Network Working Group R. Edmonds Internet-Draft Fastly Intended status: Standards Track July 2, 2017 Expires: January 3, 2018 Signaling DNS Capabilities draft-edmonds-dnsop-capabilities-00 Abstract This document defines an Extension Mechanisms for DNS (EDNS0) option that allows DNS clients and servers to signal support for DNS protocol capabilities. Clients and servers that support this option can take advantage of new DNS protocol features when completing a transaction, and by caching the set of capabilities advertised by a DNS server, a DNS client can utilize any mutually supported DNS protocol capability in subsequent queries. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 3, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Edmonds Expires January 3, 2018 [Page 1] Internet-Draft DNS Capabilities July 2017 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Option Format . . . . . . . . . . . . . . . . . . . . . . . . 3 4.1. The "DNS Features" Capability . . . . . . . . . . . . . . 5 4.2. The "EDNS0 Option Codes" Capability . . . . . . . . . . . 6 5. Protocol Description . . . . . . . . . . . . . . . . . . . . 7 5.1. Originating the Option . . . . . . . . . . . . . . . . . 7 5.2. Generating a Response . . . . . . . . . . . . . . . . . . 7 5.3. Caching the Option . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 8 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 10. TODO . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 11.1. Normative References . . . . . . . . . . . . . . . . . . 9 11.2. Informative References . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction The lack of explicit capability signaling in the DNS protocol [RFC1035] makes it hard to deploy new functionality. For instance, Client Subnet in DNS Queries [RFC7871] defines an EDNS option to be used with a subset of specialized zones on the Internet capable of producing "tailored responses". It describes two strategies for deciding when to originate the Client Subnet option: the use of periodic probes by the resolver, and the use of a safelist of nameservers permitted by the resolver operator to use the option. In practice, few EDNS options have been defined, and EDNS options have not been originated routinely by general purpose resolvers on the Internet. If many EDNS options were to be widely used, it would be unreasonable to expect resolver implementations to perform option- specific probing or resolver operators to perform option-specific safelisting for each newly introduced EDNS option. EDNS options are not the only aspect of the DNS protocol that can benefit from explicit capability signaling. Extension Mechanisms for DNS (EDNS(0)) [RFC6891] includes a VERSION field in the OPT Pseudo- RR, but encourages clients to set this field to the "lowest implemented level capable of expressing a transaction, to minimize the responder and network load of discovering the greatest common Edmonds Expires January 3, 2018 [Page 2] Internet-Draft DNS Capabilities July 2017 implementation level between requestor and responder". If new EDNS VERSIONs were to be introduced, capability signaling would permit a DNS transaction initiated with a lower implementation level to be completed with the highest mutually supported implementation level. Similarly, Q and Meta-TYPEs [RFC6895] (Section 3.1) have been allocated sparingly. Introducing a new general purpose QTYPE is problematic, because by definition the existing installed base of nameservers will not support the new QTYPE. This document defines an EDNS0 option that allows DNS clients and servers to exchange lists of supported "DNS Capabilities". This new option includes explicit client-side caching semantics that allow future queries to be initiated that take advantage of mutually supported functionality. It also defines two DNS Capabilities. The first, "DNS Features", encodes an array of feature flags that future DNS protocol features may take advantage of. The second, "EDNS0 Option Codes", encodes the set of EDNS0 options supported by the client or server. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. Overview A DNS client that implements this protocol will include the "DNS Capabilities" EDNS0 option described in Section 4 in queries that it initiates (Section 5.1). If a DNS server that implements this protocol receives a query that includes this option, it will generate a corresponding response (Section 5.2) indicating which DNS Capabilities it supports and the length of time that the client may cache the server's capabilities for (Section 5.3). 