . . . . . . . . . .  5
     2.3.  DNAME Owner Name Matching the QNAME  . . . . . . . . . . .  6
     2.4.  Names next to and below a DNAME Record . . . . . . . . . .  7
     2.5.  Compression of the DNAME Record  . . . . . . . . . . . . .  7
   3.  Processing . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.1.  CNAME Synthesis  . . . . . . . . . . . . . . . . . . . . .  8
     3.2.  Server Algorithm . . . . . . . . . . . . . . . . . . . . .  9
     3.3.  Wildcards  . . . . . . . . . . . . . . . . . . . . . . . . 10
     3.4.  Acceptance and Intermediate Storage  . . . . . . . . . . . 11
       3.4.1.  Resolver Algorithm . . . . . . . . . . . . . . . . . . 11
   4.  DNAME Discussions in Other Documents . . . . . . . . . . . . . 12
   5.  Other Issues with DNAME  . . . . . . . . . . . . . . . . . . . 13
     5.1.  Canonical Hostnames Cannot Be below DNAME Owners . . . . . 13
     5.2.  Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 13
     5.3.  DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 14
       5.3.1.  Signed DNAME, Unsigned Synthesized CNAME . . . . . . . 14
       5.3.2.  DNAME Bit in NSEC Type Map . . . . . . . . . . . . . . 14
       5.3.3.  DNAME Chains as Strong as the Weakest Link . . . . . . 14
       5.3.4.  Validators Must Understand DNAME . . . . . . . . . . . 14
         5.3.4.1.  Invalid Name Error Response Caused by DNAME in
                   Bitmap . . . . . . . . . . . . . . . . . . . . . . 15
         5.3.4.2.  Valid Name Error Response Involving DNAME in
                   Bitmap . . . . . . . . . . . . . . . . . . . . . . 15
         5.3.4.3.  Response with Synthesized CNAME  . . . . . . . . . 16
   6.  Examples of DNAME Use in a Zone  . . . . . . . . . . . . . . . 16
     6.1.  Organizational Renaming  . . . . . . . . . . . . . . . . . 16
     6.2.  Classless Delegation of Shorter Prefixes . . . . . . . . . 17
     6.3.  Network Renumbering Support  . . . . . . . . . . . . . . . 17
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 18
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 18
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
     10.2. Informative References . . . . . . . . . . . . . . . . . . 20
   Appendix A.  Changes from RFC 2672 . . . . . . . . . . . . . . . . 21
     A.1.  Changes to Server Behavior . . . . . . . . . . . . . . . . 21
     A.2.  Changes to Client Behavior . . . . . . . . . . . . . . . . 21
        
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Requirements Language  . . . . . . . . . . . . . . . . . .  4
   2.  The DNAME Resource Record  . . . . . . . . . . . . . . . . . .  5
     2.1.  Format . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     2.2.  The DNAME Substitution . . . . . . . . . . . . . . . . . .  5
     2.3.  DNAME Owner Name Matching the QNAME  . . . . . . . . . . .  6
     2.4.  Names next to and below a DNAME Record . . . . . . . . . .  7
     2.5.  Compression of the DNAME Record  . . . . . . . . . . . . .  7
   3.  Processing . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.1.  CNAME Synthesis  . . . . . . . . . . . . . . . . . . . . .  8
     3.2.  Server Algorithm . . . . . . . . . . . . . . . . . . . . .  9
     3.3.  Wildcards  . . . . . . . . . . . . . . . . . . . . . . . . 10
     3.4.  Acceptance and Intermediate Storage  . . . . . . . . . . . 11
       3.4.1.  Resolver Algorithm . . . . . . . . . . . . . . . . . . 11
   4.  DNAME Discussions in Other Documents . . . . . . . . . . . . . 12
   5.  Other Issues with DNAME  . . . . . . . . . . . . . . . . . . . 13
     5.1.  Canonical Hostnames Cannot Be below DNAME Owners . . . . . 13
     5.2.  Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 13
     5.3.  DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 14
       5.3.1.  Signed DNAME, Unsigned Synthesized CNAME . . . . . . . 14
       5.3.2.  DNAME Bit in NSEC Type Map . . . . . . . . . . . . . . 14
       5.3.3.  DNAME Chains as Strong as the Weakest Link . . . . . . 14
       5.3.4.  Validators Must Understand DNAME . . . . . . . . . . . 14
         5.3.4.1.  Invalid Name Error Response Caused by DNAME in
                   Bitmap . . . . . . . . . . . . . . . . . . . . . . 15
         5.3.4.2.  Valid Name Error Response Involving DNAME in
                   Bitmap . . . . . . . . . . . . . . . . . . . . . . 15
         5.3.4.3.  Response with Synthesized CNAME  . . . . . . . . . 16
   6.  Examples of DNAME Use in a Zone  . . . . . . . . . . . . . . . 16
     6.1.  Organizational Renaming  . . . . . . . . . . . . . . . . . 16
     6.2.  Classless Delegation of Shorter Prefixes . . . . . . . . . 17
     6.3.  Network Renumbering Support  . . . . . . . . . . . . . . . 17
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 18
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 18
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
     10.2. Informative References . . . . . . . . . . . . . . . . . . 20
   Appendix A.  Changes from RFC 2672 . . . . . . . . . . . . . . . . 21
     A.1.  Changes to Server Behavior . . . . . . . . . . . . . . . . 21
     A.2.  Changes to Client Behavior . . . . . . . . . . . . . . . . 21
        
1. Introduction
1. 介绍

DNAME is a DNS resource record type originally defined in RFC 2672 [RFC2672]. DNAME provides redirection from a part of the DNS name tree to another part of the DNS name tree.

DNAME是最初在RFC 2672[RFC2672]中定义的DNS资源记录类型。DNAME提供从DNS名称树的一部分到DNS名称树的另一部分的重定向。

The DNAME RR and the CNAME RR [RFC1034] cause a lookup to (potentially) return data corresponding to a domain name different from the queried domain name. The difference between the two resource records is that the CNAME RR directs the lookup of data at its owner to another single name, whereas a DNAME RR directs lookups for data at descendants of its owner's name to corresponding names under a different (single) node of the tree.

DNAME RR和CNAME RR[RFC1034]导致查找(可能)返回与查询域名不同的域名对应的数据。两个资源记录之间的区别在于,CNAME RR将所有者的数据查找定向到另一个单一名称,而DNAME RR将所有者名称的后代的数据查找定向到树的不同(单一)节点下的相应名称。

For example, take looking through a zone (see RFC 1034 [RFC1034], Section 4.3.2, step 3) for the domain name "foo.example.com", and a DNAME resource record is found at "example.com" indicating that all queries under "example.com" be directed to "example.net". The lookup process will return to step 1 with the new query name of "foo.example.net". Had the query name been "www.foo.example.com", the new query name would be "www.foo.example.net".

例如,查看域名“foo.example.com”的区域(参见RFC 1034[RFC1034],第4.3.2节,步骤3),在“example.com”中找到一条DNAME资源记录,指示“example.com”下的所有查询都指向“example.net”。查找过程将返回到步骤1,新查询名为“foo.example.net”。如果查询名称是“www.foo.example.com”,那么新的查询名称将是“www.foo.example.net”。

This document is a revision of the original specification of DNAME in RFC 2672 [RFC2672]. DNAME was conceived to help with the problem of maintaining address-to-name mappings in a context of network renumbering. With a careful setup, a renumbering event in the network causes no change to the authoritative server that has the address-to-name mappings. Examples in practice are classless reverse address space delegations.

