1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
|
<pre>Network Working Group J. Rosenberg, Ed.
Request for Comments: 4367 IAB
Category: Informational February 2006
<span class="h1">What's in a Name: False Assumptions about DNS Names</span>
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The Domain Name System (DNS) provides an essential service on the
Internet, mapping structured names to a variety of data, usually IP
addresses. These names appear in email addresses, Uniform Resource
Identifiers (URIs), and other application-layer identifiers that are
often rendered to human users. Because of this, there has been a
strong demand to acquire names that have significance to people,
through equivalence to registered trademarks, company names, types of
services, and so on. There is a danger in this trend; the humans and
automata that consume and use such names will associate specific
semantics with some names and thereby make assumptions about the
services that are, or should be, provided by the hosts associated
with the names. Those assumptions can often be false, resulting in a
variety of failure conditions. This document discusses this problem
in more detail and makes recommendations on how it can be avoided.
<span class="grey">Rosenberg Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-2">2</a>
<a href="#section-2">2</a>. Target Audience .................................................<a href="#page-4">4</a>
<a href="#section-3">3</a>. Modeling Usage of the DNS .......................................<a href="#page-4">4</a>
<a href="#section-4">4</a>. Possible Assumptions ............................................<a href="#page-5">5</a>
<a href="#section-4.1">4.1</a>. By the User ................................................<a href="#page-5">5</a>
<a href="#section-4.2">4.2</a>. By the Client ..............................................<a href="#page-6">6</a>
<a href="#section-4.3">4.3</a>. By the Server ..............................................<a href="#page-7">7</a>
<a href="#section-5">5</a>. Consequences of False Assumptions ...............................<a href="#page-8">8</a>
<a href="#section-6">6</a>. Reasons Why the Assumptions Can Be False ........................<a href="#page-9">9</a>
<a href="#section-6.1">6.1</a>. Evolution ..................................................<a href="#page-9">9</a>
<a href="#section-6.2">6.2</a>. Leakage ...................................................<a href="#page-10">10</a>
<a href="#section-6.3">6.3</a>. Sub-Delegation ............................................<a href="#page-10">10</a>
<a href="#section-6.4">6.4</a>. Mobility ..................................................<a href="#page-12">12</a>
<a href="#section-6.5">6.5</a>. Human Error ...............................................<a href="#page-12">12</a>
<a href="#section-7">7</a>. Recommendations ................................................<a href="#page-12">12</a>
<a href="#section-8">8</a>. A Note on <a href="./rfc2219">RFC 2219</a> and <a href="./rfc2782">RFC 2782</a> ................................<a href="#page-13">13</a>
<a href="#section-9">9</a>. Security Considerations ........................................<a href="#page-14">14</a>
<a href="#section-10">10</a>. Acknowledgements ..............................................<a href="#page-14">14</a>
<a href="#section-11">11</a>. IAB Members ...................................................<a href="#page-14">14</a>
<a href="#section-12">12</a>. Informative References ........................................<a href="#page-15">15</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Domain Name System (DNS) [<a href="#ref-1" title=""Domain names - concepts and facilities"">1</a>] provides an essential service on the
Internet, mapping structured names to a variety of different types of
data. Most often it is used to obtain the IP address of a host
associated with that name [<a href="#ref-2" title=""A DNS RR for specifying the location of services (DNS SRV)"">2</a>] [<a href="#ref-1" title=""Domain names - concepts and facilities"">1</a>] [<a href="#ref-3" title=""Dynamic Delegation Discovery System (DDDS) Part Three: The Domain Name System (DNS) Database"">3</a>]. However, it can be used to
obtain other information, and proposals have been made for nearly
everything, including geographic information [<a href="#ref-4" title=""A Means for Expressing Location Information in the Domain Name System"">4</a>].
