idnits 2.17.1 draft-bellis-dnsext-multi-qtypes-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 02, 2018) is 2306 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSEXT Working Group R. Bellis 3 Internet-Draft ISC 4 Intended status: Standards Track January 02, 2018 5 Expires: July 6, 2018 7 DNS Multiple QTYPEs 8 draft-bellis-dnsext-multi-qtypes-05 10 Abstract 12 This document specifies a method for a DNS client to request 13 additional DNS record types to be delivered alongside the primary 14 record type specified in the question section of a DNS query. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at http://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on July 6, 2018. 33 Copyright Notice 35 Copyright (c) 2018 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Terminology used in this document . . . . . . . . . . . . . . 3 52 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 3.1. Multiple QTYPE EDNS Option Format . . . . . . . . . . . . 3 54 3.2. Response Generation . . . . . . . . . . . . . . . . . . . 4 55 3.2.1. Server Side Processing . . . . . . . . . . . . . . . 4 56 3.2.2. Client Side Processing . . . . . . . . . . . . . . . 5 57 3.2.3. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 5 58 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 59 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 60 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 61 7. Normative References . . . . . . . . . . . . . . . . . . . . 6 62 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 64 1. Introduction 66 A commonly requested DNS [RFC1035] feature is the ability to receive 67 multiple related resource records (RRs) in a single DNS response. 69 For example, it may be desirable to receive both the A and AAAA 70 records for a domain name together, rather than having to issue 71 multiple queries. 73 The DNS wire protocol in theory supports having multiple questions in 74 a single packet, but in practise this does not work: 76 o Each question consists of the tuple (QNAME, QTYPE, QCLASS). Since 77 each question has its own QNAME field it would be possible for one 78 name to exist and another to not exist, resulting in an 79 inconsistent response code. 81 o The idea that only a single question is allowed is sufficiently 82 entrenched that many DNS servers will simply return an error (or 83 fail to response at all) if they receive a query with a question 84 count (QDCOUNT) of more than one. 86 To resolve both of these issues, this document constraints the 87 problem to those cases where only the QTYPE varies by specifying a 88 new option for the Extension Mechanisms for DNS (EDNS [RFC6891]) that 89 contains an additional list of QTYPE values that the client wishes to 90 receive in addition to that in the primary question. 92 TODO: why not "ANY" ? 94 2. Terminology used in this document 96 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 97 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 98 "OPTIONAL" in this document are to be interpreted as described in BCP 99 14 [RFC2119] [RFC8174] when, and only when, they appear in all 100 capitals, as shown here. 102 3. Description 104 3.1. Multiple QTYPE EDNS Option Format 106 The overall format of an EDNS option is shown for reference below, 107 per [RFC6891], followed by the option specific data: 109 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 110 0: | OPTION-CODE | 111 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 112 2: | OPTION-LENGTH | 113 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 114 4: | | 115 / OPTION-DATA / 116 / / 117 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 119 OPTION-CODE: TBD by IANA 121 OPTION-LENGTH: Size (in octets) of OPTION-DATA. 123 OPTION-DATA: Option specific, as below: 125 +0 (MSB) +1 (LSB) 126 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 127 0: |QTD| reserved | QTCOUNT | QT1 (MSB) | 128 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 129 2: | QT1 (LSB) | ... | 130 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 131 | ... /// QTn (MSB) | 132 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 133 | QTn (LSB) | 134 +---+---+---+---+---+---+---+---+ 136 QTD: this bit indicates the direction of the packet. It MUST be 137 clear (0) in a query and set (1) in a response. 139 QTCOUNT: a 3 bit field with range 0 .. 7 specifying the number of QT 140 fields to follow. NB: Whilst the QTCOUNT could in theory be 141 calculated based on the OPTION-LENGTH field, having it explicitly 142 specified ensures a sensible constraint its value. 144 QTn: a 2 byte field (MSB first) specifying a DNS RR type. The RR 145 type MUST be for a real resource record, and MUST NOT refer to a 146 pseudo RR type such as "OPT", "IXFR", "TSIG", "*", etc. 148 3.2. Response Generation 150 3.2.1. Server Side Processing 152 A conforming server that receives a Multiple QTYPE Option in a query 153 MUST return a Multiple QTYPE Option in its response. 