Internet Systems Consortium

950 Charter Street Redwood City 94063 CA US muks@mukund.org http://www.isc.org/

Internet Systems Consortium

950 Charter Street Redwood City 94063 CA US stephen@isc.org http://www.isc.org/

Internet Systems Consortium

950 Charter Street Redwood City 94063 CA US ray@isc.org http://www.isc.org/

Internet Systems Consortium

950 Charter Street Redwood City 94063 CA US wpk@isc.org http://www.isc.org/

Operations and Management Area Internet Engineering Task Force This document describes a method for automatic zone catalog provisioning and synchronization among DNS primary and secondary nameservers by storing and transferring the catalogs as regular DNS zones.

DNS nameservers implement AXFR and IXFR for zone data synchronization among a zone's primary and secondary nameservers, but the list of zones served by the primary (called a catalog in ) is not automatically synchronized. The administrator of a DNS nameserver farm has to synchronize such zone catalogs among primaries and their secondary nameservers manually or via an external application layer. This can be inconvenient, error-prone and dependent on the nameserver implementation. A method for automatic zone catalog provisioning and synchronization is useful, so that the zone catalog can be maintained in a reference location by an administrator, similar to zone data. This document describes one such method, in which the catalog is represented as a regular DNS zone called a "catalog zone", and transferred using DNS zone transfers. The representation of catalogs within DNS zones is specified and nameserver requirements are listed so that DNS implementations can support catalog zones. The contents and representation of catalog zones are described in . Nameserver behavior is described in . A glossary of some terms used in this memo is provided in . The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

A catalog zone is a specially crafted DNS zone that contains, as DNS zone data, a list of DNS zones called member zones, associated template zone configuration common to all its member zones, and zone-specific configuration that applies to a respective zone. An implementation of catalog zones MAY allow catalog zones to include other catalog zones, but template zone configuration present in a catalog zone only applies to its immediate member zones. A catalog zone is meant to be used to provision DNS catalogs to secondary nameservers via zone transfers, for the purpose of setting up member zones to be served from these secondary nameservers. A catalog zone uses some RR TYPEs such as PTR with alternate semantics for its purposes. Although this may be controversial, the situation is similar to other similar zone-based representations such as response-policy zones . A design criterion of catalog zones is that none of the RR TYPEs used therein may incur any additional section processing during DNS QUERY. Member zones' configuration is specified as a map of zone properties, represented as a subtree of a node in the domain name space inside a catalog zone. This is described in . Each zone property has a name and an associated value of a specific data type. Zone property value data types are described in . A list of permitted zone property names and their data types is given in . TBD: Transitive catalogs

A catalog zone contains various resource records (RRs). They have NAME, TYPE, CLASS, TTL, RDLENGTH and RDATA as fields . The NAME field contains the owner name of the respective RR. As with all DNS zones, the owner name must be a child of the catalog zone name. The TYPE field depends on the type of catalog zone property value being represented. describes how various zone property value types are represented. The CLASS field of the RR MUST be set to IN(1) . This is because some RR TYPEs such as APL used by catalog zones are defined only for the IN CLASS. The TTL field's value is not specially defined by this memo. Catalog zones are for nameserver management only and are not intended for general querying. Operators should use whatever value seems convenient for any management applications that may query the catalog zone. The RDLENGTH field contains the length of the RDATA field. The content of the RDATA field depends on the type of catalog zone property value being represented. describes how various zone property value types are represented.

Similar to any other DNS zone, a catalog zone would be expected to have a syntactically correct SOA record and one or more NS records at its apex. The SOA record's SERIAL, REFRESH, RETRY and EXPIRE fields are used during zone transfer. A catalog zone's SOA SERIAL field SHOULD increase when an update is made to the catalog zone's contents as per serial number arithmetic defined in . Otherwise, secondary nameservers may not notice updates to the catalog zone's contents. The SOA record's MINIMUM field's value is not specially defined by this memo. Although they are regular DNS zones, catalog zones contain only information for the management of a set of nameservers. For this reason, operators may want to limit the systems able to query these zones. As catalog zones do not participate in the DNS, NS records at the apex are not used but they are still required so that catalog zones are syntactically correct DNS zones. No parent delegation for the catalog zone is required. Any valid DNS name can be used in the NSDNAME field of such NS records and they MUST be ignored. A single NS RR with an NSDNAME field containing the absolute name "invalid." is recommended .

