in Index   Prev   Next

RFC 8499

DNS Terminology

Pages: 50
Best Current Practice: 219
Obsoletes:  7719
Updates:  2308
Part 2 of 4 – Pages 16 to 28
First   Prev   Next

Top   ToC   RFC8499 - Page 16   prevText

6. DNS Servers and Clients

This section defines the terms used for the systems that act as DNS clients, DNS servers, or both. In past RFCs, DNS servers are sometimes called "name servers", "nameservers", or just "servers". There is no formal definition of "DNS server", but RFCs generally assume that it is an Internet server that listens for queries and sends responses using the DNS protocol defined in [RFC1035] and its successors. It is important to note that the terms "DNS server" and "name server" require context in order to understand the services being provided. Both authoritative servers and recursive resolvers are often called "DNS servers" and "name servers" even though they serve different roles (but may be part of the same software package). For terminology specific to the public DNS root server system, see [RSSAC026]. That document defines terms such as "root server", "root server operator", and terms that are specific to the way that the root zone of the public DNS is served. Resolver: A program "that extract[s] information from name servers in response to client requests." (Quoted from [RFC1034], Section 2.4) A resolver performs queries for a name, type, and class, and receives responses. The logical function is called "resolution". In practice, the term is usually referring to some specific type of resolver (some of which are defined below), and understanding the use of the term depends on understanding the context. A related term is "resolve", which is not formally defined in [RFC1034] or [RFC1035]. An imputed definition might be "asking a question that consists of a domain name, class, and type, and receiving some sort of response". Similarly, an imputed definition of "resolution" might be "the response received from resolving".
Top   ToC   RFC8499 - Page 17
   Stub resolver:  A resolver that cannot perform all resolution itself.
      Stub resolvers generally depend on a recursive resolver to
      undertake the actual resolution function.  Stub resolvers are
      discussed but never fully defined in Section 5.3.1 of [RFC1034].
      They are fully defined in Section of [RFC1123].

   Iterative mode:  A resolution mode of a server that receives DNS
      queries and responds with a referral to another server.
      Section 2.3 of [RFC1034] describes this as "The server refers the
      client to another server and lets the client pursue the query."  A
      resolver that works in iterative mode is sometimes called an
      "iterative resolver".  See also "iterative resolution" later in
      this section.

   Recursive mode:  A resolution mode of a server that receives DNS
      queries and either responds to those queries from a local cache or
      sends queries to other servers in order to get the final answers
      to the original queries.  Section 2.3 of [RFC1034] describes this
      as "the first server pursues the query for the client at another
      server".  Section 4.3.1 of [RFC1034] says: "in [recursive] mode
      the name server acts in the role of a resolver and returns either
      an error or the answer, but never referrals."  That same section
      also says:

         The recursive mode occurs when a query with RD set arrives at a
         server which is willing to provide recursive service; the
         client can verify that recursive mode was used by checking that
         both RA and RD are set in the reply.

      A server operating in recursive mode may be thought of as having a
      name server side (which is what answers the query) and a resolver
      side (which performs the resolution function).  Systems operating
      in this mode are commonly called "recursive servers".  Sometimes
      they are called "recursive resolvers".  In practice, it is not
      possible to know in advance whether the server that one is
      querying will also perform recursion; both terms can be observed
      in use interchangeably.

   Recursive resolver:  A resolver that acts in recursive mode.  In
      general, a recursive resolver is expected to cache the answers it
      receives (which would make it a full-service resolver), but some
      recursive resolvers might not cache.

      [RFC4697] tried to differentiate between a recursive resolver and
      an iterative resolver.
Top   ToC   RFC8499 - Page 18
   Recursive query:  A query with the Recursion Desired (RD) bit set to
      1 in the header.  (See Section 4.1.1 of [RFC1035].)  If recursive
      service is available and is requested by the RD bit in the query,
      the server uses its resolver to answer the query.  (See
      Section 4.3.2 of [RFC1034].)

   Non-recursive query:  A query with the Recursion Desired (RD) bit set
      to 0 in the header.  A server can answer non-recursive queries
      using only local information: the response contains either an
      error, the answer, or a referral to some other server "closer" to
      the answer.  (See Section 4.3.1 of [RFC1034].)

