| blob | f066b6468eb13bbfae0e7beb7f6fecf264ccc8f6 |
7 Network Working Group J. Rosenberg, Ed.
8 Request for Comments: 4367 IAB
9 Category: Informational February 2006
12 What's in a Name: False Assumptions about DNS Names
14 Status of This Memo
16 This memo provides information for the Internet community. It does
17 not specify an Internet standard of any kind. Distribution of this
18 memo is unlimited.
20 Copyright Notice
22 Copyright (C) The Internet Society (2006).
24 Abstract
26 The Domain Name System (DNS) provides an essential service on the
27 Internet, mapping structured names to a variety of data, usually IP
28 addresses. These names appear in email addresses, Uniform Resource
29 Identifiers (URIs), and other application-layer identifiers that are
30 often rendered to human users. Because of this, there has been a
31 strong demand to acquire names that have significance to people,
32 through equivalence to registered trademarks, company names, types of
33 services, and so on. There is a danger in this trend; the humans and
34 automata that consume and use such names will associate specific
35 semantics with some names and thereby make assumptions about the
36 services that are, or should be, provided by the hosts associated
37 with the names. Those assumptions can often be false, resulting in a
38 variety of failure conditions. This document discusses this problem
39 in more detail and makes recommendations on how it can be avoided.
58 Rosenberg Informational [Page 1]
59 \f
60 RFC 4367 Name Assumptions February 2006
63 Table of Contents
65 1. Introduction ....................................................2
66 2. Target Audience .................................................4
67 3. Modeling Usage of the DNS .......................................4
68 4. Possible Assumptions ............................................5
69 4.1. By the User ................................................5
70 4.2. By the Client ..............................................6
71 4.3. By the Server ..............................................7
72 5. Consequences of False Assumptions ...............................8
73 6. Reasons Why the Assumptions Can Be False ........................9
74 6.1. Evolution ..................................................9
75 6.2. Leakage ...................................................10
76 6.3. Sub-Delegation ............................................10
77 6.4. Mobility ..................................................12
78 6.5. Human Error ...............................................12
79 7. Recommendations ................................................12
80 8. A Note on RFC 2219 and RFC 2782 ................................13
81 9. Security Considerations ........................................14
82 10. Acknowledgements ..............................................14
83 11. IAB Members ...................................................14
84 12. Informative References ........................................15
86 1. Introduction
88 The Domain Name System (DNS) [1] provides an essential service on the
89 Internet, mapping structured names to a variety of different types of
90 data. Most often it is used to obtain the IP address of a host
91 associated with that name [2] [1] [3]. However, it can be used to
92 obtain other information, and proposals have been made for nearly
93 everything, including geographic information [4].
95 Domain names are most often used in identifiers used by application
96 protocols. The most well known include email addresses and URIs,
97 such as the HTTP URL [5], Real Time Streaming Protocol (RTSP) URL
98 [6], and SIP URI [7]. These identifiers are ubiquitous, appearing on
99 business cards, web pages, street signs, and so on. Because of this,
100 there has been a strong demand to acquire domain names that have
101 significance to people through equivalence to registered trademarks,
102 company names, types of services, and so on. Such identifiers serve
103 many business purposes, including extension of brand, advertising,
104 and so on.
106 People often make assumptions about the type of service that is or
107 should be provided by a host associated with that name, based on
108 their expectations and understanding of what the name implies. This,
109 in turn, triggers attempts by organizations to register domain names
110 based on that presumed user expectation. Examples of this are the
114 Rosenberg Informational [Page 2]
115 \f
116 RFC 4367 Name Assumptions February 2006
119 various proposals for a Top-Level Domain (TLD) that could be
120 associated with adult content [8], the requests for creation of TLDs
121 associated with mobile devices and services, and even phishing
122 attacks.
124 When these assumptions are codified into the behavior of an
125 automaton, such as an application client or server, as a result of
126 implementor choice, management directive, or domain owner policy, the
127 overall system can fail in various ways. This document describes a
128 number of typical ways in which these assumptions can be codified,
129 how they can be wrong, the consequences of those mistakes, and the
130 recommended ways in which they can be avoided.
