rfcdiff of draft-josefsson-dns-url-12.txt (old) against draft-josefsson-dns-url.txt, i.e. draft-josefsson-dns-url-13 (new). Text identical in both versions is shown once; changed passages are marked "Old (-12)" and "New (-13)", and where the two versions cite different reference numbers both are given as old/new (e.g. [12]/[13]).

Network Working Group                                        S. Josefsson
Expires: November 26, 2005 (-12) / February 6, 2006 (-13)

Domain Name System Uniform Resource Identifiers
draft-josefsson-dns-url-12 (old) / draft-josefsson-dns-url-13 (new)

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that

[unchanged text omitted; diff resumes at page 1, line 33]

and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 26, 2005 (-12) / February 6, 2006 (-13).

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This document defines Uniform Resource Identifiers for Domain Name System resources.
[unchanged text omitted; diff resumes at page 2, line 26]

9.1 Normative References . . . . . . . . . . . . . . . . . . . 10
9.2 Informative References . . . . . . . . . . . . . . . . . . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 11
A. Revision Changes . . . . . . . . . . . . . . . . . . . . . . . 11
A.1 Changes since -06 . . . . . . . . . . . . . . . . . . . . 11
A.2 Changes since -07 . . . . . . . . . . . . . . . . . . . . 12
A.3 Changes since -08 . . . . . . . . . . . . . . . . . . . . 12
A.4 Changes since -09 . . . . . . . . . . . . . . . . . . . . 12
A.5 Changes since -10 . . . . . . . . . . . . . . . . . . . . 12
A.6 Changes since -11 . . . . . . . . . . . . . . . . . . . . 12
A.7 Changes since -12 . . . . . . . . . . . . . . . . . . . . 13   (new in -13)
Intellectual Property and Copyright Statements . . . . . . . . 13 (-12) / 14 (-13)
1. Introduction and Background

The Domain Name System (DNS) [1] [2] is a widely deployed system used to, among other things, translate host names into IP addresses.

Old (-12):

Recent work has added support for storing certificates and certificate revocation lists (CRLs) in the DNS [9]. Several protocols use Uniform Resource Locators (URLs) to point at certificates and CRLs. By defining a Uniform Resource Identifier (URI) scheme for DNS resources, such protocols can reference certificates and CRLs stored in the DNS.

Two examples of data structures that may embed DNS URIs:

o The OpenPGP Message Format [7], where an end-user may indicate the location of a copy of any updates to her key, using the "preferred key server" field.

o The Internet X.509 Public Key Infrastructure [14] format, where the issuer may use a DNS URI in a CRL Distribution Point certificate extension field.

The DNS URI scheme defined here can be used to reference any data stored in the DNS, and is not limited to certificates or CRLs. The purpose of this specification is to define a generic DNS URI, not to specify a solution only for certificates stored in the DNS.

Data browsers may support DNS URIs by forming DNS queries and rendering DNS responses using HTML [13], similar to what is commonly done for FTP [6] resources.

New (-13):

Several protocols use Uniform Resource Identifiers (URIs) to refer to data. By defining a URI scheme for DNS data, the gap between these two worlds is bridged. The DNS URI scheme defined here can be used to reference any data stored in the DNS.

Data browsers may support DNS URIs by forming DNS queries and rendering DNS responses using HTML [14], similar to what is commonly done for FTP [6] resources. Applications that are Multipurpose Internet Mail Extensions (MIME) [7] aware may tag DNS data retrieved using this scheme with the text/dns or application/dns types as specified in [18].

(Both versions:)

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [3].
2. Usage Model

The reader is referred to section 1 of [5] for an in-depth discussion of URI classifications. In particular, the reader is assumed to be familiar with the "name" vs "locator" distinction. This section

[unchanged text omitted; diff resumes at page 5, line 8]

certain applications, a more detailed URI syntax that maps more closely to the DNS protocol may be required. However, such a URI definition is not included in this document. This document specifies a URI that is primarily intended to name DNS resources, but it can also be used to locate said resources for simple (but common) applications.
3. DNS URI Registration

This section contains the registration template for the DNS URI scheme in accordance with [12]/[13].

URL scheme name: "dns".

URL scheme syntax: A DNS URI designates a DNS resource record set, referenced by domain name, class, type and optionally the authority. The DNS URI follows the generic syntax from RFC 3986 [5], and is described using ABNF [4]. Strings are not case sensitive and free insertion of linear-white-space is not permitted.

dnsurl = "dns:" [ "//" dnsauthority "/" ]
[unchanged text omitted; diff resumes at page 7, line 46]

interoperability impact though.

Interoperability problems may occur if one entity understands a new DNS class/type mnemonic and another entity does not understand it. This is an interoperability problem for DNS software in general, although it is not a major practical problem as the DNS types and classes are fairly static. To guarantee interoperability, implementations can use integers for all mnemonics not defined in [2].

Interaction with Binary Labels [11]/[12], or other extended label types, has not been analyzed. However, they appear to be infrequently used in practice.

Contact: simon@josefsson.org

Author/Change Controller: simon@josefsson.org

4. Examples

A DNS URI is of the following general form. This is intended to illustrate, not define, the scheme.
[unchanged text omitted; diff resumes at page 9, line 24]

If a DNS URI references domains in the Internet DNS environment, both the URI itself and the information referenced by the URI are public information. If a DNS URI is used within an "internal" DNS environment, both the DNS URI and the data it references should be handled using the same considerations that apply to DNS data in that environment.

If information referenced by DNS URIs is used to make security decisions (examples of such data include, but are not limited to, certificates stored in the DNS [10] (citation added in -13)), implementations may need to employ security techniques such as Secure DNS [8]/[9], or even CMS [15] or OpenPGP [7]/[8], to protect the data during transport. How to implement this will depend on the usage scenario, and it is not up to this URI scheme to define how the data referenced by DNS URIs should be protected.

If applications accept unknown dnsqueryelement values (e.g., accept the URI "dns:www.example.org?secret=value" without knowing what the "secret=value" dnsqueryelement means), a covert channel that can be used to "leak" information may be enabled. The implications of covert channels should be understood by applications that accept unknown dnsqueryelement values.

Slight variations, such as the difference between upper and lower case in the dnsname field, can be used as a covert channel to leak information.
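As an added example (not code from the draft), a strict parser for the section 3 syntax that refuses unknown dnsqueryelement values and canonicalises the case of dnsname, closing the two covert channels just described. It assumes the CLASS= and TYPE= query elements and the IN/A defaults of the published RFC 4501 syntax, and uses a small constructed table of mnemonics; anything not in that table must be given as an integer, as the registration template suggests.

```python
import re
from urllib.parse import unquote

# Constructed subset of the IANA class/type mnemonics; anything else must be
# written as a decimal integer, the fallback the draft suggests for interop.
KNOWN_CLASSES = {"IN": 1, "CH": 3, "HS": 4}
KNOWN_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
               "TXT": 16, "AAAA": 28, "SRV": 33, "CERT": 37, "ANY": 255}

# dnsurl = "dns:" [ "//" dnsauthority "/" ] dnsname [ "?" dnsquery ]  (RFC 4501)
_DNS_URI = re.compile(
    r"^dns:(?://(?P<authority>[^/?]*)/)?(?P<name>[^?]*)(?:\?(?P<query>.*))?$",
    re.IGNORECASE)


def _code(value, table, what):
    """Resolve a mnemonic or decimal string to a 16-bit DNS code, else raise."""
    if value.isdigit():
        code = int(value)
        if code > 0xFFFF:
            raise ValueError(f"{what} value out of range: {value}")
        return code
    try:
        return table[value.upper()]
    except KeyError:
        raise ValueError(f"unknown {what} mnemonic: {value!r}") from None


def parse_dns_uri(uri):
    """Parse a dns: URI strictly; raise ValueError on anything not understood."""
    if re.search(r"\s", uri):
        raise ValueError("linear white space is not permitted in a DNS URI")
    m = _DNS_URI.match(uri)
    if not m:
        raise ValueError("not a dns: URI")
    # Strings are not case sensitive: decode %XX escapes, lower-case and drop the
    # trailing dot so "WWW.Example.ORG." leaves no spare bits for a covert channel.
    name = unquote(m.group("name")).lower().rstrip(".")
    # Defaults of class IN and type A are assumed from RFC 4501, not from the page.
    rrset = {"authority": m.group("authority"), "name": name, "class": 1, "type": 1}
    if m.group("query"):
        for element in m.group("query").split(";"):
            key, _, value = element.partition("=")
            if key.upper() == "CLASS":
                rrset["class"] = _code(value, KNOWN_CLASSES, "class")
            elif key.upper() == "TYPE":
                rrset["type"] = _code(value, KNOWN_TYPES, "type")
            else:
                # Refuse rather than ignore: an accepted-but-unknown element is the
                # "?secret=value" covert channel the security considerations describe.
                raise ValueError(f"unknown dnsqueryelement: {element!r}")
    return rrset


def is_acceptable_dns_uri(uri):
    """True when the URI parses strictly, False when an application should refuse it."""
    try:
        parse_dns_uri(uri)
        return True
    except ValueError:
        return False
```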
7. IANA Considerations

The IANA is asked to register the DNS URI scheme, using the template in section 3, in accordance with RFC 2717 [12]/[13].
8. Copying conditions

Copyright (c) 2000, 2001, 2002, 2003, 2004, 2005 Simon Josefsson

Regarding this entire document or any portion of it, the author makes no guarantees and is not responsible for any damage resulting from its use. The author grants irrevocable permission to anyone to use, modify, and distribute it in any way that does not diminish the rights of anyone else to use, modify, and distribute it, provided
[unchanged text omitted; diff resumes at page 10, line 43]

[5] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.

9.2 Informative References

Entries are numbered as in -13; where the -12 number differs it is given in parentheses. [7] and [18] are new in -13; the -12 entry [14] (RFC 3280) was dropped in -13.

[6] Postel, J. and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, October 1985.

[7] (new in -13) Freed, N., Klensin, J., and J. Postel, "Multipurpose Internet Mail Extensions (MIME) Part Four: Registration Procedures", BCP 13, RFC 2048, November 1996.

[8] (-12: [7]) Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, "OpenPGP Message Format", RFC 2440, November 1998.

[9] (-12: [8]) Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999.

[10] (-12: [9]) Eastlake, D. and O. Gudmundsson, "Storing Certificates in the Domain Name System (DNS)", RFC 2538, March 1999.

[11] (-12: [10]) Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999.

[12] (-12: [11]) Crawford, M., "Binary Labels in the Domain Name System", RFC 2673, August 1999.

[13] (-12: [12]) Petke, R. and I. King, "Registration Procedures for URL Scheme Names", BCP 35, RFC 2717, November 1999.

[14] (-12: [13]) Connolly, D. and L. Masinter, "The 'text/html' Media Type", RFC 2854, June 2000.

[14] (-12 only) Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[15] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369, August 2002.

[16] Faltstrom, P., Hoffman, P., and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003.

[17] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

[18] (new in -13) Josefsson, S., "Domain Name System Media Types", RFC 4027, April 2005.
Author's Address

Simon Josefsson

Email: simon@josefsson.org

Appendix A. Revision Changes

Note to RFC editor: Remove this appendix before publication.

[unchanged text omitted; diff resumes at page 13, line 5]

Add section "Usage Model". Move acknowledgements, as per rfc2223bis. Add permissive copying condition. Updates to align with RFC 3986.

A.6 Changes since -11

Fix typos. IESG feedback: Move RFC2119 reference to normative section. Replace OCSP example with X.509 CRL Distribution Point extension. Fix ABNF not to use "...".

A.7 Changes since -12 (new in -13)

Reference MIME and RFC 4027. IESG feedback: Do not mention OpenPGP/X.509 as illustrative examples in the introduction section.
Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/