idnits 2.17.1 draft-bellis-dnsext-multi-qtypes-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 13, 2016) is 2935 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSEXT Working Group R. Bellis 3 Internet-Draft ISC 4 Intended status: Standards Track April 13, 2016 5 Expires: October 15, 2016 7 DNS Multiple QTYPEs 8 draft-bellis-dnsext-multi-qtypes-02 10 Abstract 12 This document specifies a method for a DNS client to request 13 additional DNS record types to be delivered alongside the primary 14 record type specified in the question section of a DNS query. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at http://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on October 15, 2016. 33 Copyright Notice 35 Copyright (c) 2016 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Terminology used in this document . . . . . . . . . . . . . . 3 52 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 3.1. Multiple QTYPE EDNS Option Format . . . . . . . . . . . . 3 54 3.2. Response Generation . . . . . . . . . . . . . . . . . . . 4 55 3.2.1. Server Side Processing . . . . . . . . . . . . . . . 4 56 3.2.2. Client Side Processing . . . . . . . . . . . . . . . 5 57 3.2.3. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 5 58 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 59 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 60 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 61 7. Normative References . . . . . . . . . . . . . . . . . . . . 6 62 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 64 1. Introduction 66 A commonly requested DNS [RFC1035] feature is the ability to receive 67 multiple related resource records (RRs) in a single DNS response. 69 For example, it may be desirable to receive both the A and AAAA 70 records for a domain name together, rather than having to issue 71 multiple queries. 73 The DNS wire protocol in theory supports having multiple questions in 74 a single packet, but in practise this does not work: 76 o Each question consists of the tuple (QNAME, QTYPE, QCLASS). Since 77 each question has its own QNAME field it would be possible for one 78 name to exist and another to not exist, resulting in an 79 inconsistent response code. 81 o The idea that only a single question is allowed is sufficiently 82 entrenched that many DNS servers will simply return an error (or 83 fail to response at all) if they receive a query with a question 84 count (QDCOUNT) of more than one. 86 To resolve both of these issues, this document constraints the 87 problem to those cases where only the QTYPE varies by specifying a 88 new option for the Extension Mechanisms for DNS (EDNS [RFC6891]) that 89 contains an additional list of QTYPE values that the client wishes to 90 receive in addition to that in the primary question. 92 TODO: why not "ANY" ? 94 2. Terminology used in this document 96 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 97 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 98 document are to be interpreted as described in [RFC2119]. 100 3. Description 102 3.1. Multiple QTYPE EDNS Option Format 104 The overall format of an EDNS option is shown for reference below, 105 per [RFC6891], followed by the option specific data: 107 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 108 0: | OPTION-CODE | 109 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 110 2: | OPTION-LENGTH | 111 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 112 4: | | 113 / OPTION-DATA / 114 / / 115 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 117 OPTION-CODE: TBD by IANA 119 OPTION-LENGTH: Size (in octets) of OPTION-DATA. 121 OPTION-DATA: Option specific, as below: 123 +0 (MSB) +1 (LSB) 124 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 125 0: |QTD| reserved | QTCOUNT | QT1 (MSB) | 126 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 127 2: | QT1 (LSB) | ... | 128 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 129 | ... /// QTn (MSB) | 130 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 131 | QTn (LSB) | 132 +---+---+---+---+---+---+---+---+ 134 QTD: this bit indicates the direction of the packet. It MUST be 135 clear (0) in a query and set (1) in a response. 137 QTCOUNT: a 3 bit field with range 0 .. 7 specifying the number of QT 138 fields to follow. 140 QTn: a 2 byte field (MSB first) specifying a DNS RR type. The RR 141 type MUST be for a real resource record, and MUST NOT refer to a 142 pseudo RR type such as "OPT", "IXFR", "TSIG", etc. 144 3.2. Response Generation 146 3.2.1. Server Side Processing 148 A conforming server that receives a Multiple QTYPE Option in a query 149 MUST return a Multiple QTYPE Option in its response. 