mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
840 lines
26 KiB
Plaintext
840 lines
26 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group S.E. Hardcastle-Kille
|
||
Requests for Comments 1279 University College London
|
||
November 1991
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
X.500 and Domains
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Status of this Memo
|
||
This memo defines an Experimental Protocol for the Internet
|
||
community. Discussion and suggestions for improvement are
|
||
requested. Please refer to the current edition of the ``IAB
|
||
Official Protocol Standards'' for the standardization state and
|
||
status of this protocol. Distribution of this memo is unlimited.
|
||
Abstract
|
||
|
||
This RFCconsiders X.500 in relation to Internet and UK Domains.
|
||
A basic model of X.500 providing a higher level and more
|
||
descriptive naming structure is emphasised. In addition, a
|
||
mapping of domains onto X.500 is proposed, which gives a range of
|
||
new management and user facilities over and above those currently
|
||
available. This specification proposes an experimental new
|
||
mechanism to access and manage domain information on the Internet
|
||
and in the UK Academic Community. There is no current intention
|
||
to provide an operational replacement for DNS.
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
1 The Domain Name System
|
||
|
||
The Domain (Nameserver) System (DNS) provides a hierarchical resource
|
||
labelling system [Moc87a] [Moc87b] [Lar83]. Example domains are:
|
||
|
||
MIT.EDU
|
||
VENERA.ISI.EDU
|
||
CS.UCL.AC.UK
|
||
|
||
|
||
Entries usually have a single name, although pointers to entries (not
|
||
subtrees) may be provided by CNAME records. Information (resource
|
||
records) is associated with each entry. Name components are typically
|
||
chosen to be shortish (e.g., ``CS'').
|
||
RFC 822 mailbox names are closely related [Cro82]. For example:
|
||
|
||
|
||
<S.Kille@CS.UCL.AC.UK>
|
||
|
||
The local-part of the RFC 822 mailbox can be considered as one level
|
||
lower in the domain hierarchy.
|
||
|
||
|
||
2 X.500
|
||
|
||
The OSI Directory, usually known as X.500, provides a very general
|
||
naming framework [CCI88]. A basic usage of X.500 is to provide
|
||
Organisationally Structured Names. A Schema for this is defined
|
||
within the standard. Name components will typically have longish
|
||
values. This is an example directory name represented in Tabular
|
||
form:
|
||
|
||
|
||
Country GB
|
||
Organisation University College London
|
||
Organisational Unit Computer Science
|
||
Common Name Stephen E. Hardcastle-Kille
|
||
|
||
This can also be written in the ``User Friendly Name'' notation
|
||
defined in [HK91]. This syntax is used for names in the rest of this
|
||
document:
|
||
|
||
|
||
Stephen E. Hardcastle-Kille, Computer Science,
|
||
|
||
Hardcastle-Kille Page 1
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
University College London, GB
|
||
|
||
This type of structure is termed ``organisational X.500''. This is a
|
||
subset of the general capabilities.
|
||
|
||
|
||
3 The basic model
|
||
|
||
X.500 has as much relation to the DNS as DNS has to ARP. Paul
|
||
Mockapetris
|
||
|
||
|
||
This is, essentially, the position adopted here. The basic model is
|
||
that organisational X.500 is providing a layer of naming at the level
|
||
above domain names. These structured names can be considered to form
|
||
a naming layer above domain names. There are the following key
|
||
differences:
|
||
|
||
o Organisational X.500 tends to use longer and more descriptive
|
||
values
|
||
|
||
o The organisational X.500 DIT is slightly shallower than the DNS
|
||
tree
|
||
|
||
o X.500 has a richer information framework than DNS
|
||
|
||
|
||
These differences suggest that the following should NOT be done:
|
||
|
||
o Represent X.500 information in the DNS
|
||
|
||
o Have an algorithmic mapping between the two hierarchies
|
||
|
||
This note proposes to represent DNS information in the DIT, and to
|
||
provide for a loose coupling between the two trees. This note does
|
||
not propose an equivalencing of X.500 and Domains.
