1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
|
<pre>Network Working Group P. Koch
Request for Comments: 3123 Universitaet Bielefeld
Category: Experimental June 2001
<span class="h1">A DNS RR Type for Lists of Address Prefixes (APL RR)</span>
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
The Domain Name System (DNS) is primarily used to translate domain
names into IPv4 addresses using A RRs (Resource Records). Several
approaches exist to describe networks or address ranges. This
document specifies a new DNS RR type "APL" for address prefix lists.
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Conventions used in this document</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
Domain names herein are for explanatory purposes only and should not
be expected to lead to useful information in real life [<a href="./rfc2606" title=""Reserved Top Level DNS Names"">RFC2606</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Background</span>
The Domain Name System [<a href="./rfc1034" title=""Domain Names - Concepts and Facilities"">RFC1034</a>], [<a href="./rfc1035" title=""Domain Names - Implementation and Specification"">RFC1035</a>] provides a mechanism to
associate addresses and other Internet infrastructure elements with
hierarchically built domain names. Various types of resource records
have been defined, especially those for IPv4 and IPv6 [<a href="./rfc2874" title=""DNS Extensions to Support IPv6 Address Aggregation and Renumbering"">RFC2874</a>]
addresses. In [<a href="./rfc1101" title=""DNS Encoding of Network Names and Other Types"">RFC1101</a>] a method is described to publish information
about the address space allocated to an organisation. In older BIND
versions, a weak form of controlling access to zone data was
implemented using TXT RRs describing address ranges.
This document specifies a new RR type for address prefix lists.
<span class="grey">Koch Experimental [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc3123">RFC 3123</a> DNS APL RR June 2001</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. APL RR Type</span>
An APL record has the DNS type of "APL" and a numeric value of 42
[<a href="#ref-IANA">IANA</a>]. The APL RR is defined in the IN class only. APL RRs cause
no additional section processing.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. APL RDATA format</span>
The RDATA section consists of zero or more items (<apitem>) of the
form
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| ADDRESSFAMILY |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| PREFIX | N | AFDLENGTH |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
/ AFDPART /
| |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
ADDRESSFAMILY 16 bit unsigned value as assigned by IANA
(see IANA Considerations)
PREFIX 8 bit unsigned binary coded prefix length.
Upper and lower bounds and interpretation of
this value are address family specific.
N negation flag, indicates the presence of the
"!" character in the textual format. It has
the value "1" if the "!" was given, "0" else.
AFDLENGTH length in octets of the following address
family dependent part (7 bit unsigned).
AFDPART address family dependent part. See below.
This document defines the AFDPARTs for address families 1 (IPv4) and
2 (IPv6). Future revisions may deal with additional address
families.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. AFDPART for IPv4</span>
The encoding of an IPv4 address (address family 1) follows the
encoding specified for the A RR by <a href="./rfc1035#section-3.4.1">[RFC1035], section 3.4.1</a>.
PREFIX specifies the number of bits of the IPv4 address starting at
the most significant bit. Legal values range from 0 to 32.
Trailing zero octets do not bear any information (e.g., there is no
semantic difference between 10.0.0.0/16 and 10/16) in an address
prefix, so the shortest possible AFDLENGTH can be used to encode it.
However, for DNSSEC [<a href="./rfc2535" title=""Domain Name System Security Extensions"">RFC2535</a>] a single wire encoding must be used by
<span class="grey">Koch Experimental [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc3123">RFC 3123</a> DNS APL RR June 2001</span>
all. Therefore the sender MUST NOT include trailing zero octets in
the AFDPART regardless of the value of PREFIX. This includes cases
in which AFDLENGTH times 8 results in a value less than PREFIX. The
AFDPART is padded with zero bits to match a full octet boundary.
An IPv4 AFDPART has a variable length of 0 to 4 octets.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. AFDPART for IPv6</span>
The 128 bit IPv6 address (address family 2) is encoded in network
byte order (high-order byte first).
PREFIX specifies the number of bits of the IPv6 address starting at
the most significant bit. Legal values range from 0 to 128.