Domain names are most often used in identifiers used by application
protocols. The most well known include email addresses and URIs,
such as the HTTP URL [<a href="#ref-5" title=""Hypertext Transfer Protocol -- HTTP/1.1"">5</a>], Real Time Streaming Protocol (RTSP) URL
[<a href="#ref-6" title=""Real Time Streaming Protocol (RTSP)"">6</a>], and SIP URI [<a href="#ref-7" title=""SIP: Session Initiation Protocol"">7</a>]. These identifiers are ubiquitous, appearing on
business cards, web pages, street signs, and so on. Because of this,
there has been a strong demand to acquire domain names that have
significance to people through equivalence to registered trademarks,
company names, types of services, and so on. Such identifiers serve
many business purposes, including extension of brand, advertising,
and so on.
People often make assumptions about the type of service that is or
should be provided by a host associated with that name, based on
their expectations and understanding of what the name implies. This,
in turn, triggers attempts by organizations to register domain names
based on that presumed user expectation. Examples of this are the
<span class="grey">Rosenberg Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
various proposals for a Top-Level Domain (TLD) that could be
associated with adult content [<a href="#ref-8" title="".sex Considered Dangerous"">8</a>], the requests for creation of TLDs
associated with mobile devices and services, and even phishing
attacks.
When these assumptions are codified into the behavior of an
automaton, such as an application client or server, as a result of
implementor choice, management directive, or domain owner policy, the
overall system can fail in various ways. This document describes a
number of typical ways in which these assumptions can be codified,
how they can be wrong, the consequences of those mistakes, and the
recommended ways in which they can be avoided.
<a href="#section-4">Section 4</a> describes some of the possible assumptions that clients,
servers, and people can make about a domain name. In this context,
an "assumption" is defined as any behavior that is expected when
accessing a service at a domain name, even though the behavior is not
explicitly codified in protocol specifications. Frequently, these
assumptions involve ignoring parts of a specification based on an
assumption that the client or server is deployed in an environment
that is more rigid than the specification allows. <a href="#section-5">Section 5</a>
overviews some of the consequences of these false assumptions.
Generally speaking, these consequences can include a variety of
different interoperability failures, user experience failures, and
system failures. <a href="#section-6">Section 6</a> discusses why these assumptions can be
false from the very beginning or become false at some point in the
future. Most commonly, they become false because the environment
changes in unexpected ways over time, and what was a valid assumption
before, no longer is. Other times, the assumptions prove wrong
because they were based on the belief that a specific community of
clients and servers was participating, and an element outside of that
community began participating.
<a href="#section-7">Section 7</a> then provides some recommendations. These recommendations
encapsulate some of the engineering mantras that have been at the
root of Internet protocol design for decades. These include:
Follow the specifications.
Use the capability negotiation techniques provided in the
protocols.
Be liberal in what you accept, and conservative in what you send.
[<a href="#ref-18" title=""Requirements for Internet Hosts - Communication Layers"">18</a>]
Overall, automata should not change their behavior within a protocol
based on the domain name, or some component of the domain name, of
the host they are communicating with.
<span class="grey">Rosenberg Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Target Audience</span>
This document has several audiences. Firstly, it is aimed at
implementors who ultimately develop the software that make the false
assumptions that are the subject of this document. The
recommendations described here are meant to reinforce the engineering
guidelines that are often understood by implementors, but frequently
forgotten as deadlines near and pressures mount.
The document is also aimed at technology managers, who often develop
the requirements that lead to these false assumptions. For them,
this document serves as a vehicle for emphasizing the importance of
not taking shortcuts in the scope of applicability of a project.
