Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NetBSD/dist/bind/doc/draft/draft-ietf-dnsext-edns0dot5...

339 lines
10 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Network Working Group R. Austein
draft-ietf-dnsext-edns0dot5-02.txt InterNetShare.com, Inc.
H. Alvestrand
Cisco Systems
November 2000
A Proposed Enhancement to the EDNS0 Version Mechanism
Status of this document
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>
The list of Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>
Distribution of this document is unlimited. Please send comments to
the Namedroppers mailing list <namedroppers@ops.ietf.org>.
Motivation and Scope
EDNS0 [EDNS0] specifies a general framework for extending the packet
format used by the Domain Name System protocols. The framework
includes a simple version numbering scheme to allow the parties in a
DNS protocol exchange to determine which extension features the other
party understands. While having the advantage of simplicity, the
version numbering scheme as specified has drawbacks:
- It provides no way to deprecate a protocol feature;
- It provides no way to deploy experimental protocol features.
Austein & Alvestrand Expires 22 May 2001 [Page 1]
draft-ietf-dnsext-edns0dot5-02.txt November 2000
This note proposes to augument the monolithic version numbering
mechanism with a mechanism for listing an explicit set of protocol
features that a particular implementation supports. We retain
version numbering as a way of abbreviating the feature sets that we
expect to see in common use.
Model
Our revised extension model for the DNS is designed with three goals
in mind:
- We want the protocol to be as simple as possible for the common
case of a client or server that implements "mainstream standard
DNS";
- We want to provide a safe way to experiment with new protocol
features, both inside and outside the deployed DNS;
- We want to provide a safe way to deprecate protocol features.
Our revised extension model has two parts, both of which are carried
in the OPT pseudo-RR: the VERSION, which stored in the second octet
of the TTL field of the OPT RR, and a variable-length list of
FEATURES, stored in the variable part of the OPT RR.
All FEATUREs are extensions of the DNS. We reserve the range of
FEATURE numbers from 1 to 100 for describing features of the original
RFC 1034/1035 DNS specification that we might eventually choose to
deprecate.
Any query/response pair can be described as using a set of DNS
FEATUREs. Such features might for instance be:
- Domain binary labels according to [BINARY-LABELS];
- Extended RCODEs (the general principle, not specific values);
- Multi-packet UDP response;
- Increased maximum UDP payload size;
- Character set identification in DNS labels;
- SIG record parsing and checking;
FEATURE numbers are handed out by IANA on a first-come-first-served
basis within their appropriate ranges. Any revised specification of
a format or function should have its own FEATURE number; in the IETF
Austein & Alvestrand Expires 22 May 2001 [Page 2]
draft-ietf-dnsext-edns0dot5-02.txt November 2000
process, any significantly changed Internet-Draft should have a new
FEATURE number assigned for experimentation.
An assigned VERSION number names a set of FEATUREs. VERSION numbers
are assigned by the IETF through a standards action.
Normally, any VERSION number encompasses every FEATURE of all lower
VERSION numbers, but the possibility of removing FEATUREs exists for
two reasons:
- To remove the need for supporting FEATUREs that turned out to be a
Really Bad Idea;
- To allow replacing a badly specified FEATURE with a better
specified FEATURE performing the same function that has a new
FEATURE number.
Mechanism
We transport explicit feature sets as lists of integers carried in
the variable RDATA portion of the EDNS0 OPT pseudo-RR.
The OPTION-CODE for FEATURES is [TBD].
The OPTION-DATA for FEATURES is an ordered list of "feature numbers";
a feature number is represented as a big-endian 16-bit unsigned
integer, and the list is sorted into numerically increasing order.
Each feature number names a particular protocol feature that is
supported by the implementation that generated this OPT pseudo-RR.
Usage
In most respects, the FEATURE mechanism is used symmetrically by
clients and servers; exceptions to this rule are stated after the
general explanation.
When composing a DNS message, a client or server includes an OPT
record indicating a set of FEATUREs that:
- MUST include all FEATUREs that the client or server believes are
relevant to this message;
- MAY include all FEATURES that the client or server is prepared to
receive.
