idnits 2.17.1 draft-ietf-dnsind-edns-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-19) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. ** There are 98 instances of too long lines in the document, the longest one being 3 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 131 has weird spacing: '...in name emp...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'RFC1035' on line 299 looks like a reference -- Missing reference section? 'CRAW98' on line 303 looks like a reference -- Missing reference section? 'KOCH98' on line 307 looks like a reference Summary: 11 errors (**), 0 flaws (~~), 2 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSIND Working Group Paul Vixie 3 INTERNET-DRAFT ISC 4 August, 1998 6 Extensions to DNS (EDNS) 8 Status of this Memo 10 This document is an Internet-Draft. Internet-Drafts are working 11 documents of the Internet Engineering Task Force (IETF), its areas, 12 and its working groups. Note that other groups may also distribute 13 working documents as Internet-Drafts. 15 Internet-Drafts are draft documents valid for a maximum of six months 16 and may be updated, replaced, or obsoleted by other documents at any 17 time. It is inappropriate to use Internet-Drafts as reference 18 material or to cite them other than as ``work in progress.'' 20 To view the entire list of current Internet-Drafts, please check the 21 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 22 Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern 23 Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific 24 Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). 26 Abstract 28 The Domain Name System's wire protocol includes a number of fixed 29 fields whose range has been or soon will be exhausted, does not allow 30 clients to advertise their capabilities to servers, and does not 31 support the use of multiple questions per request. This document 32 describes backward compatible mechanisms for allowing the protocol to 33 grow. 35 1 - Rationale and Scope 37 1.1. DNS (see [RFC1035]) specifies a Message Format and within such 38 messages there are standard formats for encoding options, errors, and 39 name compression. The maximum allowable size of a DNS Message is fixed. 40 Many of DNS's protocol limits are too small for uses which are or which 41 are desired to become common. There is no way for clients to advertise 42 their capabilities to servers, and it is not possible to ask multiple 43 questions in a single request. 45 1.2. Existing clients will not know how to interpret the protocol 46 extensions detailed here. In practice, these clients will be upgraded 47 when they have need of a new feature, and only new features will make 48 use of the extensions. We must however take account of client behaviour 49 in the face of extra fields, and design a fallback scheme for 50 interoperability with these clients. 52 2 - Affected Protocol Elements 54 2.1. The DNS Message Header's (see [RFC1035 4.1.1]) second full 16-bit 55 word is divided into a 4-bit OPCODE, a 4-bit RCODE, and a number of 56 1-bit flags. The original reserved Z bits have been allocated to 57 various purposes, and most of the RCODE values are now in use. More 58 types and more possible RCODEs are needed. 60 2.2. The first two bits of a wire format domain label are used to denote 61 the type of the label. [RFC1035 4.1.4] allocates two of the four 62 possible types and reserves the other two. Proposals for use of the 63 remaining types far outnumber those available. More label types are 64 needed. 66 2.3. Compression pointers are 14 bits in size and are relative to the 67 start of the DNS Message, which can be 64KB in length. 14 bits restrict 68 pointers to the first 16KB of the message, which makes labels introduced 69 in the last 48KB of the message unreachable by compression pointers. A 70 longer pointer format is needed. 72 2.4. DNS Messages are limited to 512 octets in size when sent over UDP. 73 While the minimum maximum reassembly buffer size is still 512 bytes, 74 most of the hosts now connected to the Internet are able to reassemble 75 larger datagrams. Some mechanism must be created to allow requestors to 76 advertise larger buffer sizes to responders. 78 2.5. DNS Messages are limited to 65535 octets in size when sent over 79 TCP. This acts as an effective maximum on RRset size, since multiple 80 TCP messages are only possible in the case of zone transfers. Some 81 mechanism must be created to allow normal DNS responses (other than zone 82 transfers) to span multiple DNS Messages when TCP is used. 84 2.6. Multiple queries in a question section have not been supported in 85 DNS due the applicability of some DNS Message Header flags (such as AA) 86 and of the RCODE field only to a single QNAME, QTYPE, and QCLASS. 87 Multiple questions per request are desirable, and some way of asking 88 them must be made available. 