Finally, this document is aimed at domain name policy makers and
administrators. For them, it points out the perils in establishing
domain policies that get codified into the operation of applications
running within that domain.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Modeling Usage of the DNS</span>
+--------+
| |
| |
| DNS |
|Service |
| |
+--------+
^ |
| |
| |
| |
/--\ | |
| | | V
| | +--------+ +--------+
\--/ | | | |
| | | | |
---+--- | Client |-------------------->| Server |
| | | | |
| | | | |
/\ +--------+ +--------+
/ \
/ \
User
Figure 1
<span class="grey">Rosenberg Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
Figure 1 shows a simple conceptual model of how the DNS is used by
applications. A user of the application obtains an identifier for
particular content or service it wishes to obtain. This identifier
is often a URL or URI that contains a domain name. The user enters
this identifier into its client application (for example, by typing
in the URL in a web browser window). The client is the automaton (a
software and/or hardware system) that contacts a server for that
application in order to provide service to the user. To do that, it
contacts a DNS server to resolve the domain name in the identifier to
an IP address. It then contacts the server at that IP address. This
simple model applies to application protocols such as HTTP [<a href="#ref-5" title=""Hypertext Transfer Protocol -- HTTP/1.1"">5</a>], SIP
[<a href="#ref-7" title=""SIP: Session Initiation Protocol"">7</a>], RTSP [<a href="#ref-6" title=""Real Time Streaming Protocol (RTSP)"">6</a>], and SMTP [<a href="#ref-9" title=""Simple Mail Transfer Protocol"">9</a>].
>From this model, it is clear that three entities in the system can
potentially make false assumptions about the service provided by the
server. The human user may form expectations relating to the content
of the service based on a parsing of the host name from which the
content originated. The server might assume that the client
connecting to it supports protocols that it does not, can process
content that it cannot, or has capabilities that it does not.
Similarly, the client might assume that the server supports
protocols, content, or capabilities that it does not. Furthermore,
applications can potentially contain a multiplicity of humans,
clients, and servers, all of which can independently make these false
assumptions.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Possible Assumptions</span>
For each of the three elements, there are many types of false
assumptions that can be made.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. By the User</span>
The set of possible assumptions here is nearly boundless. Users
might assume that an HTTP URL that looks like a company name maps to
a server run by that company. They might assume that an email from a
email address in the .gov TLD is actually from a government employee.
They might assume that the content obtained from a web server within
a TLD labeled as containing adult materials (for example, .sex)
actually contains adult content [<a href="#ref-8" title="".sex Considered Dangerous"">8</a>]. These assumptions are
unavoidable, may all be false, and are not the focus of this
document.
<span class="grey">Rosenberg Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. By the Client</span>
Even though the client is an automaton, it can make some of the same
assumptions that a human user might make. For example, many clients
assume that any host with a hostname that begins with "www" is a web
server, even though this assumption may be false.
In addition, the client concerns itself with the protocols needed to
communicate with the server. As a result, it might make assumptions
about the operation of the protocols for communicating with the
server. These assumptions manifest themselves in an implementation
when a standardized protocol negotiation technique defined by the
protocol is ignored, and instead, some kind of rule is coded into the
software that comes to its own conclusion about what the negotiation
would have determined. The result is often a loss of
interoperability, degradation in reliability, and worsening of user
experience.
Authentication Algorithm: Though a protocol might support a
multiplicity of authentication techniques, a client might assume
that a server always supports one that is only optional according
to the protocol. For example, a SIP client contacting a SIP
server in a domain that is apparently used to identify mobile
devices (for example, www.example.cellular) might assume that the
server supports the optional Authentication and Key Agreement
(AKA) digest technique [<a href="#ref-10" title=""Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)"">10</a>], just because of the domain name that
was used to access the server. As another example, a web client
might assume that a server with the name https.example.com
supports HTTP over Transport Layer Security (TLS) [<a href="#ref-16" title=""HTTP Over TLS"">16</a>].
Data Formats: Though a protocol might allow a multiplicity of data
formats to be sent from the server to the client, the client might
assume a specific one, rather than using the content labeling and
negotiation capabilities of the underlying protocol. For example,
an RTSP client might assume that all audio content delivered to it
from media.example.cellular uses a low-bandwidth codec. As
another example, a mail client might assume that the contents of
messages it retrieves from a mail server at mail.example.cellular
are always text, instead of checking the MIME headers [<a href="#ref-11" title=""Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies"">11</a>] in the
message in order to determine the actual content type.
