Extension mechanisms for DNS
Extension mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671, also known as EDNS0.[1]
Motivation
The Domain Name System was first developed in the early 1980s, since which time it has been progressively enhanced with new features, while maintaining compatibility with earlier versions of the protocol.
The restrictions in size of several flags fields, return codes and label types available in the basic DNS protocol were not sufficient to support some desirable features. Moreover, DNS messages carried by UDP were restricted to 512 bytes, not considering the Internet Protocol (IP) and transport layer headers.[2] Resorting to a virtual circuit transport, using the Transmission Control Protocol (TCP), would greatly increase overhead. This presented a major obstacle to adding new features to DNS. In 1999, Paul Vixie proposed extending DNS to allow for new flags and response codes, and to provide support for longer responses in a framework that is backwards compatible with previous implementations.
Mechanism
Since no new flags could be added in the DNS header, EDNS adds information to DNS messages in the form of pseudo-resource-records included in the "additional data" section of a DNS message. Note that this section exists in both requests and responses.
The pseudo-RR EDNS introduces for this are of type OPT
.
As pseudo-RRs, OPT type RRs never appear in any zone file; they exist only in messages, fabricated by the DNS participants.
The mechanism is backward compatible, because older DNS responders ignore any RR of the unknown OPT type in a request and a newer DNS responder never includes an OPT in a response unless there was one in the request. The presence of the OPT in the request signifies a newer requester that knows what to do with an OPT in the response.
The OPT pseudo-record provides space for up to 16 flags and it extends the space for the response code. The overall size of the UDP packet and the version number (at present 0) are contained in the OPT record. A variable length data field allows further information to be registered in future versions of the protocol. The original DNS protocol provided two label types, which are defined by the first two bits in DNS packets (RFC 1035): 00 (standard label) and 11 (compressed label). EDNS introduces the label type 01 as extended label. The lower 6 bits of the first byte may be used to define up to 63 new extended labels.
Example
An example of an OPT pseudo-record, as displayed by the Domain Information Groper (dig) utility tool:
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096
The result of "EDNS: version: 0" indicates full conformance with EDNS0.[3] The result "flags: do" indicates that "DNSSEC OK" is set.[4]
Applications
EDNS is essential for the implementation of DNS Security Extensions (DNSSEC).[5]
Issues
In practice, difficulties can arise when using EDNS traversing firewalls, since some firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets.
The introduction of EDNS made a type of Reflected Denial-of-Service attacks called DNS amplification feasible, since EDNS facilitates very large response packets compared to relatively small request packets.
The IETF DNS Extensions working group (dnsext) has finished work on a refinement of EDNS0, which has been published as RFC 6891.
References
- ↑ RFC 2671, Extension Mechanisms for DNS (EDNS0), P. Vixie, The Internet Society (August 1999)
- ↑ RFC 1035, Domain Names - Implementation and Specification, P. Mockapetris (November 1987)
- ↑ Network Working Group of the IETF, August 1999, RFC 2671: Extension Mechanisms for DNS (EDNS0), page 3, Full conformance with this specification is indicated by version "0."
- ↑ Network Working Group of the IETF, December 2001, RFC 3225: Indicating Resolver Support of DNSSEC, page 3, The mechanism chosen for the explicit notification of the ability of the client to accept (if not understand) DNSSEC security RRs is using the most significant bit of the Z field on the EDNS0 OPT header in the query. This bit is referred to as the "DNSSEC OK" (DO) bit.
- ↑ RFC 4035, Protocol Modifications for the DNS Security Extensions, R. Arends, Telematica Instituut, 2005. Section 4.1 EDNS Support