idnits 2.17.1 draft-ietf-dnsind-edns-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-26) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. ** There are 94 instances of too long lines in the document, the longest one being 3 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 128 has weird spacing: '...in name emp...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'RFC1035' on line 285 looks like a reference -- Missing reference section? 'CRAW98' on line 289 looks like a reference Summary: 11 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSIND Working Group Paul Vixie 3 INTERNET-DRAFT Vixie Enterprises 4 March, 1998 6 Extensions to DNS (EDNS) 8 Status of this Memo 10 This document is an Internet-Draft. Internet-Drafts are working 11 documents of the Internet Engineering Task Force (IETF), its areas, 12 and its working groups. Note that other groups may also distribute 13 working documents as Internet-Drafts. 15 Internet-Drafts are draft documents valid for a maximum of six months 16 and may be updated, replaced, or obsoleted by other documents at any 17 time. It is inappropriate to use Internet-Drafts as reference 18 material or to cite them other than as ``work in progress.'' 20 To learn the current status of any Internet-Draft, please check the 21 ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow 22 Directories on ftp.is.co.za (Africa), ftp.nordu.net (North Europe), 23 ftp.nis.garr.it (South Europe), munnari.oz.au (Pacific Rim), 24 ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). 26 Abstract 28 The Domain Name System's wire protocol includes a number of fixed 29 fields whose range has been or soon will be exhausted, does not allow 30 clients to advertise their capabilities to servers, and does not 31 support the use of multiple questions per request. This document 32 describes backward compatible mechanisms for allowing the protocol to 33 grow. 35 1 - Rationale and Scope 37 1.1. DNS (see [RFC1035]) specifies a Message Format and within such 38 messages there are standard formats for encoding options, errors, and 39 name compression. The maximum allowable size of a DNS Message is fixed. 40 Many of DNS's protocol limits are too small for uses which are or which 41 are desired to become common. There is no way for clients to advertise 42 their capabilities to servers, and it is not possible to ask multiple 43 questions in a single request. 45 1.2. Existing clients will not know how to interpret the protocol 46 extensions detailed here. In practice, these clients will be upgraded 47 when they have need of a new feature, and only new features will make 48 use of the extensions. We must however take account of client behaviour 49 in the face of extra fields, and design a fallback scheme for 50 interoperability with these clients. 52 2 - Affected Protocol Elements 54 2.1. The DNS Message Header's (see [RFC1035 4.1.1]) second full 16-bit 55 word is divided into a 4-bit OPCODE, a 4-bit RCODE, and a number of 56 1-bit flags. The original reserved Z bits have been allocated to 57 various purposes, and most of the RCODE values are now in use. More 58 types and more possible RCODEs are needed. 60 2.2. The first two bits of a wire format domain label are used to denote 61 the type of the label. [RFC1035 4.1.4] allocates two of the four 62 possible types and reserves the other two. Proposals for use of the 63 remaining types far outnumber those available. More label types are 64 needed. 66 2.3. Compression pointers are 14 bits in size and are relative to the 67 start of the DNS Message, which can be 64KB in length. 14 bits restrict 68 pointers to the first 16KB of the message, which makes labels introduced 69 in the last 48KB of the message unreachable by compression pointers. A 70 longer pointer format is needed. 72 2.4. DNS Messages are limited to 512 octets in size when sent over UDP. 73 While the minimum maximum reassembly buffer size is still 512 bytes, 74 most of the hosts now connected to the Internet are able to reassemble 75 larger datagrams. Some mechanism must be created to allow requestors to 76 advertise larger buffer sizes to responders. 78 2.5. DNS Messages are limited to 65535 octets in size when sent over 79 TCP. This acts as an effective maximum on RRset size, since multiple 80 TCP messages are only possible in the case of zone transfers. Some 81 mechanism must be created to allow normal DNS responses (other than zone 82 transfers) to span multiple DNS Messages when TCP is used. 84 2.6. Multiple queries in a question section have not been supported in 85 DNS due the applicability of some DNS Message Header flags (such as AA) 86 and of the RCODE field only to a single QNAME, QTYPE, and QCLASS. 