   Iterative resolution:  A name server may be presented with a query
      that can only be answered by some other server.  The two general
      approaches to dealing with this problem are "recursive", in which
      the first server pursues the query on behalf of the client at
      another server, and "iterative", in which the server refers the
      client to another server and lets the client pursue the query
      there.  (See Section 2.3 of [RFC1034].)

      In iterative resolution, the client repeatedly makes non-recursive
      queries and follows referrals and/or aliases.  The iterative
      resolution algorithm is described in Section 5.3.3 of [RFC1034].

   Full resolver:  This term is used in [RFC1035], but it is not defined
      there.  RFC 1123 defines a "full-service resolver" that may or may
      not be what was intended by "full resolver" in [RFC1035].  This
      term is not properly defined in any RFC.

   Full-service resolver:  Section of [RFC1123] defines this
      term to mean a resolver that acts in recursive mode with a cache
      (and meets other requirements).

   Priming:  "The act of finding the list of root servers from a
      configuration that lists some or all of the purported IP addresses
      of some or all of those root servers."  (Quoted from [RFC8109],
      Section 2) In order to operate in recursive mode, a resolver needs
      to know the address of at least one root server.  Priming is most
      often done from a configuration setting that contains a list of
      authoritative servers for the root zone.

   Root hints:  "Operators who manage a DNS recursive resolver typically
      need to configure a 'root hints file'.  This file contains the
      names and IP addresses of the authoritative name servers for the
      root zone, so the software can bootstrap the DNS resolution
      process.  For many pieces of software, this list comes built into
      the software."  (Quoted from [IANA_RootFiles]) This file is often
      used in priming.
Top   ToC   RFC8499 - Page 19
   Negative caching:  "The storage of knowledge that something does not
      exist, cannot or does not give an answer."  (Quoted from
      [RFC2308], Section 1)

   Authoritative server:  "A server that knows the content of a DNS zone
      from local knowledge, and thus can answer queries about that zone
      without needing to query other servers."  (Quoted from [RFC2182],
      Section 2) An authoritative server is named in the NS ("name
      server") record in a zone.  It is a system that responds to DNS
      queries with information about zones for which it has been
      configured to answer with the AA flag in the response header set
      to 1.  It is a server that has authority over one or more DNS
      zones.  Note that it is possible for an authoritative server to
      respond to a query without the parent zone delegating authority to
      that server.  Authoritative servers also provide "referrals",
      usually to child zones delegated from them; these referrals have
      the AA bit set to 0 and come with referral data in the Authority
      and (if needed) the Additional sections.

   Authoritative-only server:  A name server that only serves
      authoritative data and ignores requests for recursion.  It will
      "not normally generate any queries of its own.  Instead it answers
      non-recursive queries from iterative resolvers looking for
      information in zones it serves."  (Quoted from [RFC4697],
      Section 2.4) In this case, "ignores requests for recursion" means
      "responds to requests for recursion with responses indicating that
      recursion was not performed".

   Zone transfer:  The act of a client requesting a copy of a zone and
      an authoritative server sending the needed information.  (See
      Section 7 for a description of zones.)  There are two common
      standard ways to do zone transfers: the AXFR ("Authoritative
      Transfer") mechanism to copy the full zone (described in
      [RFC5936], and the IXFR ("Incremental Transfer") mechanism to copy
      only parts of the zone that have changed (described in [RFC1995]).
      Many systems use non-standard methods for zone transfer outside
      the DNS protocol.

   Slave server:  See "Secondary server".

   Secondary server:  "An authoritative server which uses zone transfer
      to retrieve the zone."  (Quoted from [RFC1996], Section 2.1)
      Secondary servers are also discussed in [RFC1034].  [RFC2182]
      describes secondary servers in more detail.  Although early DNS
      RFCs such as [RFC1996] referred to this as a "slave", the current
      common usage has shifted to calling it a "secondary".

   Master server:  See "Primary server".
Top   ToC   RFC8499 - Page 20
   Primary server:  "Any authoritative server configured to be the
      source of zone transfer for one or more [secondary] servers."
      (Quoted from [RFC1996], Section 2.1) Or, more specifically,
      [RFC2136] calls it "an authoritative server configured to be the
      source of AXFR or IXFR data for one or more [secondary] servers".
      Primary servers are also discussed in [RFC1034].  Although early
      DNS RFCs such as [RFC1996] referred to this as a "master", the
      current common usage has shifted to "primary".