132 Section 4 describes some of the possible assumptions that clients,
133 servers, and people can make about a domain name. In this context,
134 an "assumption" is defined as any behavior that is expected when
135 accessing a service at a domain name, even though the behavior is not
136 explicitly codified in protocol specifications. Frequently, these
137 assumptions involve ignoring parts of a specification based on an
138 assumption that the client or server is deployed in an environment
139 that is more rigid than the specification allows. Section 5
140 overviews some of the consequences of these false assumptions.
141 Generally speaking, these consequences can include a variety of
142 different interoperability failures, user experience failures, and
143 system failures. Section 6 discusses why these assumptions can be
144 false from the very beginning or become false at some point in the
145 future. Most commonly, they become false because the environment
146 changes in unexpected ways over time, and what was a valid assumption
147 before, no longer is. Other times, the assumptions prove wrong
148 because they were based on the belief that a specific community of
149 clients and servers was participating, and an element outside of that
150 community began participating.
152 Section 7 then provides some recommendations. These recommendations
153 encapsulate some of the engineering mantras that have been at the
154 root of Internet protocol design for decades. These include:
156 Follow the specifications.
158 Use the capability negotiation techniques provided in the
159 protocols.
161 Be liberal in what you accept, and conservative in what you send.
162 [18]
164 Overall, automata should not change their behavior within a protocol
165 based on the domain name, or some component of the domain name, of
166 the host they are communicating with.
170 Rosenberg Informational [Page 3]
171 \f
172 RFC 4367 Name Assumptions February 2006
175 2. Target Audience
177 This document has several audiences. Firstly, it is aimed at
178 implementors who ultimately develop the software that make the false
179 assumptions that are the subject of this document. The
180 recommendations described here are meant to reinforce the engineering
181 guidelines that are often understood by implementors, but frequently
182 forgotten as deadlines near and pressures mount.
184 The document is also aimed at technology managers, who often develop
185 the requirements that lead to these false assumptions. For them,
186 this document serves as a vehicle for emphasizing the importance of
187 not taking shortcuts in the scope of applicability of a project.
189 Finally, this document is aimed at domain name policy makers and
190 administrators. For them, it points out the perils in establishing
191 domain policies that get codified into the operation of applications
192 running within that domain.
194 3. Modeling Usage of the DNS
197 +--------+
198 | |
199 | |
200 | DNS |
201 |Service |
202 | |
203 +--------+
204 ^ |
205 | |
206 | |
207 | |
208 /--\ | |
209 | | | V
210 | | +--------+ +--------+
211 \--/ | | | |
212 | | | | |
213 ---+--- | Client |-------------------->| Server |
214 | | | | |
215 | | | | |
216 /\ +--------+ +--------+
217 / \
218 / \
220 User
221 Figure 1
226 Rosenberg Informational [Page 4]
227 \f
228 RFC 4367 Name Assumptions February 2006
231 Figure 1 shows a simple conceptual model of how the DNS is used by
232 applications. A user of the application obtains an identifier for
233 particular content or service it wishes to obtain. This identifier
234 is often a URL or URI that contains a domain name. The user enters
235 this identifier into its client application (for example, by typing
236 in the URL in a web browser window). The client is the automaton (a
237 software and/or hardware system) that contacts a server for that
238 application in order to provide service to the user. To do that, it
239 contacts a DNS server to resolve the domain name in the identifier to
240 an IP address. It then contacts the server at that IP address. This
241 simple model applies to application protocols such as HTTP [5], SIP
242 [7], RTSP [6], and SMTP [9].
244 >From this model, it is clear that three entities in the system can
245 potentially make false assumptions about the service provided by the
246 server. The human user may form expectations relating to the content
247 of the service based on a parsing of the host name from which the
248 content originated. The server might assume that the client
249 connecting to it supports protocols that it does not, can process
250 content that it cannot, or has capabilities that it does not.