155 The QTD bit in that response MUST be set (1) as protection against 156 servers which simply echo unknown EDNS options verbatim. If the QTD 157 bit in a response is zero the client MUST treat the response as if 158 this option is unsupported. 160 The server SHOULD attempt to return any resource records known to it 161 that match the additional (QNAME, QTn, QCLASS) tuples. These records 162 MUST be returned in the Answer Section of the response, but the 163 answer for the primary QTYPE from the Question Section MUST be 164 included first. 166 For any particular QTn in the query, if the server provides 167 additional answers, or has knowledge that the RR type type does not 168 exist for that QNAME (a "negative answer"), it must include that QTn 169 value in the Multiple QTYPE Option of its response. 171 A negative answer is therefore indicated by the combination of the 172 presence of a QTn value in the Multiple QTYPE Option and the absence 173 of a matching record in the Answer Section. This is necessary (in 174 the absence of DNSSEC) to differentiate between absence of the record 175 from the zone and absence of the record from the response. 177 A server that is authoritative for the specified QNAME on receipt of 178 a Multiple QTYPE Option MUST attempt to return all specified RR types 179 except where that would result in truncation in which case it may 180 omit some (or all) of the records for the additional RR types. Those 181 RR types MUST then also be omitted from the Multiple QTYPE Option in 182 the response. 184 A caching recursive server receiving a Multiple QTYPE Option SHOULD 185 attempt to fill its positive and negative caches with all of the 186 specified RR types before returning its response to the client. 188 TODO: is there a case for mandatory answers, i.e. the client saying I 189 _really_ want all these? 191 3.2.2. Client Side Processing 193 Recursive resolvers MAY use this method to obtain multiple records 194 from an authoritative server. For the purposes of Section 5.4.1 of 195 [RFC2181] any authoritative answers received MUST be ranked the same 196 as the answer for the primary question. 198 3.2.3. DNSSEC 200 If the DNS client sets the "DNSSEC OK" (DO) bit in the query then the 201 server MUST also return the related DNSSEC records that would have 202 been returned in a standalone query for the same QTYPE. 204 A negative answer from a signed zone MUST contain the appropriate 205 authenticated denial of existence records, per [RFC4034] and 206 [RFC5155]. 208 In a signed zone there is a theoretical risk of valid signatures for 209 one RR type and invalid signatures for another. This is the only 210 case known to the author where the response code for any particular 211 QNAME may be inconsistent across different RR types. 213 Should a validating resolver produce NOERROR for some RR types and 214 SERVFAIL for others it MUST omit the RR types that failed to validate 215 from its response and from the QTn fields on the Multiple QTYPE 216 option. The client MAY then initiate standalone queries for those RR 217 types. 219 4. Security Considerations 221 The method documented here does not change any of the security 222 properties of the DNS protocol itself. 224 It should however be noted that this method does increase the 225 potential amplification factor when the DNS protocol is used as a 226 vector for a denial of service attack. 228 5. IANA Considerations 230 IANA is requested to assign a new value in the DNS EDNS0 Option Codes 231 registry. 233 6. Acknowledgements 235 The author wishes to thank the following for their feedback and 236 reviews during the initial development of this document: Michael 237 Graff, Olafur Gudmundsson, Matthijs Mekking, Paul Vixie. 239 7. Normative References 241 [RFC1035] Mockapetris, P., "Domain names - implementation and 242 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 243 November 1987, . 245 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 246 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 247 RFC2119, March 1997, . 250 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 251 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 252 . 254 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 255 Rose, "Resource Records for the DNS Security Extensions", 256 RFC 4034, DOI 10.17487/RFC4034, March 2005, 257 . 259 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 260 Security (DNSSEC) Hashed Authenticated Denial of 261 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 262 . 264 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 265 for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/ 266 RFC6891, April 2013, . 269 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 270 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 271 May 2017, . 273 Author's Address 274 Ray Bellis 275 Internet Systems Consortium, Inc. 276 950 Charter Street 277 Redwood City CA 94063 278 USA 280 Phone: +1 650 423 1200 281 Email: ray@isc.org