|
||
|
||
The proposed model is illustrated in Figure 1. Both an organisational
|
||
and domain structure is represented in the DIT, by use of appropriate
|
||
object classes and attribute types. A weak linkage is provided
|
||
between the two parts of the tree by use of special attributes. Here,
|
||
the linkage is 1:1, but it may be more complex for some parts of the
|
||
organisational DIT or domain namespace. The linkage is achieved by
|
||
use of special attributes, as described in Section 11.
|
||
|
||
Hardcastle-Kille Page 2
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
j jZ Z
|
||
|
||
j j ZZ
|
||
jj Z Z
|
||
jjj ZZ
|
||
|
||
Domain Component=UK Country Name=GB
|
||
|
|
||
|
|
||
|
|
||
Domain Component=AC Organisation Name=Univeristy College London
|
||
|
||
* BB
|
||
ss BBB
|
||
|
||
Domain Component=UCL Org Unit Name=Computer Science
|
||
| *
|
||
|
||
|| ss
|
||
Domain Component=CS Common Name=Steve Kille
|
||
|
||
| *
|
||
| ss
|
||
|
||
Domain Component=S.Kille
|
||
Figure 1: Example X.500 tree
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hardcastle-Kille Page 3
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
4 Representing Domains in X.500
|
||
|
||
Domains are at the level below X.500 names of the form illustrated in
|
||
the previous section. However, it is also possible to use X.500 in
|
||
other ways. In particular, there are benefits from representing
|
||
Domains in X.500. Note that this is very different to equivalencing,
|
||
as no attempt is made to represent X.500 information within the domain
|
||
scheme. There are the following potential advantages:
|
||
|
||
|
||
o Domain Services (DNS and NRS) could be replaced with an OSI
|
||
service (some may not view this as an advantage). This is
|
||
particularly attractive for OSI services, where use of a non-OSI
|
||
directory may be inappropriate.
|
||
|
||
o For Internet sites, access to domain information (beyond MX
|
||
records) could be provided for systems registered remotely. For
|
||
UK Academic Community sites, access to domain information for
|
||
domains not registered in the NRS could be given. For sites
|
||
neither on the Internet nor in the UK Academic Community there
|
||
will usually be even more of an advantage, as they usually have
|
||
very limited information on domains.
|
||
|
||
o Assuming that information is downloaded from an X.500 database
|
||
into a DNS or NRS system, the remote management facilities of
|
||
X.500 could be used. This is possible because of the extra
|
||
security features of X.500.
|
||
|
||
Note: For initial work, the converse situation of information
|
||
being mastered in Domain Databases and uploaded into the X.500
|
||
DIT is more likely.
|
||
|
||
o User access to the domain data, and in particular searching, could
|
||
be provided. This would allow users to browse the domain
|
||
namespace, and to determine information associated with the
|
||
domains.
|
||
|
||
o The X.500 framework would allow for additional management
|
||
information to be stored, and to relate the domain names into a
|
||
more complex structure of information. For example, this might
|
||
allow for the managers of a system to be identified, and
|
||
information on how to contact the manager.
|
||
|
||
|
||
|
||
Hardcastle-Kille Page 4
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
o A facility to map RFC 822 mailbox into a Directory Name (and thus
|
||
access other user information on the basis of this key) could be
|
||
provided. This may be useful for the user to determine
|
||
information about a message originator.
|
||
|
||
o This technique may be useful to facilitate introduction of
|
||
security, as it will enable certificates to be associated with
|
||
domains and mailboxes. This may be very useful for the privacy
|
||
enchanced mail work [Lin89].