251 Similarly, the client might assume that the server supports
252 protocols, content, or capabilities that it does not. Furthermore,
253 applications can potentially contain a multiplicity of humans,
254 clients, and servers, all of which can independently make these false
255 assumptions.
257 4. Possible Assumptions
259 For each of the three elements, there are many types of false
260 assumptions that can be made.
262 4.1. By the User
264 The set of possible assumptions here is nearly boundless. Users
265 might assume that an HTTP URL that looks like a company name maps to
266 a server run by that company. They might assume that an email from a
267 email address in the .gov TLD is actually from a government employee.
268 They might assume that the content obtained from a web server within
269 a TLD labeled as containing adult materials (for example, .sex)
270 actually contains adult content [8]. These assumptions are
271 unavoidable, may all be false, and are not the focus of this
272 document.
282 Rosenberg Informational [Page 5]
283 \f
284 RFC 4367 Name Assumptions February 2006
287 4.2. By the Client
289 Even though the client is an automaton, it can make some of the same
290 assumptions that a human user might make. For example, many clients
291 assume that any host with a hostname that begins with "www" is a web
292 server, even though this assumption may be false.
294 In addition, the client concerns itself with the protocols needed to
295 communicate with the server. As a result, it might make assumptions
296 about the operation of the protocols for communicating with the
297 server. These assumptions manifest themselves in an implementation
298 when a standardized protocol negotiation technique defined by the
299 protocol is ignored, and instead, some kind of rule is coded into the
300 software that comes to its own conclusion about what the negotiation
301 would have determined. The result is often a loss of
302 interoperability, degradation in reliability, and worsening of user
303 experience.
305 Authentication Algorithm: Though a protocol might support a
306 multiplicity of authentication techniques, a client might assume
307 that a server always supports one that is only optional according
308 to the protocol. For example, a SIP client contacting a SIP
309 server in a domain that is apparently used to identify mobile
310 devices (for example, www.example.cellular) might assume that the
311 server supports the optional Authentication and Key Agreement
312 (AKA) digest technique [10], just because of the domain name that
313 was used to access the server. As another example, a web client
314 might assume that a server with the name https.example.com
315 supports HTTP over Transport Layer Security (TLS) [16].
317 Data Formats: Though a protocol might allow a multiplicity of data
318 formats to be sent from the server to the client, the client might
319 assume a specific one, rather than using the content labeling and
320 negotiation capabilities of the underlying protocol. For example,
321 an RTSP client might assume that all audio content delivered to it
322 from media.example.cellular uses a low-bandwidth codec. As
323 another example, a mail client might assume that the contents of
324 messages it retrieves from a mail server at mail.example.cellular
325 are always text, instead of checking the MIME headers [11] in the
326 message in order to determine the actual content type.
328 Protocol Extensions: A client may attempt an operation on the server
329 that requires the server to support an optional protocol
330 extension. However, rather than implementing the necessary
331 fallback logic, the client may falsely assume that the extension
332 is supported. As an example, a SIP client that requires reliable
333 provisional responses to its request (RFC 3262 [17]) might assume
334 that this extension is supported on servers in the domain
338 Rosenberg Informational [Page 6]
339 \f
340 RFC 4367 Name Assumptions February 2006
343 sip.example.telecom. Furthermore, the client would not implement
344 the fallback behavior defined in RFC 3262, since it would assume
345 that all servers it will communicate with are in this domain and
346 that all therefore support this extension. However, if the
347 assumptions prove wrong, the client is unable to make any phone
348 calls.
350 Languages: A client may support facilities for processing text
351 content differently depending on the language of the text. Rather
352 than determining the language from markers in the message from the
353 server, the client might assume a language based on the domain
354 name. This assumption can easily be wrong. For example, a client
355 might assume that any text in a web page retrieved from a server
356 within the .de country code TLD (ccTLD) is in German, and attempt
357 a translation to Finnish. This would fail dramatically if the
358 text was actually in French. Unfortunately, this client behavior
359 is sometimes exhibited because the server has not properly labeled
360 the language of the content in the first place, often because the
361 server assumed such a labeling was not needed. This is an example
362 of how these false assumptions can create vicious cycles.
