draft-ietf-dnsop-zoneversion-02.txt | draft-ietf-dnsop-zoneversion-09.txt | |||
---|---|---|---|---|
Internet Engineering Task Force H. Salgado | Internet Engineering Task Force H. Salgado | |||
Internet-Draft NIC Chile | Internet-Draft NIC Chile | |||
Intended status: Informational M. Vergara | Intended status: Standards Track M. Vergara | |||
Expires: 25 August 2023 DigitalOcean | Expires: 2 January 2025 DigitalOcean | |||
21 February 2023 | D. Wessels | |||
Verisign | ||||
1 July 2024 | ||||
The "ZONEVERSION" EDNS option for the version token of a RR's zone | The DNS Zone Version (ZONEVERSION) Option | |||
draft-ietf-dnsop-zoneversion-02 | draft-ietf-dnsop-zoneversion-09 | |||
Abstract | Abstract | |||
The "ZONEVERSION" EDNS option allows a DNS querier to request a DNS | The DNS ZONEVERSION option is a way for DNS clients to request, and | |||
authoritative server to add an EDNS option in the answer of such | for authoritative DNS servers to provide, information regarding the | |||
query with a token field representing the version of the zone which | version of the zone from which a response is generated. The Serial | |||
contains the answered Resource Record, such as the SOA serial field | field from the Start Of Authority (SOA) resource record is a good | |||
in zones when this number corresponds to the zone version. | example of a zone's version, and the only one defined by this | |||
specification. Additional version types may be defined by future | ||||
specifications. | ||||
This "ZONEVERSION" data allows to debug and diagnose problems by | Including zone version data in a response simplifies and improves the | |||
helping to recognize the data source of an answer in an atomic single | quality of debugging and diagnostics since the version and the DNS | |||
query, by associating the response with a respective zone version. | answer are provided atomically. This can be especially useful for | |||
zones and DNS providers that leverage IP anycast or multiple backend | ||||
systems. It functions similarly to the DNS Name Server Identifier | ||||
(NSID) option [RFC5001]. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 25 August 2023. | This Internet-Draft will expire on 2 January 2025. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
2. The ZONEVERSION Option . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.1. The ZONEVERSION Option Presentation Format . . . . . . . 4 | 2. The ZONEVERSION Option . . . . . . . . . . . . . . . . . . . 4 | |||
3. ZONEVERSION Processing . . . . . . . . . . . . . . . . . . . 4 | 2.1. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3.1. Initiator . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.2. Presentation Format . . . . . . . . . . . . . . . . . . . 5 | |||
3.2. Responder . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. ZONEVERSION Processing . . . . . . . . . . . . . . . . . . . 5 | |||
4. Flag Definition for SOA-SERIAL . . . . . . . . . . . . . . . 4 | 3.1. Initiators . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
4.1. Flag SOA-SERIAL Presentation Format . . . . . . . . . . . 5 | 3.2. Responders . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
5. Example usage . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.2.1. ZONEVERSION Is Not Transitive . . . . . . . . . . . . 7 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | 4. The SOA-SERIAL ZONEVERSION Type . . . . . . . . . . . . . . . 7 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 4.1. Type SOA-SERIAL Presentation Format . . . . . . . . . . . 7 | |||
7.1. DNS EDNS0 Option Code Registration . . . . . . . . . . . 6 | 5. Example usage . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
7.2. ZONEVERSION Registry . . . . . . . . . . . . . . . . . . 7 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
7.2.1. Expert Review Directives . . . . . . . . . . . . . . 7 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7.1. DNS EDNS0 Option Code Registration . . . . . . . . . . . 9 | |||
9. Normative References . . . . . . . . . . . . . . . . . . . . 8 | 7.2. ZONEVERSION Registry . . . . . . . . . . . . . . . . . . 9 | |||
10. Informative References . . . . . . . . . . . . . . . . . . . 9 | 7.2.1. Expert Review Directives . . . . . . . . . . . . . . 10 | |||
Appendix A. Implementation Considerations . . . . . . . . . . . 9 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
Appendix B. Implementation References . . . . . . . . . . . . . 9 | 9. Normative References . . . . . . . . . . . . . . . . . . . . 11 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | 10. Informative References . . . . . . . . . . . . . . . . . . . 11 | |||