Protocol Extensions: A client may attempt an operation on the server
that requires the server to support an optional protocol
extension. However, rather than implementing the necessary
fallback logic, the client may falsely assume that the extension
is supported. As an example, a SIP client that requires reliable
provisional responses to its request (<a href="./rfc3262">RFC 3262</a> [<a href="#ref-17" title=""Reliability of Provisional Responses in Session Initiation Protocol (SIP)"">17</a>]) might assume
that this extension is supported on servers in the domain
<span class="grey">Rosenberg Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
sip.example.telecom. Furthermore, the client would not implement
the fallback behavior defined in <a href="./rfc3262">RFC 3262</a>, since it would assume
that all servers it will communicate with are in this domain and
that all therefore support this extension. However, if the
assumptions prove wrong, the client is unable to make any phone
calls.
Languages: A client may support facilities for processing text
content differently depending on the language of the text. Rather
than determining the language from markers in the message from the
server, the client might assume a language based on the domain
name. This assumption can easily be wrong. For example, a client
might assume that any text in a web page retrieved from a server
within the .de country code TLD (ccTLD) is in German, and attempt
a translation to Finnish. This would fail dramatically if the
text was actually in French. Unfortunately, this client behavior
is sometimes exhibited because the server has not properly labeled
the language of the content in the first place, often because the
server assumed such a labeling was not needed. This is an example
of how these false assumptions can create vicious cycles.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. By the Server</span>
The server, like the client, is an automaton. Let us consider one
servicing a particular domain -- www.company.cellular, for example.
It might assume that all clients connecting to this domain support
particular capabilities, rather than using the underlying protocol to
make this determination. Some examples include:
Authentication Algorithm: The server can assume that a client
supports a particular, optional, authentication technique, and it
therefore does not support the mandatory one.
Language: The server can serve content in a particular language,
based on an assumption that clients accessing the domain speak a
particular language, or based on an assumption that clients coming
from a particular IP address speak a certain language.
Data Formats: The server can assume that the client supports a
particular set of MIME types and is only capable of sending ones
within that set. When it generates content in a protocol
response, it ignores any content negotiation headers that were
present in the request. For example, a web server might ignore
the Accept HTTP header field and send a specific image format.
<span class="grey">Rosenberg Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
Protocol Extensions: The server might assume that the client supports
a particular optional protocol extension, and so it does not
support the fallback behavior necessary in the case where the
client does not.
Client Characteristics: The server might assume certain things about
the physical characteristics of its clients, such as memory
footprint, processing power, screen sizes, screen colors, pointing
devices, and so on. Based on these assumptions, it might choose
specific behaviors when processing a request. For example, a web
server might always assume that clients connect through cell
phones, and therefore return content that lacks images and is
tuned for such devices.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Consequences of False Assumptions</span>
There are numerous negative outcomes that can arise from the various
false assumptions that users, servers, and clients can make. These
include:
Interoperability Failure: In these cases, the client or server
assumed some kind of protocol operation, and this assumption was
wrong. The result is that the two are unable to communicate, and
the user receives some kind of an error. This represents a total
interoperability failure, manifesting itself as a lack of service
to users of the system. Unfortunately, this kind of failure
persists. Repeated attempts over time by the client to access the
service will fail. Only a change in the server or client software
can fix this problem.
System Failure: In these cases, the client or server misinterpreted a
protocol operation, and this misinterpretation was serious enough
to uncover a bug in the implementation. The bug causes a system
crash or some kind of outage, either transient or permanent (until
user reset). If this failure occurs in a server, not only will
the connecting client lose service, but other clients attempting
to connect will not get service. As an example, if a web server
assumes that content passed to it from a client (created, for
example, by a digital camera) is of a particular content type, and
it always passes image content to a codec for decompression prior
to storage, the codec might crash when it unexpectedly receives an
image compressed in a different format. Of course, it might crash
even if the Content-Type was correct, but the compressed bitstream
was invalid. False assumptions merely introduce additional
failure cases.