364 4.3. By the Server
366 The server, like the client, is an automaton. Let us consider one
367 servicing a particular domain -- www.company.cellular, for example.
368 It might assume that all clients connecting to this domain support
369 particular capabilities, rather than using the underlying protocol to
370 make this determination. Some examples include:
372 Authentication Algorithm: The server can assume that a client
373 supports a particular, optional, authentication technique, and it
374 therefore does not support the mandatory one.
376 Language: The server can serve content in a particular language,
377 based on an assumption that clients accessing the domain speak a
378 particular language, or based on an assumption that clients coming
379 from a particular IP address speak a certain language.
381 Data Formats: The server can assume that the client supports a
382 particular set of MIME types and is only capable of sending ones
383 within that set. When it generates content in a protocol
384 response, it ignores any content negotiation headers that were
385 present in the request. For example, a web server might ignore
386 the Accept HTTP header field and send a specific image format.
394 Rosenberg Informational [Page 7]
395 \f
396 RFC 4367 Name Assumptions February 2006
399 Protocol Extensions: The server might assume that the client supports
400 a particular optional protocol extension, and so it does not
401 support the fallback behavior necessary in the case where the
402 client does not.
404 Client Characteristics: The server might assume certain things about
405 the physical characteristics of its clients, such as memory
406 footprint, processing power, screen sizes, screen colors, pointing
407 devices, and so on. Based on these assumptions, it might choose
408 specific behaviors when processing a request. For example, a web
409 server might always assume that clients connect through cell
410 phones, and therefore return content that lacks images and is
411 tuned for such devices.
413 5. Consequences of False Assumptions
415 There are numerous negative outcomes that can arise from the various
416 false assumptions that users, servers, and clients can make. These
417 include:
419 Interoperability Failure: In these cases, the client or server
420 assumed some kind of protocol operation, and this assumption was
421 wrong. The result is that the two are unable to communicate, and
422 the user receives some kind of an error. This represents a total
423 interoperability failure, manifesting itself as a lack of service
424 to users of the system. Unfortunately, this kind of failure
425 persists. Repeated attempts over time by the client to access the
426 service will fail. Only a change in the server or client software
427 can fix this problem.
429 System Failure: In these cases, the client or server misinterpreted a
430 protocol operation, and this misinterpretation was serious enough
431 to uncover a bug in the implementation. The bug causes a system
432 crash or some kind of outage, either transient or permanent (until
433 user reset). If this failure occurs in a server, not only will
434 the connecting client lose service, but other clients attempting
435 to connect will not get service. As an example, if a web server
436 assumes that content passed to it from a client (created, for
437 example, by a digital camera) is of a particular content type, and
438 it always passes image content to a codec for decompression prior
439 to storage, the codec might crash when it unexpectedly receives an
440 image compressed in a different format. Of course, it might crash
441 even if the Content-Type was correct, but the compressed bitstream
442 was invalid. False assumptions merely introduce additional
443 failure cases.
450 Rosenberg Informational [Page 8]
451 \f
452 RFC 4367 Name Assumptions February 2006
455 Poor User Experience: In these cases, the client and server
456 communicate, but the user receives a diminished user experience.
457 For example, if a client on a PC connects to a web site that
458 provides content for mobile devices, the content may be
459 underwhelming when viewed on the PC. Or, a client accessing a
460 streaming media service may receive content of very low bitrate,
461 even though the client supported better codecs. Indeed, if a user
462 wishes to access content from both a cellular device and a PC
463 using a shared address book (that is, an address book shared
464 across multiple devices), the user would need two entries in that
465 address book, and would need to use the right one from the right
466 device. This is a poor user experience.
468 Degraded Security: In these cases, a weaker security mechanism is
469 used than the one that ought to have been used. As an example, a
470 server in a domain might assume that it is only contacted by
471 clients with a limited set of authentication algorithms, even
472 though the clients have been recently upgraded to support a
473 stronger set.