本文件是RFC 2672[RFC2672]中DNAME原始规范的修订版。DNAME旨在帮助解决在网络重新编号的环境中维护地址到名称映射的问题。仔细设置后,网络中的重新编号事件不会对具有地址到名称映射的权威服务器造成任何更改。实践中的例子是无类反向地址空间委托。

Another usage of DNAME lies in aliasing of name spaces. For example, a zone administrator may want subtrees of the DNS to contain the same information. Examples include punycode [RFC3492] alternates for domain spaces.

DNAME的另一个用法在于名称空间的别名。例如,区域管理员可能希望DNS子树包含相同的信息。示例包括域空间的punycode[RFC3492]替代。

This revision of the DNAME specification does not change the wire format or the handling of DNAME resource records. Discussion is added on problems that may be encountered when using DNAME.

此版本的DNAME规范不会更改连线格式或DNAME资源记录的处理。添加了关于使用DNAME时可能遇到的问题的讨论。

1.1. Requirements Language
1.1. 需求语言

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED" "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”应按照RFC 2119[RFC2119]中的说明进行解释。

2. The DNAME Resource Record
2. DNAME资源记录
2.1. Format
2.1. 总体安排

The DNAME RR has mnemonic DNAME and type code 39 (decimal). It is CLASS-insensitive.

DNAME RR具有助记DNAME和类型代码39(十进制)。它对类不敏感。

Its RDATA is comprised of a single field, <target>, which contains a fully qualified domain name that MUST be sent in uncompressed form [RFC1035] [RFC3597]. The <target> field MUST be present. The presentation format of <target> is that of a domain name [RFC1035]. The presentation format of the RR is as follows:

其RDATA由单个字段组成,<target>,其中包含必须以未压缩格式[RFC1035][RFC3597]发送的完全限定域名。<target>字段必须存在。<target>的表示格式是域名[RFC1035]的表示格式。RR的演示格式如下:

           <owner> <ttl> <class> DNAME <target>
        
           <owner> <ttl> <class> DNAME <target>
        

The effect of the DNAME RR is the substitution of the record's <target> for its owner name, as a suffix of a domain name. This substitution is to be applied for all names below the owner name of the DNAME RR. This substitution has to be applied for every DNAME RR found in the resolution process, which allows fairly lengthy valid chains of DNAME RRs.

DNAME RR的作用是将记录的<target>替换为其所有者名称,作为域名的后缀。此替换将应用于DNAME RR所有者名称以下的所有名称。此替换必须应用于解析过程中发现的每个DNAME RR,这允许相当长的DNAME RR有效链。

Details of the substitution process, methods to avoid conflicting resource records, and rules for specific corner cases are given in the following subsections.

以下小节给出了替换过程的详细信息、避免资源记录冲突的方法以及特定角落案例的规则。

2.2. The DNAME Substitution
2.2. DNAME替换

When following step 3 of the algorithm in RFC 1034 [RFC1034], Section 4.3.2, "start matching down, label by label, in the zone" and a node is found to own a DNAME resource record, a DNAME substitution occurs. The name being sought may be the original query name or a name that is the result of a CNAME resource record being followed or a previously encountered DNAME. As in the case when finding a CNAME resource record or NS resource record set, the processing of a DNAME will happen prior to finding the desired domain name.

当遵循RFC 1034[RFC1034]第4.3.2节“在区域内逐个标签开始向下匹配”中的算法步骤3,并且发现节点拥有DNAME资源记录时,会发生DNAME替换。正在查找的名称可以是原始查询名称,也可以是跟随CNAME资源记录的结果名称,或者是以前遇到的DNAME。与查找CNAME资源记录或NS资源记录集时一样,DNAME的处理将在查找所需域名之前进行。

A DNAME substitution is performed by replacing the suffix labels of the name being sought matching the owner name of the DNAME resource record with the string of labels in the RDATA field. The matching labels end with the root label in all cases. Only whole labels are replaced. See the table of examples for common cases and corner cases.

通过使用RDATA字段中的标签字符串替换与DNAME资源记录的所有者名称匹配的要查找的名称的后缀标签来执行DNAME替换。在所有情况下,匹配的标签都以根标签结尾。只替换整个标签。常见情况和拐角情况见示例表。

In the table below, the QNAME refers to the query name. The owner is the DNAME owner domain name, and the target refers to the target of the DNAME record. The result is the resulting name after performing the DNAME substitution on the query name. "no match" means that the

在下表中,QNAME指的是查询名称。所有者是DNAME所有者域名,目标是指DNAME记录的目标。结果是对查询名称执行DNAME替换后的结果名称。“不匹配”意味着

query did not match the DNAME, and thus no substitution is performed and a possible error message is returned (if no other result is possible). Thus, every line contains one example substitution. In the examples below, 'cyc' and 'shortloop' contain loops.

查询与DNAME不匹配,因此不会执行任何替换,并返回可能的错误消息(如果不可能有其他结果)。因此,每行包含一个替换示例。在下面的示例中,“cyc”和“shortloop”包含循环。

    QNAME            owner  DNAME   target         result
    ---------------- -------------- -------------- -----------------
    com.             example.com.   example.net.   <no match>
    example.com.     example.com.   example.net.   [0]
    a.example.com.   example.com.   example.net.   a.example.net.
    a.b.example.com. example.com.   example.net.   a.b.example.net.
    ab.example.com.  b.example.com. example.net.   <no match>
    foo.example.com. example.com.   example.net.   foo.example.net.
    a.x.example.com. x.example.com. example.net.   a.example.net.
    a.example.com.   example.com.   y.example.net. a.y.example.net.
    cyc.example.com. example.com.   example.com.   cyc.example.com.
    cyc.example.com. example.com.   c.example.com. cyc.c.example.com.
    shortloop.x.x.   x.             .              shortloop.x.
    shortloop.x.     x.             .              shortloop.
        
    QNAME            owner  DNAME   target         result
    ---------------- -------------- -------------- -----------------
    com.             example.com.   example.net.   <no match>
    example.com.     example.com.   example.net.   [0]
    a.example.com.   example.com.   example.net.   a.example.net.
    a.b.example.com. example.com.   example.net.   a.b.example.net.
    ab.example.com.  b.example.com. example.net.   <no match>
    foo.example.com. example.com.   example.net.   foo.example.net.
    a.x.example.com. x.example.com. example.net.   a.example.net.
    a.example.com.   example.com.   y.example.net. a.y.example.net.
    cyc.example.com. example.com.   example.com.   cyc.example.com.
    cyc.example.com. example.com.   c.example.com. cyc.c.example.com.
    shortloop.x.x.   x.             .              shortloop.x.
    shortloop.x.     x.             .              shortloop.
        

[0] The result depends on the QTYPE. If the QTYPE = DNAME, then the result is "example.com.", else "<no match>".

[0] 结果取决于QTYPE。如果QTYPE=DNAME,则结果为“example.com.”,否则为“<no match>”。

Table 1. DNAME Substitution Examples

表1。DNAME替换示例

It is possible for DNAMEs to form loops, just as CNAMEs can form loops. DNAMEs and CNAMEs can chain together to form loops. A single corner case DNAME can form a loop. Resolvers and servers should be cautious in devoting resources to a query, but be aware that fairly long chains of DNAMEs may be valid. Zone content administrators should take care to ensure that there are no loops that could occur when using DNAME or DNAME/CNAME redirection.

DNAMEs可以形成循环,就像CNAMEs可以形成循环一样。DNAMEs和CNAMEs可以链在一起形成环。一个角盒DNAME可以形成一个循环。解析程序和服务器在将资源用于查询时应谨慎,但请注意,相当长的DNAME链可能是有效的。区域内容管理员应注意确保在使用DNAME或DNAME/CNAME重定向时不会出现循环。

The domain name can get too long during substitution. For example, suppose the target name of the DNAME RR is 250 octets in length (multiple labels), if an incoming QNAME that has a first label over 5 octets in length, the result would be a name over 255 octets. If this occurs, the server returns an RCODE of YXDOMAIN [RFC2136]. The DNAME record and its signature (if the zone is signed) are included in the answer as proof for the YXDOMAIN (value 6) RCODE.