4. Option Format This protocol uses an EDNS0 [RFC6891] option to encode the capabilities supported by the client or server. For each capability, the option contains a TLV element . Multiple Capability TLVs may be concatenated together, and the ordering of Capability TLVs within the option is not significant. The option is structured as follows: Edmonds Expires January 3, 2018 [Page 3] Internet-Draft DNS Capabilities July 2017 +0 (MSB) +1 (LSB) +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0: | OPTION-CODE | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 2: | OPTION-LENGTH | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 4: | OPTION-TTL-MINUTES | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 6: | CAPABILITY TYPE | CAPABILITY LENGTH | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 8: | | / CAPABILITY VALUE... / / / +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ / / / (Additional Capability TLVs...) / / / +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ o (Defined in [RFC6891]) OPTION-CODE, 2 octets, for the DNS Capabilities option is TBD-DNS-CAPABILITIES-OPT. o (Defined in [RFC6891]) OPTION-LENGTH, 2 octets, contains the length of the payload (everything after OPTION-LENGTH) in octets. o OPTION-TTL-MINUTES, 2 octets, unsigned, indicates the number of minutes clients may cache this DNS Capabilities option. o CAPABILITY TYPE, 1 octet, identifies the Capability encoded in the Capability TLV, using codes as assigned in TBD-DNS-CAPABILITIES- TYPE-REGISTRY. o CAPABILITY LENGTH, 1 octet, unsigned, encodes the number of octets in the CAPABILITY VALUE field. o CAPABILITY VALUE, variable number of octets, contains capability- specific data. The format of the CAPABILITY VALUE field depends on the value of the CAPABILITY TYPE field. This document defines the following CAPABILITY TYPE values: Edmonds Expires January 3, 2018 [Page 4] Internet-Draft DNS Capabilities July 2017 +---------+-------------------------------+-----------+-------------+ | Value | Name | Singleton | Reference | +---------+-------------------------------+-----------+-------------+ | 0 | Reserved | | This | | | | | document | | 1 | DNS Features | Y | Section 4.1 | | 2 | EDNS0 Option Codes | Y | Section 4.2 | | 3-249 | Unassigned | | | | 250-254 | Reserved for | | This | | | Local/Experimental Use | | document | | 255 | Reserved | | This | | | | | document | +---------+-------------------------------+-----------+-------------+ CAPABILITY TYPE values. The "DNS Features" and "EDNS0 Option Codes" capabilities are further described below. 4.1. The "DNS Features" Capability The "DNS Features" capability is a variable length array of feature flags encoded as a bitmap with trailing zero octets omitted. New DNS protocol functionality that requires upgraded semantics may register a flag in this capability. DNS clients and servers that support a new protocol feature with a feature flag in this capability MUST set the corresponding bit in this capability in queries and responses when those messages include a DNS Capabilities option. Each feature flag is assigned an individual bit in the "DNS Features" bitmap. For example, the first feature flag corresponds to the Most Significant Bit (MSB) of the first octet of the array, the ninth feature flag corresponds to the MSB of the second octet of the array, and the 256th feature flag corresponds to the Least Significant Bit (LSB) of the 32nd octet of the array. If no "DNS Features" flags are supported by the DNS client or server, this capability MUST be omitted from the DNS Capabilities option. Trailing zero octets in the "DNS Features" bitmap MUST be omitted. The minimum CAPABILITY LENGTH value for this capability is 1, and the maximum CAPABILITY LENGTH value for this capability is 32. Edmonds Expires January 3, 2018 [Page 5] Internet-Draft DNS Capabilities July 2017 +---------+------+----------------------------------+---------------+ | Bit | Flag | Description | Reference | +---------+------+----------------------------------+---------------+ | 0-249 | | Unassigned | | | 250-254 | | Reserved for Local/Experimental | This document | | | | Use | | | 255 | | Reserved | This document | +---------+------+----------------------------------+---------------+ "DNS Features" flags. The "DNS Features" capability is a singleton capability. It MUST NOT appear more than once in a DNS Capabilities option. 4.2. The "EDNS0 Option Codes" Capability [RFC4034] (Section 4.1.2) defines the Type Bit Maps field of the NSEC RR using a sparse encoding of the 16-bit code points in the DNS Resource Record (RR) TYPEs registry. This document reuses that "window block" bitmap encoding for the "DNS EDNS0 Option Codes (OPT)" registry, which is also a 16-bit code space. The "EDNS0 Option Codes" capability is a window block encoded bitmap indicating which EDNS0 Option Codes are supported by the DNS client or server. If the "EDNS0 Option Codes" capability is included in the DNS Capability option in a DNS message, the EDNS0 Option Codes supported by the DNS client or server SHOULD be indicated using this capability. The EDNS0 Option Codes space is split into 256 window blocks, each representing the low-order 8 bits of the 16-bit code space. Each block that has at least one indicated EDNS0 Option Code is encoded using a single octet window number (from 0 to 255), a single octet bitmap length (from 1 to 32) indicating the number of octets used for the window block's bitmap, and up to 32 octets (256 bits) of bitmap. Window blocks are present in the "EDNS0 Option Codes" capability