Internet Engineering Task Force (IETF)                       W. Hardaker
Request for Comments: 7477                                 Parsons, Inc.
Category: Standards Track                                     March 2015
ISSN: 2070-1721
Child-to-Parent Synchronization in DNS
Abstract
This document specifies how a child zone in the DNS can publish a record to indicate to a parental agent that the parental agent may copy and process certain records from the child zone. The existence of the record and any change in its value can be monitored by a parental agent and acted on depending on local policy.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7477.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
   1.1. Terminology Used in This Document
2. Definition of the CSYNC RRType
   2.1. The CSYNC Resource Record Format
        2.1.1. The CSYNC Resource Record Wire Format
        2.1.2. The CSYNC Presentation Format
        2.1.3. CSYNC RR Example
3. CSYNC Data Processing
   3.1. Processing Procedure
   3.2. CSYNC Record Types
        3.2.1. The NS Type
        3.2.2. The A and AAAA Types
4. Operational Considerations
   4.1. Error Reporting
   4.2. Child Nameserver Selection
   4.3. Out-of-Bailiwick NS Records
   4.4. Documented Parental Agent Type Support
   4.5. Removal of the CSYNC Records
   4.6. Parent/Child/Grandchild Glue Synchronization
5. Security Considerations
6. IANA Considerations
7. References
   7.1. Normative References
   7.2. Informative References
Acknowledgments
Author's Address
1. Introduction

This document specifies how a child zone in the DNS ([RFC1034] [RFC1035]) can publish a record to indicate to a parental agent (see Section 1.1 for a definition of "parental agent") that it can copy and process certain records from the child zone. The existence of the record and any change in its value can be monitored by a parental agent and acted on depending on local policy.
Currently, some resource records (RRs) in a parent zone are typically expected to be in sync with the source data in the child's zone. The most common records that should match are the nameserver (NS) records and any necessary associated address records (A and AAAA), also known as "glue records". These records are referred to as "delegation records".
It has been challenging for operators of child DNS zones to update their delegation records within the parent's set in a timely fashion. These difficulties may stem from operator laziness as well as from the complexities of maintaining a large number of DNS zones. Having an automated mechanism for signaling updates will greatly ease the child zone operator's maintenance burden and improve the robustness of the DNS as a whole.
This document introduces a new Resource Record Type (RRType) named "CSYNC" that indicates which delegation records published by a child DNS operator should be processed by a parental agent and used to update the parent zone's DNS data.
This specification was not designed to synchronize DNSSEC security records, such as DS RRsets. For a solution to this problem, see the complementary solution [RFC7344], which is designed to maintain security delegation information. In addition, this specification does not address how to perform bootstrapping operations, including to get the required initial DNSSEC-secured operating environment in place.
1.1. Terminology Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Terminology describing relationships between the interacting roles involved in this document is defined in the following list:

Child: The entity on record that has the delegation of the domain from the parent.

Parent: The domain in which the child is registered.

Child DNS operator: The entity that maintains and publishes the zone information for the child DNS.

Parental agent: The entity that the child has a relationship with in order to change its delegation information.
2. Definition of the CSYNC RRType

The CSYNC RRType contains, in its RDATA component, these parts: an SOA serial number, a set of flags, and a simple bit-list indicating the DNS RRTypes in the child that should be processed by the parental agent in order to modify the DNS delegation records within the parent's zone for the child DNS operator. Child DNS operators wanting a parental agent to perform the synchronization steps outlined in this document MUST publish a CSYNC record at the apex of the child zone. Parental agent implementations MAY choose to query child zones for this record and process DNS record data as indicated by the Type Bit Map field in the RDATA of the CSYNC record. How the data is processed is described in Section 3.
Parental agents MUST process the entire set of child data indicated by the Type Bit Map field (i.e., all record types indicated along with all of the necessary records to support processing of that type) or else parental agents MUST NOT make any changes to parental records at all. Errors due to unsupported Type Bit Map bits, or otherwise unprocessable data, SHALL result in no change to the parent zone's delegation information for the child. Parental agents MUST ignore a child's CSYNC RDATA set if multiple CSYNC resource records are found; only a single CSYNC record should ever be present.
The parental agent MUST perform DNSSEC validation ([RFC4033] [RFC4034] [RFC4035]) of the CSYNC RRType data and MUST perform DNSSEC validation of any data to be copied from the child to the parent. Parents MUST NOT process any data from any of these records if any of the validation results indicate anything other than "Secure" [RFC4034] or if any of the required data cannot be successfully retrieved.
2.1. The CSYNC Resource Record Format

2.1.1. The CSYNC Resource Record Wire Format

The CSYNC RDATA consists of the following fields:

                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          SOA Serial                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |             Flags             |         Type Bit Map          /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    /                   Type Bit Map (continued)                    /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The SOA Serial field contains a copy of the 32-bit SOA serial number from the child zone. If the soaminimum flag is set, parental agents querying children's authoritative servers MUST NOT act on data from zones advertising an SOA serial number less than this value. See [RFC1982] for properly implementing "less than" logic. If the soaminimum flag is not set, parental agents MUST ignore the value in the SOA Serial field. Clients can set the field to any value if the soaminimum flag is unset, such as the number zero.
Note that a child zone's current SOA serial number may be greater than the number indicated by the CSYNC record. A child SHOULD update the SOA Serial field in the CSYNC record every time the data being referenced by the CSYNC record is changed (e.g., an NS record or associated address record is changed). A child MAY choose to update the SOA Serial field to always match the current SOA Serial field.
Parental agents MAY cache SOA serial numbers from data they use and refuse to process data from zones older than the last instance from which they pulled data.
Although Section 3.2 of [RFC1982] describes how to properly implement a less-than comparison operation with SOA serial numbers that may wrap beyond the 32-bit value in both the SOA record and the CSYNC record, it is important that a child using the soaminimum flag must not increment its SOA serial number value more than 2^16 within the period of time that a parent might wait between polling the child for the CSYNC record.
The Flags field contains 16 bits of boolean flags that define operations that affect the processing of the CSYNC record. The flags defined in this document are as follows:

    0x00 0x01: "immediate"

    0x00 0x02: "soaminimum"
The definitions for how the flags are to be used can be found in Section 3.
The remaining flags are reserved for use by future specifications. Undefined flags MUST be set to 0 by CSYNC publishers. Parental agents MUST NOT process a CSYNC record if it contains a 1 value for a flag that is unknown to or unsupported by the parental agent.
The Type Bit Map field indicates the record types to be processed by the parental agent, according to the procedures in Section 3. The Type Bit Map field is encoded in the same way as the Type Bit Map field of the NSEC record, described in [RFC4034], Section 4.1.2. If a bit has been set that a parental agent implementation does not understand, the parental agent MUST NOT act upon the record. Specifically, a parental agent must not simply copy the data, and it must understand the semantics associated with a bit in the Type Bit Map field that has been set to 1.
2.1.2. The CSYNC Presentation Format

The CSYNC presentation format is as follows:
The SOA Serial field is represented as an integer.
The Flags field is represented as an integer.
The Type Bit Map field is represented as a sequence of RRType mnemonics. When the mnemonic is not known, the TYPE representation described in [RFC3597], Section 5, MUST be used. Implementations that support parsing of presentation format records SHOULD be able to read and understand these TYPE representations as well.
2.1.3. CSYNC RR Example

The following CSYNC RR shows an example entry for "example.com" that indicates the NS, A, and AAAA bits are set and should be processed by the parental agent for example.com. The parental agent should pull data only from a zone using a minimum SOA serial number of 66 (0x42 in hexadecimal).
example.com. 3600 IN CSYNC 66 3 A NS AAAA
The RDATA component of the example CSYNC RR would be encoded on the wire as follows:
    0x00 0x00 0x00 0x42 (SOA Serial)
    0x00 0x03 (Flags = immediate | soaminimum)
    0x00 0x04 0x60 0x00 0x00 0x08 (Type Bit Map)
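As an added example (this code is not part of RFC 7477), the following Python encodes and decodes CSYNC RDATA, including the NSEC-style Type Bit Map window blocks of [RFC4034], Section 4.1.2, and converts to and from the presentation format, using the TYPEnnn form of [RFC3597] for unknown mnemonics. The RRType numbers for A, NS, AAAA and CSYNC are their IANA-registered values; the function names and the small mnemonic table are choices made here. A decoder that rejects malformed window blocks (out-of-order windows, zero-length or over-long blocks, trailing zero octets) is the part a parental agent most needs, since it must refuse the record rather than guess.

```python
# Added example, not code from RFC 7477: CSYNC RDATA wire and presentation formats.
import struct

# Mnemonic table assumed for the example; the numbers are IANA-registered values.
RRTYPE_BY_NAME = {"A": 1, "NS": 2, "AAAA": 28, "CSYNC": 62}
NAME_BY_RRTYPE = {v: k for k, v in RRTYPE_BY_NAME.items()}

FLAG_IMMEDIATE = 0x0001
FLAG_SOAMINIMUM = 0x0002
KNOWN_FLAGS = FLAG_IMMEDIATE | FLAG_SOAMINIMUM


def encode_type_bitmap(rrtypes):
    """Encode RRType numbers as NSEC-style window blocks (RFC 4034, 4.1.2)."""
    windows = {}
    for t in rrtypes:
        if not 0 <= t <= 65535:
            raise ValueError("RRType out of range")
        window, offset = divmod(t, 256)
        byte_index, bit = divmod(offset, 8)
        block = windows.setdefault(window, bytearray(32))
        block[byte_index] |= 0x80 >> bit      # bit 0 is the MSB of the first octet
    out = bytearray()
    for window in sorted(windows):            # windows must appear in increasing order
        block = bytes(windows[window]).rstrip(b"\x00")   # trailing zero octets are omitted
        out += bytes([window, len(block)]) + block
    return bytes(out)


def decode_type_bitmap(data):
    """Decode window blocks into a sorted list of RRType numbers; reject bad input."""
    rrtypes, i, last_window = [], 0, -1
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[i], data[i + 1]
        if window <= last_window:
            raise ValueError("window blocks must be in increasing order")
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad window block length")
        block = data[i + 2 : i + 2 + length]
        if block[-1] == 0:
            raise ValueError("trailing zero octet in window block")
        for byte_index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    rrtypes.append(window * 256 + byte_index * 8 + bit)
        last_window, i = window, i + 2 + length
    return rrtypes


def encode_csync_rdata(soa_serial, flags, rrtypes):
    """SOA Serial (32 bits) | Flags (16 bits) | Type Bit Map, network byte order."""
    return struct.pack("!IH", soa_serial, flags) + encode_type_bitmap(rrtypes)


def decode_csync_rdata(rdata):
    if len(rdata) < 6:
        raise ValueError("CSYNC RDATA too short")
    soa_serial, flags = struct.unpack("!IH", rdata[:6])
    return soa_serial, flags, decode_type_bitmap(rdata[6:])


def parse_presentation(text):
    """'SERIAL FLAGS MNEMONIC...' presentation text to RDATA bytes."""
    fields = text.split()
    serial, flags = int(fields[0]), int(fields[1])
    rrtypes = []
    for mnemonic in fields[2:]:
        if mnemonic.upper().startswith("TYPE"):   # RFC 3597 unknown-type form
            rrtypes.append(int(mnemonic[4:]))
        else:
            rrtypes.append(RRTYPE_BY_NAME[mnemonic.upper()])
    return encode_csync_rdata(serial, flags, rrtypes)


def to_presentation(rdata):
    serial, flags, rrtypes = decode_csync_rdata(rdata)
    names = [NAME_BY_RRTYPE.get(t, "TYPE%d" % t) for t in rrtypes]
    return "%d %d %s" % (serial, flags, " ".join(names))


def has_unknown_flags(flags):
    """A parental agent must not process a record with an unknown flag bit set."""
    return bool(flags & ~KNOWN_FLAGS & 0xFFFF)
```

Running `parse_presentation("66 3 A NS AAAA")` reproduces exactly the twelve octets shown above for the example.com record, and decoding them gives the presentation text back.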
3. CSYNC Data Processing

The CSYNC record and associated data must be processed as an "all or nothing" operation set. If a parental agent fails to successfully query for any of the required records, the whole operation MUST be aborted. (Note that a query resulting in "no records exist", as proven by NSEC or NSEC3, is to be considered successful.)
Parental agents MAY:

* Process the CSYNC record immediately if the "immediate" flag is set. If the "immediate" flag is not set, the parental agent MUST NOT act until the zone administrator approves the operation through an out-of-band mechanism (such as pushing a button via a web interface).

* Choose not to process the CSYNC record immediately, even if the "immediate" flag is set. That is, a parental agent might require that the child zone administrator approve the operation through an out-of-band mechanism (such as pushing a button via a web interface).

Note: how the approval is done out of band is outside the scope of this document and is implementation specific to parental agents.
3.1. Processing Procedure

The following shows a sequence of steps that SHOULD be used when collecting and processing CSYNC records from a child zone. Because DNS queries are not allowed to contain more than one "question" at a time, a sequence of requests is needed. When processing a CSYNC transaction request, all DNS queries should be sent to a single authoritative name server for the child zone. To ensure a single host is being addressed, DNS over TCP SHOULD be used to avoid conversing with multiple nodes at an anycast address.
1. Query for the child zone's SOA record.

2. Query for the child zone's CSYNC record.

3. Query for the child zone's data records, as required by the CSYNC record's Type Bit Map field.

   * Note: if any of the resulting records being queried are not authoritative within the child zone but rather in a grandchild or deeper zone, SOA record queries must be made for the grandchildren. This requires the parental agent to determine where the child/grandchild zone cuts occur. Because of the additional operational complexity, parental agents MAY choose not to support this protocol with children making use of records that are authoritative in the grandchildren.

4. Query for the collected SOA records again, starting with the deepest and ending with the child's SOA.
If the SOA records from the first, middle, and last steps for a given zone have different serial numbers (for example, because the zone was edited and republished during the interval between steps 1 and 4), then the CSYNC record obtained in the second set SHOULD NOT be processed (rapidly changing child zones may need special consideration or processing). The operation MAY be restarted or retried in the future.
If the soaminimum flag is set and the SOA serial numbers are equal but less than the CSYNC record's SOA Serial field [RFC1982], the record MUST NOT be processed. If state is being kept by the parental agent and the SOA serial number is less than the last time a CSYNC record was processed, this CSYNC record SHOULD NOT be processed. Similarly, if state is being kept by the parental agent and the SOA Serial field of the CSYNC record is less than the SOA Serial field of the CSYNC record from last time, then this CSYNC record SHOULD NOT be processed.
If a failure of any kind occurs while trying to obtain any of the required data, or if DNSSEC fails to validate all of the data returned for these queries as "secure", then this CSYNC record MUST NOT be processed.
See the "Operational Consideration" section (Section 4) for additional guidance about processing.
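As an added example (not code from RFC 7477), the following Python applies the gating checks of this section and of Section 2.1.1 to the data collected by the four steps above: query and DNSSEC status, exactly one CSYNC record, no unknown flags or unsupported Type Bit Map bits, unchanged SOA serial between steps 1 and 4, the soaminimum comparison done with [RFC1982] serial arithmetic, the optional regression checks against kept state, and the "immediate" flag. The `Collected` and `AgentState` classes, the set of supported types (A, NS, AAAA) and the input values in the usage are constructed for the example; a real agent would fill `Collected` from its resolver.

```python
# Added example, not code from RFC 7477: decide whether a collected CSYNC record
# may be processed. Returning (False, reason) means "change nothing in the parent".
from dataclasses import dataclass
from typing import Optional

FLAG_IMMEDIATE = 0x0001
FLAG_SOAMINIMUM = 0x0002
KNOWN_FLAGS = FLAG_IMMEDIATE | FLAG_SOAMINIMUM
SUPPORTED_TYPES = {1, 2, 28}   # A, NS, AAAA: the only bits this hypothetical agent implements


def serial_lt(a, b):
    """RFC 1982 'less than' for 32-bit serial numbers (wrap-around aware)."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)


@dataclass
class Collected:
    """Constructed results of the Section 3.1 queries for one child zone."""
    soa_first: int                # step 1: SOA serial seen before collecting data
    soa_last: int                 # step 4: SOA serial seen after collecting data
    csync: Optional[tuple]        # (soa_serial, flags, rrtypes), or None if absent
    csync_count: int = 1          # number of CSYNC RRs in the answer
    all_secure: bool = True       # every answer validated as "Secure"
    all_queries_ok: bool = True   # no query failed (a proven "no data" counts as ok)


@dataclass
class AgentState:
    """Optional per-child state kept to detect regression or replay."""
    last_soa_serial: Optional[int] = None
    last_csync_serial: Optional[int] = None


def check_csync(c, state=None):
    """Return (ok, reason); ok is True only when every check passes."""
    state = state or AgentState()
    if not c.all_queries_ok or not c.all_secure:
        return False, "query failure or data not DNSSEC-secure"
    if c.csync is None:
        return False, "no CSYNC record at child apex"
    if c.csync_count != 1:
        return False, "multiple CSYNC records: RDATA set ignored"
    serial, flags, rrtypes = c.csync
    if flags & ~KNOWN_FLAGS & 0xFFFF:
        return False, "unknown flag bit set"
    if not set(rrtypes) <= SUPPORTED_TYPES:
        return False, "Type Bit Map contains an unsupported type"
    if c.soa_first != c.soa_last:
        return False, "zone changed during collection; retry later"
    if flags & FLAG_SOAMINIMUM and serial_lt(c.soa_last, serial):
        return False, "zone serial below CSYNC SOA Serial minimum"
    if state.last_soa_serial is not None and serial_lt(c.soa_last, state.last_soa_serial):
        return False, "zone serial older than last processed; possible replay"
    if state.last_csync_serial is not None and serial_lt(serial, state.last_csync_serial):
        return False, "CSYNC SOA Serial regressed; possible replay"
    if not flags & FLAG_IMMEDIATE:
        return False, "immediate flag clear: wait for out-of-band approval"
    return True, "process"


if __name__ == "__main__":
    # Constructed input: zone serial 70, CSYNC "66 3 A NS AAAA" as in Section 2.1.3.
    print(check_csync(Collected(soa_first=70, soa_last=70, csync=(66, 3, [1, 2, 28]))))
    print(check_csync(Collected(soa_first=60, soa_last=60, csync=(66, 3, [1, 2, 28]))))
```

The wrap-around branch of `serial_lt` is what makes the 2^16 increment limit of Sections 2.1.1 and 5 matter: serials that differ by more than 2^31 compare the "wrong" way round, so a child that jumps its serial far enough within one polling or signature window could make an old record look newer than the current one.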
3.2. CSYNC Record Types

This document defines how the following record types may be processed if the CSYNC Type Bit Map field indicates they are to be processed.
3.2.1. The NS Type

The NS type flag indicates that the NS records from the child zone should be copied into the parent's delegation information records for the child.
NS records found within the child's zone should be copied verbatim (with the exception of the Time to Live (TTL) field, for which the parent MAY want to select a different value) and the result published within the parent zone should be a set of NS records that match exactly. If the child has published a new NS record within their set, this record should be added to the parent zone. Similarly, if NS records in the parent's delegation records for the child contain records that have been removed in the child's NS set, then they should be removed in the parent's set as well.
Parental agents MAY refuse to perform NS updates if the replacement records fail to meet NS record policies required by the parent zone (e.g., "every child zone must have at least two NS records"). Parental agents MUST NOT perform NS updates if there are no NS records returned in a query, as verified by DNSSEC denial-of-existence protection. This situation should never happen unless the child nameservers are misconfigured.
Note that it is permissible for a child's nameserver to return a CSYNC record that removes the queried nameserver itself from the future NS or address set.
3.2.2. The A and AAAA Types

The A and AAAA type flags indicate that the A and AAAA address glue records for in-bailiwick NS records within the child zone should be copied verbatim (with the exception of the TTL field, for which the parent MAY want to select a different value) into the parent's delegation information.
Queries should be sent by the parental agent to determine the A and AAAA record addresses for each NS record within a NS set for the child that are in bailiwick.
Note: only the matching types should be queried. For example, if the AAAA bit has not been set, then the AAAA records (if any) in the parent's delegation should remain as is. If a given address type is set and the child's zone contains no data for that type (as proven by appropriate NSEC or NSEC3 records), then the result in the parent's delegation records for the child should be an empty set. However, if the end result of processing would leave no glue records present in the parent zone for any of the in-bailiwick NS records, then the parent MUST NOT update the glue address records. That is, if the result of the processing would leave no in-bailiwick A or AAAA records when there are in-bailiwick NS records, then processing of the address records cannot happen, as it would leave the parent/child relationship without any address linkage.
The procedure for querying for A and AAAA records MUST occur after the procedure, if required, for querying for NS records as defined in Section 3.2.1. This ensures that the right set of NS records is used as provided by the current NS set of the child. That is, for CSYNC records that have the NS bit set, the NS set used should be the one pulled from the child while processing the CSYNC record. For CSYNC records without the NS bit set, the existing NS records within the parent should be used to determine which A and/or AAAA records to update.
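As an added example (not code from RFC 7477), the following Python computes the replacement delegation for one child according to Sections 3.2.1 and 3.2.2: the NS set is processed first (and an empty NS set is refused), glue is recomputed only for the address types whose bits are set and only for in-bailiwick names, a proven-empty address type yields an empty set, out-of-bailiwick glue is left untouched, and the update is refused when it would leave the in-bailiwick nameservers with no glue at all. The `Delegation` class, the `in_bailiwick` helper and the names and addresses in the usage are constructed for the example; the decision to refuse the whole update (rather than only the address part) when the no-glue rule triggers follows the "all or nothing" requirement of Section 3 and is this example's reading of it.

```python
# Added example, not code from RFC 7477: build the new delegation records for a
# child from constructed child data, following the rules of Section 3.2.
from dataclasses import dataclass

A, NS, AAAA = 1, 2, 28   # IANA RRType numbers


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it (absolute, dot-terminated)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


@dataclass
class Delegation:
    ns: frozenset   # nameserver names in the parent's delegation
    glue: dict      # name -> {rrtype: frozenset(addresses)}


def compute_delegation(child_zone, rrtypes, parent, child_ns, child_addrs):
    """Return the new Delegation, or None when no update may be made.

    rrtypes:     set of RRType numbers whose Type Bit Map bits are set
    parent:      the current Delegation published by the parent
    child_ns:    the child's validated NS set (empty set == proven nonexistent)
    child_addrs: {name: {rrtype: set(addresses)}} from the child; a missing
                 type means its nonexistence was proven by NSEC/NSEC3
    """
    # NS processing happens before any address lookup (Section 3.2.2).
    if NS in rrtypes:
        if not child_ns:
            return None            # MUST NOT update from an empty NS set
        new_ns = frozenset(child_ns)
    else:
        new_ns = parent.ns         # use the parent's existing NS set

    # Start from the parent's glue so unrequested types remain as they are.
    new_glue = {name: dict(parent.glue.get(name, {})) for name in new_ns}
    wanted = rrtypes & {A, AAAA}
    for name in new_ns:
        if not in_bailiwick(name, child_zone):
            continue               # out-of-bailiwick glue is never touched
        for t in wanted:
            new_glue[name][t] = frozenset(child_addrs.get(name, {}).get(t, ()))
    new_glue = {n: {t: s for t, s in g.items() if s} for n, g in new_glue.items()}

    # Refuse an address update that would leave in-bailiwick NS without any glue.
    inb = [n for n in new_ns if in_bailiwick(n, child_zone)]
    if wanted and inb and not any(new_glue.get(n) for n in inb):
        return None
    return Delegation(new_ns, new_glue)


if __name__ == "__main__":
    # Constructed data: parent knows one nameserver, child now publishes three.
    parent = Delegation(frozenset({"ns1.example.com."}),
                        {"ns1.example.com.": {A: frozenset({"192.0.2.1"})}})
    child_ns = {"ns1.example.com.", "ns2.example.com.", "ns.example.net."}
    child_addrs = {"ns1.example.com.": {A: {"192.0.2.1"}, AAAA: {"2001:db8::1"}},
                   "ns2.example.com.": {A: {"192.0.2.2"}}}
    print(compute_delegation("example.com.", {NS, A, AAAA}, parent, child_ns, child_addrs))
```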
4. Operational Considerations

There are a number of important operational aspects to consider when deploying a CSYNC RRType.
4.1. Error Reporting

There is no inline mechanism for a parental agent to report errors to operators of child zones. Thus, the only error reporting mechanisms must be out of band, such as through a web console or over email. Parental agents should, at a minimum, log errors encountered when processing CSYNC records. Child operators utilizing the "immediate" flag that fail to see an update within the parental agent's specified operational window should access the parental agent's error logging interface to determine why an update failed to be processed.
4.2. Child Nameserver Selection

Parental agents will need to poll child nameservers in search of CSYNC records and related data records.
Parental agents MAY perform best-possible verification by querying all NS records for available data to determine which has the most recent SOA and CSYNC version (in an ideal world, they would all be equal, but this is not possible in practice due to synchronization delays and transfer failures).
Parental agents may offer a configuration interface to allow child operators to specify which nameserver should be considered the master to which data queries are sent. Note that this master could be a different nameserver than the publicly listed nameservers in the NS set (i.e., it may be a "hidden master").
Parental agents with a large number of clients may choose to offer a programmatic interface to let their children indicate that new CSYNC records and data are available for polling rather than polling every child on a frequent basis.
Children that wish to phase out a nameserver will need to publish the CSYNC record to remove the nameserver and then wait for the parental agent to process the published record before turning off the service. This is required because the child cannot control which nameserver in the existing NS set the parental agent may choose to query when performing CSYNC processing.
4.3. Out-of-Bailiwick NS Records

When a zone contains NS records where the domain name pointed at does not fall within the zone itself, there is no way for the parent to safely update the associated glue records. Thus, the child DNS operator MAY indicate that the NS records should be synchronized, and MAY set any glue record flags (A, AAAA) as well, but the parent will only update those glue records that are below the child's delegation point.
Children deploying NS records pointing to domain names within their own children (the "grandchildren") SHOULD ensure the grandchildren's associated glue records are properly set before publishing the CSYNC record. That is, it is imperative that proper communication and synchronization exist between the child and the grandchild.
4.4. Documented Parental Agent Type Support

Parental agents that support processing CSYNC records SHOULD publicly document the following minimum processing characteristics:

* The fact that they support CSYNC processing

* The Type Bit Map bits they support

* The frequency with which they poll clients (which may also be configurable by the client)

* If they support the "immediate" flag

* If they poll a child's single nameserver, a configured list of nameservers, or all of the advertised nameservers when querying records

* If they support SOA serial number caching to avoid issues with regression and/or replay

* Where errors for CSYNC processing are published

* If they support sending queries to a "hidden master"
4.5. Removal of the CSYNC Records

Children MAY remove the CSYNC record upon noticing that the parent zone has published the required records, thus eliminating the need for the parent to continually query for the CSYNC record and all corresponding records. By removing the CSYNC record from the child zone, the parental agent will only need to perform the query for the CSYNC record and can stop processing when it finds it missing. This will reduce resource usage by both the child and the parental agent.
4.6. Parent/Child/Grandchild Glue Synchronization

When a child needs to publish a CSYNC record that synchronizes NS and A/AAAA glue records and the NS record is actually pointing to a child of the child (a grandchild of the parent), then it is critical that the glue records in the child point to the proper real address records published by the grandchild. It is assumed that if a child is using a grandchild's nameserver, they must be in careful synchronization. Specifically, this specification requires this to be the case.
5. Security Considerations

This specification requires the use of DNSSEC in order to determine that the data being updated was unmodified by third parties. Parental agents implementing CSYNC processing MUST ensure all DNS transactions are validated by DNSSEC as "secure". Clients deploying CSYNC MUST ensure their zones are signed, current, and properly linked to the parent zone with a DS record that points to an appropriate DNSKEY of the child's zone.
This specification does not address how to perform bootstrapping operations to get the required initial DNSSEC-secured operating environment in place. Additionally, this specification was not designed to synchronize DNSSEC security records, such as DS pointers, or the CSYNC record itself. Thus, implementations of this protocol MUST NOT use it to synchronize DS records, DNSKEY materials, CDS records, CDNSKEY records, or CSYNC records. Similarly, future documents extending this protocol MUST NOT offer the ability to synchronize DS, DNSKEY materials, CDS records, CDNSKEY records, or CSYNC records. For such a solution, please see the complementary solution [RFC7344] for maintaining security delegation information.
To ensure that an older CSYNC record making use of the soaminimum flag cannot be replayed to revert values, the SOA serial number MUST NOT be incremented by more than 2^16 during the lifetime of the signature window of the RRSIGs that sign the SOA and CSYNC records. Note that this is independent of whether or not the increment causes the 32-bit serial number field to wrap.
This document defines a new DNS Resource Record Type, named "CSYNC". The IANA has assigned a code point from the "Resource Record (RR) TYPEs" sub-registry of the "Domain Name System (DNS) Parameters" registry (http://www.iana.org/assignments/dns-parameters) for this record.
TYPE   Value  Meaning                          Reference
-----  -----  -------------------------------  ---------
CSYNC  62     Child-to-Parent Synchronization  [RFC7477]
The IANA has created and maintains a sub-registry (the "Child Synchronization (CSYNC) Flags" registry) of the "Domain Name System (DNS) Parameters" registry. The initial values for this registry are below.
A "Standards Action" [RFC5226] is required for the assignment of new flag values.
This registry holds a set of single-bit "Flags" for use in the 16-bit Flags field of the CSYNC record. Thus, a maximum of 16 flags may be defined.
The initial assignments in this registry are:
Bit    Flag        Description                        Reference
-----  ----------  ---------------------------------  --------------------------
Bit 0  immediate   Immediately process this CSYNC     [RFC7477], Section 3
                   record.
Bit 1  soaminimum  Require a SOA serial number        [RFC7477], Section 2.1.1.1
                   greater than the one specified.
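The registry entries above give the CSYNC type code and the two flag bits, the security considerations earlier in this section forbid synchronizing DS, DNSKEY, CDS, CDNSKEY and CSYNC records, and the soaminimum/replay rule depends on RFC 1982 serial arithmetic. The following is an added example, not code from RFC 7477 or from any DNS implementation, that ties these together: it parses CSYNC RDATA from the wire, decodes the Flags and Type Bit Map, and makes the parental-agent accept/refuse decision. It assumes the flag values immediate = 0x0001 and soaminimum = 0x0002 for the registry's Bit 0 and Bit 1, that the Type Bit Map uses the NSEC window/bitmap encoding of RFC 4034 Section 4.1.2, and, as this example's own policy, that a record naming a type the agent does not support is refused whole. All RDATA bytes are constructed by hand.

```python
"""Added example: CSYNC (type 62) RDATA parsing and parental-agent checks.

Assumptions not stated in this section: immediate = 0x0001 and
soaminimum = 0x0002; the Type Bit Map is NSEC-style (RFC 4034 4.1.2);
refusing records with unsupported types is this example's policy.
"""
import struct

CSYNC_TYPE = 62
FLAG_IMMEDIATE = 0x0001    # assumed value for registry "Bit 0"
FLAG_SOAMINIMUM = 0x0002   # assumed value for registry "Bit 1"

TYPE_NAMES = {1: "A", 2: "NS", 28: "AAAA", 43: "DS", 48: "DNSKEY",
              59: "CDS", 60: "CDNSKEY", 62: "CSYNC"}
# Types this document says MUST NOT be synchronized via CSYNC.
FORBIDDEN_TYPES = {43, 48, 59, 60, 62}
# Types this document defines synchronization for.
SUPPORTED_TYPES = {1, 2, 28}
MOD = 1 << 32          # serial numbers are 32-bit
HALF = 1 << 31         # RFC 1982 half-space boundary


def serial_lt(s1, s2):
    """RFC 1982 'less than' for 32-bit serials, wraparound-aware.

    Raises ValueError in the undefined case (the values differ by 2^31)."""
    s1 %= MOD
    s2 %= MOD
    if s1 == s2:
        return False
    if (s2 - s1) % MOD == HALF:
        raise ValueError("RFC 1982: comparison undefined (difference is 2^31)")
    return (s1 < s2 and s2 - s1 < HALF) or (s1 > s2 and s1 - s2 > HALF)


def decode_type_bitmap(data):
    """Decode an NSEC-style Type Bit Map into a set of RR type codes."""
    types = set()
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated Type Bit Map window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32 or pos + length > len(data):
            raise ValueError("bad Type Bit Map length")
        for byte_index, byte in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):       # bit 0 of each byte is the MSB
                    types.add(window * 256 + byte_index * 8 + bit)
        pos += length
    return types


def parse_csync_rdata(rdata):
    """Return (soa_serial, flags, types) from CSYNC RDATA wire bytes."""
    if len(rdata) < 6:
        raise ValueError("CSYNC RDATA shorter than SOA Serial + Flags")
    soa_serial, flags = struct.unpack("!IH", rdata[:6])
    return soa_serial, flags, decode_type_bitmap(rdata[6:])


def csync_decision(rdata, child_soa_serial):
    """Decide whether a parental agent may act on a CSYNC record.

    Returns (ok, reason, types_to_sync).  DNSSEC validation of the CSYNC,
    SOA and synchronized records is a precondition assumed to have happened."""
    serial, flags, types = parse_csync_rdata(rdata)
    forbidden = types & FORBIDDEN_TYPES
    if forbidden:
        names = ",".join(sorted(TYPE_NAMES[t] for t in forbidden))
        return False, "MUST NOT synchronize %s via CSYNC" % names, set()
    unsupported = types - SUPPORTED_TYPES
    if unsupported:
        return False, "unsupported type codes %s" % sorted(unsupported), set()
    if flags & FLAG_SOAMINIMUM and serial_lt(child_soa_serial, serial):
        return False, ("child SOA serial %d is below CSYNC minimum %d: "
                       "stale or replayed record" % (child_soa_serial, serial)), set()
    return True, "ok, immediate=%s" % bool(flags & FLAG_IMMEDIATE), types


# Constructed samples.  "example.com. 3600 IN CSYNC 66 3 A NS AAAA" is serial 66,
# flags 3 (immediate|soaminimum), window 0, 4-byte bitmap 60 00 00 08 = A(1), NS(2), AAAA(28).
SAMPLE_RDATA = bytes.fromhex("00000042" "0003" "00" "04" "60000008")
# Same record with DS (43) also set: bitmap byte 5, mask 0x80 >> 3 = 0x10.
SAMPLE_WITH_DS = bytes.fromhex("00000042" "0003" "00" "06" "600000080010")
# soaminimum record published just before the child's serial wraps past 2^32.
SAMPLE_NEAR_WRAP = bytes.fromhex("FFFFFFF0" "0002" "00" "04" "60000008")

if __name__ == "__main__":
    for label, rdata, child in [("current", SAMPLE_RDATA, 70),
                                ("replayed", SAMPLE_RDATA, 60),
                                ("with DS", SAMPLE_WITH_DS, 70),
                                ("wrapped", SAMPLE_NEAR_WRAP, 5)]:
        print(label, csync_decision(rdata, child))
```

The "replayed" case is the one the 2^16 rule above protects: an attacker who replays an older, still-validly-signed CSYNC record only succeeds if the child's current serial is not "greater" under RFC 1982 arithmetic, which is why the serial must not outrun the signature window by more than 2^16. The "wrapped" case shows that the comparison survives the 32-bit field wrapping, as the text notes.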
[RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, August 1996, <http://www.rfc-editor.org/info/rfc1982>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR) Types", RFC 3597, September 2003, <http://www.rfc-editor.org/info/rfc3597>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005, <http://www.rfc-editor.org/info/rfc4034>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987, <http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005, <http://www.rfc-editor.org/info/rfc4033>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005, <http://www.rfc-editor.org/info/rfc4035>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>.
[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating DNSSEC Delegation Trust Maintenance", RFC 7344, September 2014, <http://www.rfc-editor.org/info/rfc7344>.
Acknowledgments
A thank you goes out to Warren Kumari and Olafur Gudmundsson, whose work on the CDS record type helped inspire the work in this document, as well as for the "parental agent" definition and significant contributions to the text. A thank you also goes out to Ed Lewis, with whom the author held many conversations about the issues surrounding parent/child relationships and synchronization. Much of the work in this document is derived from the careful existing analysis of these three esteemed colleagues. Thank you to the following people who have contributed text or detailed reviews to the document (in no particular order): Matthijs Mekking, Petr Spacek, JINMEI Tatuya, Pete Resnick, Joel Jaeggli, Brian Haberman, Warren Kumari, Adrian Farrel, Alia Atlas, Barry Leiba, Richard Barnes, Stephen Farrell, and Ted Lemon. Lastly, the DNSOP WG chairs Tim Wicinski and Suzanne Woolf have been a tremendous help in getting this document moving forward to publication.
A special thanks goes to Roy Arends, for taking the "bite out of that hamburger" challenge while discussing this document.
A similar project, independently designed and developed, was conducted by ep.net called "Child Activated DNS Refresh".
Author's Address

Wes Hardaker
Parsons, Inc.
P.O. Box 382
Davis, CA 95617
US

Phone: +1 530 792 1913
EMail: ietf@hardakers.net