域名在替换过程中可能过长。例如,假设DNAME RR的目标名称长度为250个八位字节(多个标签),如果传入QNAME的第一个标签长度超过5个八位字节,则结果将是名称长度超过255个八位字节。如果发生这种情况,服务器将返回一个RCODE为YXDOMAIN[RFC2136]。答案中包括DNAME记录及其签名(如果区域已签名),作为YXDOMAIN(值6)RCODE的证据。

2.3. DNAME Owner Name Matching the QNAME
2.3. 与QNAME匹配的DNAME所有者名称

Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its owner name; the owner name of a DNAME is not redirected itself. The domain name that owns a DNAME record is allowed to have other resource record types at that domain name, except DNAMEs, CNAMEs, or other types that have restrictions on what they can coexist with.

与CNAME RR不同,DNAME RR重定向从属于其所有者名称的DNS名称;DNAME的所有者名称本身不会重定向。允许拥有DNAME记录的域名在该域名上具有其他资源记录类型,但DNAMEs、CNAMEs或其他对它们可以共存的内容有限制的类型除外。

When there is a match of the QTYPE to a type (or types) also owned by the owner name, the response is sourced from the owner name. For example, a QTYPE of ANY would return the (available) types at the owner name, not the target name.

当QTYPE与同样由所有者名称拥有的类型(或多个类型)匹配时,响应来源于所有者名称。例如,ANY的QTYPE将返回所有者名称处的(可用)类型,而不是目标名称。

DNAME RRs MUST NOT appear at the same owner name as an NS RR unless the owner name is the zone apex; if it is not the zone apex, then the NS RR signifies a delegation point, and the DNAME RR must in that case appear below the zone cut at the zone apex of the child zone.

DNAME RRs不得与NS RR出现在同一所有者名称下,除非所有者名称为区域顶点;如果不是分区顶点,则NS RR表示委派点,在这种情况下,DNAME RR必须出现在子分区的分区顶点处的分区切割下方。

If a DNAME record is present at the zone apex, there is still a need to have the customary SOA and NS resource records there as well. Such a DNAME cannot be used to mirror a zone completely, as it does not mirror the zone apex.

如果在区域顶点存在DNAME记录,那么仍然需要在那里有常规的SOA和NS资源记录。这样的DNAME不能用于完全镜像分区,因为它不能镜像分区顶点。

These rules also allow DNAME records to be queried through caches that are RFC 1034 [RFC1034] compliant and are DNAME unaware.

这些规则还允许通过符合RFC 1034[RFC1034]且不知道DNAME的缓存查询DNAME记录。

2.4. Names next to and below a DNAME Record
2.4. DNAME记录旁边和下面的名称

Resource records MUST NOT exist at any subdomain of the owner of a DNAME RR. To get the contents for names subordinate to that owner name, the DNAME redirection must be invoked and the resulting target queried. A server MAY refuse to load a zone that has data at a subdomain of a domain name owning a DNAME RR. If the server does load the zone, those names below the DNAME RR will be occluded as described in RFC 2136 [RFC2136], Section 7.18. Also, a server ought to refuse to load a zone subordinate to the owner of a DNAME record in the ancestor zone. See Section 5.2 for further discussion related to dynamic update.

资源记录不得存在于DNAME RR所有者的任何子域中。要获取从属于该所有者名称的名称的内容,必须调用DNAME重定向并查询结果目标。服务器可能会拒绝加载在拥有DNAME RR的域名的子域中包含数据的区域。如果服务器确实加载了区域,则将按照RFC 2136[RFC2136]第7.18节所述,屏蔽DNAME RR下方的名称。此外,服务器应该拒绝加载从属于祖先区域中DNAME记录所有者的区域。有关动态更新的进一步讨论,请参见第5.2节。

DNAME is a singleton type, meaning only one DNAME is allowed per name. The owner name of a DNAME can only have one DNAME RR, and no CNAME RRs can exist at that name. These rules make sure that for a single domain name, only one redirection exists; thus, there's no confusion about which one to follow. A server ought to refuse to load a zone that violates these rules.

DNAME是单例类型,这意味着每个名称只允许一个DNAME。DNAME的所有者名称只能有一个DNAME RR,并且该名称下不能存在CNAME RR。这些规则确保单个域名只存在一个重定向;因此,不存在关于遵循哪一个的混淆。服务器应该拒绝加载违反这些规则的区域。

2.5. Compression of the DNAME Record
2.5. DNAME记录的压缩

The DNAME owner name can be compressed like any other owner name. The DNAME RDATA target name MUST NOT be sent out in compressed form and MUST be downcased for DNS Security Extensions (DNSSEC) validation.

DNAME所有者名称可以像任何其他所有者名称一样进行压缩。DNAME RDATA目标名称不得以压缩形式发送,并且必须为DNS安全扩展(DNSSEC)验证设置下框。

Although the previous DNAME specification [RFC2672] (that is obsoleted by this specification) talked about signaling to allow compression of the target name, such signaling has never been specified, nor is it specified in this document.

尽管先前的DNAME规范[RFC2672](已被本规范淘汰)讨论了允许压缩目标名称的信令,但此类信令从未指定,本文档中也未指定。

RFC 2672 (obsoleted by this document) states that the Extended DNS (EDNS) version has a means for understanding DNAME and DNAME target name compression. This document revises RFC 2672, in that there is no EDNS version signaling for DNAME.

RFC 2672(已被本文件淘汰)指出,扩展DNS(EDNS)版本具有理解DNAME和DNAME目标名称压缩的方法。本文件修订了RFC 2672,因为没有针对DNAME的EDNS版本信令。

3. Processing
3. 处理
3.1. CNAME Synthesis
3.1. CNAME合成

When preparing a response, a server performing a DNAME substitution will, in all cases, include the relevant DNAME RR in the answer section. Relevant cases includes the following:

准备响应时,执行DNAME替换的服务器在所有情况下都会在应答部分包含相关的DNAME RR。有关个案包括:

1. The DNAME is being employed as a substitution instruction.

1. DNAME被用作替换指令。

2. The DNAME itself matches the QTYPE, and the owner name matches QNAME.

2. DNAME本身与QTYPE匹配,所有者名称与QNAME匹配。

When the owner name matches the QNAME and the QTYPE matches another type owned there, the DNAME is not included in the answer.

当所有者名称与QNAME匹配,并且QTYPE与其中拥有的另一个类型匹配时,DNAME不包括在答案中。

A CNAME RR with Time to Live (TTL) equal to the corresponding DNAME RR is synthesized and included in the answer section when the DNAME is employed as a substitution instruction. The owner name of the CNAME is the QNAME of the query. The DNSSEC specification ([RFC4033] [RFC4034] [RFC4035]) says that the synthesized CNAME does not have to be signed. The signed DNAME has an RRSIG, and a validating resolver can check the CNAME against the DNAME record and validate the signature over the DNAME RR.

当DNAME用作替换指令时,将合成生存时间(TTL)等于相应DNAME RR的CNAME RR,并将其包含在应答部分中。CNAME的所有者名称是查询的QNAME。DNSSEC规范([RFC4033][RFC4034][RFC4035])规定合成的CNAME无需签名。签名的DNAME具有RRSIG,验证解析程序可以根据DNAME记录检查CNAME,并通过DNAME RR验证签名。

Servers MUST be able to answer a query for a synthesized CNAME. Like other query types, this invokes the DNAME, and then the server synthesizes the CNAME and places it into the answer section. If the server in question is a cache, the synthesized CNAME's TTL SHOULD be equal to the decremented TTL of the cached DNAME.