87 Multiple questions per request are desirable, and some way of asking 88 them must be made available. 90 3 - Extended Label Types 92 3.1. The ``1 0'' label type will now indicate an extended label type, 93 whose value is encoded in the lower six bits of the first octet of a 94 label. All subsequently developed label types should be encoded using 95 an extended label type. 97 3.2. The ``0 0 0 0 0 0'' extended label type will indicate an extended 98 compression pointer, such that the following two octets comprise a 99 16-bit compression pointer in network byte order. Like the normal 100 compression pointer, this pointer is relative to the start of the DNS 101 Message. 103 3.3. The ``0 0 0 0 0 1'' extended label type will indicate a counted bit 104 string label with interior longest-match query matching semantics as 105 described in [CRAW98]. 107 3.5. The ``1 1 1 1 1 1'' extended label type will be reserved for future 108 expansion of the extended label type code space. 110 4 - OPT pseudo-RR 112 4.1. The OPT pseudo-RR can be added to the additional data section of 113 either a request or a response. An OPT is called a pseudo-RR because it 114 pertains to a particular transport level message and not to any actual 115 DNS data. OPT RRs shall never be cached, forwarded, or stored in or 116 loaded from master files. 118 4.2. An OPT RR has a fixed part and a variable set of options expressed 119 as {attribute, value} pairs. The fixed part holds some DNS meta data 120 and also a small collection of new protocol elements which we expect to 121 be so popular that it would be a waste of wire space to encode them as 122 {attribute, value} pairs. 124 4.3. The fixed part of an OPT RR is structured as follows: 126 Field Name Field Type Description 127 ----------------------------------------------------- 128 NAME domain name empty (root domain) 129 TYPE u_int16_t OPT (XXX IANA) 130 CLASS u_int16_t sender's UDP buffer size 131 TTL u_int32_t extended RCODE and flags 132 RDLEN u_int16_t describes RDATA 133 RDATA octet stream {attribute,value} pairs 134 4.4. The variable part of an OPT RR is encoded in its RDATA and is 135 structured as zero or more of the following: 137 +0 (MSB) +1 (LSB) 138 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 139 0: | OPTION-CODE | 140 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 141 2: | OPTION-LENGTH | 142 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 143 4: | | 144 / OPTION-DATA / 145 / / 146 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 148 OPTION-CODE Assigned by the IANA. Value 65535 is reserved for future 149 expansion. 151 OPTION-LENGTH Size (in octets) of OPTION-DATA. 153 OPTION-DATA Varies per OPTION-CODE. 155 4.5. The sender's UDP buffer size is the number of octets of the largest 156 UDP payload that can be reassembled and delivered in the sender's 157 network stack. Note that path MTU, with or without fragmentation, may 158 be smaller than this. Also note that a 512-octet UDP payload requires a 159 576-octet IP reassembly buffer. Choosing 1436 on an Ethernet connected 160 requestor would be reasonable. The consequence of choosing too large a 161 value may be an ICMP message from an intermediate gateway, or even a 162 silent drop of the response message. Requestors are advised to retry in 163 such cases. Both requestors and responders are advised to take account 164 of the path's MTU when considering message sizes. 166 4.6. The extended RCODE and flags are structured as follows: 168 +0 (MSB) +1 (LSB) 169 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 170 0: | EXTENDED-RCODE | VERSION | 171 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 172 2: |MD |FM |RRD| Z | 173 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 175 EXTENDED-RCODE Forms upper 8 bits of extended 12-bit RCODE. 176 (Meaningless in requests.) 178 VERSION Indicates the implementation level of whoever sets it. 179 Full conformance with the draft standard version of this 180 specification is version ``0.'' Note that both 181 requestors and responders should set this to the highest 182 level they implement, that responders should send back 183 RCODE=BADVERS (XXX IANA) and that requestors should be 184 prepared to probe using lower version numbers if they 185 receive an RCODE=BADVERS. 187 Z Set to zero by senders and ignored by receivers, unless 188 modified in a subsequent specification. 190 MD ``More data'' flag. Valid only in TCP streams where 191 message ordering and reliability are guaranteed. This 192 flag indicates that the current message is not the 193 complete request or response, and should be aggregated 194 with the following message(s) before being considered 195 complete. Such messages are called ``segmented.'' It 196 is an error for the RCODE (including the EXTENDED- 197 RCODE), AA flag, or DNS Message ID to differ among 198 segments of a segmented message. It is an error for TC 199 to be set on any message of a segmented message. Any 200 given RR must fit completely within a message, and all 201 messages will both begin and end on RR boundaries. 