   Primary master:  "The primary master is named in the zone's SOA MNAME
      field and optionally by an NS RR."  (Quoted from [RFC1996],
      Section 2.1) [RFC2136] defines "primary master" as "Master server
      at the root of the AXFR/IXFR dependency graph.  The primary master
      is named in the zone's SOA MNAME field and optionally by an NS RR.
      There is by definition only one primary master server per zone."

      The idea of a primary master is only used in [RFC1996] and
      [RFC2136].  A modern interpretation of the term "primary master"
      is a server that is both authoritative for a zone and that gets
      its updates to the zone from configuration (such as a master file)
      or from UPDATE transactions.

   Stealth server:  This is "like a slave server except not listed in an
      NS RR for the zone."  (Quoted from [RFC1996], Section 2.1)

   Hidden master:  A stealth server that is a primary server for zone
      transfers.  "In this arrangement, the master name server that
      processes the updates is unavailable to general hosts on the
      Internet; it is not listed in the NS RRset."  (Quoted from
      [RFC6781], Section 3.4.3) An earlier RFC, [RFC4641], said that the
      hidden master's name "appears in the SOA RRs MNAME field",
      although, in some setups, the name does not appear at all in the
      public DNS.  A hidden master can also be a secondary server for
      the zone itself.

   Forwarding:  The process of one server sending a DNS query with the
      RD bit set to 1 to another server to resolve that query.
      Forwarding is a function of a DNS resolver; it is different than
      simply blindly relaying queries.

      [RFC5625] does not give a specific definition for forwarding, but
      describes in detail what features a system that forwards needs to
      support.  Systems that forward are sometimes called "DNS proxies",
      but that term has not yet been defined (even in [RFC5625]).
Top   ToC   RFC8499 - Page 21
   Forwarder:  Section 1 of [RFC2308] describes a forwarder as "a
      nameserver used to resolve queries instead of directly using the
      authoritative nameserver chain".  [RFC2308] further says "The
      forwarder typically either has better access to the internet, or
      maintains a bigger cache which may be shared amongst many
      resolvers."  That definition appears to suggest that forwarders
      normally only query authoritative servers.  In current use,
      however, forwarders often stand between stub resolvers and
      recursive servers.  [RFC2308] is silent on whether a forwarder is
      iterative-only or can be a full-service resolver.

   Policy-implementing resolver:  A resolver acting in recursive mode
      that changes some of the answers that it returns based on policy
      criteria, such as to prevent access to malware sites or
      objectionable content.  In general, a stub resolver has no idea
      whether upstream resolvers implement such policy or, if they do,
      the exact policy about what changes will be made.  In some cases,
      the user of the stub resolver has selected the policy-implementing
      resolver with the explicit intention of using it to implement the
      policies.  In other cases, policies are imposed without the user
      of the stub resolver being informed.

   Open resolver:  A full-service resolver that accepts and processes
      queries from any (or nearly any) client.  This is sometimes also
      called a "public resolver", although the term "public resolver" is
      used more with open resolvers that are meant to be open, as
      compared to the vast majority of open resolvers that are probably
      misconfigured to be open.  Open resolvers are discussed in

   Split DNS:  The terms "split DNS" and "split-horizon DNS" have long
      been used in the DNS community without formal definition.  In
      general, they refer to situations in which DNS servers that are
      authoritative for a particular set of domains provide partly or
      completely different answers in those domains depending on the
      source of the query.  The effect of this is that a domain name
      that is notionally globally unique nevertheless has different
      meanings for different network users.  This can sometimes be the
      result of a "view" configuration, described below.

      Section 3.8 of [RFC2775] gives a related definition that is too
      specific to be generally useful.

   View:  A configuration for a DNS server that allows it to provide
      different responses depending on attributes of the query, such as
      for "split DNS".  Typically, views differ by the source IP address
      of a query, but can also be based on the destination IP address,
      the type of query (such as AXFR), whether it is recursive, and so
Top   ToC   RFC8499 - Page 22
      on.  Views are often used to provide more names or different
      addresses to queries from "inside" a protected network than to
      those "outside" that network.  Views are not a standardized part
      of the DNS, but they are widely implemented in server software.

   Passive DNS:  A mechanism to collect DNS data by storing DNS
      responses from name servers.  Some of these systems also collect
      the DNS queries associated with the responses, although doing so
      raises some privacy concerns.  Passive DNS databases can be used
      to answer historical questions about DNS zones such as which
      values were present at a given time in the past, or when a name
      was spotted first.  Passive DNS databases allow searching of the
      stored records on keys other than just the name and type, such as
      "find all names which have A records of a particular value".