Appendix A. Implementation Considerations . . . . . . . . . . . 12 | ||||
Appendix B. Implementation References . . . . . . . . . . . . . 12 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
1. Introduction | 1. Introduction | |||
The "ZONEVERSION" EDNS option [RFC6891] allows a DNS querier to | The ZONEVERSION option allows DNS queriers to request, and | |||
request to a DNS authoritative server to add an EDNS option in the | authoritative DNS servers to provide, a token representing the | |||
answer of such query with a token field representing the version of | version of the zone from which a DNS response was generated. It is | |||
the zone associated to the answered Resource Record, such as the SOA | similar to the NSID option [RFC5001], which can be used to convey the | |||
serial field in zones when this number corresponds to the zone | identification of a name server that generates a response. | |||
version. | ||||
This "ZONEVERSION" data allows to help debug by recognizing the data | ||||
source of an answer, associating this answer with a respective zone | ||||
version. | ||||
DNS data is of loose coherent nature, meaning that a record obtained | The Domain Name System allows data to be loosely coherent [RFC3254], | |||
by a response could be out-of-sync with other authoritative sources | because synchronization can never be instantaneous, and some uses of | |||
of the same data. This makes it difficult to debug responses, | DNS do not require strong coherency anyway. This means that a record | |||
because you'd need to couple an answer with the same version of the | obtained by one response could be out-of-sync with other | |||
zone used to obtain such data. Even when in zones where the SOA | authoritative sources of the same data at the same point in time. | |||
serial field have the meaning of zone version you could use a | This can make it difficult to debug some problems when there is a | |||
separate query to ask for the SOA RR of the zone and therefore know | need to couple the data with the version of the zone it came from. | |||
its SOA serial, such separate query is performed in a different time | Furthermore, in today's Internet, it is common for high volume and | |||
and could arrive from another authoritative source (for example, in | important DNS zones to utilize IP anycast Section 4.9 of [RFC4786] | |||
the case the server is anycasted as described in Section 4.9 of | and/or load-balanced backend servers. In general, there is no way to | |||
[RFC4786]), so it's not directly correlated with the original query. | ensure that two separate queries are delivered to the same server. | |||
The ZONEVERSION option both simplifies and improves the DNS | ||||
monitoring and debugging by directly associating the data and the | ||||
version together in a single response. | ||||
This EDNS option is aimed to be used only on authoritative servers | The SOA Serial field (Section 4.3.5 of [RFC1034]) is one example of | |||
for a zone. It's intended for hop-to-hop communication (not | zone versioning. Its purpose is to facilitate the distribution of | |||
transitive). Resolver and forwarder behavior is undefined. | zone data between primary and secondary name servers. It is also | |||
often useful in DNS monitoring and debugging. This document | ||||
specifies the SOA Serial as one type of ZONEVERSION data. | ||||
The ZONEVERSION EDNS extension can have different meaning depending | Some DNS zones may use other distribution and synchronization | |||
on the semantics of the zone maintainer and implementation of | mechanisms not based on the SOA Serial number, such as relational | |||
nameservers. This document defines one possible value, when the zone | databases or other proprietary methods. In those cases the SOA | |||
version corresponds to the serial field of the SOA Resource Record of | Serial field may not be relevant with respect to the versioning of | |||
the zone, a classic behaviour defined in Section 4.3.5 of [RFC1034]. | its content. To accommodate these use cases, new ZONEVERSION types | |||
could be defined in future specifications. Alternatively, zone | ||||
operators may use one of the private use ZONEVERSION code points | ||||
allocated by this specification. | ||||
As the writing of this document, we recognize there are cases where | The ZONEVERSION option is OPTIONAL to implement by DNS clients and | |||