|
||
|
||
|
||
5 Representing Domain Names
|
||
|
||
A new attribute syntax is defined:
|
||
|
||
|
||
CaseIgnoreIA5StringSyntax ATTRIBUTE-SYNTAX
|
||
IA5String
|
||
MATCHES FOR EQUALITY SUBSTRINGS ORDERING
|
||
|
||
|
||
A new attribute and two new object classes are defined:
|
||
|
||
|
||
DomainComponent ATTRIBUTE
|
||
WITH ATTRIBUTE-SYNTAX caseIgnoreIA5StringSyntax
|
||
SINGLE VALUE
|
||
|
||
Domain OBJECT-CLASS
|
||
SUBCLASS OF top
|
||
MUST CONTAIN -DomainComponent"
|
||
MAY CONTAIN -AssociatedName,
|
||
organizationName,
|
||
organizationalAttributeSet,
|
||
manager"
|
||
|
||
RFC822Mailbox OBJECT-CLASS
|
||
SUBCLASS OF Domain
|
||
MAY CONTAIN -commonName,
|
||
surname,
|
||
description,
|
||
telephoneNumber,
|
||
postalAttributeSet,
|
||
telecommunicationAttributeSet "
|
||
|
||
Hardcastle-Kille Page 5
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
Note that the attribute AssociatedName is defined in Section 11. The
|
||
manager attribute is defined in the COSINE and Internet naming
|
||
architecture [BHK91]. It allows a manager to be associated with the
|
||
domain, which is useful where the manager of the domain is different
|
||
to the manager of the object defined by the AssociatedName. This will
|
||
allow any domain to be represented in an X.500 hierarchy. The local
|
||
part of an RFC 822 mailbox is treated as a special sort of domain
|
||
component, and so these can be represented in the tree as a natural
|
||
extension of the hierarchy.
|
||
For example, consider the mailbox S.Kille@cs.ucl.ac.uk. This will
|
||
lead to the following structure in the DIT:
|
||
|
||
___________________________________________
|
||
|_Object_Class__|RDN_Type________|RDN_Value_|
|
||
| Domain |DomainComponent |UK |
|
||
| Domain |DomainComponent |AC |
|
||
| Domain |DomainComponent |UCL |
|
||
| Domain |DomainComponent |CS |
|
||
|_RFC822Mailbox_|DomainComponent_|S.Kille__ |
|
||
|
||
This can be represented in User Friendly Name format as:
|
||
|
||
|
||
DomainComponent=S.Kille, DomainComponent=CS, DomainComponent=UCL,
|
||
DomainComponent=AC, DomainComponent=UK
|
||
|
||
Note that the RFC822Mailbox Object Class is a subclass of Domain.
|
||
Some attributes are allowed to be associated with these objects.
|
||
There may be other additional management attributes which it is useful
|
||
to define (e.g., Machine Type, Owner, Location etc.). This allows
|
||
some information which truly belongs to the domain to be represented
|
||
there. It also allows for further information to be associated with
|
||
the domain/mailbox when there is not a relevant part of the
|
||
organisationally structure DIT to be pointed at. When there is an
|
||
associated part of the DIT, information from that part of the DIT
|
||
should not be duplicated in the domain entry.
|
||
|
||
|
||
6 Wildcards
|
||
|
||
|
||
Wildcards are supported by having "*" as a special domain component
|
||
name. If there is a need to emulate wildcard matching using the
|
||
directory, the following algorithm must be employed. For example, the
|
||
|
||
Hardcastle-Kille Page 6
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
wildcard entry for *.*.PODUNK.COM would be represented in the DIT as:
|
||
|
||
DomainComponent=*, DomainComponent=*,
|
||
DomainComponent=MIT, DomainComponent=COM
|
||
|
||
|
||
If A.B.PODUNK.COM is looked up in the directory, the query will fail
|
||
and indicate that two components are matched. A substitution should
|
||
be made, and *.*.PODUNK.COM looked up explicitly to identify the
|
||
associated information.