<span class="grey">Rosenberg Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
Poor User Experience: In these cases, the client and server
communicate, but the user receives a diminished user experience.
For example, if a client on a PC connects to a web site that
provides content for mobile devices, the content may be
underwhelming when viewed on the PC. Or, a client accessing a
streaming media service may receive content of very low bitrate,
even though the client supported better codecs. Indeed, if a user
wishes to access content from both a cellular device and a PC
using a shared address book (that is, an address book shared
across multiple devices), the user would need two entries in that
address book, and would need to use the right one from the right
device. This is a poor user experience.
Degraded Security: In these cases, a weaker security mechanism is
used than the one that ought to have been used. As an example, a
server in a domain might assume that it is only contacted by
clients with a limited set of authentication algorithms, even
though the clients have been recently upgraded to support a
stronger set.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Reasons Why the Assumptions Can Be False</span>
Assumptions made by clients and servers about the operation of
protocols when contacting a particular domain are brittle, and can be
wrong for many reasons. On the server side, many of the assumptions
are based on the notion that a domain name will only be given to, or
used by, a restricted set of clients. If the holder of the domain
name assumes something about those clients, and can assume that only
those clients use the domain name, then it can configure or program
the server to operate specifically for those clients. Both parts of
this assumption can be wrong, as discussed in more detail below.
On the client side, the notion is similar, being based on the
assumption that a server within a particular domain will provide a
specific type of service. Sub-delegation and evolution, both
discussed below, can make these assumptions wrong.
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Evolution</span>
The Internet and the devices that access it are constantly evolving,
often at a rapid pace. Unfortunately, there is a tendency to build
for the here and now, and then worry about the future at a later
time. Many of the assumptions above are predicated on
characteristics of today's clients and servers. Support for specific
protocols, authentication techniques, or content are based on today's
standards and today's devices. Even though they may, for the most
part, be true, they won't always be. An excellent example is mobile
devices. A server servicing a domain accessed by mobile devices
<span class="grey">Rosenberg Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
might try to make assumptions about the protocols, protocol
extensions, security mechanisms, screen sizes, or processor power of
such devices. However, all of these characteristics can and will
change over time.
When they do change, the change is usually evolutionary. The result
is that the assumptions remain valid in some cases, but not in
others. It is difficult to fix such systems, since it requires the
server to detect what type of client is connecting, and what its
capabilities are. Unless the system is built and deployed with these
capability negotiation techniques built in to begin with, such
detection can be extremely difficult. In fact, fixing it will often
require the addition of such capability negotiation features that, if
they had been in place and used to begin with, would have avoided the
problem altogether.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Leakage</span>
Servers also make assumptions because of the belief that they will
only be accessed by specific clients, and in particular, those that
are configured or provisioned to use the domain name. In essence,
there is an assumption of community -- that a specific community
knows and uses the domain name, while others outside of the community
do not.
The problem is that this notion of community is a false one. The
Internet is global. The DNS is global. There is no technical
barrier that separates those inside of the community from those
outside. The ease with which information propagates across the
Internet makes it extremely likely that such domain names will
eventually find their way into clients outside of the presumed
community. The ubiquitous presence of domain names in various URI
formats, coupled with the ease of conveyance of URIs, makes such
leakage merely a matter of time. Furthermore, since the DNS is
global, and since it can only have one root [<a href="#ref-12" title=""IAB Technical Comment on the Unique DNS Root"">12</a>], it becomes possible
for clients outside of the community to search and find and use such
"special" domain names.
Indeed, this leakage is a strength of the Internet architecture, not
a weakness. It enables global access to services from any client
with a connection to the Internet. That, in turn, allows for rapid
growth in the number of customers for any particular service.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Sub-Delegation</span>
Clients and users make assumptions about domains because of the
notion that there is some kind of centralized control that can
enforce those assumptions. However, the DNS is not centralized; it
<span class="grey">Rosenberg Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
is distributed. If a domain doesn't delegate its sub-domains and has
its records within a single zone, it is possible to maintain a
centralized policy about operation of its domain. However, once a
domain gets sufficiently large that the domain administrators begin
to delegate sub-domains to other authorities, it becomes increasingly
difficult to maintain any kind of central control on the nature of
the service provided in each sub-domain.