151 The QTD bit in that response MUST be set (1) as protection against 152 servers which simply echo unknown EDNS options verbatim. If the QTD 153 bit in a response is zero the client MUST treat the response as if 154 this option is unsupported. 156 The server SHOULD attempt to return any resource records known to it 157 that match the additional (QTYPE, QCLASS, QTn) tuples. These records 158 MUST be returned in the Answer Section of the response, but the 159 answer for the primary QTYPE from the Question Section MUST be 160 included first. 162 For any particular QTn in the query, if the server provides addtional 163 answers, or has knowledge that the RR type type does not exist for 164 that QNAME (a "negative answer"), it must include that QTn value in 165 the Multiple QTYPE Option of its response. 167 A negative answer is therefore indicated by the combination of the 168 presence of a QTn value in the Multiple QTYPE Option and the absence 169 of a matching record in the Answer Section. This is necessary (in 170 the absence of DNSSEC) to differentiate between absence of the record 171 from the zone and absence of the record from the response. 173 A server that is authoritative for the specified QNAME on receipt of 174 a Multiple QTYPE Option MUST attempt to return all specified RR types 175 except where that would result in truncation in which case it may 176 omit some (or all) of the records for the additional RR types. Those 177 RR types MUST then also be omitted from the Multiple QTYPE Option in 178 the response. 180 A caching recursive server receiving a Multiple QTYPE Option SHOULD 181 attempt to fill its positive and negative caches with all of the 182 specified RR types before returning its response to the client. 184 TODO: is there a case for mandatory answers, i.e. the client saying I 185 _really_ want all these? 187 3.2.2. Client Side Processing 189 Recursive resolvers MAY use this method to obtain multiple records 190 from an authoritative server. For the purposes of Section 5.4.1 of 191 [RFC2181] any authoritative answers received MUST be ranked the same 192 as the answer for the primary question. 194 3.2.3. DNSSEC 196 If the DNS client sets the "DNSSEC OK" (DO) bit in the query then the 197 server MUST also return the related DNSSEC records that would have 198 been returned in a standalone query for the same QTYPE. 200 A negative answer from a signed zone MUST contain the appropriate 201 authenticated denial of existence records, per [RFC4034] and 202 [RFC5155]. 204 In a signed zone there is a theoretical risk of valid signatures for 205 one RR type and invalid signatures for another. This is the only 206 case known to the author where the response code for any particular 207 QNAME may be inconsistent across different RR types. 209 Should a validating resolver produce NOERROR for some RR types and 210 SERVFAIL for others it MUST omit the RR types that failed to validate 211 from its response and from the QTn fields on the Multiple QTYPE 212 option. The client MAY then initiate standalone queries for those RR 213 types. 215 4. Security Considerations 217 The method documented here does not change any of the security 218 properties of the DNS protocol itself. 220 It should however be noted that this method does increase the 221 potential amplification factor when the DNS protocol is used as a 222 vector for a denial of service attack. 224 5. IANA Considerations 226 IANA is requested to assign a new value in the DNS EDNS0 Options 227 registry. 229 6. Acknowledgements 231 The author wishes to thank the following for their feedback and 232 reviews during the initial development of this document: Michael 233 Graff, Olafur Gudmundsson, Matthijs Mekking, Paul Vixie. 235 7. Normative References 237 [RFC1035] Mockapetris, P., "Domain names - implementation and 238 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 239 November 1987, . 241 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 242 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 243 RFC2119, March 1997, 244 . 246 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 247 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 248 . 250 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 251 Rose, "Resource Records for the DNS Security Extensions", 252 RFC 4034, DOI 10.17487/RFC4034, March 2005, 253 . 255 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 256 Security (DNSSEC) Hashed Authenticated Denial of 257 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 258 . 260 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 261 for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/ 262 RFC6891, April 2013, 263 . 265 Author's Address 267 Ray Bellis 268 Internet Systems Consortium, Inc. 269 950 Charter Street 270 Redwood City CA 94063 271 USA 273 Phone: +1 650 423 1200 274 Email: ray@isc.org