Internet DRAFT - draft-bellis-dnsop-qdcount-is-one
draft-bellis-dnsop-qdcount-is-one
DNSOP Working Group R. Bellis
Internet-Draft ISC
Updates: RFC1035 (if approved) J. Abley
Intended status: Standards Track Cloudflare
Expires: 21 August 2023 17 February 2023
In the DNS, QDCOUNT is (usually) One
draft-bellis-dnsop-qdcount-is-one-00
Abstract
This document clarifies the allowable values of the QDCOUNT parameter
in DNS messages with OPCODE = 0 (QUERY) and specifies the required
behaviour when values that are not allowed are encountered.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 August 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Bellis & Abley Expires 21 August 2023 [Page 1]
�
Internet-Draft In the DNS, QDCOUNT is (usually) One February 2023
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology used in this document . . . . . . . . . . . . . . 2
3. QDCOUNT is (usually) One . . . . . . . . . . . . . . . . . . 3
3.1. OPCODE = 0 (QUERY) and 1 (IQUERY) . . . . . . . . . . . . 3
3.2. OPCODE = 4 (NOTIFY) . . . . . . . . . . . . . . . . . . . 4
3.3. OPCODE = 5 (UPDATE) . . . . . . . . . . . . . . . . . . . 4
3.4. OPCODE = 6 (DNS Stateful Operations, DSO) . . . . . . . . 4
3.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 4
4. Updates to RFC 1035 . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
The DNS protocol [RFC1034][RFC1035] includes a parameter QDCOUNT in
the DNS message header, whose value is specified to mean the number
of questions in the Question Section of a message.
In a general sense it seems perfectly plausible for the QDCOUNT
parameter, an unsigned 16-bit value, to take a considerable range of
values. However, in the specific case of messages that encode DNS
queries and responses (messages with OPCODE = 0) there are other
limitations inherent in the protocol that constrain values of QDCOUNT
to be either 0 or 1. In particular, several parameters specified for
DNS response messages such as AA and RCODE have no defined meaning
when the message contains multiple queries, since there is no way to
signal which question those parameters relate to.
In this document we briefly survey the existing written DNS
specification; we provide a description of the semantic and practical
requirements for DNS queries that naturally constrain the allowable
values of QDCOUNT; and we update the DNS base specification to
clarify the allowable values of the QDCODE parameter in the specific
case of DNS messages with OPCODE = 0 (QUERY).
2. Terminology used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Bellis & Abley Expires 21 August 2023 [Page 2]
�
Internet-Draft In the DNS, QDCOUNT is (usually) One February 2023
3. QDCOUNT is (usually) One
The following brief survey provides some commentary on the use of
QDCOUNT in the written DNS specification.
3.1. OPCODE = 0 (QUERY) and 1 (IQUERY)
[RFC1035] significantly predates the use of normative requirements
keywords, and parts of it are consequently somewhat open to
interpretation.
Section 4.1.2 ("Question section format") has this to say about
QDCOUNT:
The section contains QDCOUNT (usually 1) entries
The only documented exceptions within [RFC1035] relate to the IQuery
Opcode, where the request has "an empty question section" (QDCOUNT ==
0), and "zero, one, or multiple domain names for the specified
resource as QNAMEs in the question section". The IQuery OpCode was
made obsolete in [RFC3425].
In the absence of clearly expressed normative requirements, we rely
on other text in [RFC1035] that makes use of the definite article or
other text that implies a singuar question and, by implication,
QDCOUNT = 1.
For example, Section 4.1:
the question for the name server
and:
The question section contains fields that describe a question to a
name server
and in Section 4.1.1. ("Header section format"):
AA Authoritative Answer - this bit is valid in responses, and
specifies that the responding name server is an authority for the
domain name in question section.
DNS Cookies [RFC7873] in Section 5.4 allow a client to receive a
valid Server Cookie without sending a specific question by sending a
Query packet (OpCode 0) with QDCOUNT == 0, with the resulting
response also containing no question.
Bellis & Abley Expires 21 August 2023 [Page 3]
�
Internet-Draft In the DNS, QDCOUNT is (usually) One February 2023
3.2. OPCODE = 4 (NOTIFY)
DNS Notify [RFC1996] also lacks a clearly defined range of values for
QDCOUNT. Section 3.7 says:
A NOTIFY request has QDCOUNT > 0
but all other text in the RFC talks about the <QNAME, QCLASS, QTYPE>
tuple in the singular.