Member zones' configuration is specified as a map of zone properties, represented as a subtree of a node in the domain name space inside a catalog zone. A subtree of child nodes is used for a nested map, occuping another label level. A map element's key (property name) is represented in the label at that level. For example, if a catalog zone is named "catalog1.example.org." and contains a property with name "prop0", the corresponding owner name of the node representing that property is "prop0.catalog1.example.org." Zone property names are case-insensitive. Each zone property may use only one data type for its values. A list of permitted zone property names and their data types is given in . Many properties are single-valued, but some properties can be collections with thousands of values. An example is the list of member zones within a catalog zone, which can be larger than any single RDATA instance can allow. Multiple RRs are used to represent such properties. TBD: Currently a hashing method in owner names is used to split the elements of such properties with multiple RRs into individual RRsets, one per RR. This needs to be revisited as IXFR and DNS UPDATE both allow individual RRs within an RRset to be modified. The hashing method used is described in the appropriate property value data types in .

A property with a string value is specified using a single TXT RR with owner name set to the name of the property as a sub-domain of the catalog zone name, and RDATA set to the property value. For example, if a catalog zone is named "catalog1.example.org." and contains a property "prop0" with string value "Example", the corresponding RR would appear as follows:

prop0.catalog1.example.org. 3600 IN TXT "Example"

Here, "prop0" can contain multiple TXT RRs at that node of the domain name space . The single string property SHOULD be checked by the implementation.

A property with a boolean value is specified using a single TXT RR with owner name set to the name of the property as a sub-domain of the catalog zone name, and RDATA set to "true" for true condition and "false" for false condition. The RDATA is case-insensitive. For example, if a catalog zone is named "catalog1.example.org." and contains a property "active" with boolean value false, the corresponding RR would appear as follows:

active.catalog1.example.org. 3600 IN TXT "false"

Here, "active" can contain multiple TXT RRs at that node of the domain name space . The single boolean property SHOULD be checked by the implementation.

A property with an integer value is specified using a single TXT RR for signed integers or unsigned integers, with owner name set to the name of the property as a sub-domain of the catalog zone name, and RDATA set to the property value. A signed integer's TXT RDATA uses the representation of an unsuffixed "integer constant" as defined in the C programming language standard (of the type matching a 64-bit signed integer on that platform), with an optional minus prefix. The representation MUST be specified using a single <character-string> . An unsigned integer's TXT RDATA uses the representation of an unsuffixed "integer constant" as defined in the C programming language standard (of the type matching a 64-bit unsigned integer on that platform). The representation MUST be specified using a single <character-string> . For example, if a catalog zone is named "catalog1.example.org." and contains a property "min-ttl" with unsigned integer value 300, the corresponding RR would appear as follows:

min-ttl.catalog1.example.org. 3600 IN TXT "300"

Here, "min-ttl" can contain multiple TXT RRs at that node of the domain name space . The single integer property SHOULD be checked by the implementation.

A property with a floating-point value is specified using a single TXT RR with owner name set to the name of the property as a sub-domain of the catalog zone name, and RDATA set to the property value. A floating-point value's TXT RDATA uses the representation of an unsuffixed "floating constant" as defined in the C programming language standard . The representation MUST be specified using a single <character-string> . For example, if a catalog zone is named "catalog1.example.org." and contains a property "decay-rate" with value 0.15, the corresponding RR may appear as follows:

decay-rate.catalog1.example.org. 3600 IN TXT "15e-2"

Here, "decay-rate" can contain multiple TXT RRs at that node of the domain name space . The single floating-point property SHOULD be checked by the implementation.

A property with a single domain name as value is specified using a PTR RR with owner name set to the name of the property as a sub-domain of the catalog zone name, and RDATA set to the property value. For example, if a catalog zone is named "catalog1.example.org." and contains a property "prop1" with value "val1.example.com.", the corresponding RR would appear as follows:

prop1.catalog1.example.org. 3600 IN PTR val1.example.com.