With the same reasoning as in 4.1 above, the sender MUST NOT include
trailing zero octets in the AFDPART regardless of the value of
PREFIX. This includes cases in which AFDLENGTH times 8 results in a
value less than PREFIX. The AFDPART is padded with zero bits to
match a full octet boundary.
An IPv6 AFDPART has a variable length of 0 to 16 octets.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Zone File Syntax</span>
The textual representation of an APL RR in a DNS zone file is as
follows:
<owner> IN <TTL> APL {[!]afi:address/prefix}*
The data consists of zero or more strings of the address family
indicator <afi>, immediately followed by a colon ":", an address,
immediately followed by the "/" character, immediately followed by a
decimal numeric value for the prefix length. Any such string may be
preceded by a "!" character. The strings are separated by
whitespace. The <afi> is the decimal numeric value of that
particular address family.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Textual Representation of IPv4 Addresses</span>
An IPv4 address in the <address> part of an <apitem> is in dotted
quad notation, just as in an A RR. The <prefix> has values from the
interval 0..32 (decimal).
<span class="grey">Koch Experimental [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc3123">RFC 3123</a> DNS APL RR June 2001</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Textual Representation of IPv6 Addresses</span>
The representation of an IPv6 address in the <address> part of an
<apitem> follows <a href="./rfc2373#section-2.2">[RFC2373], section 2.2</a>. Legal values for <prefix>
are from the interval 0..128 (decimal).
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. APL RR usage</span>
An APL RR with empty RDATA is valid and implements an empty list.
Multiple occurrences of the same <apitem> in a single APL RR are
allowed and MUST NOT be merged by a DNS server or resolver.
<apitems> MUST be kept in order and MUST NOT be rearranged or
aggregated.
A single APL RR may contain <apitems> belonging to different address
families. The maximum number of <apitems> is upper bounded by the
available RDATA space.
RRSets consisting of more than one APL RR are legal but the
interpretation is left to the particular application.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Applicability Statement</span>
The APL RR defines a framework without specifying any particular
meaning for the list of prefixes. It is expected that APL RRs will
be used in different application scenarios which have to be
documented separately. Those scenarios may be distinguished by
characteristic prefixes placed in front of the DNS owner name.
An APL application specification MUST include information on
o the characteristic prefix, if any
o how to interpret APL RRSets consisting of more than one RR
o how to interpret an empty APL RR
o which address families are expected to appear in the APL RRs for
that application
o how to deal with APL RR list elements which belong to other
address families, including those not yet defined
o the exact semantics of list elements negated by the "!" character
<span class="grey">Koch Experimental [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc3123">RFC 3123</a> DNS APL RR June 2001</span>
Possible applications include the publication of address ranges
similar to [<a href="./rfc1101" title=""DNS Encoding of Network Names and Other Types"">RFC1101</a>], description of zones built following [<a href="./rfc2317" title=""Classless IN- ADDR.ARPA delegation"">RFC2317</a>]
and in-band access control to limit general access or zone transfer
(AXFR) availability for zone data held in DNS servers.
The specification of particular application scenarios is out of the
scope of this document.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Examples</span>
The following examples only illustrate some of the possible usages
outlined in the previous section. None of those applications are
hereby specified nor is it implied that any particular APL RR based
application does exist now or will exist in the future.
; <a href="./rfc1101">RFC 1101</a>-like announcement of address ranges for foo.example
foo.example. IN APL 1:192.168.32.0/21 !1:192.168.38.0/28
; CIDR blocks covered by classless delegation
42.168.192.IN-ADDR.ARPA. IN APL ( 1:192.168.42.0/26 1:192.168.42.64/26
1:192.168.42.128/25 )
; Zone transfer restriction
_axfr.sbo.example. IN APL 1:127.0.0.1/32 1:172.16.64.0/22
; List of address ranges for multicast
multicast.example. IN APL 1:224.0.0.0/4 2:FF00:0:0:0:0:0:0:0/8
Note that since trailing zeroes are ignored in the first APL RR the
AFDLENGTH of both <apitems> is three.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Security Considerations</span>
Any information obtained from the DNS should be regarded as unsafe
unless techniques specified in [<a href="./rfc2535" title=""Domain Name System Security Extensions"">RFC2535</a>] or [<a href="./rfc2845" title=""Secret Key Transaction Authentication for DNS (TSIG)"">RFC2845</a>] were used. The
definition of a new RR type does not introduce security problems into
the DNS, but usage of information made available by APL RRs may
compromise security. This includes disclosure of network topology
information and in particular the use of APL RRs to construct access
control lists.
