Network Working Group S. Josefsson Internet-Draft September 2, 2004 Expires: March 3, 2005 Domain Name System Uniform Resource Identifiers draft-josefsson-dns-url-10 Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on March 3, 2005. Copyright Notice Copyright (C) The Internet Society (2004). Abstract This document define Uniform Resource Identifiers for Domain Name System resources. Josefsson Expires March 3, 2005 [Page 1] Internet-Draft DNS URI September 2004 Table of Contents 1. Introduction and Background . . . . . . . . . . . . . . . . . 3 2. DNS URI Registration . . . . . . . . . . . . . . . . . . . . . 4 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6.1 Normative References . . . . . . . . . . . . . . . . . . . . 9 6.2 Informative References . . . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 10 A. Revision Changes . . . . . . . . . . . . . . . . . . . . . . . 10 A.1 Changes since -06 . . . . . . . . . . . . . . . . . . . . 10 A.2 Changes since -07 . . . . . . . . . . . . . . . . . . . . 10 A.3 Changes since -08 . . . . . . . . . . . . . . . . . . . . 11 A.4 Changes since -09 . . . . . . . . . . . . . . . . . . . . 11 Intellectual Property and Copyright Statements . . . . . . . . 12 Josefsson Expires March 3, 2005 [Page 2] Internet-Draft DNS URI September 2004 1. Introduction and Background The Domain Name System (DNS) [1][2] is a widely deployed system used to, among other things, translate host names into IP addresses. Recent work has added support for storing certificates and certificate revocation lists (CRLs) in the DNS [9]. Several protocols use Uniform Resource Locators (URLs) to point at certificates and CRLs. By defining a Uniform Resource Identifier (URI) scheme for DNS resources, such protocols can reference certificates and CRLs stored in the DNS. A few examples of protocols that may utilize DNS URIs: o The OpenPGP Message Format [7], where an end-user may indicate the location of a copy of any updates to her key, using the "preferred key server" field. o The X.509 Online Certificate Status Protocol [10], where the OCSP responder can indicate where a CRL is found, using the id-pkix-ocsp-crl extension. The DNS URI scheme defined here can be used to reference any data stored in the DNS, and is not limited to certificates or CRLs. The purpose of this specification is to define a generic DNS URI, not to specify a solution only for certificates stored in the DNS. Data browsers may support DNS URIs by forming DNS queries and render DNS responses using HTML [13], similar to what is commonly done for FTP [5] resources. The core part of this document is the URI Registration Template in accordance with [12]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [6]. Josefsson Expires March 3, 2005 [Page 3] Internet-Draft DNS URI September 2004 2. DNS URI Registration URL scheme name: "dns". URL scheme syntax: A DNS URI designate a DNS resource record set, referenced by domain name, class, type and optionally the authority. The DNS URI follows the generic syntax from RFC 2396 [4], and is described using ABNF [3]. Strings are not case sensitive and free insertion of linear-white-space is not permitted. dnsurl = "dns:" [ "//" dnsauthority "/" ] dnsname ["?" dnsquery] dnsauthority = hostport ; See RFC 2396 for "hostport" definition. dnsname = *pchar ; See RFC 2396 for "pchar" definition. ; The "dnsname" field may be a "relative" ; or "absolute" name, as per RFC 1034 ; section 3.1. ; Note further that an empty "dnsname" ; value is to be interpreted as the ; root itself. See below on relative ; dnsname's. dnsquery = dnsqueryelement [";" dnsquery] dnsqueryelement = ( "CLASS=" dnsclassval ) / ( "TYPE=" dnstypeval ) ; Each clause MUST NOT be used more than ; once. dnsclassval = 1*digit / "IN" / "CH" / ... ; Any IANA registered DNS class expressed ; as mnemonic or as decimal integer. dnstypeval = 1*digit / "A" / "NS" / "MD" / ... ; Any IANA registered DNS type expressed ; as mnemonic or as decimal integer. Unless specified in the URI, the authority ("dnsauthority") is assumed to be locally known, the class ("dnsclassval") to be the Internet class ("IN"), and the type ("dnstypeval") to be the Address type ("A"). These default values match the typical use of DNS; to look up addresses for host names. A dnsquery element MUST NOT contain more than one occurance of the Josefsson Expires March 3, 2005 [Page 4] Internet-Draft DNS URI September 2004 "CLASS" and "TYPE" fields. For example, both "dns:example?TYPE=A;TYPE=TXT" and "dns:example?TYPE=A;TYPE=A" are invalid. However, the fields may occur in any order, so that both "dns:example?TYPE=A;CLASS=IN" and "dns:example?CLASS=IN;TYPE=A" are valid. The digit representation of types and classes MAY be used when a mnemonic for the corresponding value is not well known (e.g., for newly introduced types or classes), but SHOULD NOT be used for the types or classes defined in the DNS specification [2]. All implementations MUST recognize the mnemonics defined in [2]. To avoid ambiguity, relative "dnsname" values (i.e., those not ending with ".") are assumed to be relative to the root. For example, "dns:host.example" and "dns:host.example." both refer to the same owner name, namely "host.example.". Further, an empty "dnsname" value is considered to be a degenerative form of a relative name, which refer to the root ("."). To resolve a DNS URI using the DNS protocol [2] a query is created, using as input