Here, "prop1" can contain multiple PTR RRs at that node of the domain name space . The single domain name property SHOULD be checked by the implementation.

Let N be an absolute name formed by concatenating the RDATA hash (see ), the name of the property, and the catalog zone name in that order, such that N is a unique owner name in the catalog zone. Then, a property containing an unordered list of domain names as value is specified using multiple PTR RRs with owner name set to N, and each RR's RDATA set to each domain name in the list of the property's value respectively. For example, if a catalog zone is named "catalog1.example.org." and contains a property "prop2" with its value being an unordered list of two names "a.example.com." and "b.example.com.", the corresponding RRs would appear as follows:

<hash1>.prop2.catalog1.example.org. 3600 IN PTR a.example.com. <hash2>.prop2.catalog1.example.org. 3600 IN PTR b.example.com.

Here, "prop2"'s subtree child nodes (in the domain name space ) can contain multiple PTR RRs at each child. For example, <hash1>.prop2 may contain multiple PTR RRs at that node. The single domain name property SHOULD be checked by the implementation.

A property with a list of network addresses as value is specified using a single APL RR with owner name set to the name of the property as a sub-domain of the catalog zone name, and RDATA set to the property value. In its presentation format, the "!" character (corresponding to the negation flag) is used to negate a network element. The exact meaning of a negated network element is left to be described by the property that APL is used for. Note that the AFL RR TYPE is defined only for the IN(1) RR CLASS. For example, if a catalog zone is named "catalog1.example.org." and contains a property "allow-query" with value [192.0.2.0/24, 198.51.100.0/24] as the list of networks, the corresponding RR would appear as follows:

allow-query.catalog1.example.org. 3600 IN APL ( 1:192.0.2.0/24 2:2001:db8::/32)

Here, "allow-query" can contain multiple APL RRs at that node of the domain name space . The single APL RR property SHOULD be checked by the implementation.

A single host address is represented using the list of network addresses data type (see ) with a suitable network and prefix to result in a single host address.

Comments may be added anywhere in a catalog zone using a scheme such as NOTE RRs . This memo does not depend on NOTE RRs and it is only suggested here as an informative reference.

The catalog zone schema version is specified by an unsigned integer property with the property name "version". All catalog zones MUST have this property present. Primary and secondary nameservers MUST NOT use catalog zones with an unexpected value value in this property, but they may be transferred as ordinary zones. For this memo, the "version" property value MUST be set to 1. For example, if a catalog zone is named "catalog1.example.org.", the corresponding RR MUST look as follows:

version.catalog1.example.org. 3600 IN TXT "1"

Here, "version" can contain multiple TXT RRs at that node of the domain name space . The single TXT RR property SHOULD be checked by the implementation.

The list of member zones are specified as an unordered list (see ) of domain names under the owner name "zones" where "zones" is a sub-domain of the catalog zone. The names of member zones are represented on the RDATA side instead of as part of owner names so that all valid domain names may be represented regardless of their length. For example, if a catalog zone is named "catalog1.example.org." and lists 3 zones "example.com.", "example.net." and "example.org.", the RRs would appear as follows:

<hash>.zones.catalog1.example.org. 3600 IN PTR example.com. <hash>.zones.catalog1.example.org. 3600 IN PTR example.net. <hash>.zones.catalog1.example.org. 3600 IN PTR example.org.

TBD: Prepare a list of zone configuration properties that are common to DNS implementations. This is so that a company may manage a catalog zone using a Windows DNS server as the primary, and a secondary nameserver hosting service may pick up the common properties and may use a different nameserver implementation such as BIND or NSD on a POSIX operating system to serve it. TBD: We may specify that unrecognized zone property names must be ignored, or that nameserver specific properties must be specified using the "x-" prefix similar to MIME type naming. TBD: Any list of zone properties is ideally maintained as a registry rather than within this memo.

TBD.

TBD.