Similarly, the usage of domain names with human semantic connotation
tends to lead to a registration of multiple domains in which a
particular service is to run. As an example, a service provider with
the name "example" might register and set up its services in
"example.com", "example.net", and generally example.foo for each foo
that is a valid TLD. This, like sub-delegation, results in a growth
in the number of domains over which it is difficult to maintain
centralized control.
Not that it is not possible, since there are many examples of
successful administration of policies across sub-domains many levels
deep. However, it takes an increasing amount of effort to ensure
this result, as it requires human intervention and the creation of
process and procedure. Automated validation of adherence to policies
is very difficult to do, as there is no way to automatically verify
many policies that might be put into place.
A less costly process for providing centralized management of
policies is to just hope that any centralized policies are being
followed, and then wait for complaints or perform random audits.
Those approaches have many problems.
The invalidation of assumptions due to sub-delegation is discussed in
further detail in Section 4.1.3 of [<a href="#ref-8" title="".sex Considered Dangerous"">8</a>] and in <a href="#section-3.3">Section 3.3</a> of [<a href="#ref-20" title=""Design Choices When Expanding DNS"">20</a>].
As a result of the fragility of policy continuity across sub-
delegations, if a client or user assumes some kind of property
associated with a TLD (such as ".wifi"), it becomes increasingly more
likely with the number of sub-domains that this property will not
exist in a server identified by a particular name. For example, in
"store.chain.company.provider.wifi", there may be four levels of
delegation from ".wifi", making it quite likely that, unless the
holder of ".wifi" is working diligently, the properties that the
holder of ".wifi" wishes to enforce are not present. These
properties may not be present due to human error or due to a willful
decision not to adhere to them.
<span class="grey">Rosenberg Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
<span class="h3"><a class="selflink" id="section-6.4" href="#section-6.4">6.4</a>. Mobility</span>
One of the primary value propositions of a hostname as an identifier
is its persistence. A client can change IP addresses, yet still
retain a persistent identifier used by other hosts to reach it.
Because their value derives from their persistence, hostnames tend to
move with a host not just as it changes IP addresses, but as it
changes access network providers and technologies. For this reason,
assumptions made about a host based on the presumed access network
corresponding to that hostname tend to be wrong over time. As an
example, a PC might normally be connected to its broadband provider,
and through dynamic DNS have a hostname within the domain of that
provider. However, one cannot assume that any host within that
network has access over a broadband link; the user could connect
their PC over a low-bandwidth wireless access network and still
retain its domain name.
<span class="h3"><a class="selflink" id="section-6.5" href="#section-6.5">6.5</a>. Human Error</span>
Of course, human error can be the source of errors in any system, and
the same is true here. There are many examples relevant to the
problem under discussion.
A client implementation may make the assumption that, just because a
DNS SRV record exists for a particular protocol in a particular
domain, indicating that the service is available on some port, that
the service is, in fact, running there. This assumption could be
wrong because the SRV records haven't been updated by the system
administrators to reflect the services currently running. As another
example, a client might assume that a particular domain policy
applies to all sub-domains. However, a system administrator might
have omitted to apply the policy to servers running in one of those
sub-domains.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Recommendations</span>
Based on these problems, the clear conclusion is that clients,
servers, and users should not make assumptions on the nature of the
service provided to, or by, a domain. More specifically, however,
the following can be said:
Follow the specifications: When specifications define mandatory
baseline procedures and formats, those should be implemented and
supported, even if the expectation is that optional procedures
will most often be used. For example, if a specification mandates
a particular baseline authentication technique, but allows others
to be negotiated and used, implementations need to implement the
baseline authentication algorithm even if the other ones are used
<span class="grey">Rosenberg Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
most of the time. Put more simply, the behavior of the protocol
machinery should never change based on the domain name of the
host.