This set is expressed as a VERSION and any additional FEATURES
required.
Austein & Alvestrand Expires 22 May 2001 [Page 3]
draft-ietf-dnsext-edns0dot5-02.txt November 2000
In general, we expect that a client or server will include an OPT
pseudo-RR that indicates:
- The highest VERSION number that the entity generating the message
supports; and
- A small (possibly empty) set of additional FEATUREs not encompassed
by the VERSION that the entity deems necessary or desirable.
The above symmetry notwithstanding, we impose one important
constraint on the server: while a server is allowed to indicate
whatever FEATUREs it believes are relevant or useful, a server MUST
NOT make use of any FEATURE in a response that is not within the set
of FEATUREs indicated by the client that generated the corresponding
request. That is, a response may say "I support FEATURE FOO"
regardless of what the client supports, but the rest of the response
must not use FEATURE FOO unless the client also supports it.
As a special case, if a client explicitly queries for the OPT RR of
the root zone, the server returns an OPT record including all
FEATUREs that the server supports. This functionality is provided
strictly for diagnostic purposes.
Life Cycle
We expect the life cycle of new features to proceed as follows:
- VERSION X is defined and deployed.
- A new FEATURE is defined and experimentally implemented. All
clients and servers taking part in the experiment use FEATURE to
indicate support.
- Community consensus is reached that this FEATURE is genuinely
useful.
- VERSION X+1 is defined, encompassing all FEATUREs from VERSION X,
plus the new FEATURE (and perhaps others).
- The next generation of DNS software supports VERSION X+1, and never
use FEATURE.
Risks
While we have tried to provide the ability to deprecate old bad
protocol features, such an ability should be used only rarely, if at
all, since by any realistic estimate it takes years (decades?) to
upgrade all the DNS implementations already in the field.
Austein & Alvestrand Expires 22 May 2001 [Page 4]
draft-ietf-dnsext-edns0dot5-02.txt November 2000
A flexible extension mechanism of this type increases the risk that
some implementors might chose to deploy features designed to hinder
interoperability (so-called "labeled noninteroperability").
Security Considerations
We do not believe that this protocol enhancement adds any major new
security risks, but we do believe that it would be helpful in getting
complicated DNS extensions such as [DNSSEC] deployed more quickly.
As with any enhancement to or complication of the DNS protocol, this
enhancement offers attackers yet another way to increase the load on
a name server. Root, TLD and other "major" name servers should view
excessively complicated FEATURE sets with suspicion, and should not
allow themselves to be tricked into performing more work than is
really necessary.
IANA Considerations
IANA will need to allocate an EDNS0 option code for FEATURES.
IANA will need to create a new registry of feature numbers.
Acknowledgments
The authors would like to thank the following people for their help
in improving this document: Randy Bush, Patrik Faltstrom, Olafur
Gudmundsson, Bob Halley, and XXX.
References
[DNSSEC] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999.
[DNS-CONCEPTS] Mockapetris, P., "Domain names - concepts and
facilities", RFC 1034, November 1987.
[DNS-IMPLEMENTATION] Mockapetris, P., "Domain names - implementation
and specification", RFC 1035, November 1987.
[EDNS0] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
August 1999.
[BINARY-LABELS] Crawford, M., "Binary Labels in the Domain Name
System", RFC 2673 August 1999.
Austein & Alvestrand Expires 22 May 2001 [Page 5]
draft-ietf-dnsext-edns0dot5-02.txt November 2000
Author's addresses:
Rob Austein
InterNetShare.com, Inc.
505 West Olive Ave., Suite 321
Sunnyvale, CA 94086
USA
sra@hactrn.net
Harald Tveit Alvestrand
Cisco Systems
Weidemanns vei 27
N-7043 Trondheim
NORWAY
+47 73 50 33 52
Harald@Alvestrand.no
Austein & Alvestrand Expires 22 May 2001 [Page 6]
Reference in New Issue View Git Blame Copy Permalink