the dnsname, dnsclassval and dnstypeval from the URI string (or the appropriate default values). If an authority ("dnsauthority") is given in the URI string, this indicate the server that should receive the DNS query, otherwise the default DNS server should receive it. Note that DNS URIs could be resolved by other protocols than the DNS protocol, or by using the DNS protocol in some other way than as described above (e.g., multicast DNS). DNS URIs do not require the use of the DNS protocol, although it is expected to be the typical usage. The previous paragraph only illustrate how DNS URIs are resolved using the DNS protocol. A client MAY want to check that it understands the dnsclassval and dnstypeval before sending a query, so that it will be able to understand the response. However, a typical example of a client that would not need to check dnsclassval and dnstypeval would be a proxy, that would just treat the received answer as opaque data. Character encoding considerations: The characters are encoded as per the "URI Generic Syntax" RFC [4]. The DNS protocol do not consider character sets, it simply transports opaque data. In particular, the "dnsname" field of the DNS URI is to be considered an internationalized domain name (IDN) unaware domain name slot, in the terminology of [15]. The considerations for "hostport" are discussed in [4] Because "." is used as the DNS label separator, an escaping mechanism Josefsson Expires March 3, 2005 [Page 5] Internet-Draft DNS URI September 2004 is required to encode a "." that is part of a DNS label. The escaping mechanism is described in section 5.1 of RFC 1035. For example, a DNS label of "exa.mple" can be escaped as "exa\.mple" or "exa\046mple". However, the URI specification disallow the "\" character from occuring directly in URIs, so it must be escaped as "%5c". The single DNS label "exa.mple" is thus encoded as "exa%5c.mple". The same mechanism can be used to encode other characters, for example "?" and ";". Note that "." and "%2e" are equivalent within dnsname, and are interchangable. This URI specification allows all possible domain names to be encoded (of course following the encoding rules of [4]), however certain applications may restrict the set of valid characters and care should be taken so that invalid characters in these contexts does not cause harm. In particular, host names in the DNS have certain restrictions. It is up to these application to limit this subset, this URI scheme places no restrictions. Intended usage: Whenever DNS resources are useful to reference by protocol independent identifiers, often when the data is more important than the access method. Since software in general has coped without this so far, it is not anticipated to be implemented widely, nor migrated to by existing systems, but specific solutions (especially security related) may find this appropriate. Applications and/or protocols which use this scheme: Security related software. DNS administration tools. Network programming packages. Interoperability considerations: The data referenced by this URI scheme might be transferred by protocols that are not URI aware (such as the DNS protocol). This is not anticipated to have any serious interoperability impact though. Interoperability problems may occur if one entity understands a new DNS class/type mnemonic and another entity do not understand it. This is an interoperability problem for DNS software in general, although it is not a major practical problem as the DNS types and classes are fairly static. To guarantee interoperability implementations can use integers for all mnemonics not defined in [2]. Interaction with Binary Labels [11], or other extended label types, has not been analyzed. However, they appear to be infrequently used in practice. Contact: simon@josefsson.org Author/Change Controller: simon@josefsson.org Josefsson Expires March 3, 2005 [Page 6] Internet-Draft DNS URI September 2004 3. Examples A DNS URI is of the following general form. This is intended to illustrate, not define, the scheme. dns:[//authority/]domain[?CLASS=class;TYPE=type] The following illustrate a URI for a resource with the absolute name "www.example.org.", the Internet (IN) class and the Address (A) type: dns:www.example.org.?clAsS=IN;tYpE=A Since the default class is IN, and the default type is A, the same resource can be identified by a shorter URI, using a relative name: dns:www.example.org The following illustrate a URI for a resource with the name "simon.example.org", for the CERT type, in the Internet (IN) class: dns:simon.example.org?type=CERT The following illustrate a URI for a resource with the name "ftp.example.org", in the Internet (IN) class and the address (A) type, but from the DNS authority 192.168.1.1 instead of the default authority: dns://192.168.1.1/ftp.example.org?type=A The following illustrate various escaping techniques. The owner name would be "world wide web.example\.domain.org" where "\." denote the character "." as part of a label, and "." denote the label separator: dns:world%20wide%20web.example%5c.domain.example?TYPE=TXT The following illustrate a strange, but valid, DNS resource: dns://fw.example.org/*.