Member zones in a catalog zone share template zone configuration that is common to all member zones in that catalog. This section describes the syntax that can be used to specify zone properties specific to single member zones. Let N be an absolute name formed by concatenating the member zone name hash as a label (see ), the label "zones", and the catalog zone name in that order, such that N is a unique owner name in the catalog zone. Zone properties specific to a particular member zone are specified under the respective sub-domain N. For example, if a catalog zone is named "catalog1.example.org." and a member zone "example.com." contains a property "prop0" with string (see ) value "Example", the corresponding RR would appear as follows:

prop0.<m-hash>.zones.catalog1.example.org. 3600 IN TXT "Example"

As another example, if a catalog zone is named "cat1.example.org." and a member zone "example.com." contains a property "prop2" with its value being an unordered list (see ) of two domain names "a.example.com." and "b.example.com.", the corresponding RRs would appear as follows:

(<hash>.prop2.<m-hash>.zones.cat1.example.org. 3600 IN PTR a.example.com.) (<hash>.prop2.<m-hash>.zones.cat1.example.org. 3600 IN PTR b.example.com.)

$ORIGIN catalog.example.org. @ IN SOA . . 1 3600 3600 86400 3600 IN NS invalid. version IN TXT "1" (5960775ba382e7a4e09263fc06e7c00569b6a05c.zones IN PTR domain1.example.com.)

TBD: Explain nameserver behavior in a more detailed way here. It is under-specified. As it is a regular DNS zone, a catalog zone can be transferred using DNS zone transfers among nameservers. Although they are regular DNS zones, catalog zones contain only information for the management of a set of nameservers. For this reason, operators may want to limit the systems able to query these zones. It may be inconvenient to serve some contents of catalog zones via DNS queries anyway due to the nature of their representation. A separate method of querying entries inside the catalog zone may be made available by nameserver implementations (see ). Catalog updates should be automatic, i.e., when a nameserver that supports catalog zones completes a zone transfer for a catalog zone, it SHOULD apply changes to the catalog within the running nameserver automatically without any manual intervention. As with regular zones, primary and secondary nameservers for a catalog zone may be operated by different administrators. The secondary nameservers may be configured to synchronize catalog zones from the primary, but the primary's administrators may not have any administrative access to the secondaries. A catalog zone can be updated via DNS UPDATE on a reference primary nameserver, or via zone transfers. Nameservers MAY allow loading and transfer of broken zones with incorrect catalog zone syntax (as they are treated as regular zones), but nameservers MUST NOT process such broken zones as catalog zones. For the purpose of catalog processing, the broken catalogs MUST be ignored. If a broken catalog zone was transferred, the newly transferred catalog zone MUST be ignored (but the older copy of the catalog zone SHOULD be left running subject to values in SOA fields). If there is a clash between an existing member zone's name and an incoming member zone's name (via transfer or update), the new instance of the zone MUST be ignored and an error SHOULD be logged. When zones are introduced into a catalog zone, a primary SHOULD first make the new zones available for transfers before making the updated catalog zone available for transfer, or sending NOTIFY for the catalog zone to secondaries. Note that secondary nameservers may attempt to transfer the catalog zone upon refresh timeout, so care must be taken to make the member zones available before any update to the list of member zones is visible in the catalog zone. When zones are deleted from a catalog zone, a primary MAY delete the member zone immediately after notifying secondaries. It is up to the secondary nameserver to handle this condition correctly. TBD: Transitive primary-secondary relationships

TBD: Explain updating catalog zones using DNS UPDATE.

Catalog zones on secondary nameservers would have to be setup manually, perhaps as static configuration, similar to how ordinary DNS zones are configured. Members of such catalog zones will be automatically synchronized by the secondary after the catalog zone is configured. An administrator would want to look at data inside a catalog zone. Typical queries may include dumping the list of member zones, dumping a member zone's effective configuration, querying a specific property value of a member zone, etc. Because of the syntax of catalog zones, it may not be possible to perform these queries intuitively, or in some cases, at all, using DNS QUERY. The list of member zones may not fit in a single DNS message. The set of present properties for a zone cannot be queried using a single DNS QUERY. Implementations are advised to provide a tool that uses either the output of AXFR or an out-of-band method to perform queries on catalog zones.