服务器必须能够回答对合成CNAME的查询。与其他查询类型一样,这将调用DNAME,然后服务器合成CNAME并将其放入应答部分。如果所讨论的服务器是缓存,则合成的CNAME的TTL应等于缓存的DNAME的递减TTL。

Resolvers MUST be able to handle a synthesized CNAME TTL of zero or a value equal to the TTL of the corresponding DNAME record (as some older, authoritative server implementations set the TTL of synthesized CNAMEs to zero). A TTL of zero means that the CNAME can be discarded immediately after processing the answer.

解析程序必须能够处理零的合成CNAME TTL或等于相应DNAME记录的TTL的值(因为一些较旧的权威服务器实现将合成CNAME的TTL设置为零)。TTL为零意味着在处理答案后可以立即丢弃CNAME。

3.2. Server Algorithm
3.2. 服务器算法

Below is the revised version of the server algorithm, which appears in RFC 2672, Section 4.1.

以下是服务器算法的修订版本,见RFC 2672第4.1节。

1. Set or clear the value of recursion available in the response depending on whether the name server is willing to provide recursive service. If recursive service is available and requested via the RD bit in the query, go to step 5; otherwise, step 2.

1. 根据名称服务器是否愿意提供递归服务,设置或清除响应中可用的递归值。如果递归服务可用并通过查询中的RD位请求,则转至步骤5;否则,请执行步骤2。

2. Search the available zones for the zone which is the nearest ancestor to QNAME. If such a zone is found, go to step 3; otherwise, step 4.

2. 在可用区域中搜索距离QNAME最近的区域。如果发现该区域,则转至步骤3;否则,请执行步骤4。

3. Start matching down, label by label, in the zone. The matching process can terminate several ways:

3. 在区域中开始逐标签向下匹配。匹配过程可以通过几种方式终止:

A. If the whole of QNAME is matched, we have found the node.

A.如果整个QNAME匹配,则我们已找到该节点。

If the data at the node is a CNAME, and QTYPE does not match CNAME, copy the CNAME RR into the answer section of the response, change QNAME to the canonical name in the CNAME RR, and go back to step 1.

如果节点上的数据是CNAME,并且QTYPE与CNAME不匹配,请将CNAME RR复制到响应的应答部分,将QNAME更改为CNAME RR中的规范名称,然后返回步骤1。

Otherwise, copy all RRs which match QTYPE into the answer section and go to step 6.

否则,将所有与QTYPE匹配的RRs复制到应答部分并转至步骤6。

B. If a match would take us out of the authoritative data, we have a referral. This happens when we encounter a node with NS RRs marking cuts along the bottom of a zone.

B.如果匹配会将我们排除在权威数据之外,我们将获得推荐。当我们遇到一个节点,其NS RRs标记沿着分区底部的切口时,就会发生这种情况。

Copy the NS RRs for the sub-zone into the authority section of the reply. Put whatever addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache. Go to step 4.

将分区的NS RRs复制到回复的权限部分。将任何可用的地址放入附加部分,如果地址不能从权威数据或缓存中获得,则使用glue RRs。转至步骤4。

C. If at some label, a match is impossible (i.e., the corresponding label does not exist), look to see whether the last label matched has a DNAME record.

C.如果在某个标签上无法匹配(即,对应的标签不存在),查看最后匹配的标签是否有DNAME记录。

           If a DNAME record exists at that point, copy that record into
           the answer section.  If substitution of its <target> for its
           <owner> in QNAME would overflow the legal size for a <domain-
           name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise,
           perform the substitution and continue.  The server MUST
        
           If a DNAME record exists at that point, copy that record into
           the answer section.  If substitution of its <target> for its
           <owner> in QNAME would overflow the legal size for a <domain-
           name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise,
           perform the substitution and continue.  The server MUST
        

synthesize a CNAME record as described above and include it in the answer section. Go back to step 1.

如上所述合成CNAME记录,并将其包含在回答部分。返回到步骤1。

If there was no DNAME record, look to see if the "*" label exists.

如果没有DNAME记录,请查看“*”标签是否存在。

If the "*" label does not exist, check whether the name we are looking for is the original QNAME in the query or a name we have followed due to a CNAME or DNAME. If the name is original, set an authoritative name error in the response and exit. Otherwise, just exit.

如果“*”标签不存在,请检查我们要查找的名称是查询中的原始QNAME还是由于CNAME或DNAME而跟随的名称。如果名称为原始名称,请在响应中设置权威名称错误并退出。否则,请退出。

If the "*" label does exist, match RRs at that node against QTYPE. If any match, copy them into the answer section, but set the owner of the RR to be QNAME, and not the node with the "*" label. If the data at the node with the "*" label is a CNAME, and QTYPE doesn't match CNAME, copy the CNAME RR into the answer section of the response changing the owner name to the QNAME, change QNAME to the canonical name in the CNAME RR, and go back to step 1. Otherwise, go to step 6.

如果“*”标签确实存在,请将该节点上的RRs与QTYPE匹配。如果有匹配项,则将它们复制到应答部分,但将RR的所有者设置为QNAME,而不是带有“*”标签的节点。如果带有“*”标签的节点上的数据是CNAME,并且QTYPE与CNAME不匹配,则将CNAME RR复制到响应的应答部分,将所有者名称更改为QNAME,将QNAME更改为CNAME RR中的规范名称,然后返回步骤1。否则,转至步骤6。

4. Start matching down in the cache. If QNAME is found in the cache, copy all RRs attached to it that match QTYPE into the answer section. If QNAME is not found in the cache but a DNAME record is present at an ancestor of QNAME, copy that DNAME record into the answer section. If there was no delegation from authoritative data, look for the best one from the cache, and put it in the authority section. Go to step 6.

4. 在缓存中开始向下匹配。如果在缓存中找到QNAME,则将与QTYPE匹配的所有附加到QNAME的RRs复制到应答部分。如果在缓存中找不到QNAME,但QNAME的祖先处存在DNAME记录,请将该DNAME记录复制到应答部分。如果没有来自权威数据的委派,请从缓存中查找最佳委派,并将其放入权威部分。转至步骤6。

5. Use the local resolver or a copy of its algorithm to answer the query. Store the results, including any intermediate CNAMEs and DNAMEs, in the answer section of the response.

5. 使用本地解析器或其算法的副本来回答查询。将结果(包括任何中间CNAMEs和DNAMEs)存储在响应的答案部分。

6. Using local data only, attempt to add other RRs that may be useful to the additional section of the query. Exit.

6. 仅使用本地数据,尝试添加可能对查询的附加部分有用的其他RRs。出口

Note that there will be at most one ancestor with a DNAME as described in step 4 unless some zone's data is in violation of the no-descendants limitation in Section 3. An implementation might take advantage of this limitation by stopping the search of step 3c or step 4 when a DNAME record is encountered.

请注意,除非某些区域的数据违反了第3节中的无后代限制,否则最多会有一个祖先具有步骤4中描述的DNAME。当遇到DNAME记录时,实现可以通过停止步骤3c或步骤4的搜索来利用此限制。

3.3. Wildcards
3.3. 通配符

The use of DNAME in conjunction with wildcards is discouraged [RFC4592]. Thus, records of the form "*.example.com DNAME example.net" SHOULD NOT be used.

不鼓励将DNAME与通配符结合使用[RFC4592]。因此,不应使用格式为“*.example.com DNAME example.net”的记录。

The interaction between the expansion of the wildcard and the redirection of the DNAME is non-deterministic. Due to the fact that the processing is non-deterministic, DNSSEC validating resolvers may not be able to validate a wildcarded DNAME.

通配符扩展和DNAME重定向之间的交互是不确定的。由于处理是非确定性的,DNSSEC验证解析程序可能无法验证通配符DNAME。

A server MAY give a warning that the behavior is unspecified if such a wildcarded DNAME is loaded. The server MAY refuse it, refuse to load the zone, or refuse dynamic updates.

