]> Internet Systems Consortium, Inc.

PO Box 360 Newmarket NH 03857 USA +1 650 423 1300 ray@isc.org

Internet DNSEXT Working Group Internet-Draft This document specifies a method for a DNS client to request additional DNS record types to be delivered alongside the primary record type specified in the question section of a DNS query.

Introduction RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING: The source for this draft is maintained in GitHub at: https://github.com/raybellis/draft-bellis-dnsext-multi-qtypes Please submit suggested changes as issues or pull requests there. A commonly requested DNS feature is the ability to receive multiple related resource records (RRs) in a single DNS response. For example, it may be desirable to receive both the A and AAAA records for a domain name together, rather than having to issue multiple queries. The DNS wire protocol in theory supports having multiple questions in a single packet, but in practise this does not work:

• Each question consists of the tuple (QNAME, QTYPE, QCLASS). Since each question has its own QNAME field it would be possible for one name to exist and another to not exist, resulting in an inconsistent response code.
• says that QDCOUNT is "usually 1" but the only documented exceptions relate to the IQuery OpCode which was obsoleted in . Other text in strongly implies a singular question.
• The idea that only a single question is allowed is sufficiently entrenched that many DNS servers will simply return an error (or fail to response at all) if they receive a query with a question count (QDCOUNT) of more than one.

To mitigate these issues, this document constrains the problem to those cases where only the QTYPE varies by specifying a new option for the Extension Mechanisms for DNS (EDNS ) that contains an additional list of QTYPE values that the client wishes to receive in addition to the single QTYPE appearing in the question section. TODO: why not "ANY" ?

Terminology used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Description

Multiple QTYPE EDNS Option Format The overall format of an EDNS option is shown for reference below, per , followed by the option specific data: OPTION-CODE: TBD by IANA OPTION-LENGTH: Size (in octets) of OPTION-DATA. OPTION-DATA: Option specific, as below: QTD: this bit indicates the direction of the packet. It MUST be clear (0) in a request and set (1) in a response. QTCOUNT: a 3 bit field with range 0 .. 7 specifying the number of QT fields to follow. NB: Whilst the QTCOUNT could in theory be calculated based on the OPTION-LENGTH field, having it explicitly specified ensures a sensible constraint on its range of values. QTn: a 2 byte field (MSB first) specifying a DNS RR type. The RR type MUST be for a real resource record, and MUST NOT refer to a pseudo RR type such as "OPT", "IXFR", "TSIG", "*", etc.

Response Generation

Server Side Processing A conforming server that receives a Multiple QTYPE Option in a query MUST return a Multiple QTYPE Option in its response. The QTD bit in that response MUST be set (1) as protection against servers which simply echo unknown EDNS options verbatim. If the QTD bit in a response is zero the client MUST treat the response as if this option is unsupported. The server SHOULD attempt to return any resource records known to it that match the additional (QNAME, QTn, QCLASS) tuples. These records MUST be returned in the Answer Section of the response, but the answer for the primary QTYPE from the Question Section MUST be included first. For any particular QTn in the query, if the server provides additional answers, or has knowledge that the RR type type does not exist for that QNAME (a "negative answer"), it must include that QTn value in the Multiple QTYPE Option of its response. A negative answer is therefore indicated by the combination of the presence of a QTn value in the Multiple QTYPE Option and the absence of a matching record in the Answer Section. This is necessary (in the absence of DNSSEC) to differentiate between absence of the record from the zone and absence of the record from the response. A server that is authoritative for the specified QNAME on receipt of a Multiple QTYPE Option MUST attempt to return all specified RR types except where that would result in truncation in which case it may omit some (or all) of the records for the additional RR types. Those RR types MUST then also be omitted from the Multiple QTYPE Option in the response. A caching recursive server receiving a Multiple QTYPE Option SHOULD attempt to fill its positive and negative caches with all of the specified RR types before returning its response to the client. TODO: is there a case for mandatory answers, i.e. the client saying I really want all these?

Client Side Processing Recursive resolvers MAY use this method to obtain multiple records from an authoritative server. For the purposes of Section 5.4.1 of any authoritative answers received MUST be ranked the same as the answer for the primary question.

DNSSEC If the DNS client sets the "DNSSEC OK" (DO) bit in the query then the server MUST also return the related DNSSEC records that would have been returned in a standalone query for the same QTYPE. A negative answer from a signed zone MUST contain the appropriate authenticated denial of existence records, per and . In a signed zone there is a theoretical risk of valid signatures for one RR type and invalid signatures for another. This is the only case known to the author where the response code for any particular QNAME may be inconsistent across different RR types. Should a validating resolver produce NOERROR for some RR types and SERVFAIL for others it MUST omit the RR types that failed to validate from its response and from the QTn fields on the Multiple QTYPE option. The client MAY then initiate standalone queries for those RR types.

Security Considerations The method documented here does not change any of the security properties of the DNS protocol itself. It should however be noted that this method does increase the potential amplification factor when the DNS protocol is used as a vector for a denial of service attack.

IANA Considerations IANA is requested to assign a new value in the DNS EDNS0 Option Codes registry.

Acknowledgements The author wishes to thank the following for their feedback and reviews during the initial development of this document: Michael Graff, Olafur Gudmundsson, Matthijs Mekking, Paul Vixie.

References Normative References This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow. This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document considers some areas that have been identified as problems with the specification of the Domain Name System, and proposes remedies for the defects identified. [STANDARDS-TRACK] This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK] The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. [STANDARDS-TRACK] Informative References The IQUERY method of performing inverse DNS lookups, specified in RFC 1035, has not been generally implemented and has usually been operationally disabled where it has been implemented. Both reflect a general view in the community that the concept was unwise and that the widely-used alternate approach of using pointer (PTR) queries and reverse-mapping records is preferable. Consequently, this document deprecates the IQUERY operation, declaring it entirely obsolete. This document updates RFC 1035. [STANDARDS-TRACK]