475 6. Reasons Why the Assumptions Can Be False
477 Assumptions made by clients and servers about the operation of
478 protocols when contacting a particular domain are brittle, and can be
479 wrong for many reasons. On the server side, many of the assumptions
480 are based on the notion that a domain name will only be given to, or
481 used by, a restricted set of clients. If the holder of the domain
482 name assumes something about those clients, and can assume that only
483 those clients use the domain name, then it can configure or program
484 the server to operate specifically for those clients. Both parts of
485 this assumption can be wrong, as discussed in more detail below.
487 On the client side, the notion is similar, being based on the
488 assumption that a server within a particular domain will provide a
489 specific type of service. Sub-delegation and evolution, both
490 discussed below, can make these assumptions wrong.
492 6.1. Evolution
494 The Internet and the devices that access it are constantly evolving,
495 often at a rapid pace. Unfortunately, there is a tendency to build
496 for the here and now, and then worry about the future at a later
497 time. Many of the assumptions above are predicated on
498 characteristics of today's clients and servers. Support for specific
499 protocols, authentication techniques, or content are based on today's
500 standards and today's devices. Even though they may, for the most
501 part, be true, they won't always be. An excellent example is mobile
502 devices. A server servicing a domain accessed by mobile devices
506 Rosenberg Informational [Page 9]
507 \f
508 RFC 4367 Name Assumptions February 2006
511 might try to make assumptions about the protocols, protocol
512 extensions, security mechanisms, screen sizes, or processor power of
513 such devices. However, all of these characteristics can and will
514 change over time.
516 When they do change, the change is usually evolutionary. The result
517 is that the assumptions remain valid in some cases, but not in
518 others. It is difficult to fix such systems, since it requires the
519 server to detect what type of client is connecting, and what its
520 capabilities are. Unless the system is built and deployed with these
521 capability negotiation techniques built in to begin with, such
522 detection can be extremely difficult. In fact, fixing it will often
523 require the addition of such capability negotiation features that, if
524 they had been in place and used to begin with, would have avoided the
525 problem altogether.
527 6.2. Leakage
529 Servers also make assumptions because of the belief that they will
530 only be accessed by specific clients, and in particular, those that
531 are configured or provisioned to use the domain name. In essence,
532 there is an assumption of community -- that a specific community
533 knows and uses the domain name, while others outside of the community
534 do not.
536 The problem is that this notion of community is a false one. The
537 Internet is global. The DNS is global. There is no technical
538 barrier that separates those inside of the community from those
539 outside. The ease with which information propagates across the
540 Internet makes it extremely likely that such domain names will
541 eventually find their way into clients outside of the presumed
542 community. The ubiquitous presence of domain names in various URI
543 formats, coupled with the ease of conveyance of URIs, makes such
544 leakage merely a matter of time. Furthermore, since the DNS is
545 global, and since it can only have one root [12], it becomes possible
546 for clients outside of the community to search and find and use such
547 "special" domain names.
549 Indeed, this leakage is a strength of the Internet architecture, not
550 a weakness. It enables global access to services from any client
551 with a connection to the Internet. That, in turn, allows for rapid
552 growth in the number of customers for any particular service.
554 6.3. Sub-Delegation
556 Clients and users make assumptions about domains because of the
557 notion that there is some kind of centralized control that can
558 enforce those assumptions. However, the DNS is not centralized; it
562 Rosenberg Informational [Page 10]
563 \f
564 RFC 4367 Name Assumptions February 2006
567 is distributed. If a domain doesn't delegate its sub-domains and has
568 its records within a single zone, it is possible to maintain a
569 centralized policy about operation of its domain. However, once a
570 domain gets sufficiently large that the domain administrators begin
571 to delegate sub-domains to other authorities, it becomes increasingly
572 difficult to maintain any kind of central control on the nature of
573 the service provided in each sub-domain.