如果加载了这样一个通配符的DNAME,服务器可能会发出警告,表示行为未指定。服务器可能会拒绝它、拒绝加载区域或拒绝动态更新。

3.4. Acceptance and Intermediate Storage
3.4. 验收和中间储存

Recursive caching name servers can encounter data at names below the owner name of a DNAME RR, due to a change at the authoritative server where data from before and after the change resides in the cache. This conflict situation is a transitional phase that ends when the old data times out. The caching name server can opt to store both old and new data and treat each as if the other did not exist, or drop the old data, or drop the longer domain name. In any approach, consistency returns after the older data TTL times out.

递归缓存名称服务器可能会遇到DNAME RR所有者名称以下的数据,这是由于权威服务器发生了更改,更改前后的数据都驻留在缓存中。这种冲突情况是一个过渡阶段,在旧数据超时时结束。缓存名称服务器可以选择存储旧数据和新数据,并将它们视为另一个不存在,或者删除旧数据,或者删除更长的域名。在任何方法中,在较旧的数据TTL超时后,一致性都会返回。

Recursive caching name servers MUST perform CNAME synthesis on behalf of clients.

递归缓存名称服务器必须代表客户端执行CNAME合成。

If a recursive caching name server encounters a DNSSEC validated DNAME RR that contradicts information already in the cache (excluding CNAME records), it SHOULD cache the DNAME RR, but it MAY cache the CNAME record received along with it, subject to the rules for CNAME. If the DNAME RR cannot be validated via DNSSEC (i.e., not BOGUS, but not able to validate), the recursive caching server SHOULD NOT cache the DNAME RR but MAY cache the CNAME record received along with it, subject to the rules for CNAME.

如果递归缓存名称服务器遇到DNSSEC验证的DNAME RR与缓存中已有的信息(不包括CNAME记录)相矛盾,则它应该缓存DNAME RR,但它可以缓存随它一起接收的CNAME记录,但要遵守CNAME规则。如果无法通过DNSSEC验证DNAME RR(即,不是伪造的,但无法验证),递归缓存服务器不应缓存DNAME RR,但可以缓存随它一起接收的CNAME记录,但需遵守CNAME规则。

3.4.1. Resolver Algorithm
3.4.1. 分解器算法

Below is the revised version of the resolver algorithm, which appears in RFC 2672, Section 4.2.

以下是解析器算法的修订版本,见RFC 2672第4.2节。

1. See if the answer is in local information or can be synthesized from a cached DNAME; if so, return it to the client.

1. 查看答案是否在本地信息中,或者是否可以从缓存的DNAME合成;如果是,请将其返回给客户机。

2. Find the best servers to ask.

2. 找到最好的服务器进行询问。

3. Send queries until one returns a response.

3. 发送查询,直到返回响应为止。

4. Analyze the response, either:

4. 分析响应,或者:

A. If the response answers the question or contains a name error, cache the data as well as return it back to the client.

A.如果回答回答了问题或包含名称错误,请缓存数据并将其返回给客户端。

B. If the response contains a better delegation to other servers, cache the delegation information, and go to step 2.

B.如果响应包含到其他服务器的更好的委派,请缓存委派信息,然后转至步骤2。

C. If the response shows a CNAME and that is not the answer itself, cache the CNAME, change the SNAME to the canonical name in the CNAME RR, and go to step 1.

C.如果响应显示一个CNAME,而这不是答案本身,则缓存CNAME,将SNAME更改为CNAME RR中的规范名称,然后转到步骤1。

D. If the response shows a DNAME and that is not the answer itself, cache the DNAME (upon successful DNSSEC validation if the client is a validating resolver). If substitution of the DNAME's target name for its owner name in the SNAME would overflow the legal size for a domain name, return an implementation-dependent error to the application; otherwise, perform the substitution and go to step 1.

D.如果响应显示一个DNAME,而这不是答案本身,则缓存该DNAME(如果客户端是验证解析程序,则在成功进行DNSSEC验证后)。如果在SNAME中将DNAME的目标名称替换为其所有者名称会使域名的合法大小溢出,则向应用程序返回依赖于实现的错误;否则,执行替换并转至步骤1。

E. If the response shows a server failure or other bizarre contents, delete the server from the SLIST and go back to step 3.

E.如果响应显示服务器故障或其他奇怪的内容,请从SLIST中删除服务器并返回步骤3。

4. DNAME Discussions in Other Documents
4. 其他文件中的DNAME讨论

In Section 10.3 of [RFC2181], the discussion on MX and NS records touches on redirection by CNAMEs, but this also holds for DNAMEs.

在[RFC2181]的第10.3节中,关于MX和NS记录的讨论涉及到CNAMEs的重定向,但这也适用于DNAMEs。

Section 10.3 ("MX and NS records") of [RFC2181] states:

[RFC2181]第10.3节(“MX和NS记录”)规定:

The domain name used as the value of a NS resource record, or part of the value of a MX resource record must not be an alias. Not only is the specification clear on this point, but using an alias in either of these positions neither works as well as might be hoped, nor well fulfills the ambition that may have led to this approach. This domain name must have as its value one or more address records. Currently those will be A records, however in the future other record types giving addressing information may be acceptable. It can also have other RRs, but never a CNAME RR.

用作NS资源记录值或MX资源记录值的一部分的域名不得为别名。规范不仅在这一点上是明确的,而且在这两个位置中使用别名既不能像人们希望的那样有效,也不能很好地实现导致这种方法的目标。此域名必须有一个或多个地址记录作为其值。目前,这些将是A记录,但在未来,提供寻址信息的其他记录类型可能会被接受。它也可以有其他RR,但决不能有CNAME RR。

The DNAME RR is discussed in RFC 3363, Section 4, on A6 and DNAME. The opening premise of this section is demonstrably wrong, and so the conclusion based on that premise is wrong. In particular, [RFC3363] deprecates the use of DNAME in the IPv6 reverse tree. Based on the

RFC 3363第4节A6和DNAME中讨论了DNAME RR。本节开头的前提显然是错误的,因此基于该前提的结论是错误的。特别是,[RFC3363]反对在IPv6反向树中使用DNAME。基于

experience gained in the meantime, [RFC3363] is revised, dropping all constraints on having DNAME RRs in these zones [RFC6434]. This would greatly improve the manageability of the IPv6 reverse tree. These changes are made explicit below.

同时,修订了[RFC3363]获得的经验,取消了在这些区域中拥有DNAME RRs的所有限制[RFC6434]。这将大大提高IPv6反向树的可管理性。这些变化在下文中有明确说明。

In [RFC3363], the following paragraph is updated by this document, and the use of DNAME RRs in the reverse tree is no longer deprecated.

在[RFC3363]中,本文件更新了以下段落,并且不再反对在反向树中使用DNAME RRs。

The issues for DNAME in the reverse mapping tree appears to be closely tied to the need to use fragmented A6 in the main tree: if one is necessary, so is the other, and if one isn't necessary, the other isn't either. Therefore, in moving RFC 2874 to experimental, the intent of this document is that use of DNAME RRs in the reverse tree be deprecated.

反向映射树中的DNAME问题似乎与在主树中使用片段A6的需要密切相关:如果一个是必需的,那么另一个也是必需的,如果一个不是必需的,那么另一个也不是必需的。因此,在将RFC 2874移动到实验中时,本文的目的是反对在反向树中使用DNAME RRs。

5. Other Issues with DNAME
5. DNAME的其他问题

There are several issues to be aware of about the use of DNAME.