90 3 - Extended Label Types 92 3.1. The ``1 0'' label type will now indicate an extended label type, 93 whose value is encoded in the lower six bits of the first octet of a 94 label. All subsequently developed label types should be encoded using 95 an extended label type. 97 3.2. The ``0 0 0 0 0 0'' extended label type will indicate an extended 98 compression pointer, such that the following two octets comprise a 99 16-bit compression pointer in network byte order. Like the normal 100 compression pointer, this pointer is relative to the start of the DNS 101 Message. 103 3.3. The ``0 0 0 0 0 1'' extended label type will indicate a counted bit 104 string label with interior longest-match query matching semantics as 105 described in [CRAW98]. 107 3.4. The ``0 0 0 0 1 0'' extended label type will indicate a ``long 108 local compression pointer'' as described in [KOCH98]. 110 3.5. The ``1 1 1 1 1 1'' extended label type will be reserved for future 111 expansion of the extended label type code space. 113 4 - OPT pseudo-RR 115 4.1. The OPT pseudo-RR can be added to the additional data section of 116 either a request or a response. An OPT is called a pseudo-RR because it 117 pertains to a particular transport level message and not to any actual 118 DNS data. OPT RRs shall never be cached, forwarded, or stored in or 119 loaded from master files. 121 4.2. An OPT RR has a fixed part and a variable set of options expressed 122 as {attribute, value} pairs. The fixed part holds some DNS meta data 123 and also a small collection of new protocol elements which we expect to 124 be so popular that it would be a waste of wire space to encode them as 125 {attribute, value} pairs. 127 4.3. The fixed part of an OPT RR is structured as follows: 129 Field Name Field Type Description 130 ----------------------------------------------------- 131 NAME domain name empty (root domain) 132 TYPE u_int16_t OPT (XXX IANA) 133 CLASS u_int16_t sender's UDP buffer size 134 TTL u_int32_t extended RCODE and flags 135 RDLEN u_int16_t describes RDATA 136 RDATA octet stream {attribute,value} pairs 138 4.4. The variable part of an OPT RR is encoded in its RDATA and is 139 structured as zero or more of the following: 141 +0 (MSB) +1 (LSB) 142 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 143 0: | OPTION-CODE | 144 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 145 2: | OPTION-LENGTH | 146 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 147 4: | | 148 / OPTION-DATA / 149 / / 150 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 152 OPTION-CODE Assigned by the IANA. Value 65535 is reserved for future 153 expansion. 155 OPTION-LENGTH Size (in octets) of OPTION-DATA. 157 OPTION-DATA Varies per OPTION-CODE. 159 4.5. The sender's UDP buffer size is the number of octets of the largest 160 UDP payload that can be reassembled and delivered in the sender's 161 network stack. Note that path MTU, with or without fragmentation, may 162 be smaller than this. Also note that a 512-octet UDP payload requires a 163 576-octet IP reassembly buffer. Choosing 1436 on an Ethernet connected 164 requestor would be reasonable. The consequence of choosing too large a 165 value may be an ICMP message from an intermediate gateway, or even a 166 silent drop of the response message. Requestors are advised to retry in 167 such cases. Both requestors and responders are advised to take account 168 of the path's MTU when considering message sizes. 170 4.6. The extended RCODE and flags are structured as follows: 172 +0 (MSB) +1 (LSB) 173 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 174 0: | EXTENDED-RCODE | VERSION | 175 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 176 2: |MD |FM |RRD|LM | Z | 177 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 179 EXTENDED-RCODE Forms upper 8 bits of extended 12-bit RCODE. 180 (Meaningless in requests.) 182 VERSION Indicates the implementation level of whoever sets it. 183 Full conformance with the draft standard version of this 184 specification is version ``0.'' Note that both 185 requestors and responders should set this to the highest 186 level they implement, that responders should send back 187 RCODE=BADVERS (XXX IANA) and that requestors should be 188 prepared to probe using lower version numbers if they 189 receive an RCODE=BADVERS. 191 Z Set to zero by senders and ignored by receivers, unless 192 modified in a subsequent specification. 194 MD ``More data'' flag. Valid only in TCP streams where 195 message ordering and reliability are guaranteed. This 196 flag indicates that the current message is not the 197 complete request or response, and should be aggregated 198 with the following message(s) before being considered 199 complete. Such messages are called ``segmented.'' It 200 is an error for the RCODE (including the EXTENDED- 201 RCODE), AA flag, or DNS Message ID to differ among 202 segments of a segmented message. It is an error for TC 203 to be set on any message of a segmented message. Any 204 given RR must fit completely within a message, and all 205 messages will both begin and end on RR boundaries. 