%20%00.example?type=TXT Josefsson Expires March 3, 2005 [Page 7] Internet-Draft DNS URI September 2004 4. Security Considerations If a DNS URI references domains in the Internet DNS environment, both the URI itself and the information referenced by the URI is public information. If a DNS URI is used within an "internal" DNS environment, both the DNS URI and the data is referenced should be handled using the same considerations that apply to DNS data in the environment. If information referenced by DNS URIs are used to make security decisions (examples of such data include, but is not limited to, certificates stored in the DNS), implementations may need to employ security techniques such as Secure DNS [8], or even CMS [14] or OpenPGP [7], to protect the data during transport. How to implement this will depend on the usage scenario, and it is not up to this URI scheme to define how the data referenced by DNS URIs should be protected. If applications accept unknown dnsqueryelement values (e.g., accepts the URI "dns:www.example.org?secret=value" without knowing what the "secret=value" dnsqueryelement means), a covert channel used to "leak" information may be enabled. The implications of covert channels should be understood by applications that accepts unknown dnsqueryelement values. Slight variations, such as difference between upper and lower case in the dnsname field, can be used as a covert channel to leak information. 5. IANA Considerations The IANA is asked to register the DNS URI scheme, using the template in section 2, in accordance with RFC 2717 [12]. Josefsson Expires March 3, 2005 [Page 8] Internet-Draft DNS URI September 2004 Acknowledgments Thanks to Stuart Cheshire, Donald Eastlake, Pasi Eronen, Ted Hardie, Peter Koch, Andrew Main, Larry Masinter, Michael Mealling, Steve Mattson, and Paul Vixie for comments and suggestions. The author acknowledges the RSA Laboratories for supporting the work that led to this document. 6. References 6.1 Normative References [1] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. [2] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [3] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997. [4] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998. 6.2 Informative References [5] Postel, J. and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, October 1985. [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [7] Callas, J., Donnerhacke, L., Finney, H. and R. Thayer, "OpenPGP Message Format", RFC 2440, November 1998. [8] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999. [9] Eastlake, D. and O. Gudmundsson, "Storing Certificates in the Domain Name System (DNS)", RFC 2538, March 1999. [10] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999. [11] Crawford, M., "Binary Labels in the Domain Name System", RFC 2673, August 1999. Josefsson Expires March 3, 2005 [Page 9] Internet-Draft DNS URI September 2004 [12] Petke, R. and I. King, "Registration Procedures for URL Scheme Names", BCP 35, RFC 2717, November 1999. [13] Connolly, D. and L. Masinter, "The 'text/html' Media Type", RFC 2854, June 2000. [14] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369, August 2002. [15] Faltstrom, P., Hoffman, P. and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003. [16] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. Author's Address Simon Josefsson EMail: simon@josefsson.org Appendix A. Revision Changes Note to RFC editor: Remove this appendix before publication. A.1 Changes since -06 The MIME registration templates for text/dns and application/dns was removed, and will be defined in separate documents. Improved discussion related to which mnemonics that must be supported. The interoperability problem that provoked the clarification is also mentioned. Security consideration improvements. A.2 Changes since -07 Author/Change Controller changed to author of this document, not IESG. Terminology section collapsed into introduction. The second paragraph of the introduction rewritten and gives explicit examples. Intended usage and applications fields fixed. Moved this revision tracking information to an appendix. Mention IDN in charset section. All previous thanks to suggestions by Larry Masinter. Josefsson Expires March 3, 2005 [Page 10] Internet-Draft DNS URI September 2004 A.3 Changes since -08 Modifications derived from Last-Call comments: Made more clear that DNS URIs does not imply use of the DNS protocol, but the issue is not stressed because of the apparent inflamatory state of affairs. Added informative references to HTML and FTP. Clarified that dnsname can be empty. Clarified that first dnsqueryelement "win" in case of ambiguity. Clarified security consideration with respect to unknown dnsqueryelements. Use "authority" instead of "server". Say "IANA registered" instead of "standard". Interoperability note about binary DNS labels. Typos. A.4 Changes since -09 Use legal texts from RFC 3667. Update UTF-8 reference to RFC 3629. Simplified introduction. Discuss relative and absolute dnsname's. Clarify that empty dnsname correspond to the root. Change so that dns:foo?TYPE=A;TYPE=TXT is invalid, instead of meaning TYPE=A. The underspecified extension mechanism was dropped; now only TYPE= and CLASS= are permitted. Remove background discussion of why the dnsname field is made a IDN unaware domain name slot. Use standard DNS escaping (i.e, "\." for ".") instead of broken approach that violated the URI specification. Improve examples. Add security considerations. Josefsson Expires March 3, 2005 [Page 11] Internet-Draft DNS URI September 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Josefsson Expires March 3, 2005 [Page 12]