   Anycast:  "The practice of making a particular service address
      available in multiple, discrete, autonomous locations, such that
      datagrams sent are routed to one of several available locations."
      (Quoted from [RFC4786], Section 2) See [RFC4786] for more detail
      on Anycast and other terms that are specific to its use.

   Instance:  "When anycast routing is used to allow more than one
      server to have the same IP address, each one of those servers is
      commonly referred to as an 'instance'."  It goes on to say: "An
      instance of a server, such as a root server, is often referred to
      as an 'Anycast instance'."  (Quoted from [RSSAC026])

   Privacy-enabling DNS server:  "A DNS server that implements DNS over
      TLS [RFC7858] and may optionally implement DNS over DTLS
      [RFC8094]."  (Quoted from [RFC8310], Section 2) Other types of DNS
      servers might also be considered privacy-enabling, such as those
      running DNS over HTTPS [RFC8484].

7. Zones

This section defines terms that are used when discussing zones that are being served or retrieved. Zone: "Authoritative information is organized into units called ZONEs, and these zones can be automatically distributed to the name servers which provide redundant service for the data in a zone." (Quoted from [RFC1034], Section 2.4) Child: "The entity on record that has the delegation of the domain from the Parent." (Quoted from [RFC7344], Section 1.1)
Top   ToC   RFC8499 - Page 23
   Parent:  "The domain in which the Child is registered."  (Quoted from
      [RFC7344], Section 1.1) Earlier, "parent name server" was defined
      in [RFC0882] as "the name server that has authority over the place
      in the domain name space that will hold the new domain".  (Note
      that [RFC0882] was obsoleted by [RFC1034] and [RFC1035].)
      [RFC819] also has some description of the relationship between
      parents and children.


      There are two different uses for this term:

      (a)  "The domain name that appears at the top of a zone (just
           below the cut that separates the zone from its parent)... The
           name of the zone is the same as the name of the domain at the
           zone's origin."  (Quoted from [RFC2181], Section 6) These
           days, this sense of "origin" and "apex" (defined below) are
           often used interchangeably.

      (b)  The domain name within which a given relative domain name
           appears in zone files.  Generally seen in the context of
           "$ORIGIN", which is a control entry defined in [RFC1035],
           Section 5.1, as part of the master file format.  For example,
           if the $ORIGIN is set to "", then a master file
           line for "www" is in fact an entry for "".

   Apex:  The point in the tree at an owner of an SOA and corresponding
      authoritative NS RRset.  This is also called the "zone apex".
      [RFC4033] defines it as "the name at the child's side of a zone
      cut".  The "apex" can usefully be thought of as a data-theoretic
      description of a tree structure, and "origin" is the name of the
      same concept when it is implemented in zone files.  The
      distinction is not always maintained in use, however, and one can
      find uses that conflict subtly with this definition.  [RFC1034]
      uses the term "top node of the zone" as a synonym of "apex", but
      that term is not widely used.  These days, the first sense of
      "origin" (above) and "apex" are often used interchangeably.

   Zone cut:  The delimitation point between two zones where the origin
      of one of the zones is the child of the other zone.

      "Zones are delimited by 'zone cuts'.  Each zone cut separates a
      'child' zone (below the cut) from a 'parent' zone (above the
      cut)."  (Quoted from [RFC2181], Section 6; note that this is
      barely an ostensive definition.)  Section 4.2 of [RFC1034] uses
      "cuts" instead of "zone cut".
Top   ToC   RFC8499 - Page 24
   Delegation:  The process by which a separate zone is created in the
      name space beneath the apex of a given domain.  Delegation happens
      when an NS RRset is added in the parent zone for the child origin.
      Delegation inherently happens at a zone cut.  The term is also
      commonly a noun: the new zone that is created by the act of

   Authoritative data:  "All of the RRs attached to all of the nodes
      from the top node of the zone down to leaf nodes or nodes above
      cuts around the bottom edge of the zone."  (Quoted from [RFC1034],
      Section 4.2.1) Note that this definition might inadvertently also
      cause any NS records that appear in the zone to be included, even
      those that might not truly be authoritative because there are
      identical NS RRs below the zone cut.  This reveals the ambiguity
      in the notion of authoritative data, because the parent-side NS
      records authoritatively indicate the delegation, even though they
      are not themselves authoritative data.