207 FM ``First match'' flag. Notable only when multiple 208 questions are present. If set in a request, questions 209 will be processed in wire order and the first question 210 whose answer would be NOERROR AND ANCOUNT>0 is treated 211 as if it were the only question in the query message. 212 Otherwise, questions can be processed in any order and 213 all possible answer records will be included in the 214 response. FM should be set to zero in responses and 215 ignored by requestors. 217 RRD ``Recursion really desired'' flag. Notable only when a 218 request is processed by an intermediate name server 219 (``forwarder'') who is not authoritative for the zone 220 containing QNAME, and where QTYPE=ANY or QDCOUNT>1. If 221 set in a request, the intermediate name server can only 222 answer using unexpired cached answers (either positive 223 or negative) which were atomically acquired using the 224 same QTYPE or set of QTYPEs present in the current 225 question and where all such answers had the same TTL 226 when first cached. 228 LM ``Longest match'' flag. If this flag is present in a 229 query message, then for any question whose QNAME is not 230 fully matched by zone or cache data, the longest 231 trailing suffix of the QNAME for which zone or cache 232 data is present will be eligible for use as an answer. 233 Any of: QTYPE=ANY, or QCLASS=ANY, or QCOUNT>1, shall be 234 considered an error if the LM flag is set. 236 5 - Multiple Questions for QUERY 238 5.1. If QDCOUNT>1, multiple questions are present. All questions must 239 be for the same QNAME and QCLASS; only the QTYPE is allowed to vary. It 240 is an error for QDCOUNT>1 and any QTYPE=ANY or QCLASS=ANY. 242 5.2. RCODE and AA apply to all RRs in the answer section having the 243 QNAME that is shared by all questions in the question section. AA 244 applies to all matching answers, and will not be set unless the exact 245 original request was processed by an authoritative server and the 246 response forwarded in its entirety if at all, or unless iterative 247 requests are used as described in [5.4] below. 249 5.3. If a multiple question request is processed by an intermediate 250 server and the authority server does not support multiple questions, the 251 intermediate server must generate an answer iteratively by making 252 multiple requests of the authority server. In this case, AA must never 253 be set in the final answer due to lack of atomicity of the contributing 254 authoritative responses. 256 5.4. If iteratively processing a multiple question request using an 257 authority server which can only process single question requests, if any 258 contributing request generates a SERVFAIL response, then the final 259 response's RCODE should be SERVFAIL. 261 6 - Transport Considerations 263 6.1. The presence of an OPT pseudo-RR, or any new label type, or 264 QDCOUNT>1 in a request should be taken as an indication that the 265 requestor fully implements that feature of this specification, and can 266 correctly understand any response that conforms to that feature's 267 specification. If a new label type or QDCOUNT>1 is used in a message 268 that does not have an OPT RR, a VERSION of ``0'' shall be imputed, for 269 the purpose of either interpreting the request or defining conformance 270 of the response. 272 6.2. Lack of use of these features in a request must be taken as an 273 indication that the requestor does not implement any part of this 274 specification and that the responder may make no use of any protocol 275 extension described here in its response. 277 6.3. Responders who do not understand these protocol extensions are 278 expected to send a respose with RCODE NOTIMPL, FORMERR, or SERVFAIL. 279 Therefore use of extensions should be ``probed'' such that a responder 280 who isn't known to support them be allowed a retry with no extensions if 281 it responds with one of the above mentioned RCODEs. If a responder's 282 capability is cached by requestors, a new probe should be sent 283 periodically to test for upgrades to responder capability. 285 7 - Security Considerations 287 Requestor-side specification of the maximum buffer size may open a new 288 DNS denial of service attack if responders can be made to send messages 289 which are too large for intermediate gateways to forward, thus leading 290 to potential ICMP storms between gateways and responders. 292 8 - Acknowledgements 294 Paul Mockapetris, Mark Andrews, Robert Elz, Don Lewis, Bob Halley, and 295 Donald Eastlake were each instrumental in creating this specification. 297 9 - References 299 [RFC1035] P. Mockapetris, ``Domain Names - Implementation and 300 Specification,'' RFC 1035, USC/Information Sciences 301 Institute, November 1987. 303 [CRAW98] M. Crawford, ``Binary Labels in the Domain Name System,'' 304 Draft draft-ietf-dnsind-binary-labels-XX, IETF DNSIND, March 305 1998. 307 [KOCH98] P. Koch, ``A New Scheme for the Compression of Domain 308 Names,'' Draft draft-ietf-dnsind-local-compression-XX.txt. 309 IETF DNSIND, March 1998. 311 10 - Author's Address 313 Paul Vixie 314 Vixie Enterprises 315 950 Charter Street 316 Redwood City, CA 94063 317 +1 650 779 7001 318