203 FM ``First match'' flag. Notable only when multiple 204 questions are present. If set in a request, questions 205 will be processed in wire order and the first question 206 whose answer would be NOERROR AND ANCOUNT>0 is treated 207 as if it were the only question in the query message. 208 Otherwise, questions can be processed in any order and 209 all possible answer records will be included in the 210 response. FM should be set to zero in responses and 211 ignored by requestors. 213 RRD ``Recursion really desired'' flag. Notable only when a 214 request is processed by an intermediate name server 215 (``forwarder'') who is not authoritative for the zone 216 containing QNAME, and where QTYPE=ANY or QDCOUNT>1. If 217 set in a request, the intermediate name server can only 218 answer using unexpired cached answers (either positive 219 or negative) which were atomically acquired using the 220 same QTYPE or set of QTYPEs present in the current 221 question and where all such answers had the same TTL 222 when first cached. 224 5 - Multiple Questions for QUERY 226 5.1. If QDCOUNT>1, multiple questions are present. All questions must 227 be for the same QNAME and QCLASS; only the QTYPE is allowed to vary. It 228 is an error for QDCOUNT>1 and any QTYPE=ANY or QCLASS=ANY. 230 5.2. RCODE and AA apply to all RRs in the answer section having the 231 QNAME that is shared by all questions in the question section. AA 232 applies to all matching answers, and will not be set unless the exact 233 original request was processed by an authoritative server and the 234 response forwarded in its entirety if at all, or unless iterative 235 requests are used as described in [5.4] below. 237 5.3. If a multiple question request is processed by an intermediate 238 server and the authority server does not support multiple questions, the 239 intermediate server must generate an answer iteratively by making 240 multiple requests of the authority server. In this case, AA must never 241 be set in the final answer due to lack of atomicity of the contributing 242 authoritative responses. 244 5.4. If iteratively processing a multiple question request using an 245 authority server which can only process single question requests, if any 246 contributing request generates a SERVFAIL response, then the final 247 response's RCODE should be SERVFAIL. 249 6 - Transport Considerations 251 6.1. The presence of an OPT pseudo-RR or any new label type, or 252 QDCOUNT>1 in a request should be taken as an indication that the 253 requestor fully implements this specification and can correctly 254 understand any response that conforms to this specification. If a new 255 label type or QDCOUNT>1 is used in a message that does not have an OPT 256 RR, a VERSION of ``0'' shall be imputed. 258 6.2. Lack of use of these features in a request must be taken as an 259 indication that the requestor does not implement any part of this 260 specification and that the responder may make no use of any protocol 261 extension described here in its response. 263 6.3. Responders who do not understand these protocol extensions are 264 expected to send a respose with RCODE NOTIMPL, FORMERR, or SERVFAIL. 265 Therefore use of extensions should be ``probed'' such that a responder 266 who isn't known to support them be allowed a retry with no extensions if 267 it responds with one of the above mentioned RCODEs. If a responder's 268 capability is cached by requestors, a new probe should be sent 269 periodically to test for upgrades to responder capability. 271 7 - Security Considerations 273 Requestor-side specification of the maximum buffer size may open a new 274 DNS denial of service attack if responders can be made to send messages 275 which are too large for intermediate gateways to forward, thus leading 276 to potential ICMP storms between gateways and responders. 278 8 - Acknowledgements 280 Paul Mockapetris, Mark Andrews, Robert Elz, Don Lewis, Bob Halley, and 281 Donald Eastlake were each instrumental in creating this specification. 283 9 - References 285 [RFC1035] P. Mockapetris, ``Domain Names - Implementation and 286 Specification,'' RFC 1035, USC/Information Sciences 287 Institute, November 1987. 289 [CRAW98] M. Crawford, ``Binary Labels in the Domain Name System,'' 290 Draft draft-ietf-dnsind-binary-labels-XX, IETF DNSIND, March 291 1998. 293 10 - Author's Address 295 Paul Vixie 296 Vixie Enterprises 297 950 Charter Street 298 Redwood City, CA 94063 299 +1 650 779 7001 300