575 Similarly, the usage of domain names with human semantic connotation
576 tends to lead to a registration of multiple domains in which a
577 particular service is to run. As an example, a service provider with
578 the name "example" might register and set up its services in
579 "example.com", "example.net", and generally example.foo for each foo
580 that is a valid TLD. This, like sub-delegation, results in a growth
581 in the number of domains over which it is difficult to maintain
582 centralized control.
584 Not that it is not possible, since there are many examples of
585 successful administration of policies across sub-domains many levels
586 deep. However, it takes an increasing amount of effort to ensure
587 this result, as it requires human intervention and the creation of
588 process and procedure. Automated validation of adherence to policies
589 is very difficult to do, as there is no way to automatically verify
590 many policies that might be put into place.
592 A less costly process for providing centralized management of
593 policies is to just hope that any centralized policies are being
594 followed, and then wait for complaints or perform random audits.
595 Those approaches have many problems.
597 The invalidation of assumptions due to sub-delegation is discussed in
598 further detail in Section 4.1.3 of [8] and in Section 3.3 of [20].
600 As a result of the fragility of policy continuity across sub-
601 delegations, if a client or user assumes some kind of property
602 associated with a TLD (such as ".wifi"), it becomes increasingly more
603 likely with the number of sub-domains that this property will not
604 exist in a server identified by a particular name. For example, in
605 "store.chain.company.provider.wifi", there may be four levels of
606 delegation from ".wifi", making it quite likely that, unless the
607 holder of ".wifi" is working diligently, the properties that the
608 holder of ".wifi" wishes to enforce are not present. These
609 properties may not be present due to human error or due to a willful
610 decision not to adhere to them.
618 Rosenberg Informational [Page 11]
619 \f
620 RFC 4367 Name Assumptions February 2006
623 6.4. Mobility
625 One of the primary value propositions of a hostname as an identifier
626 is its persistence. A client can change IP addresses, yet still
627 retain a persistent identifier used by other hosts to reach it.
628 Because their value derives from their persistence, hostnames tend to
629 move with a host not just as it changes IP addresses, but as it
630 changes access network providers and technologies. For this reason,
631 assumptions made about a host based on the presumed access network
632 corresponding to that hostname tend to be wrong over time. As an
633 example, a PC might normally be connected to its broadband provider,
634 and through dynamic DNS have a hostname within the domain of that
635 provider. However, one cannot assume that any host within that
636 network has access over a broadband link; the user could connect
637 their PC over a low-bandwidth wireless access network and still
638 retain its domain name.
640 6.5. Human Error
642 Of course, human error can be the source of errors in any system, and
643 the same is true here. There are many examples relevant to the
644 problem under discussion.
646 A client implementation may make the assumption that, just because a
647 DNS SRV record exists for a particular protocol in a particular
648 domain, indicating that the service is available on some port, that
649 the service is, in fact, running there. This assumption could be
650 wrong because the SRV records haven't been updated by the system
651 administrators to reflect the services currently running. As another
652 example, a client might assume that a particular domain policy
653 applies to all sub-domains. However, a system administrator might
654 have omitted to apply the policy to servers running in one of those
655 sub-domains.
657 7. Recommendations
659 Based on these problems, the clear conclusion is that clients,
660 servers, and users should not make assumptions on the nature of the
661 service provided to, or by, a domain. More specifically, however,
662 the following can be said:
664 Follow the specifications: When specifications define mandatory
665 baseline procedures and formats, those should be implemented and
666 supported, even if the expectation is that optional procedures
667 will most often be used. For example, if a specification mandates
668 a particular baseline authentication technique, but allows others
669 to be negotiated and used, implementations need to implement the
670 baseline authentication algorithm even if the other ones are used
674 Rosenberg Informational [Page 12]
675 \f
676 RFC 4367 Name Assumptions February 2006
679 most of the time. Put more simply, the behavior of the protocol
680 machinery should never change based on the domain name of the
681 host.