      [RFC4033], Section 2, defines "Authoritative RRset", which is
      related to authoritative data but has a more precise definition.

   Lame delegation:  "A lame delegations exists [sic] when a nameserver
      is delegated responsibility for providing nameservice for a zone
      (via NS records) but is not performing nameservice for that zone
      (usually because it is not set up as a primary or secondary for
      the zone)."  (Quoted from [RFC1912], Section 2.8) Another
      definition is that a lame delegation "...happens when a name
      server is listed in the NS records for some domain and in fact it
      is not a server for that domain.  Queries are thus sent to the
      wrong servers, who don't know nothing [sic] (at least not as
      expected) about the queried domain.  Furthermore, sometimes these
      hosts (if they exist!) don't even run name servers."  (Quoted from
      [RFC1713], Section 2.3)

   Glue records:  "...[Resource records] which are not part of the
      authoritative data [of the zone], and are address RRs for the
      [name] servers [in subzones].  These RRs are only necessary if the
      name server's name is 'below' the cut, and are only used as part
      of a referral response."  Without glue "we could be faced with the
      situation where the NS RRs tell us that in order to learn a name
      server's address, we should contact the server using the address
      we wish to learn."  (Quoted from [RFC1034], Section 4.2.1)

      A later definition is that glue "includes any record in a zone
      file that is not properly part of that zone, including nameserver
      records of delegated sub-zones (NS records), address records that
      accompany those NS records (A, AAAA, etc), and any other stray
      data that might appear."  (Quoted from [RFC2181], Section 5.4.1)
Top   ToC   RFC8499 - Page 25
      Although glue is sometimes used today with this wider definition
      in mind, the context surrounding the definition in [RFC2181]
      suggests it is intended to apply to the use of glue within the
      document itself and not necessarily beyond.

   Bailiwick:  "In-bailiwick" is a modifier to describe a name server
      whose name is either a subdomain of or (rarely) the same as the
      origin of the zone that contains the delegation to the name
      server.  In-bailiwick name servers may have glue records in their
      parent zone (using the first of the definitions of "glue records"
      in the definition above).  (The word "bailiwick" means the
      district or territory where a bailiff or policeman has

      "In-bailiwick" names are divided into two types of names for name
      servers: "in-domain" names and "sibling domain" names.

      *  In-domain: a modifier to describe a name server whose name is
         either subordinate to or (rarely) the same as the owner name of
         the NS resource records.  An in-domain name server name needs
         to have glue records or name resolution fails.  For example, a
         delegation for "" may have "in-domain" name
         server name "".

      *  Sibling domain: a name server's name that is either subordinate
         to or (rarely) the same as the zone origin and not subordinate
         to or the same as the owner name of the NS resource records.
         Glue records for sibling domains are allowed, but not
         necessary.  For example, a delegation for ""
         in "" zone may have "sibling" name server name

      "Out-of-bailiwick" is the antonym of "in-bailiwick".  It is a
      modifier to describe a name server whose name is not subordinate
      to or the same as the zone origin.  Glue records for out-of-
      bailiwick name servers are useless.  The following table shows
      examples of delegation types.

   Delegation |Parent|Name Server Name  | Type
   com        | .    ||in-bailiwick / sibling domain
   net        | .    ||in-bailiwick / in-domain| org  |    |in-bailiwick / in-domain| org  |       |in-bailiwick / sibling domain| org  |    |out-of-bailiwick | jp   |     |in-bailiwick / in-domain | jp   |  |in-bailiwick / sibling domain | jp   |    |out-of-bailiwick
Top   ToC   RFC8499 - Page 26
   Root zone:  The zone of a DNS-based tree whose apex is the zero-
      length label.  Also sometimes called "the DNS root".

   Empty non-terminals (ENT):  "Domain names that own no resource
      records but have subdomains that do."  (Quoted from [RFC4592],
      Section 2.2.2) A typical example is in SRV records: in the name
      "", it is likely that "" has
      no RRsets, but that "" has (at least) an SRV

   Delegation-centric zone:  A zone that consists mostly of delegations
      to child zones.  This term is used in contrast to a zone that
      might have some delegations to child zones but also has many data
      resource records for the zone itself and/or for child zones.  The
      term is used in [RFC4956] and [RFC5155], but it is not defined in
      either document.