|
||
|
||
|
||
7 DNS Information
|
||
|
||
DNS information can be associated with an entry in the DIT. It is
|
||
important that this is done in a manner which is exactly equivalent to
|
||
the information stored in the DNS. This will allow the DIT to have
|
||
information loaded from the DNS or vice versa. All (authoritative)
|
||
records associated with a domain will be stored in the DIT. There is
|
||
no attempt made by the OSI Directory to emulate DNS caching or TTL
|
||
handling. It is assumed that the master entries are maintained by use
|
||
of DNS Zone Transfer (or equivalent), and that they can be treated as
|
||
authoritative. There is a need to define an attribute syntax which
|
||
represents a DNS record. This then allows DNS records to be stored in
|
||
the DIT. There are three possible encodings of this record:
|
||
|
||
ASN.1 Encoded This is the most natural approach in terms of X.500.
|
||
However, it would require all users of this service to handle the
|
||
new syntax, which would be awkward. There is a problem with
|
||
handling the resource format in a general manner.
|
||
|
||
DNS Binary Encoded Use the formally defined record syntax. This
|
||
would be convenient for access to the data by DNS related
|
||
software, but would be an awkward encoding for independent X.500
|
||
DUAs.
|
||
|
||
Text encoded Use of a text encoding derived from the DNS
|
||
specifications. This is straightforward to map onto DNS protocol,
|
||
and easy to support in a naive X.500 DUA. This approach is chosen.
|
||
|
||
|
||
The syntax is defined in IA5 characters. The BNF of the record uses
|
||
the definitions of section 5.1 of RFC 1035. It is
|
||
|
||
|
||
Hardcastle-Kille Page 7
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
<rr> [ ";" <comment> ]
|
||
|
||
Three examples of this (for domain C.ISI.EDU) might be:
|
||
|
||
|
||
500 A 10.1.0.52 ; Basic address record
|
||
IN 600 MX 10 VENERA.ISI.EDU. ; MX record
|
||
600 IN MX 10 VENERA.ISI.EDU. ; MX record - other order
|
||
|
||
Note that:
|
||
|
||
|
||
o The class and TTL may be in either order (following RFC 1035)
|
||
|
||
o The class defaults to IN
|
||
|
||
o Domains must always be fully specified (i.e., master file
|
||
abbreviate rules are not used).
|
||
|
||
o The TTL for a record must always be present (this saves looking at
|
||
the parent entry to find the SOA record).
|
||
|
||
o Records (e.g., SOA) may be multiline. Lines should be separated
|
||
with the two IA5 characters <CR><LF>.
|
||
|
||
CNAME records are mapped symmetrically onto Directory Aliases.
|
||
|
||
This is now defined in terms of attribute and object class
|
||
definitions. A single record type is defined, as opposed to one
|
||
attribute type per record type. This allows the definition to not
|
||
require extension when new DNS Record types are define. However,
|
||
there is some loss of efficiency if only a single record type is
|
||
needed, as filtering must be done by the DUA.
|
||
Similarly, no distinction is made on the basis of DNS class. This
|
||
means that if there are two class hierarchies, that they must be
|
||
represented in a single DIT, and that information for different
|
||
classes must be separated by DUA filtering.
|
||
|
||
|
||
DNSDomain OBJECT-CLASS
|
||
SUBCLASS OF Domain
|
||
MAY CONTAIN -
|
||
DNSRecord "
|
||
|
||
|
||
Hardcastle-Kille Page 8
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
DNSRecord ATTRIBUTE
|
||
ATTRIBUTE-SYNTAX IA5String
|
||
MATCHES FOR EQUALITY
|
||
|
||
|
||
Lookup of a domain is achieved by translating it algorithmically to a
|
||
Distinguished Name (DN), and reading back attributes desired. This
|
||
information can be managed and searched in a straightforward fashion.
|
||
|
||
The information may also be downloaded into a DNS database. This
|
||
should be done by use of zone transfer. A tool to perform zone
|
||
transfer (in both directions) between a DNS Server and a DSA would
|
||
seem to be both straightforward and useful. This would be a key tool
|
||
in a transition to X.500 based management of the DNS. It would also
|
||
allow a large part of the DNS namespace to be rapidly made available
|
||
in an X.500 pilot.