3.3. OPCODE = 5 (UPDATE)
DNS Update [RFC2136] renames the QDCOUNT field to ZOCOUNT, but the
value is constrained to be one by Section 2.3 ("Zone Section"):
All records to be updated must be in the same zone, and therefore
the Zone Section is allowed to contain exactly one record.
3.4. OPCODE = 6 (DNS Stateful Operations, DSO)
DNS Stateful Operations [RFC8490] (DSO - OpCode 6) attempts to
preserve compatibility with the standard DNS 12 octet header, and
does so by requiring that all four of the section count values be set
to zero.
3.5. Conclusion
There is no description in [RFC1035] that describes how other
parameters in the DNS message such as AA, RCODE should be interpreted
in the case where a message includes more than one question. An
originator of a query with QDCOUNT > 1 can have no expectations of
how it will be processed, and the receiver of a response with QDCOUNT
> 1 has no guidance for how it should be interpreted.
The allowable values of QDCOUNT seem to be clearly specified for
OPCODE = 4 (NOTIFY), OPCODE = 5 (UPDATE) and OPCODE = 6 (DNS Stateful
Operations, DSO). OPCODE = 1 (IQUERY) is obsolete and OPCODE = 2
(STATUS) is not specified. OPCODE = 3 is reserved.
The allowable values of QDCOUNT are specified in [RFC1035] without
the clarity of normative language, and this looseness of language
results in some ambiguity.
Bellis & Abley Expires 21 August 2023 [Page 4]
�
Internet-Draft In the DNS, QDCOUNT is (usually) One February 2023
4. Updates to RFC 1035
A DNS message with OPCODE = 0 (QUERY) MUST NOT include a QDCOUNT
parameter whose value is greater than 1. It follows that the
Question Section of a DNS message with OPCODE = 0 MUST NOT contain
more than one question.
A DNS message with OPCODE = 0 (QUERY) and QDCOUNT > 1 MUST be treated
as an incorrectly-formatted message. The value of the RCODE
parameter in the response message MUST be set to 1 (FORMERR).
Firewalls that process DNS messages in order to eliminate unwanted
traffic SHOULD treat messages with OPCODE = 0 and QDCOUNT > 1 as
malformed traffic. See Section 4 of [RFC8906] for further guidance.
5. Security Considerations
This document clarifies the DNS specification and aims to improve
interoperability between different DNS implementations. In general,
the elimination of ambiguity seems well-aligned with security
hygiene.
6. IANA Considerations
This document has no IANA actions.
7. References
7.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3425] Lawrence, D., "Obsoleting IQUERY", RFC 3425,
DOI 10.17487/RFC3425, November 2002,
<https://www.rfc-editor.org/info/rfc3425>.
Bellis & Abley Expires 21 August 2023 [Page 5]
�
Internet-Draft In the DNS, QDCOUNT is (usually) One February 2023
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
August 1996, <https://www.rfc-editor.org/info/rfc1996>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997,
<https://www.rfc-editor.org/info/rfc2136>.
[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
<https://www.rfc-editor.org/info/rfc7873>.
[RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
Lemon, T., and T. Pusateri, "DNS Stateful Operations",
RFC 8490, DOI 10.17487/RFC8490, March 2019,
<https://www.rfc-editor.org/info/rfc8490>.
[RFC8906] Andrews, M. and R. Bellis, "A Common Operational Problem
in DNS Servers: Failure to Communicate", BCP 231,
RFC 8906, DOI 10.17487/RFC8906, September 2020,
<https://www.rfc-editor.org/info/rfc8906>.
Authors' Addresses
Ray Bellis
Internet Systems Consortium, Inc.
PO Box 360
Newmarket, NH 03857
United States of America
Phone: +1 650 423 1300
Email: ray@isc.org
Joe Abley
Cloudflare
Amsterdam
Netherlands
Phone: +31 6 45 56 36 34
Email: jabley@cloudflare.com
Bellis & Abley Expires 21 August 2023 [Page 6]