   Occluded name:  "The addition of a delegation point via dynamic
      update will render all subordinate domain names to be in a limbo,
      still part of the zone but not available to the lookup process.
      The addition of a DNAME resource record has the same impact.  The
      subordinate names are said to be 'occluded'."  (Quoted from
      [RFC5936], Section 3.5)

   Fast flux DNS:  This "occurs when a domain is [found] in DNS using A
      records to multiple IP addresses, each of which has a very short
      Time-to-Live (TTL) value associated with it.  This means that the
      domain resolves to varying IP addresses over a short period of
      time."  (Quoted from [RFC6561], Section 1.1.5, with a typo
      corrected) In addition to having legitimate uses, fast flux DNS
      can used to deliver malware.  Because the addresses change so
      rapidly, it is difficult to ascertain all the hosts.  It should be
      noted that the technique also works with AAAA records, but such
      use is not frequently observed on the Internet as of this writing.

   Reverse DNS, reverse lookup:  "The process of mapping an address to a
      name is generally known as a 'reverse lookup', and the
      IN-ADDR.ARPA and IP6.ARPA zones are said to support the 'reverse
      DNS'."  (Quoted from [RFC5855], Section 1)

   Forward lookup:  "Hostname-to-address translation".  (Quoted from
      [RFC3493], Section 6)

   arpa: Address and Routing Parameter Area Domain:  "The 'arpa' domain
      was originally established as part of the initial deployment of
      the DNS, to provide a transition mechanism from the Host Tables
      that were common in the ARPANET, as well as a home for the IPv4
      reverse mapping domain.  During 2000, the abbreviation was
Top   ToC   RFC8499 - Page 27
      redesignated to 'Address and Routing Parameter Area' in the hope
      of reducing confusion with the earlier network name."  (Quoted
      from [RFC3172], Section 2) .arpa is an "infrastructure domain", a
      domain whose "role is to support the operating infrastructure of
      the Internet".  (Quoted from [RFC3172], Section 2) See [RFC3172]
      for more history of this name.

   Service name:  "Service names are the unique key in the Service Name
      and Transport Protocol Port Number registry.  This unique symbolic
      name for a service may also be used for other purposes, such as in
      DNS SRV records."  (Quoted from [RFC6335], Section 5)

8. Wildcards

Wildcard: [RFC1034] defined "wildcard", but in a way that turned out to be confusing to implementers. For an extended discussion of wildcards, including clearer definitions, see [RFC4592]. Special treatment is given to RRs with owner names starting with the label "*". "Such RRs are called 'wildcards'. Wildcard RRs can be thought of as instructions for synthesizing RRs." (Quoted from [RFC1034], Section 4.3.3) Asterisk label: "The first octet is the normal label type and length for a 1-octet-long label, and the second octet is the ASCII representation [RFC20] for the '*' character. A descriptive name of a label equaling that value is an 'asterisk label'." (Quoted from [RFC4592], Section 2.1.1) Wildcard domain name: "A 'wildcard domain name' is defined by having its initial (i.e., leftmost or least significant) label, in binary format: 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)". (Quoted from [RFC4592], Section 2.1.1) The second octet in this label is the ASCII representation for the "*" character. Closest encloser: "The longest existing ancestor of a name." (Quoted from [RFC5155], Section 1.3) An earlier definition is "The node in the zone's tree of existing domain names that has the most labels matching the query name (consecutively, counting from the root label downward). Each match is a 'label match' and the order of the labels is the same." (Quoted from [RFC4592], Section 3.3.1) Closest provable encloser: "The longest ancestor of a name that can be proven to exist. Note that this is only different from the closest encloser in an Opt-Out zone." (Quoted from [RFC5155], Section 1.3) See Section 10 for more on "opt-out".
Top   ToC   RFC8499 - Page 28
   Next closer name:  "The name one label longer than the closest
      provable encloser of a name."  (Quoted from [RFC5155],
      Section 1.3)

   Source of Synthesis:  "The source of synthesis is defined in the
      context of a query process as that wildcard domain name
      immediately descending from the closest encloser, provided that
      this wildcard domain name exists.  'Immediately descending' means
      that the source of synthesis has a name of the form:
      <asterisk label>.<closest encloser>."
      (Quoted from [RFC4592], Section 3.3.1)

(page 28 continued on part 3)

Next Section