|
||
Inverse information can be derived by the usual IN-ADDR domain, which
|
||
will be represented in the same manner in the DIT.
|
||
|
||
|
||
8 NRS Information
|
||
|
||
Information associated with the UK NRS (Name Registration Scheme) can
|
||
be handled in a similar manner [Lar83]. This is being developed in a
|
||
separate document by Alan Turland.
|
||
|
||
|
||
9 Application Entity Titles
|
||
|
||
In many cases, Application entities will be closely related to
|
||
domains. In some cases, it may be appropriate to give Application
|
||
Entities names which are related to the DNS part of the DIT. In this
|
||
case, the Domain Name will be used to identify the application, and
|
||
the entry for the domain will also be of object class Application
|
||
Process. The children of this entry will identify Application
|
||
Entities, with names such as ``FTAM Service''.
|
||
|
||
|
||
10 Networks
|
||
|
||
|
||
It is clearly useful to represent networks within the DIT. A short
|
||
note on how to do this is given here. It is likely that this
|
||
specification will later be evolved in a separate document. This
|
||
|
||
Hardcastle-Kille Page 9
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
defines an Object Class for a general network, and shows how it can be
|
||
subclassed to define technology specific networks.
|
||
|
||
Network OBJECT-CLASS
|
||
SUBCLASS OF TOP
|
||
MAY CONTAIN -
|
||
Manager,
|
||
Locality,
|
||
Description "
|
||
|
||
IPNetwork OBJECT-CLASS
|
||
SUBCLASS OF Network
|
||
MUST CONTAIN -AssociatedDomain"
|
||
|
||
|
||
The Network Object Class allows networks to be defined, and for useful
|
||
attributes to be associated with the entry. A network will often
|
||
appear in more than one organisational structure, and this linkage
|
||
should be achieved by use of aliases. This grouping can facilitate
|
||
management of networks.
|
||
The subclass IPNetwork mandates linkage into the DNS part of the DIT.
|
||
This will be represented in the DIT using the structures of RFC 1101
|
||
[Moc89]. Both of the domains which identify the network should be
|
||
represented in the Object Class. For example, a network might have
|
||
the (user friendly) name:
|
||
|
||
UCL-Ethernet, University College London, GB
|
||
|
||
|
||
This would have associated domains 0.0.40.128.IN-ADDR.ARPA and
|
||
UCL-ETHERNET.UCL.AC.UK. These would both have the analogous DIT
|
||
representations. For example:
|
||
|
||
DomainComponent=0, DomainComponent=0, DomainComponent=40,
|
||
DomainComponent=128, DomainComponent=IN-ADDR, DomainComponent=ARPA
|
||
|
||
|
||
11 Linkage
|
||
|
||
|
||
There is a need to associate the organisational X.500 DIT and the DNS
|
||
tree. The objects represented are different (Domain 6= Organisation;
|
||
Person 6= RFC 822 Mailbox). Therefore aliasing is not an appropriate
|
||
linkage. However, in many cases, there is a linkage which is rather
|
||
|
||
Hardcastle-Kille Page 10
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
stronger than that implied by the seeAlso attribute. Therefore, we
|
||
define new attributes, which represent this stronger cross-linkage.
|
||
The same mechanism can be used to link a domains with an Application
|
||
Entity or an Application Process.
|
||
Links from the organisational X.500 DIT to the DNS tree are provided
|
||
by a new attribute, which could be present in Organisation or
|
||
Organisational Unit entries.
|
||
|
||
|
||
ObjectWithAssociatedDomain OBJECT-CLASS
|
||
SUBCLASS OF top
|
||
MUST CONTAIN -AssociatedDomain"
|
||
|
||
AssociatedDomain ATTRIBUTE
|
||
WITH ATTRIBUTE-SYNTAX ia5StringSyntax
|
||
|
||
For example, the organisational entry:
|
||
|
||
University College London, GB
|
||
|
||
|
||
would have an attribute:
|
||
|
||
AssociatedDomain = UCL.AC.UK
|
||
|
||
|
||
Similarly, an RFC 822 mailbox attribute is used to link entries of
|
||
Person Object Class to their associated DNS entry. This attribute is
|
||
defined in the Cosine and Internet Naming Architecture [BHK91].