关于DNAME的使用,有几个问题需要注意。

5.1. Canonical Hostnames Cannot Be below DNAME Owners
5.1. 规范主机名不能低于DNAME所有者

The names listed as target names of MX, NS, PTR, and SRV [RFC2782] records must be canonical hostnames. This means no CNAME or DNAME redirection may be present during DNS lookup of the address records for the host. This is discussed in RFC 2181 [RFC2181], Section 10.3, and RFC 1912 [RFC1912], Section 2.4. For SRV, see RFC 2782 [RFC2782], page 4.

作为MX、NS、PTR和SRV[RFC2782]记录的目标名称列出的名称必须是规范主机名。这意味着在DNS查找主机的地址记录期间,可能不存在CNAME或DNAME重定向。RFC 2181[RFC2181]第10.3节和RFC 1912[RFC1912]第2.4节对此进行了讨论。有关SRV,请参见RFC 2782[RFC2782],第4页。

The upshot of this is that although the lookup of a PTR record can involve DNAMEs, the name listed in the PTR record cannot fall under a DNAME. The same holds for NS, SRV, and MX records. For example, when punycode [RFC3492] alternates for a zone use DNAME, then the NS, MX, SRV, and PTR records that point to that zone must use names that are not aliases in their RDATA. Then, what must be done is to have the domain names with DNAME substitution already applied to it as the MX, NS, PTR, and SRV data. These are valid canonical hostnames.

结果是,尽管PTR记录的查找可能涉及DNAME,但PTR记录中列出的名称不能属于DNAME。NS、SRV和MX记录也是如此。例如,当punycode[RFC3492]为区域use DNAME替换时,则指向该区域的NS、MX、SRV和PTR记录必须使用在其RDATA中不是别名的名称。然后,必须做的是将具有DNAME替换的域名作为MX、NS、PTR和SRV数据应用于它。这些是有效的规范主机名。

5.2. Dynamic Update and DNAME
5.2. 动态更新和DNAME

DNAME records can be added, changed, and removed in a zone using dynamic update transactions. Adding a DNAME RR to a zone occludes any domain names that may exist under the added DNAME.

可以使用动态更新事务在区域中添加、更改和删除DNAME记录。将DNAME RR添加到区域会阻止添加的DNAME下可能存在的任何域名。

If a dynamic update message attempts to add a DNAME with a given owner name, but a CNAME is associated with that name, then the server MUST ignore the DNAME. If a DNAME is already associated with that name, then it is replaced with the new DNAME. Otherwise, add the DNAME. If a CNAME is added with a given owner name, but a DNAME is

如果动态更新消息尝试添加具有给定所有者名称的DNAME,但CNAME与该名称关联,则服务器必须忽略该DNAME。如果某个DNAME已与该名称关联,则会将其替换为新的DNAME。否则,添加DNAME。如果添加了一个具有给定所有者名称的CNAME,但添加了一个DNAME

associated with that name, then the CNAME MUST be ignored. Similar behavior occurs for dynamic updates to an owner name of a CNAME RR [RFC2136].

与该名称关联,则必须忽略CNAME。对CNAME RR[RFC2136]的所有者名称进行动态更新时也会出现类似的行为。

5.3. DNSSEC and DNAME
5.3. DNSSEC和DNAME

The following subsections specify the behavior of implementations that understand both DNSSEC and DNAME (synthesis).

以下小节指定了同时理解DNSSEC和DNAME(合成)的实现的行为。

5.3.1. Signed DNAME, Unsigned Synthesized CNAME
5.3.1. 有符号的DNAME,无符号的合成CNAME

In any response, a signed DNAME RR indicates a non-terminal redirection of the query. There might or might not be a server-synthesized CNAME in the answer section; if there is, the CNAME will never be signed. For a DNSSEC validator, verification of the DNAME RR and then that the CNAME was properly synthesized is sufficient proof.

在任何响应中,签名的DNAME RR表示查询的非终端重定向。答案部分中可能有或可能没有服务器合成的CNAME;如果有,CNAME将永远不会被签署。对于DNSSEC验证器,验证DNAME RR,然后验证CNAME是否正确合成是充分的证据。

5.3.2. DNAME Bit in NSEC Type Map
5.3.2. NSEC类型映射中的DNAME位

In any negative response, the NSEC or NSEC3 [RFC5155] record type bitmap SHOULD be checked to see that there was no DNAME that could have been applied. If the DNAME bit in the type bitmap is set and the query name is a subdomain of the closest encloser that is asserted, then DNAME substitution should have been done, but the substitution has not been done as specified.

在任何否定响应中,应检查NSEC或NSEC3[RFC5155]记录类型位图,以确定没有可能应用的DNAME。如果设置了类型位图中的DNAME位,并且查询名称是所断言的最近封闭器的子域,则应已完成DNAME替换,但未按指定完成替换。

5.3.3. DNAME Chains as Strong as the Weakest Link
5.3.3. DNAME链与最薄弱的环节一样牢固

A response can contain a chain of DNAME and CNAME redirections. That chain can end in a positive answer or a negative reply (no name error or no data error). Each step in that chain results in resource records being added to the answer or authority section of the response. Only if all steps are secure can the AD (Authentic Data) bit be set for the response. If one of the steps is bogus, the result is bogus.

响应可以包含DNAME和CNAME重定向链。该链可以以肯定回答或否定回答(无名称错误或无数据错误)结束。该链中的每一步都会将资源记录添加到响应的答案或权限部分。只有在所有步骤都安全的情况下,才能为响应设置AD(真实数据)位。如果其中一个步骤是假的,则结果是假的。

5.3.4. Validators Must Understand DNAME
5.3.4. 验证器必须理解DNAME

Below are examples of why DNSSEC validators MUST understand DNAME. In the examples, SOA records, wildcard denial NSECs, and other material not under discussion have been omitted or shortened.

下面是DNSSEC验证器必须理解DNAME的示例。在示例中,省略或缩短了SOA记录、通配符拒绝NSEC和其他未讨论的内容。

5.3.4.1. Invalid Name Error Response Caused by DNAME in Bitmap
5.3.4.1. 位图中的DNAME导致无效的名称错误响应
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096
        
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096
        

;; Question foo.bar.example.com. IN A ;; Authority bar.example.com. NSEC dub.example.com. A DNAME bar.example.com. RRSIG NSEC [valid signature]

;; 问题foo.bar.example.com。在一个;;Authority bar.example.com。NSEC dub.example.com。A DNAME bar.example.com。RRSIG NSEC[有效签名]

If this is the received response, then only by understanding that the DNAME bit in the NSEC bitmap means that foo.bar.example.com needed to have been redirected by the DNAME, the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply.

如果这是收到的响应,那么只有了解到NSEC位图中的DNAME位意味着foo.bar.example.com需要被DNAME重定向,验证程序才能发现这是来自攻击者的伪造回复,该攻击者整理了DNS中的现有记录以创建混淆的回复。

If the DNAME bit had not been set in the NSEC record above, then the answer would have validated as a correct name error response.

如果上述NSEC记录中未设置DNAME位,则答案将被验证为正确的名称错误响应。

5.3.4.2. Valid Name Error Response Involving DNAME in Bitmap
5.3.4.2. 位图中涉及DNAME的有效名称错误响应
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096
        
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096
        

;; Question cee.example.com. IN A ;; Authority bar.example.com. NSEC dub.example.com. A DNAME bar.example.com. RRSIG NSEC [valid signature]

;; 问题cee.example.com。在一个;;Authority bar.example.com。NSEC dub.example.com。A DNAME bar.example.com。RRSIG NSEC[有效签名]

This response has the same NSEC records as the example above, but with this query name (cee.example.com), the answer is validated, because 'cee' does not get redirected by the DNAME at 'bar'.