<span class="grey">Koch Experimental [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc3123">RFC 3123</a> DNS APL RR June 2001</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. IANA Considerations</span>
This section is to be interpreted as following [<a href="./rfc2434" title="">RFC2434</a>].
This document does not define any new namespaces. It uses the 16 bit
identifiers for address families maintained by IANA in
<a href="http://www.iana.org/numbers.html">http://www.iana.org/numbers.html</a>.
The IANA assigned numeric RR type value 42 for APL [<a href="#ref-IANA">IANA</a>].
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Acknowledgements</span>
The author would like to thank Mark Andrews, Olafur Gudmundsson, Ed
Lewis, Thomas Narten, Erik Nordmark, and Paul Vixie for their review
and constructive comments.
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. References</span>
[<a id="ref-RFC1034">RFC1034</a>] Mockapetris, P., "Domain Names - Concepts and Facilities",
STD 13, <a href="./rfc1034">RFC 1034</a>, November 1987.
[<a id="ref-RFC1035">RFC1035</a>] Mockapetris, P., "Domain Names - Implementation and
Specification", STD 13, <a href="./rfc1035">RFC 1035</a>, November 1987.
[<a id="ref-RFC1101">RFC1101</a>] Mockapetris, P., "DNS Encoding of Network Names and Other
Types", <a href="./rfc1101">RFC 1101</a>, April 1989.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2181">RFC2181</a>] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", <a href="./rfc2181">RFC 2181</a>, July 1997.
[<a id="ref-RFC2317">RFC2317</a>] Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
ADDR.ARPA delegation", <a href="https://www.rfc-editor.org/bcp/bcp20">BCP 20</a>, <a href="./rfc2317">RFC 2317</a>, March 1998.
[<a id="ref-RFC2373">RFC2373</a>] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", <a href="./rfc2373">RFC 2373</a>, July 1998.
[<a id="ref-RFC2434">RFC2434</a>] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", <a href="https://www.rfc-editor.org/bcp/bcp26">BCP 26</a>, <a href="./rfc2434">RFC 2434</a>,
October 1998.
[<a id="ref-RFC2535">RFC2535</a>] Eastlake, D., "Domain Name System Security Extensions", <a href="./rfc2535">RFC</a>
<a href="./rfc2535">2535</a>, March 1999.
[<a id="ref-RFC2606">RFC2606</a>] Eastlake, D. and A. Panitz, "Reserved Top Level DNS Names",
<a href="https://www.rfc-editor.org/bcp/bcp32">BCP 32</a>, <a href="./rfc2606">RFC 2606</a>, June 1999.
<span class="grey">Koch Experimental [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc3123">RFC 3123</a> DNS APL RR June 2001</span>
[<a id="ref-RFC2845">RFC2845</a>] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
"Secret Key Transaction Authentication for DNS (TSIG)", <a href="./rfc2845">RFC</a>
<a href="./rfc2845">2845</a>, May 2000.
[<a id="ref-RFC2874">RFC2874</a>] Crawford, M. and C. Huitema, "DNS Extensions to Support
IPv6 Address Aggregation and Renumbering", <a href="./rfc2874">RFC 2874</a>, July
2000.
[<a id="ref-IANA">IANA</a>] <a href="http://www.iana.org/assignments/dns-parameters">http://www.iana.org/assignments/dns-parameters</a>
<span class="h2"><a class="selflink" id="section-13" href="#section-13">13</a>. Author's Address</span>
Peter Koch
Universitaet Bielefeld
Technische Fakultaet
D-33594 Bielefeld
Germany
Phone: +49 521 106 2902
EMail: pk@TechFak.Uni-Bielefeld.DE
<span class="grey">Koch Experimental [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc3123">RFC 3123</a> DNS APL RR June 2001</span>
<span class="h2"><a class="selflink" id="section-14" href="#section-14">14</a>. Full Copyright Statement</span>
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Koch Experimental [Page 8]
</pre>
|