|
||
Conversely, there are pointers from the DNS represented tree into the
|
||
organisational X.500 DIT:
|
||
|
||
|
||
AssociatedName ATTRIBUTE
|
||
WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
|
||
|
||
This attribute is associated with the Domain object class.
|
||
|
||
This entry is used to provide linkage from the DNS X.500 Hierarchy
|
||
into the organisational X.500 hierarchy. Where such entries do not
|
||
exist, attributes in the DNS entry (such as phone number) may be used.
|
||
It is recommended that information is not duplicated. The preferred
|
||
setup is for the DNS attributes to be rather skeletal, with pointers
|
||
into the organisational X.500 DIT.
|
||
|
||
Hardcastle-Kille Page 11
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
For example, the domain UCL.AC.UK would be represented in the DIT as:
|
||
|
||
DomainComponent=UCL, DomainComponent=AC,
|
||
DomainComponent=UK
|
||
|
||
|
||
This entry would have in it an AssociatedName attribute with value:
|
||
|
||
University College London, GB
|
||
|
||
|
||
This example shows a simple case with 1:1 linkage. There are cases
|
||
where a domain might be associated with multiple organisations, or an
|
||
organisation with multiple domains.
|
||
|
||
|
||
12 Conclusions and proposals for evaluation
|
||
|
||
Experiments should be undertaken to determine the practicality and
|
||
utility of this scheme, in a pilot environment. A possible approach
|
||
to this experimentation is described in Appendix A.
|
||
Object Identifiers have been assigned for this purpose in the Cosine
|
||
and Internet Naming Architecture [BHK91].
|
||
|
||
|
||
References
|
||
|
||
[BHK91] P. Barker and S.E. Hardcastle-Kille. The COSINE and Internet
|
||
X.500 schema. Request for Comments RFC 1274, Department of
|
||
Computer Science, University College London, November 1991.
|
||
|
||
[CCI88] The Directory --- overview of concepts, models and services,
|
||
December 1988. CCITT X.500 Series Recommendations.
|
||
|
||
[Cro82] D.H. Crocker. Standard of the format of ARPA internet text
|
||
messages. Request for Comments 822, University of Delaware,
|
||
August 1982.
|
||
|
||
[HK91] S.E. Hardcastle-Kille. Using the OSI directory to achieve
|
||
user friendly naming. Request for Comments in preparation,
|
||
Department of Computer Science, University College London,
|
||
November 1991.
|
||
|
||
|
||
|
||
Hardcastle-Kille Page 12
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
[Lar83] J. Larmouth. JNT name registration technical guide, April
|
||
1983.
|
||
|
||
[Lin89] J. Linn. Privacy Enhancement for Internet Electronic Mail:
|
||
Part 1 --- Message Encipherment and Authentication
|
||
Procedures. Request for Comments 1113, Bolt, Beranek, and
|
||
Newman, August 1989.
|
||
|
||
[Moc87a] P. Mockapetris. Domain names - concepts and facilities.
|
||
Request for Comments RFC 1034, USC/Information Sciences
|
||
Institute, November 1987.
|
||
|
||
[Moc87b] P. Mockapetris. Domain names - implementation and
|
||
specification. Request for Comments RFC 1035,
|
||
USC/Information Sciences Institute, November 1987.
|
||
|
||
[Moc89] P. Mockapetris. DNS encoding of network names and other
|
||
types. Request for Comments RFC 1101, USC/Information
|
||
Sciences Institute, April 1989.
|
||
|
||
|
||
13 Security Considerations
|
||
|
||
This memo does not directly address security issues. However, due to
|
||
the facilities of X.500, this proposal could lead to a more secure way
|
||
to access and manage domain information.