此响应与上面的示例具有相同的NSEC记录,但使用此查询名称(cee.example.com),将验证答案,因为“cee”不会被“bar”处的DNAME重定向。

5.3.4.3. Response with Synthesized CNAME
5.3.4.3. 合成CNAME的响应
   ;; Header: QR AA RCODE=0(NOERROR)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096
        
   ;; Header: QR AA RCODE=0(NOERROR)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096
        

;; Question foo.bar.example.com. IN A ;; Answer bar.example.com. DNAME bar.example.net. bar.example.com. RRSIG DNAME [valid signature] foo.bar.example.com. CNAME foo.bar.example.net.

;; 问题foo.bar.example.com。在一个;;回答bar.example.com。DNAME bar.example.net。bar.example.com。RRSIG DNAME[有效签名]foo.bar.example.com。CNAME foo.bar.example.net。

The response shown above has the synthesized CNAME included. However, the CNAME has no signature, since the server does not sign online. So this response cannot be trusted. It could be altered by an attacker to be foo.bar.example.com CNAME bla.bla.example. The DNAME record does have its signature included, since it does not change. The validator must verify the DNAME signature and then recursively resolve further in order to query for the foo.bar.example.net A record.

上面显示的响应包含合成的CNAME。但是,CNAME没有签名,因为服务器没有在线签名。因此,此响应不可信。攻击者可以将其更改为foo.bar.example.com CNAME bla.bla.example。DNAME记录确实包含其签名,因为它不会更改。验证器必须验证DNAME签名,然后递归地进一步解析,以便查询foo.bar.example.net A记录。

6. Examples of DNAME Use in a Zone
6. 在区域中使用DNAME的示例

Below are some examples of the use of DNAME in a zone. These examples are by no means exhaustive.

下面是在区域中使用DNAME的一些示例。这些例子并非详尽无遗。

6.1. Organizational Renaming
6.1. 组织更名

If an organization with domain name FROBOZZ.EXAMPLE.NET became part of an organization with domain name ACME.EXAMPLE.COM, it might ease transition by placing information such as this in its old zone.

如果域名为FROBOZZ.EXAMPLE.NET的组织成为域名为ACME.EXAMPLE.COM的组织的一部分,则可以通过将此类信息放在其旧区域中来简化转换。

frobozz.example.net. DNAME frobozz-division.acme.example.com. MX 10 mailhub.acme.example.com.

frobozz.example.net。DNAME frobozz-division.acme.example.com。MX 10 mailhub.acme.example.com。

The response to an extended recursive query for www.frobozz.example.net would contain, in the answer section, the DNAME record shown above and the relevant RRs for www.frobozz-division.acme.example.com.

对www.frobozz.example.net的扩展递归查询的响应将在回答部分包含上面显示的DNAME记录以及www.frobozz-division.acme.example.com的相关RRs。

If an organization wants to have aliases for names, for a different spelling or language, the same example applies. Note that the MX RR at the zone apex is not redirected and has to be repeated in the target zone. Also note that the services at mailhub or www.frobozz-division.acme.example.com. have to recognize and handle the aliases.

如果一个组织想要为不同的拼写或语言的名称使用别名,同样的例子也适用。请注意,区域顶点处的MX RR没有重定向,必须在目标区域中重复。还请注意mailhub或www.frobozz-division.acme.example.com上的服务。必须识别和处理别名。

6.2. Classless Delegation of Shorter Prefixes
6.2. 短前缀的无类委托

The classless scheme for in-addr.arpa delegation [RFC2317] can be extended to prefixes shorter than 24 bits by use of the DNAME record. For example, the prefix 192.0.8.0/22 can be delegated by the following records.

通过使用DNAME记录,in-addr.arpa委托[RFC2317]的无类方案可以扩展到小于24位的前缀。例如,前缀192.0.8.0/22可以由以下记录委派。

$ORIGIN 0.192.in-addr.arpa. 8/22 NS ns.slash-22-holder.example.com. 8 DNAME 8.8/22 9 DNAME 9.8/22 10 DNAME 10.8/22 11 DNAME 11.8/22

$ORIGIN 0.192.in-addr.arpa。8/22 NS NS.slash-22-holder.example.com。8 DNAME 8.8/22 9 DNAME 9.8/22 10 DNAME 10.8/22 11 DNAME 11.8/22

A typical entry in the resulting reverse zone for some host with address 192.0.9.33 might be as follows:

对于地址为192.0.9.33的某些主机,结果反向区域中的典型条目可能如下所示:

$ORIGIN 8/22.0.192.in-addr.arpa. 33.9 PTR somehost.slash-22-holder.example.com.

$ORIGIN 8/22.0.192.in-addr.arpa。33.9 PTR somehost.slash-22-holder.example.com。

The advisory remarks in [RFC2317] concerning the choice of the "/" character apply here as well.

[RFC2317]中关于“/”字符选择的建议意见也适用于此处。

6.3. Network Renumbering Support
6.3. 网络重新编号支持

If IPv4 network renumbering were common, maintenance of address space delegation could be simplified by using DNAME records instead of NS records to delegate.

如果IPv4网络重新编号是常见的,则可以通过使用DNAME记录而不是NS记录进行委派来简化地址空间委派的维护。

$ORIGIN new-style.in-addr.arpa. 189.190 DNAME in-addr.example.net.

$ORIGIN新款.in-addr.arpa。189.190 DNAME in-addr.example.net。

$ORIGIN in-addr.example.net. 188 DNAME in-addr.customer.example.com.

$ORIGIN in-addr.example.net。188 DNAME in-addr.customer.example.com。

$ORIGIN in-addr.customer.example. 1 PTR www.customer.example.com 2 PTR mailhub.customer.example.com. ; etc ...

$ORIGIN in-addr.customer.example。1 PTR www.customer.example.com 2 PTR mailhub.customer.example.com;等

This would allow the address space 190.189.0.0/16 assigned to the ISP "example.net" to be changed without having to alter the zone data describing the use of that space by the ISP and its customers.

这将允许更改分配给ISP“example.net”的地址空间190.189.0.0/16,而无需更改描述ISP及其客户使用该空间的区域数据。

Renumbering IPv4 networks is currently so arduous a task that updating the DNS is only a small part of the labor, so this scheme may have a low value. But it is hoped that in IPv6 the renumbering task will be quite different, and the DNAME mechanism may play a useful part.

重新对IPv4网络进行编号目前是一项非常艰巨的任务,更新DNS只需一小部分劳动,因此此方案的价值可能较低。但人们希望在IPv6中重新编号的任务会有很大的不同,DNAME机制可能会发挥有用的作用。

7. IANA Considerations
7. IANA考虑

The DNAME resource record type code 39 (decimal) originally was registered by [RFC2672] in the DNS Resource Record (RR) Types registry table at http://www.iana.org/assignments/dns-parameters. IANA has updated the DNS resource record registry to point to this document for RR type 39.

DNAME资源记录类型代码39(十进制)最初由[RFC2672]在的DNS资源记录(RR)类型注册表表中注册http://www.iana.org/assignments/dns-parameters. IANA已更新DNS资源记录注册表,以指向RR类型39的此文档。

8. Security Considerations
8. 安全考虑

DNAME redirects queries elsewhere, which may impact security based on policy and the security status of the zone with the DNAME and the redirection zone's security status. For validating resolvers, the lowest security status of the links in the chain of CNAME and DNAME redirections is applied to the result.

DNAME将查询重定向到其他位置,这可能会影响基于策略的安全性,以及具有DNAME和重定向区域安全状态的区域的安全状态。为了验证解析程序,将CNAME和DNAME重定向链中链接的最低安全状态应用于结果。

If a validating resolver accepts wildcarded DNAMEs, this creates security issues. Since the processing of a wildcarded DNAME is non-deterministic and the CNAME that was substituted by the server has no signature, the resolver may choose a different result than what the server meant, and consequently end up at the wrong destination. Use of wildcarded DNAMEs is discouraged in any case [RFC4592].

