DNS Extensions Working Group                                  G. Sisson
Internet-Draft                                                B. Laurie
Expires: January 11, 2006                                       Nominet

          Derivation of DNS Name Predecessor and Successor
                   draft-ietf-dnsext-dns-name-p-s-00

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 11, 2006.

   Copyright (C) The Internet Society (2005).

   This document describes two methods for deriving the canonically-
   ordered predecessor and successor of a DNS name.  These methods may
   be used for dynamic NSEC resource record synthesis, enabling
   security-aware name servers to provide authenticated denial of
   existence without disclosing other owner names in a DNSSEC-secured

Sisson & Laurie         Expires January 11, 2006                [Page 1]

Internet-Draft      DNS Name Predecessor and Successor         July 2005
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Notational Conventions . . . . . . . . . . . . . . . . . . . .  3
   3.  Absolute Method  . . . . . . . . . . . . . . . . . . . . . . .  4
     3.1.  Derivation of DNS Name Predecessor . . . . . . . . . . . .  4
     3.2.  Derivation of DNS Name Successor . . . . . . . . . . . . .  4
   4.  Modified Method  . . . . . . . . . . . . . . . . . . . . . . .  5
     4.1.  Derivation of DNS Name Predecessor . . . . . . . . . . . .  6
     4.2.  Derivation of DNS Name Successor . . . . . . . . . . . . .  6
   5.  Notes  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     5.1.  Case Considerations  . . . . . . . . . . . . . . . . . . .  7
     5.2.  Choice of Range  . . . . . . . . . . . . . . . . . . . . .  7
     5.3.  Wild Card Considerations . . . . . . . . . . . . . . . . .  8
     5.4.  Possible Modifications . . . . . . . . . . . . . . . . . .  8
       5.4.1.  Restriction of Effective Maximum DNS Name Length . . .  8
       5.4.2.  Use of Modified Method With Zones Containing SRV RRs .  9
   6.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     6.1.  Examples of Immediate Predecessors Using Absolute Method . 10
     6.2.  Examples of Immediate Successors Using Absolute Method . . 13
     6.3.  Examples of Predecessors Using Modified Method . . . . . . 19
     6.4.  Examples of Successors Using Modified Method . . . . . . . 20
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 21
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 21
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 21
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 22
     10.2. Informative References . . . . . . . . . . . . . . . . . . 22
   Appendix A.  Change History  . . . . . . . . . . . . . . . . . . . 22
     A.1.  Changes from sisson-02 to ietf-00  . . . . . . . . . . . . 22
     A.2.  Changes from sisson-01 to sisson-02  . . . . . . . . . . . 23
     A.3.  Changes from sisson-00 to sisson-01  . . . . . . . . . . . 23
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
   Intellectual Property and Copyright Statements . . . . . . . . . . 25
1.  Introduction

   One of the proposals for avoiding the exposure of zone information
   during the deployment of DNSSEC is dynamic NSEC resource record (RR)
   synthesis.  This technique is described in
   [I-D.ietf-dnsext-dnssec-trans] and
   [I-D.ietf-dnsext-dnssec-online-signing], and involves the generation
   of NSEC RRs that just span the query name for non-existent owner
   names.  In order to do this, the DNS names which would occur just
   prior to and just following a given query name must be calculated in
   real time, as maintaining a list of all possible owner names that
   might occur in a zone would be impracticable.

   Section 6.1 of [RFC4034] defines canonical DNS name order.  This
   document does not amend or modify this definition.  However, the
   derivation of immediate predecessor and successor, while trivial, is
   non-obvious.  Accordingly, several methods are described here as an
   aid to implementors and a reference to other interested parties.

   This document describes two methods:

   1.  An "absolute method", which returns the immediate predecessor or
       successor of a domain name such that no valid DNS name could
       exist between that DNS name and the predecessor or successor.

   2.  A "modified method", which returns a predecessor and successor
       which are more economical in size and computation.  This method
       is restricted to use with zones consisting only of single-label
       owner names where a maximum-length owner name would not result in
       a DNS name exceeding the maximum DNS name length.  This is,
       however, the type of zone for which the technique of online
       signing is most likely to be used.

2.  Notational Conventions

   The following notational conventions are used in this document for
   economy of expression:

   N:      An unspecified DNS name.

   P(N):   Immediate predecessor to N (absolute method).

   S(N):   Immediate successor to N (absolute method).

   P'(N):  Predecessor to N (modified method).
   S'(N):  Successor to N (modified method).

3.  Absolute Method

   These derivations assume that all uppercase US-ASCII letters in N
   have already been replaced by their corresponding lowercase
   equivalents.  Unless otherwise specified, processing stops after the
   first step in which a condition is met.

3.1.  Derivation of DNS Name Predecessor

   1.  If N is the same as the owner name of the zone apex, prepend N
       repeatedly with labels of the maximum length possible consisting
       of octets of the maximum sort value (e.g. 0xff) until N is the
       maximum length possible; otherwise continue to the next step.

   2.  If the least significant (left-most) label of N consists of a
       single octet of the minimum sort value (e.g. 0x00), remove that
       label; otherwise continue to the next step.

   3.  If the least significant (right-most) octet in the least
       significant (left-most) label of N is the minimum sort value,
       remove the least significant octet and continue with step 5.

   4.  Decrement the value of the least significant (right-most) octet,
       skipping any values that correspond to uppercase US-ASCII
       letters, and then append the label with as many octets as
       possible of the maximum sort value.  Continue to the next step.

   5.  Prepend N repeatedly with labels of as long a length as possible
       consisting of octets of the maximum sort value until N is the
       maximum length possible.

3.2.  Derivation of DNS Name Successor

   1.  If N is two or more octets shorter than the maximum DNS name
       length, prepend N with a label containing a single octet of the
       minimum sort value (e.g. 0x00); otherwise continue to the next

   2.  If N is one or more octets shorter than the maximum DNS name
       length and the least significant (left-most) label is one or more
       octets shorter than the maximum label length, append an octet of
       the minimum sort value to the least significant label; otherwise
       continue to the next step.
   3.  Increment the value of the least significant (right-most) octet
       in the least significant (left-most) label that is less than the
       maximum sort value (e.g. 0xff), skipping any values that
       correspond to uppercase US-ASCII letters, and then remove any
       octets to the right of that one.  If all octets in the label are
       the maximum sort value, then continue to the next step.

   4.  Remove the least significant (left-most) label.  If N is now the
       same as the owner name of the zone apex, do nothing.  (This will
       occur only if N is the maximum possible name in canonical DNS
       name order, and thus has wrapped to the owner name of the zone
       apex.)  Otherwise repeat starting at step 2.

4.  Modified Method

   This method is for use with zones consisting only of single-label
   owner names where an owner name consisting of a label of maximum
   length would not result in a DNS name which exceeded the maximum DNS
   name length.  This method is computationally simpler and returns
   values which are more economical in size than the absolute method.
   It differs from the absolute method detailed above in the following

   1.  Step 1 of the derivation P(N) has been omitted as the existence
       of the owner name of the zone apex never requires denial.

   2.  A new step 1 has been introduced which removes unnecessary

   3.  Step 4 of the derivation P(N) has been omitted as it is only
       necessary for zones containing owner names consisting of more
       than one label.  This omission generally results in a significant
       reduction of the length of derived predecessors.

   4.  Step 1 of the derivation S(N) has been omitted as it is only
       necessary for zones containing owner names consisting of more
       than one label.  This omission results in a tiny reduction of the
       length of derived successors, and maintains consistency with the
       modification of step 4 of the derivation P(N) described above.

   5.  Steps 2 and 4 of the derivation S(N) have been modified to
       eliminate checks for maximum DNS name length, as it is an
       assumption of this method that no DNS name in the zone can exceed
       the maximum DNS name length.
   These derivations assume that all uppercase US-ASCII letters in N
   have already been replaced by their corresponding lowercase
   equivalents.  Unless otherwise specified, processing stops after the
   first step in which a condition is met.

4.1.  Derivation of DNS Name Predecessor

   1.  If N has more labels than the number of labels in the owner name
       of the apex + 1, repeatedly remove the least significant (left-
       most) label until N has no more labels than the number of labels
       in the owner name of the apex + 1; otherwise continue to next

   2.  If the least significant (left-most) label of N consists of a
       single octet of the minimum sort value (e.g. 0x00), remove that
       label; otherwise continue to the next step.

   3.  If the least significant (right-most) octet in the least
       significant (left-most) label of N is the minimum sort value,
       remove the least significant octet.

   4.  Decrement the value of the least significant (right-most) octet,
       skipping any values which correspond to uppercase US-ASCII
       letters, and then append the label with as many octets as
       possible of the maximum sort value.

4.2.  Derivation of DNS Name Successor

   1.  If N has more labels than the number of labels in the owner name
       of the apex + 1, repeatedly remove the least significant (left-
       most) label until N has no more labels than the number of labels
       in the owner name of the apex + 1.  Continue to next step.

   2.  If the least significant (left-most) label of N is one or more
       octets shorter than the maximum label length, append an octet of
       the minimum sort value to the least significant label; otherwise
       continue to the next step.

   3.  Increment the value of the least significant (right-most) octet
       in the least significant (left-most) label that is less than the
       maximum sort value (e.g. 0xff), skipping any values which
       correspond to uppercase US-ASCII letters, and then remove any
       octets to the right of that one.  If all octets in the label are
       the maximum sort value, then continue to the next step.
   4.  Remove the least significant (left-most) label.  (This will occur
       only if the least significant label is the maximum label length
       and consists entirely of octets of the maximum sort value, and
       thus has wrapped to the owner name of the zone apex.)
5.  Notes

5.1.  Case Considerations

   Section 3.5 of [RFC1034] specifies that "while upper and lower case
   letters are allowed in [DNS] names, no significance is attached to
   the case".  Additionally, Section 6.1 of [RFC4034] states that when
   determining canonical DNS name order, "uppercase US-ASCII letters are
   treated as if they were lowercase US-ASCII letters".  Consequently,
   values corresponding to US-ASCII uppercase letters must be skipped
   when decrementing and incrementing octets in the derivations
   described in Section 3.1 and Section 3.2.

   The following pseudo-code is illustrative:
   Decrement the value of an octet:

      if (octet == '[')       // '[' is just after uppercase 'Z'
          octet = '@';        // '@' is just prior to uppercase 'A'
      else
          octet--;

   Increment the value of an octet:

      if (octet == '@')       // '@' is just prior to uppercase 'A'
          octet = '[';        // '[' is just after uppercase 'Z'
      else
          octet++;
5.2.  Choice of Range

   [RFC2181] makes the clarification that "any binary string whatever
   can be used as the label of any resource record".  Consequently the
   minimum sort value may be set as 0x00 and the maximum sort value as
   0xff, and the range of possible values will be any DNS name which
   contains octets of any value other than those corresponding to
   uppercase US-ASCII letters.

   However, if all owner names in a zone are in the letter-digit-hyphen,
   or LDH, format specified in [RFC1034], it may be desirable to
   restrict the range of possible values to DNS names containing only
   LDH values.  This has the effect of:
   1.  making the output of tools such as `dig' and `nslookup' less
       subject to confusion;

   2.  minimising the impact that NSEC RRs containing DNS names with
       non-LDH values (or non-printable values) might have on faulty DNS
       resolver implementations; and

   3.  preventing the possibility of results which are wildcard DNS
       names (see Section 5.3).

   This may be accomplished by using a minimum sort value of 0x1f (US-
   ASCII character `-') and a maximum sort value of 0x7a (US-ASCII
   character lowercase `z'), and then skipping non-LDH, non-lowercase
   values when incrementing or decrementing octets.

5.3.  Wild Card Considerations

   Neither derivation avoids the possibility that the result may be a
   DNS name containing a wildcard label, i.e. a label containing a
   single octet with the value 0x2a (US-ASCII character `*').  With
   additional tests, wildcard DNS names may be explicitly avoided;
   alternatively, if the range of octet values can be restricted to
   those corresponding to letter-digit-hyphen, or LDH, characters (see
   Section 5.2), such DNS names will not occur.

   Note that it is improbable that a result which is a wildcard DNS name
   will occur unintentionally; even if one does occur either as the
   owner name of, or in the RDATA of, an NSEC RR, it is treated as a
   literal DNS name with no special meaning.

5.4.  Possible Modifications

5.4.1.  Restriction of Effective Maximum DNS Name Length

   [RFC1034] specifies that "the total number of octets that represent a
   [DNS] name (i.e., the sum of all label octets and label lengths) is
   limited to 255", including the null (zero-length) label which
   represents the root.  For the purpose of deriving predecessors and
   successors during NSEC RR synthesis, the maximum DNS name length may
   be effectively restricted to the length of the longest DNS name in
   the zone.  This will minimise the size of responses containing
   synthesised NSEC RRs but, especially in the case of the modified
   method, may result in some additional computational complexity.
   Note that this modification will have the effect of revealing
   information about the longest name in the zone.  Moreover, when the
   contents of the zone change, e.g. during dynamic updates and zone
   transfers, care must be taken to ensure that the effective maximum
   DNS name length agrees with the new contents.
5.4.2.  Use of Modified Method With Zones Containing SRV RRs

   Normally the modified method cannot be used in zones that contain
   SRV RRs [RFC2782], as SRV RRs have owner names which contain multiple
   labels.  However the use of SRV RRs can be accommodated by various
   techniques.  There are at least four possible ways to do this:

   1.  Use conventional NSEC RRs for the region of the zone that
       contains first-level labels beginning with the underscore (`_')
       character.  For the purposes of generating these NSEC RRs, the
       existence of (possibly fictional) owner names `9{63}' and `a'
       could be assumed, providing a lower and upper bound for this
       region.  Then all queries where the QNAME doesn't exist but
       contains a first-level label beginning with an underscore could
       be handled using the normal DNSSEC protocol.

       This approach would make it possible to enumerate all DNS names
       in the zone containing a first-level label beginning with
       underscore, including all SRV RRs, but this may be of less
       concern to the zone administrator than incurring the overhead of
       the absolute method or of the following variants of the modified

   2.  The absolute method could be used for synthesising NSEC RRs for
       all queries where the QNAME contains a leading underscore.
       However this re-introduces the susceptibility of the absolute
       method to denial of service activity, as an attacker could send
       queries for an effectively inexhaustible supply of domain names
       beginning with a leading underscore.

   3.  A variant of the modified method could be used for synthesising
       NSEC RRs for all queries where the QNAME contains a leading
       underscore.  This variant would assume that all predecessors and
       successors to queries where the QNAME contains a leading
       underscore may consist of two labels rather than only one.  This
       introduces a little additional complexity without incurring the
       full increase in response size and computational complexity as

   4.  Finally, a variant of the modified method which assumes that all
       owner names in the zone consist of one or two labels could be
       used.  However this negates much of the reduction in response
       size of the modified method and may be nearly as computationally
       complex as the absolute method.
6.  Examples

   In the following examples:

      the owner name of the zone apex is "example.com.";

      the range of octet values is 0x00 - 0xff excluding values
      corresponding to uppercase US-ASCII letters; and

      non-printable octet values are expressed as three-digit decimal
      numbers preceded by a backslash (as specified in Section 5.1 of

6.1.  Examples of Immediate Predecessors Using Absolute Method

   Example of typical case:

      P(foo.example.com.) =

         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255.\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255.\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255.fon\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255.example.com.

   or, in alternate notation:

      \255{49}.\255{63}.\255{63}.fon\255{60}.example.com.

   where {n} represents the number of repetitions of an octet.
   Example where least significant (left-most) label of DNS name
   consists of a single octet of the minimum sort value:

      P(\000.foo.example.com.) = foo.example.com.

   Example where least significant (right-most) octet of least
   significant (left-most) label has the minimum sort value:

      P(foo\000.example.com.) =

         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255.\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255.\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255.\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255.foo.example.com.

   or, in alternate notation:

      \255{45}.\255{63}.\255{63}.\255{63}.foo.example.com.
   Example where DNS name contains an octet which must be decremented by
   skipping values corresponding to US-ASCII uppercase letters:

      P(fo\[.example.com.) =

         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255.\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255.\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255.fo\@\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255.example.com.

   or, in alternate notation:

      \255{49}.\255{63}.\255{63}.fo\@\255{60}.example.com.

   where {n} represents the number of repetitions of an octet.
   Example where DNS name is the owner name of the zone apex, and
   consequently wraps to the DNS name with the maximum possible sort

         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255.\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255.\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255.\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255
         \255\255\255\255\255\255\255\255\255\255\255\255

   or, in alternate notation:

      \255{49}.\255{63}.\255{63}.\255{63}.example.com.

6.2.  Examples of Immediate Successors Using Absolute Method

   Example of typical case:

      S(foo.example.com.) = \000.foo.example.com.
   Example where DNS name is one octet short of the maximum DNS name

      N = fooooooooooooooooooooooooooooooooooooooooooooooo
          .ooooooooooooooooooooooooooooooooooooooooooooooo
          oooooooooooooooo.ooooooooooooooooooooooooooooooo
          oooooooooooooooooooooooooooooooo.ooooooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo.example.com.

   or, in alternate notation:

      fo{47}.o{63}.o{63}.o{63}.example.com.

          fooooooooooooooooooooooooooooooooooooooooooooooo
          \000.ooooooooooooooooooooooooooooooooooooooooooo
          oooooooooooooooooooo.ooooooooooooooooooooooooooo
          oooooooooooooooooooooooooooooooooooo.ooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo

   or, in alternate notation:

      fo{47}\000.o{63}.o{63}.o{63}.example.com.
   Example where DNS name is the maximum DNS name length:

      N = fooooooooooooooooooooooooooooooooooooooooooooooo
          o.oooooooooooooooooooooooooooooooooooooooooooooo
          ooooooooooooooooo.oooooooooooooooooooooooooooooo
          ooooooooooooooooooooooooooooooooo.oooooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo

   or, in alternate notation:

      fo{48}.o{63}.o{63}.o{63}.example.com.

          fooooooooooooooooooooooooooooooooooooooooooooooo
          p.oooooooooooooooooooooooooooooooooooooooooooooo
          ooooooooooooooooo.oooooooooooooooooooooooooooooo
          ooooooooooooooooooooooooooooooooo.oooooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo

   or, in alternate notation:

      fo{47}p.o{63}.o{63}.o{63}.example.com.
   Example where DNS name is the maximum DNS name length and the least
   significant (left-most) label has the maximum sort value:

      N = \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255\255\255\255\255\255\255\255\255\255\255\255
          \255.ooooooooooooooooooooooooooooooooooooooooooo
          oooooooooooooooooooo.ooooooooooooooooooooooooooo
          oooooooooooooooooooooooooooooooooooo.ooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo

   or, in alternate notation:

      \255{49}.o{63}.o{63}.o{63}.example.com.

          oooooooooooooooooooooooooooooooooooooooooooooooo
          oooooooooooooop.oooooooooooooooooooooooooooooooo
          ooooooooooooooooooooooooooooooo.oooooooooooooooo
          ooooooooooooooooooooooooooooooooooooooooooooooo.

   or, in alternate notation:

      o{62}p.o{63}.o{63}.example.com.
   Example where DNS name is the maximum DNS name length and the eight
   least significant (right-most) octets of the least significant (left-
   most) label have the maximum sort value:

      N = foooooooooooooooooooooooooooooooooooooooo\255
          \255\255\255\255\255\255\255.ooooooooooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooo.ooo
          oooooooooooooooooooooooooooooooooooooooooooooooo
          oooooooooooo.ooooooooooooooooooooooooooooooooooo
          oooooooooooooooooooooooooooo.example.com.

   or, in alternate notation:

      fo{40}\255{8}.o{63}.o{63}.o{63}.example.com.

          fooooooooooooooooooooooooooooooooooooooop.oooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo
          ooooooooo.oooooooooooooooooooooooooooooooooooooo
          ooooooooooooooooooooooooo.oooooooooooooooooooooo
          ooooooooooooooooooooooooooooooooooooooooo.example.com.

   or, in alternate notation:

      fo{39}p.o{63}.o{63}.o{63}.example.com.
   Example where DNS name is the maximum DNS name length and contains an
   octet which must be incremented by skipping values corresponding to
   US-ASCII uppercase letters:

      N = fooooooooooooooooooooooooooooooooooooooooooooooo
          \@.ooooooooooooooooooooooooooooooooooooooooooooo
          oooooooooooooooooo.ooooooooooooooooooooooooooooo
          oooooooooooooooooooooooooooooooooo.ooooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo

   or, in alternate notation:

      fo{47}\@.o{63}.o{63}.o{63}.example.com.

          fooooooooooooooooooooooooooooooooooooooooooooooo
          \[.ooooooooooooooooooooooooooooooooooooooooooooo
          oooooooooooooooooo.ooooooooooooooooooooooooooooo
          oooooooooooooooooooooooooooooooooo.ooooooooooooo
          oooooooooooooooooooooooooooooooooooooooooooooooo

   or, in alternate notation:

      fo{47}\[.o{63}.o{63}.o{63}.example.com.
1009 Example where DNS name has the maximum possible sort order in the
1010 zone, and consequently wraps to the owner name of the zone apex:
1012 N = \255\255\255\255\255\255\255\255\255\255\255\255
1013 \255\255\255\255\255\255\255\255\255\255\255\255
1014 \255\255\255\255\255\255\255\255\255\255\255\255
1015 \255\255\255\255\255\255\255\255\255\255\255\255
1016 \255.\255\255\255\255\255\255\255\255\255\255
1017 \255\255\255\255\255\255\255\255\255\255\255\255
1018 \255\255\255\255\255\255\255\255\255\255\255\255
1019 \255\255\255\255\255\255\255\255\255\255\255\255
1020 \255\255\255\255\255\255\255\255\255\255\255\255
1021 \255\255\255\255\255.\255\255\255\255\255\255
1022 \255\255\255\255\255\255\255\255\255\255\255\255
1023 \255\255\255\255\255\255\255\255\255\255\255\255
1024 \255\255\255\255\255\255\255\255\255\255\255\255
1025 \255\255\255\255\255\255\255\255\255\255\255\255
1026 \255\255\255\255\255\255\255\255\255.\255\255
1027 \255\255\255\255\255\255\255\255\255\255\255\255
1028 \255\255\255\255\255\255\255\255\255\255\255\255
1029 \255\255\255\255\255\255\255\255\255\255\255\255
1030 \255\255\255\255\255\255\255\255\255\255\255\255
1031 \255\255\255\255\255\255\255\255\255\255\255\255
1034 or, in alternate notation:
1036 \255{49}.\255{63}.\255{63}.\255{63}.example.com.
6.3. Examples of Predecessors Using Modified Method

Example of typical case:

   P'(foo.example.com.) =

       fon\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255

   or, in alternate notation:

       fon\255{60}.example.com.
Example where DNS name contains more labels than DNS names in the

   P'(bar.foo.example.com.) = foo.example.com.

Example where least significant (right-most) octet of least
significant (left-most) label has the minimum sort value:

   P'(foo\000.example.com.) = foo.example.com.

Example where least significant (left-most) label has the minimum

   P'(\000.example.com.) = example.com.

Example where DNS name is the owner name of the zone apex, and
consequently wraps to the DNS name with the maximum possible sort

   P'(example.com.) =

       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255.example.com.

   or, in alternate notation:

       \255{63}.example.com.
6.4. Examples of Successors Using Modified Method

Example of typical case:

   S'(foo.example.com.) = foo\000.example.com.

Example where DNS name contains more labels than DNS names in the

   S'(bar.foo.example.com.) = foo\000.example.com.

Example where least significant (left-most) label has the maximum
sort value, and consequently wraps to the owner name of the zone

   N = \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255\255\255\255\255\255\255\255\255\255
       \255\255\255.example.com.

   or, in alternate notation:

       \255{63}.example.com.

   S'(N) = example.com.
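The modified-method derivations P'(N) and S'(N) illustrated in 6.3 and 6.4, as a runnable implementation. This is an added example, not code from this draft or from any name server. It assumes the zone apex example.com., input in master-file presentation form with decimal \DDD escapes, the 63-octet label and 255-octet name limits of RFC 1035, and that octet values 0x41 to 0x5A are never used because canonical ordering (RFC 4034, Section 6.1) folds US-ASCII uppercase to lowercase, so '@' increments to '[' and '[' decrements to '@'. Two further assumptions: the "effective maximum DNS name length" optimisation mentioned in the change history is read as capping the child label so the whole name fits in 255 octets (for example.com. that leaves the plain 63-octet limit), and the successor of the apex itself, which none of the examples above shows, is taken to be \000.example.com. as the smallest possible child.

```python
# Added example (not the draft's code): the modified-method derivations
# P'(N) and S'(N) for one zone.  Assumptions: apex "example.com."; input in
# presentation form with decimal \DDD escapes; labels <= 63 octets and names
# <= 255 octets (RFC 1035); octets 0x41-0x5A ('A'..'Z') are skipped because
# RFC 4034 canonical ordering folds them to lowercase.
import re

MAX_LABEL, MAX_NAME = 63, 255
UPPER_LO, UPPER_HI = 0x41, 0x5A

_TOKEN = re.compile(r'\\(\d{3})|\\(.)|(.)', re.S)   # \DDD, \x, or a plain char

def parse(name):
    """Presentation form -> labels (bytes), least significant first, lowercased."""
    if not name.endswith('.'):
        raise ValueError('name must be absolute: %r' % name)
    if name == '.':
        return []
    labels, cur = [], bytearray()
    for ddd, esc, ch in _TOKEN.findall(name):
        if ddd:                       # decimal escape such as \000 or \255
            cur.append(int(ddd))
        elif esc:                     # escaped literal such as \. \\ \@
            cur.append(ord(esc))
        elif ch == '.':               # end of label
            labels.append(bytes(cur).lower())
            cur = bytearray()
        else:
            cur.append(ord(ch))
    return labels

def present(labels):
    """Labels -> presentation form, escaping '.', '\\' and non-printables."""
    def esc(b):
        if b in (0x2E, 0x5C):
            return '\\' + chr(b)
        return chr(b) if 0x21 <= b <= 0x7E else '\\%03d' % b
    return '.'.join(''.join(esc(b) for b in lab) for lab in labels) + '.'

def canonical_key(labels):
    """RFC 4034 s6.1 order: most significant label first; bytes compare unsigned
    and a proper prefix sorts before the longer label."""
    return tuple(reversed(labels))

def effective_max_label(zone):
    """Longest child label keeping the name within MAX_NAME octets (assumed
    reading of the draft's 'effective maximum DNS name length' optimisation)."""
    return min(MAX_LABEL, MAX_NAME - (sum(1 + len(l) for l in zone) + 1) - 1)

def _dec(b):  # previous usable octet: '[' (0x5B) steps over A-Z to '@' (0x40)
    return UPPER_LO - 1 if b == UPPER_HI + 1 else b - 1

def _inc(b):  # next usable octet: '@' (0x40) steps over A-Z to '[' (0x5B)
    return UPPER_HI + 1 if b == UPPER_LO - 1 else b + 1

def _in_zone(name, zone):
    labels, zone = parse(name), parse(zone)
    if labels[len(labels) - len(zone):] != zone:
        raise ValueError('%s is not in zone %s' % (name, present(zone)))
    return labels, zone

def predecessor(name, zone):
    """P'(N): predecessor among names at most one label below the apex."""
    labels, zone = _in_zone(name, zone)
    depth = len(zone) + 1
    if labels == zone:                  # apex wraps to the largest name in the zone
        return present([b'\xff' * effective_max_label(zone)] + zone)
    if len(labels) > depth:             # deeper name: its ancestor at depth precedes it
        return present(labels[-depth:])
    lab = bytearray(labels[0])
    if lab[-1] == 0x00:                 # trailing \000: drop it; empty label -> apex
        del lab[-1]
        return present(([bytes(lab)] if lab else []) + zone)
    lab[-1] = _dec(lab[-1])             # decrement last octet, pad with \255 to limit
    lab += b'\xff' * (effective_max_label(zone) - len(lab))
    return present([bytes(lab)] + zone)

def successor(name, zone):
    """S'(N): successor among names at most one label below the apex."""
    labels, zone = _in_zone(name, zone)
    depth = len(zone) + 1
    if labels == zone:                  # apex: the smallest possible child (assumed)
        return present([b'\x00'] + zone)
    if len(labels) > depth:             # deeper name: treated as its ancestor at depth
        labels = labels[-depth:]
    lab = bytearray(labels[0])
    if len(lab) < effective_max_label(zone):   # room left: append \000
        return present([bytes(lab) + b'\x00'] + zone)
    while lab and lab[-1] == 0xFF:      # full label: strip trailing \255 octets ...
        del lab[-1]
    if not lab:                         # ... nothing left: largest name wraps to apex
        return present(zone)
    lab[-1] = _inc(lab[-1])             # ... else increment the last remaining octet
    return present([bytes(lab)] + zone)

if __name__ == '__main__':
    for n in ('foo.example.com.', 'bar.foo.example.com.', 'example.com.'):
        print("P'(%s) = %s   S'(%s) = %s" % (n, predecessor(n, 'example.com.'),
                                            n, successor(n, 'example.com.')))
```

The check worth automating is canonical order: for any N other than the two wrap-around cases, canonical_key(parse(P'(N))) < canonical_key(parse(N)) < canonical_key(parse(S'(N))) must hold, and the examples of 6.3 and 6.4 must come out octet for octet. The _in_zone guard matters in an on-line signer: a name outside the zone must be rejected before derivation, not silently given a predecessor in the wrong zone.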
7. Security Considerations

The derivation of some predecessors/successors requires the testing
of more conditions than others. Consequently the effectiveness of a
denial-of-service attack may be enhanced by sending queries that
require more conditions to be tested: the query name is chosen by the
attacker, so it is the cost of the worst-case derivation path, not
the typical one, that bounds the per-query cost of on-line NSEC
synthesis. The modified method involves the testing of fewer
conditions than the absolute method and consequently is somewhat less
susceptible to this exposure.

8. IANA Considerations

This document has no IANA actions.

Note to RFC Editor: This section is included to make it clear during
pre-publication review that this document has no IANA actions. It
may therefore be removed should it be published as an RFC.

The authors would like to thank Olaf Kolkman, Olafur Gudmundsson and
Niall O'Reilly for their review and input.
10.1 Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
          STD 13, RFC 1034, November 1987.

[RFC1035] Mockapetris, P., "Domain names - implementation and
          specification", STD 13, RFC 1035, November 1987.

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
          Specification", RFC 2181, July 1997.

[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
          specifying the location of services (DNS SRV)", RFC 2782,
          February 2000.

[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
          Rose, "Resource Records for the DNS Security Extensions",
          RFC 4034, March 2005.

10.2 Informative References

[I-D.ietf-dnsext-dnssec-online-signing]
          Ihren, J. and S. Weiler, "Minimally Covering NSEC Records
          and DNSSEC On-line Signing",
          draft-ietf-dnsext-dnssec-online-signing-00 (work in
          progress), May 2005.

[I-D.ietf-dnsext-dnssec-trans]
          Arends, R., Koch, P., and J. Schlyter, "Evaluating DNSSEC
          Transition Mechanisms",
          draft-ietf-dnsext-dnssec-trans-02 (work in progress),
Appendix A. Change History

A.1. Changes from sisson-02 to ietf-00

o Added notes on use of SRV RRs with modified method.

o Changed reference from weiler-dnssec-online-signing to ietf-
  dnsext-dnssec-online-signing.

o Changed reference from ietf-dnsext-dnssec-records to RFC 4034.

o Miscellaneous minor changes to text.

A.2. Changes from sisson-01 to sisson-02

o Added modified version of derivation (with supporting examples).

o Introduced notational conventions N, P(N), S(N), P'(N) and S'(N).

o Added clarification to derivations about when processing stops.

o Miscellaneous minor changes to text.

A.3. Changes from sisson-00 to sisson-01

o Split step 3 of derivation of DNS name predecessor into two
  distinct steps for clarity.

o Added clarifying text and examples related to the requirement to
  avoid uppercase characters when decrementing or incrementing

o Added optimisation using restriction of effective maximum DNS name

o Changed examples to use decimal rather than octal notation as per

o Corrected DNS name length of some examples.

o Added reference to weiler-dnssec-online-signing.

o Miscellaneous minor changes to text.
Phone: +44 1865 332339
Email: geoff@nominet.org.uk

Phone: +44 20 8735 0686
Email: ben@algroup.co.uk
Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Disclaimer of Validity

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

Funding for the RFC Editor function is currently provided by the