|
||
|
||
|
||
14 Author's Address
|
||
|
||
Steve Hardcastle-Kille
|
||
Department of Computer Science
|
||
University College London
|
||
Gower Street
|
||
WC1E 6BT
|
||
England
|
||
|
||
Phone: +44-71-380-7294
|
||
|
||
|
||
EMail: S.Kille@CS.UCL.AC.UK
|
||
|
||
|
||
|
||
|
||
Hardcastle-Kille Page 13
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
A Possible Deployment Approach
|
||
|
||
This appendix notes a possible approach to deploying an experiment to
|
||
evaluate this mechanism. The following components of a possible
|
||
experiment are noted.
|
||
|
||
|
||
1. User tool. This will take a domain or mailbox as input. This
|
||
will be looked up in the DIT. This tool should be capable of:
|
||
|
||
o Attempting to correct user input
|
||
|
||
o Helping browsing
|
||
|
||
o Looking up information associated with the domain (or mailbox)
|
||
and associated name, in particular the manager (of both domain
|
||
and associated name) and information on the manager (e.g.,
|
||
phone number and mailbox).
|
||
|
||
o Supply DNS records
|
||
|
||
o Handle IN-ADDR.ARPA inverse lookups if supplied with an IP
|
||
Address
|
||
|
||
o Look up networks
|
||
|
||
2. A procedural library to allow user interfaces to make easy use of
|
||
these facilities.
|
||
|
||
3. Zone transfer tool. This will use the zone transfer protocol to
|
||
transfer information between a DSA and Domain Nameserver. When
|
||
writing to the DSA, attributes in an entry which are not DNS
|
||
records should remain untouched.
|
||
|
||
4. Linkage patching tool. When the organisational DIT is
|
||
established, associated domain pointers are usually inserted. A
|
||
tool can be written to search the DIT and insert the reverse
|
||
pointers.
|
||
|
||
5. DNS Manager Tool. This will allow user addition of additional
|
||
information into the DNS part of the DIT. A standard DUA can
|
||
probably be used for this.
|
||
|
||
|
||
|
||
Hardcastle-Kille Page 14
|
||
|
||
|
||
|
||
|
||
RFC 1279 X.500 and Domains November 1991
|
||
|
||
|
||
6. Mailbox download tool. This will allow download of local
|
||
mailboxes, with pointers to the user entries.
|
||
|
||
7. Emulation DNS Server, using the Directory as a database. The
|
||
server should maintain a permanent connection to its local DSA. As
|
||
there is no OSI bind, the response of this server can be at least
|
||
as fast as a normal DNS server. There can be two variants of this
|
||
server.
|
||
|
||
(a) Using a local DSA as a local database but using DNS
|
||
distributed operations.
|
||
|
||
(b) Do all lookups in the directory (using Directory Distributed
|
||
Operations).
|
||
|
||
An initial experiment is straightforward. The Zone Transfer Tool (3)
|
||
can be used to download a large part of the DNS space into a single
|
||
DSA (there will be some restrictions, as parts of the DNS hierarchy do
|
||
not permit zone transfer). This can be used repeatedly to maintain
|
||
the information. The linkage patching tool (4) can be used to put in
|
||
pointers to parts of the DIT. The user tool can then be used (by all
|
||
sites participation the the directory pilot) to look up domain
|
||
information. This will allow the utility of the approach to be
|
||
evaluated. The manager tool (5) will allow extra information to be
|
||
added to parts of the DNS tree.
|
||
|
||
The next stage will be to distribute the DNS part of the DIT over
|
||
multiple DSAs using Directory distribution techniques.
|
||
The emulation DNS Server (7) will be useful to ensure that equivalent
|
||
functionality is being offered by the Directory. It can also be used
|
||
to examine performance differences.
|
||
A final step is to master some parts of the DNS hierarchy in the DIT.
|
||
Because of the zone transfer technique, this will be entirely
|
||
transparent to the DNS user. Management benefits can then be
|
||
examined.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hardcastle-Kille Page 15
|
||
|