As catalog zones are transmitted using DNS zone transfers, it is absolutely essential for these transfers to be protected from unexpected modifications on the route. So, it is a requirement that catalog zone transfers SHOULD be authenticated using TSIG . A primary nameserver SHOULD NOT serve a catalog zone for transfer without using TSIG and a secondary nameserver SHOULD abandon an update to a catalog zone that was received without using TSIG. DNS UPDATE to catalog zones similarly SHOULD be authenticated using TSIG. Zone transfers of member zones SHOULD similarly be authenticated using TSIG . The TSIG shared secrets used for member zones MUST NOT be mentioned anywhere in the catalog zone data. However, key identifiers may be shared within catalog zones. Catalog zones do not need to be signed using DNSSEC; their zone transfers being authenticated by TSIG. Signed zones MUST be handled normally by nameservers, and their contents MUST NOT be DNSSEC-validated.

This document has no IANA actions.

Catalog zones originated as the chosen method among various proposals that were evaluated at ISC for easy zone management. The chosen method of storing the catalog as a regular DNS zone was proposed by Stephen Morris. We later discovered that Paul Vixie's earlier proposal implemented a similar approach and reviewed it. Catalog zones borrows some syntax ideas from Metazones, as both share this scheme of representing the catalog as a regular DNS zone. Thanks to Brian Conry, Evan Hunt, and Victoria Risk for reviewing draft proposals and providing support, comments and suggestions. Thanks to BIND users who reviewed draft proposals and offered comments and suggestions.

National Institute of Standards and Technology

A DNS zone containing a DNS catalog, that is, a list of DNS zones and associated template zone configuration common to all member zones. A DNS zone whose configuration is published inside a catalog zone. An authoritative server configured to be the source of zone transfer to one or more [secondary] nameservers. Also see . The hexadecimal format 40-digit SHA-1 digest, of the RDATA of the corresponding RR. For RDATA containing DNS names, no name compression must be in use, i.e., the name must be in its full expanded wire data format when it is hashed. The hexadecimal format 40-digit SHA-1 digest, of a zone name in uncompressed wire format. An authoritative server which uses zone transfer to retrieve the zone. Also see . A configuration parameter of a zone, sometimes also called a zone option.

Config options We want catalog zones to be adopted by multiple DNS implementations. Towards this, we have to generalize zone config options and adopt a minimal set that we can expect most implementations to support. Catalog zone and member zones on different primary nameservers Will it be possible to setup a catalog zone on one nameserver as primary, and allow its member zones to be served by different primary namesservers? Transitive relationships For a catalog zone, a secondary nameserver may be a primary nameserver to a different set of nameservers in a nameserver farm. In these transitive relationships, zone configuration options (such as also-notify and allow-transfer) may differ based on the location of the primary in the hierarchy. It may not be possible to specify this within a catalog zone. Templates Are support for config and zone data templates useful at this level? They would add complexity across implementations. If added, it would be better to restrict templates at the primary nameserver and let the secondary receive regular expanded zones. Overriding controls A way to override zone config options (as prescribed by the catalog zones) on secondary nameservers was requested. As this would be configured outside catalog zones, it may be better to leave this to implementations. Use of hashing Should use of hashing be completely removed, and replaced with the same common owner name for all property RRs in a collection? Both IXFR and DNS UPDATE allow changing individual RRs in a RRset. Choice of hash function Should a different faster hash function be chosen to replace SHA-1 when computing catalog member zone name hashes? Overriding existing RR types This memo currently overrides only the PTR RR TYPE's meaning as PTR is currently used for reverse lookups. But such overridden use seems like a non-issue as PTR is defined to be a pointer to any name in . APL limits APL can only support as many networks as can fit in its RDATA. Though a very large number of networks can be listed in a single RDATA field, it is still limited in size. Will this limitation become a problem for any users?

draft-muks-dnsop-dns-catalog-zones-00 Initial public draft. draft-muks-dnsop-dns-catalog-zones-01 Added Witold, Ray as authors. Fixed typos, consistency issues. Fixed references. Updated Area. Removed newly introduced custom RR TYPEs. Changed schema version to 1. Changed TSIG requirement from MUST to SHOULD. Removed restrictive language about use of DNS QUERY. When zones are introduced into a catalog zone, a primary SHOULD first make the new zones available for transfers first (instead of MUST). Updated examples, esp. use IPv6 in examples per Fred Baker. Add catalog zone example.