如果验证解析器接受通配符的DNAME,则会产生安全问题。由于对通配符DNAME的处理是不确定的,并且被服务器替换的CNAME没有签名,因此冲突解决程序可能会选择与服务器所指不同的结果,并最终导致错误的目的地。在任何情况下都不鼓励使用通配符数据名[RFC4592]。

A validating resolver MUST understand DNAME, according to [RFC4034]. The examples in Section 5.3.4 illustrate this need.

根据[RFC4034],验证解析器必须理解DNAME。第5.3.4节中的示例说明了这一需要。

9. Acknowledgments
9. 致谢

The authors of this document would like to acknowledge Matt Larson for beginning this effort to address the issues related to the DNAME RR type. The authors would also like to acknowledge Paul Vixie, Ed Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly, Sam Weiler, Alfred Hoenes, and Kevin Darcy for their reviews and comments on this document.

本文作者感谢Matt Larson开始努力解决与DNAME RR类型相关的问题。作者还要感谢Paul Vixie、Ed Lewis、Mark Andrews、Mike StJohns、Niall O'Reilly、Sam Weiler、Alfred Hoenes和Kevin Darcy对本文件的评论和评论。

10. References
10. 工具书类
10.1. Normative References
10.1. 规范性引用文件

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.

[RFC1034]Mockapetris,P.,“域名-概念和设施”,STD 13,RFC 1034,1987年11月。

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.

[RFC1035]Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 1035,1987年11月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997.

[RFC2136]Vixie,P.,Thomson,S.,Rekhter,Y.,和J.Bound,“域名系统中的动态更新(DNS更新)”,RFC 21361997年4月。

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997.

[RFC2181]Elz,R.和R.Bush,“DNS规范的澄清”,RFC 21811997年7月。

[RFC2317] Eidnes, H., de Groot, G., and P. Vixie, "Classless IN-ADDR.ARPA delegation", BCP 20, RFC 2317, March 1998.

[RFC2317]Eidnes,H.,de Groot,G.,和P.Vixie,“无类别地址ARPA委托”,BCP 20,RFC 2317,1998年3月。

[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000.

[RFC2782]Gulbrandsen,A.,Vixie,P.和L.Esibov,“用于指定服务位置(DNS SRV)的DNS RR”,RFC 2782,2000年2月。

[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR) Types", RFC 3597, September 2003.

[RFC3597]Gustafsson,A.,“未知DNS资源记录(RR)类型的处理”,RFC3597,2003年9月。

[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.

[RFC4033]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。

[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

[RFC4034]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的资源记录”,RFC 40342005年3月。

[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.

[RFC4035]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的协议修改”,RFC 4035,2005年3月。

[RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name System", RFC 4592, July 2006.

[RFC4592]Lewis,E.,“通配符在域名系统中的作用”,RFC4592,2006年7月。

[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, March 2008.

[RFC5155]Laurie,B.,Sisson,G.,Arends,R.,和D.Blacka,“DNS安全(DNSSEC)哈希认证拒绝存在”,RFC 51552008年3月。

10.2. Informative References
10.2. 资料性引用

[RFC1912] Barr, D., "Common DNS Operational and Configuration Errors", RFC 1912, February 1996.

[RFC1912]Barr,D.,“常见DNS操作和配置错误”,RFC1912,1996年2月。

[RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC 2672, August 1999.

[RFC2672]克劳福德,M.,“非终端DNS名称重定向”,RFC 26721999年8月。

[RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T. Hain, "Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS)", RFC 3363, August 2002.

[RFC3363]Bush,R.,Durand,A.,Fink,B.,Gudmundsson,O.,和T.Hain,“代表域名系统(DNS)中的互联网协议版本6(IPv6)地址”,RFC 33632002年8月。

[RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)", RFC 3492, March 2003.

[RFC3492]Costello,A.,“Punycode:应用程序中国际化域名的Unicode引导字符串编码(IDNA)”,RFC 3492,2003年3月。

[RFC6434] Jankiewicz, E., Loughney, J., and T. Narten, "IPv6 Node Requirements", RFC 6434, December 2011.

[RFC6434]Jankiewicz,E.,Loughney,J.和T.Narten,“IPv6节点要求”,RFC 64342011年12月。

Appendix A. Changes from RFC 2672
附录A.RFC 2672的变更
A.1. Changes to Server Behavior
A.1. 对服务器行为的更改

Major changes to server behavior from the original DNAME specification are summarized below:

原始DNAME规范对服务器行为的主要更改总结如下:

o The rules for DNAME substitution have been clarified in Section 2.2.

o 第2.2节阐明了DNAME替换规则。

o The EDNS option to signal DNAME understanding and compression has never been specified, and this document clarifies that there is no signaling method (Section 2.5).

o 从未规定过用EDNS选项来发送DNAME理解和压缩信号,本文件澄清了没有信号发送方法(第2.5节)。

o The TTL for synthesized CNAME RRs is now set to the TTL of the DNAME, not zero (Section 3.1).

o 合成CNAME RRs的TTL现在设置为DNAME的TTL,而不是零(第3.1节)。

o Recursive caching servers MUST perform CNAME synthesis on behalf of clients (Section 3.4).

o 递归缓存服务器必须代表客户端执行CNAME合成(第3.4节)。

o The revised server algorithm is detailed in Section 3.2.

o 第3.2节详细介绍了修改后的服务器算法。

o Rules for dynamic update messages adding a DNAME or CNAME RR to a zone where a CNAME or DNAME already exists are detailed in Section 5.2.

o 第5.2节详细介绍了将DNAME或CNAME RR添加到CNAME或DNAME已存在的区域的动态更新消息规则。

A.2. Changes to Client Behavior
A.2. 客户行为的变化

Major changes to client behavior from the original DNAME specification are summarized below:

原始DNAME规范对客户端行为的主要更改总结如下:

o Clients MUST be able to accept synthesized CNAME RR's with a TTL of either zero or the TTL of the DNAME RR that accompanies the CNAME RR.

o 客户端必须能够接受TTL为零或伴随CNAME RR的DNAME RR的TTL的合成CNAME RR。

o DNSSEC-aware clients SHOULD cache DNAME RRs and MAY cache synthesized CNAME RRs they receive in the same response. DNSSEC-aware clients SHOULD also check the NSEC/NSEC3 type bitmap to verify that DNAME redirection is to be done. DNSSEC validators MUST understand DNAME (Section 5.3).

o 支持DNSSEC的客户端应缓存DNAME RRs,并可缓存在同一响应中接收到的合成CNAME RRs。支持DNSSEC的客户端还应检查NSEC/NSEC3类型位图,以验证是否要执行DNAME重定向。DNSSEC验证器必须理解DNAME(第5.3节)。

o The revised client algorithm is detailed in Section 3.4.1.

o 第3.4.1节详细介绍了修改后的客户端算法。

Authors' Addresses

作者地址

Scott Rose NIST 100 Bureau Dr. Gaithersburg, MD 20899 USA

斯科特·罗斯NIST 100局盖瑟斯堡博士,美国马里兰州20899

   Phone: +1-301-975-8439
   Fax:   +1-301-975-6238
   EMail: scott.rose@nist.gov
        
   Phone: +1-301-975-8439
   Fax:   +1-301-975-6238
   EMail: scott.rose@nist.gov
        

Wouter Wijngaards NLnet Labs Science Park 140 Amsterdam 1098 XH The Netherlands

荷兰阿姆斯特丹140号Wouter Wijngaards NLnet实验室科技园1098 XH

   Phone: +31-20-888-4551
   EMail: wouter@nlnetlabs.nl
        
   Phone: +31-20-888-4551
   EMail: wouter@nlnetlabs.nl