Use capability negotiation: Many protocols are engineered with
capability negotiation mechanisms. For example, a content
negotiation framework has been defined for protocols using MIME
content [<a href="#ref-13" title=""Indicating Media Features for MIME Content"">13</a>] [<a href="#ref-14" title=""A Syntax for Describing Media Feature Sets"">14</a>] [<a href="#ref-15" title=""Protocol-independent Content Negotiation Framework"">15</a>]. SIP allows for clients to negotiate the
media types used in the multimedia session, as well as protocol
parameters. HTTP allows for clients to negotiate the media types
returned in requests for content. When such features are
available in a protocol, client and servers should make use of
them rather than making assumptions about supported capabilities.
A corollary is that protocol designers should include such
mechanisms when evolution is expected in the usage of the
protocol.
"Be liberal in what you accept, and conservative in what you send"
[<a href="#ref-18" title=""Requirements for Internet Hosts - Communication Layers"">18</a>]: This axiom of Internet protocol design is applicable here
as well. Implementations should be prepared for the full breadth
of what a protocol allows another entity to send, rather than be
limiting in what it is willing to receive.
To summarize -- there is never a need to make assumptions. Rather
than doing so, utilize the specifications and the negotiation
capabilities they provide, and the overall system will be robust and
interoperable.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. A Note on <a href="./rfc2219">RFC 2219</a> and <a href="./rfc2782">RFC 2782</a></span>
Based on the definition of an assumption given here, the behavior
hinted at by records in the DNS also represents an assumption. <a href="./rfc2219">RFC</a>
<a href="./rfc2219">2219</a> [<a href="#ref-19" title=""Use of DNS Aliases for Network Services"">19</a>] defines well-known aliases that can be used to construct
domain names for reaching various well-known services in a domain.
This approach was later followed by the definition of a new resource
record, the SRV record [<a href="#ref-2" title=""A DNS RR for specifying the location of services (DNS SRV)"">2</a>], which specifies that a particular service
is running on a server in a domain. Although both of these
mechanisms are useful as a hint that a particular service is running
in a domain, both of them represent assumptions that may be false.
However, they differ in the set of reasons why those assumptions
might be false.
A client that assumes that "ftp.example.com" is an FTP server may be
wrong because the presumed naming convention in <a href="./rfc2219">RFC 2219</a> was not
known by, or not followed by, the owner of domain.com. With <a href="./rfc2782">RFC</a>
<a href="./rfc2782">2782</a>, an SRV record for a particular service would be present only by
explicit choice of the domain administrator, and thus a client that
<span class="grey">Rosenberg Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
assumes that the corresponding host provides this service would be
wrong only because of human error in configuration. In this case,
the assumption is less likely to be wrong, but it certainly can be.
The only way to determine with certainty that a service is running on
a host is to initiate a connection to the port for that service, and
check. Implementations need to be careful not to codify any
behaviors that cause failures should the information provided in the
record actually be false. This borders on common sense for robust
implementations, but it is valuable to raise this point explicitly.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Security Considerations</span>
One of the assumptions that can be made by clients or servers is the
availability and usage (or lack thereof) of certain security
protocols and algorithms. For example, a client accessing a service
in a particular domain might assume a specific authentication
algorithm or hash function in the application protocol. It is
possible that, over time, weaknesses are found in such a technique,
requiring usage of a different mechanism. Similarly, a system might
start with an insecure mechanism, and then decide later on to use a
secure one. In either case, assumptions made on security properties
can result in interoperability failures, or worse yet, providing
service in an insecure way, even though the client asked for, and
thought it would get, secure service. These kinds of assumptions are
fundamentally unsound even if the records themselves are secured with
DNSSEC.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Acknowledgements</span>
The IAB would like to thank John Klensin, Keith Moore and Peter Koch
for their comments.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. IAB Members</span>
Internet Architecture Board members at the time of writing of this
document are:
Bernard Aboba
Loa Andersson
Brian Carpenter
Leslie Daigle
Patrik Faltstrom
<span class="grey">Rosenberg Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
Bob Hinden
Kurtis Lindqvist
David Meyer
Pekka Nikander
Eric Rescorla
Pete Resnick
Jonathan Rosenberg
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. Informative References</span>
[<a id="ref-1">1</a>] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, <a href="./rfc1034">RFC 1034</a>, November 1987.