683 Use capability negotiation: Many protocols are engineered with
684 capability negotiation mechanisms. For example, a content
685 negotiation framework has been defined for protocols using MIME
686 content [13] [14] [15]. SIP allows for clients to negotiate the
687 media types used in the multimedia session, as well as protocol
688 parameters. HTTP allows for clients to negotiate the media types
689 returned in requests for content. When such features are
690 available in a protocol, client and servers should make use of
691 them rather than making assumptions about supported capabilities.
692 A corollary is that protocol designers should include such
693 mechanisms when evolution is expected in the usage of the
694 protocol.
696 "Be liberal in what you accept, and conservative in what you send"
697 [18]: This axiom of Internet protocol design is applicable here
698 as well. Implementations should be prepared for the full breadth
699 of what a protocol allows another entity to send, rather than be
700 limiting in what it is willing to receive.
702 To summarize -- there is never a need to make assumptions. Rather
703 than doing so, utilize the specifications and the negotiation
704 capabilities they provide, and the overall system will be robust and
705 interoperable.
707 8. A Note on RFC 2219 and RFC 2782
709 Based on the definition of an assumption given here, the behavior
710 hinted at by records in the DNS also represents an assumption. RFC
711 2219 [19] defines well-known aliases that can be used to construct
712 domain names for reaching various well-known services in a domain.
713 This approach was later followed by the definition of a new resource
714 record, the SRV record [2], which specifies that a particular service
715 is running on a server in a domain. Although both of these
716 mechanisms are useful as a hint that a particular service is running
717 in a domain, both of them represent assumptions that may be false.
718 However, they differ in the set of reasons why those assumptions
719 might be false.
721 A client that assumes that "ftp.example.com" is an FTP server may be
722 wrong because the presumed naming convention in RFC 2219 was not
723 known by, or not followed by, the owner of domain.com. With RFC
724 2782, an SRV record for a particular service would be present only by
725 explicit choice of the domain administrator, and thus a client that
730 Rosenberg Informational [Page 13]
731 \f
732 RFC 4367 Name Assumptions February 2006
735 assumes that the corresponding host provides this service would be
736 wrong only because of human error in configuration. In this case,
737 the assumption is less likely to be wrong, but it certainly can be.
739 The only way to determine with certainty that a service is running on
740 a host is to initiate a connection to the port for that service, and
741 check. Implementations need to be careful not to codify any
742 behaviors that cause failures should the information provided in the
743 record actually be false. This borders on common sense for robust
744 implementations, but it is valuable to raise this point explicitly.
746 9. Security Considerations
748 One of the assumptions that can be made by clients or servers is the
749 availability and usage (or lack thereof) of certain security
750 protocols and algorithms. For example, a client accessing a service
751 in a particular domain might assume a specific authentication
752 algorithm or hash function in the application protocol. It is
753 possible that, over time, weaknesses are found in such a technique,
754 requiring usage of a different mechanism. Similarly, a system might
755 start with an insecure mechanism, and then decide later on to use a
756 secure one. In either case, assumptions made on security properties
757 can result in interoperability failures, or worse yet, providing
758 service in an insecure way, even though the client asked for, and
759 thought it would get, secure service. These kinds of assumptions are
760 fundamentally unsound even if the records themselves are secured with
761 DNSSEC.
763 10. Acknowledgements
765 The IAB would like to thank John Klensin, Keith Moore and Peter Koch
766 for their comments.
768 11. IAB Members
770 Internet Architecture Board members at the time of writing of this
771 document are:
773 Bernard Aboba
775 Loa Andersson
777 Brian Carpenter
779 Leslie Daigle
781 Patrik Faltstrom
786 Rosenberg Informational [Page 14]
787 \f
788 RFC 4367 Name Assumptions February 2006
791 Bob Hinden
793 Kurtis Lindqvist
795 David Meyer
797 Pekka Nikander
799 Eric Rescorla
801 Pete Resnick
803 Jonathan Rosenberg
805 12. Informative References
807 [1] Mockapetris, P., "Domain names - concepts and facilities",
808 STD 13, RFC 1034, November 1987.
810 [2] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
811 specifying the location of services (DNS SRV)", RFC 2782,
812 February 2000.
814 [3] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
815 Three: The Domain Name System (DNS) Database", RFC 3403,
816 October 2002.
818 [4] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A Means
819 for Expressing Location Information in the Domain Name System",
820 RFC 1876, January 1996.
822 [5] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
823 Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
824 HTTP/1.1", RFC 2616, June 1999.
826 [6] Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time Streaming
827 Protocol (RTSP)", RFC 2326, April 1998.
829 [7] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
830 Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
831 Session Initiation Protocol", RFC 3261, June 2002.
833 [8] Eastlake, D., ".sex Considered Dangerous", RFC 3675,
834 February 2004.
836 [9] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
837 April 2001.
842 Rosenberg Informational [Page 15]
843 \f
844 RFC 4367 Name Assumptions February 2006
847 [10] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
848 Protocol (HTTP) Digest Authentication Using Authentication and
849 Key Agreement (AKA)", RFC 3310, September 2002.
851 [11] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
852 Extensions (MIME) Part One: Format of Internet Message Bodies",
853 RFC 2045, November 1996.
855 [12] Internet Architecture Board, "IAB Technical Comment on the
856 Unique DNS Root", RFC 2826, May 2000.
858 [13] Klyne, G., "Indicating Media Features for MIME Content",
859 RFC 2912, September 2000.
861 [14] Klyne, G., "A Syntax for Describing Media Feature Sets",
862 RFC 2533, March 1999.
864 [15] Klyne, G., "Protocol-independent Content Negotiation
865 Framework", RFC 2703, September 1999.
867 [16] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
869 [17] Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional
870 Responses in Session Initiation Protocol (SIP)", RFC 3262,
871 June 2002.
873 [18] Braden, R., "Requirements for Internet Hosts - Communication
874 Layers", STD 3, RFC 1122, October 1989.
876 [19] Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
877 Services", BCP 17, RFC 2219, October 1997.
879 [20] Faltstrom, P., "Design Choices When Expanding DNS", Work in
880 Progress, June 2005.
882 Author's Address
884 Jonathan Rosenberg, Editor
885 IAB
886 600 Lanidex Plaza
887 Parsippany, NJ 07054
888 US
890 Phone: +1 973 952-5000
891 EMail: jdrosen@cisco.com
892 URI: http://www.jdrosen.net
898 Rosenberg Informational [Page 16]
899 \f
900 RFC 4367 Name Assumptions February 2006
903 Full Copyright Statement
905 Copyright (C) The Internet Society (2006).
907 This document is subject to the rights, licenses and restrictions
908 contained in BCP 78, and except as set forth therein, the authors
909 retain all their rights.
911 This document and the information contained herein are provided on an
912 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
913 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
914 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
915 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
916 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
917 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
919 Intellectual Property
921 The IETF takes no position regarding the validity or scope of any
922 Intellectual Property Rights or other rights that might be claimed to
923 pertain to the implementation or use of the technology described in
924 this document or the extent to which any license under such rights
925 might or might not be available; nor does it represent that it has
926 made any independent effort to identify any such rights. Information
927 on the procedures with respect to rights in RFC documents can be
928 found in BCP 78 and BCP 79.
930 Copies of IPR disclosures made to the IETF Secretariat and any
931 assurances of licenses to be made available, or the result of an
932 attempt made to obtain a general license or permission for the use of
933 such proprietary rights by implementers or users of this
934 specification can be obtained from the IETF on-line IPR repository at
935 http://www.ietf.org/ipr.
937 The IETF invites any interested party to bring to its attention any
938 copyrights, patents or patent applications, or other proprietary
939 rights that may cover technology that may be required to implement
940 this standard. Please address the information to the IETF at
941 ietf-ipr@ietf.org.
943 Acknowledgement
945 Funding for the RFC Editor function is provided by the IETF
946 Administrative Support Activity (IASA).
954 Rosenberg Informational [Page 17]
955 \f