in increasing numerical order. Each bitmap encodes the low-order 8 bits of EDNS0 Option Codes within the window block. The first bit is bit 0. For window block 0, bit 3 corresponds to NSID [RFC5001], bit 8 corresponds to EDNS Client Subnet [RFC7871], and so forth. If a bit is set, it indicates that the corresponding EDNS0 Option Code is supported by the DNS protocol implementation that sent the message containing the "EDNS0 Option Codes" capability. Edmonds Expires January 3, 2018 [Page 6] Internet-Draft DNS Capabilities July 2017 Window blocks with no EDNS0 Option Codes present MUST NOT be included. Trailing zero octets in the bitmap MUST be omitted. The length of each block's bitmap is determined by the option code with the largest numerical value, within that block, among the set of option codes indicated as supported. Trailing zero octets not specified MUST be interpreted as zero octets. The "EDNS0 Option Codes" capability is a singleton capability. It MUST NOT appear more than once in a DNS Capabilities option. 5. Protocol Description 5.1. Originating the Option A DNS client that implements this protocol SHOULD include the DNS Capabilities option in each EDNS(0) enabled query it sends. If the DNS client supports any DNS Features (Section 4.1), it MUST include a DNS Features capability in the DNS Capabilities option advertising the supported features. If the DNS client supports any EDNS0 Option Codes, it MAY include an EDNS0 Option Codes capability in the DNS Capabilities option advertising the supported option codes. DNS clients MUST set the OPTION-TTL-MINUTES field to zero. 5.2. Generating a Response When a query containing the DNS Capabilities option is received, a DNS server supporting DNS Capabilities MAY use the information contained in the client's option to generate a response that utilizes the functionality that the client has advertised as supported. A DNS server that implements this protocol and receives a DNS Capabilities option MUST include a DNS Capabilities option in its response. If the DNS server implements any DNS Features (Section 4.1), it MUST include a DNS Features capability in the DNS Capabilities option advertising the supported features. If the DNS server supports any EDNS0 Option Codes, it MUST include an EDNS0 Option Codes capability in the DNS Capabilities option advertising the supported option codes. If the DNS Capabilities option was not included in a query, a DNS server MUST NOT include one when generating a response. 5.3. Caching the Option When a DNS client originates a query containing the DNS Capabilities option and receives a response containing the DNS Capabilities option, the data contained in the option SHOULD be cached so that Edmonds Expires January 3, 2018 [Page 7] Internet-Draft DNS Capabilities July 2017 future queries sent to the same DNS server can utilize functionality that the server has advertised as supported. A query sent to "the same DNS server" means a query sent to a server identified by the same network address as a previous query. The amount of time that the DNS Capabilities option may be cached for is indicated in the OPTION-TTL-MINUTES field. This allows a maximum cache entry lifetime of 45.5 days. If a DNS Capabilities option for a given DNS server is already cached when a subsequent response containing a DNS Capabilities option is received, the cached option MAY be overwritten with the newer data, and the cache entry's lifetime MAY be extended or reduced. If a DNS client receives a response containing the DNS Capabilities option where the OPTION-TTL-MINUTES field is zero, the data contained in the option MUST be discarded, and the response MUST be treated as if it did not contain a DNS Capabilities option. 6. IANA Considerations To be written. 7. Implementation Status To be written. 8. Security Considerations To be written. 9. Acknowledgements To be written. 10. TODO 1. There is a limited amount of space available in a UDP DNS query message (512 octets), and a query message with a maximum size query name (255 octets) and a plausible set of other EDNS0 options could be as much as ~300 octets, leaving ~200 octets for the DNS Capabilities option. What should happen if all of the desired DNS Capabilities data can't be serialized into a <= 512 octet query message? Edmonds Expires January 3, 2018 [Page 8] Internet-Draft DNS Capabilities July 2017 11. References 11.1. Normative References [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, . [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/RFC6891, April 2013, . 11.2. Informative References [RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option", RFC 5001, DOI 10.17487/RFC5001, August 2007, . [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, April 2013, . [RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and W. Kumari, "Client Subnet in DNS Queries", RFC 7871, DOI 10.17487/RFC7871, May 2016, . Author's Address Robert Edmonds Fastly Atlanta, Georgia United States of America Email: edmonds@mycre.ws Edmonds Expires January 3, 2018 [Page 9]