[<a id="ref-2">2</a>] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", <a href="./rfc2782">RFC 2782</a>,
February 2000.
[<a id="ref-3">3</a>] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
Three: The Domain Name System (DNS) Database", <a href="./rfc3403">RFC 3403</a>,
October 2002.
[<a id="ref-4">4</a>] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A Means
for Expressing Location Information in the Domain Name System",
<a href="./rfc1876">RFC 1876</a>, January 1996.
[<a id="ref-5">5</a>] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
HTTP/1.1", <a href="./rfc2616">RFC 2616</a>, June 1999.
[<a id="ref-6">6</a>] Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time Streaming
Protocol (RTSP)", <a href="./rfc2326">RFC 2326</a>, April 1998.
[<a id="ref-7">7</a>] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", <a href="./rfc3261">RFC 3261</a>, June 2002.
[<a id="ref-8">8</a>] Eastlake, D., ".sex Considered Dangerous", <a href="./rfc3675">RFC 3675</a>,
February 2004.
[<a id="ref-9">9</a>] Klensin, J., "Simple Mail Transfer Protocol", <a href="./rfc2821">RFC 2821</a>,
April 2001.
<span class="grey">Rosenberg Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
[<a id="ref-10">10</a>] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
Protocol (HTTP) Digest Authentication Using Authentication and
Key Agreement (AKA)", <a href="./rfc3310">RFC 3310</a>, September 2002.
[<a id="ref-11">11</a>] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message Bodies",
<a href="./rfc2045">RFC 2045</a>, November 1996.
[<a id="ref-12">12</a>] Internet Architecture Board, "IAB Technical Comment on the
Unique DNS Root", <a href="./rfc2826">RFC 2826</a>, May 2000.
[<a id="ref-13">13</a>] Klyne, G., "Indicating Media Features for MIME Content",
<a href="./rfc2912">RFC 2912</a>, September 2000.
[<a id="ref-14">14</a>] Klyne, G., "A Syntax for Describing Media Feature Sets",
<a href="./rfc2533">RFC 2533</a>, March 1999.
[<a id="ref-15">15</a>] Klyne, G., "Protocol-independent Content Negotiation
Framework", <a href="./rfc2703">RFC 2703</a>, September 1999.
[<a id="ref-16">16</a>] Rescorla, E., "HTTP Over TLS", <a href="./rfc2818">RFC 2818</a>, May 2000.
[<a id="ref-17">17</a>] Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional
Responses in Session Initiation Protocol (SIP)", <a href="./rfc3262">RFC 3262</a>,
June 2002.
[<a id="ref-18">18</a>] Braden, R., "Requirements for Internet Hosts - Communication
Layers", STD 3, <a href="./rfc1122">RFC 1122</a>, October 1989.
[<a id="ref-19">19</a>] Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
Services", <a href="https://www.rfc-editor.org/bcp/bcp17">BCP 17</a>, <a href="./rfc2219">RFC 2219</a>, October 1997.
[<a id="ref-20">20</a>] Faltstrom, P., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22Design+Choices+When+Expanding+DNS%22'>"Design Choices When Expanding DNS"</a>, Work in
Progress, June 2005.
Author's Address
Jonathan Rosenberg, Editor
IAB
600 Lanidex Plaza
Parsippany, NJ 07054
US
Phone: +1 973 952-5000
EMail: jdrosen@cisco.com
URI: <a href="http://www.jdrosen.net">http://www.jdrosen.net</a>
<span class="grey">Rosenberg Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc4367">RFC 4367</a> Name Assumptions February 2006</span>
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Rosenberg Informational [Page 17]
</pre>
|