nameservers use different backends for its data sources (like | name servers. It is designed for use only when a name server | |||
relational databases or by using a different off-DNS synchronicity | provides authoritative response data. It is intended only for hop- | |||
among others) therefore, the SOA version field doesn't offer much | to-hop communication and is not transitive. | |||
relevance as a versioning to its content, and in those cases the | ||||
ZONEVERSION EDNS extension SHOULD be extended with a different flag | ||||
and have an opaque value for its data token. | ||||
1.1. Requirements Language | 1.1. Requirements Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
document are to be interpreted as described in [RFC2119]. | "OPTIONAL" in this document are to be interpreted as described in | |||
[BCP14] (RFC2119, RFC8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
1.2. Terminology | ||||
In this document "original QNAME" is used to mean what the DNS | ||||
terminology document [RFC8499] calls "QNAME (original)": | ||||
| The name actually sent in the Question section in the original | ||||
| query, which is always echoed in the (final) reply in the Question | ||||
| section when the QR bit is set to 1. | ||||
2. The ZONEVERSION Option | 2. The ZONEVERSION Option | |||
The variable part of RDATA in the OPT RR Section 6.1.2 of [RFC6891] | This document specifies a new EDNS(0) (Section 6.1.2 of [RFC6891]) | |||
for ZONEVERSION is defined as follows: | option, ZONEVERSION, which can be used by DNS clients and servers to | |||
provide information regarding the version of the zone from which a | ||||
response is generated. | ||||
* The OPTION-CODE for the ZONEVERSION option is <TBD>. | 2.1. Wire Format | |||
* The OPTION-LENGTH for the ZONEVERSION option MUST have a value of | The ZONEVERSION option is encoded as follows: | |||
0 for queries, and MUST have the value of length in octets for the | ||||
next OPTION-DATA for responses. | ||||
* The OPTION-DATA for the ZONEVERSION option is composed of the | OPTION-CODE for the ZONEVERSION option is <TBD>. | |||
concatenation of an unsigned 1 byte Flag number (FLAG-NUMBER), an | ||||
unsigned 2 bytes number with the Length of the next field in bytes | ||||
(FLAG-LENGTH), and the final Data value of the ZONEVERSION field | ||||
as an opaque bit value, with the previous specified length (FLAG- | ||||
DATA). | ||||
[RFC Editor: change <TBD> to the proper code when assigned by IANA.] | OPTION-LENGTH for the ZONEVERSION option MUST have a value of 0 for | |||
queries, and MUST have the value of the length (in octets) of the | ||||
OPTION-DATA for responses. | ||||
2.1. The ZONEVERSION Option Presentation Format | OPTION-DATA for the ZONEVERSION option is omitted in queries. For | |||
responses it is composed of three fields: | ||||
The presentation format of the RDATA portion is as follows: | * An unsigned 1-octet Label Count (LABELCOUNT) indicating the number | |||
of labels for the name of the zone that VERSION value refers to. | ||||
* An unsigned 1-octet type number (TYPE) that distinguishes the | ||||
format and meaning of VERSION. | ||||
* An opaque octet string conveying the zone version data (VERSION). | ||||
+0 (MSB) +1 (LSB) | ||||
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ||||
0: | LABELCOUNT | TYPE | | ||||
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ||||
2: | VERSION | | ||||
/ / | ||||
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ||||
Figure 1: Diagram with the OPTION-DATA format for ZONEVERSION option | ||||
The LABELCOUNT field indicates the name of the zone that the | ||||
ZONEVERSION option refers to, by means of taking the last LABELCOUNT | ||||
labels of the original QNAME. For example, an answer with QNAME | ||||
"a.b.c.example.com" and a ZONEVERSION option with a LABELCOUNT of | ||||
value 2, indicates that the zone name that this ZONEVERSION refers is | ||||
"example.com.". | ||||
The LABELCOUNT number helps to differentiate in the case of a | ||||
downward referral response, where the parent server is authoritative | ||||
for some portion of the QNAME that differs from a child server that | ||||
is below the zone cut. Also, if the ANSWER section has more than one | ||||
RR set with different zones (like a CNAME and a target name in | ||||
another zone) the number of labels in the QNAME disambiguates such a | ||||
situation. | ||||
The value of the LABELCOUNT field MUST NOT count the null (root) | ||||
label that terminates the original QNAME. The value of the | ||||
LABELCOUNT field MUST be less than or equal to the number of labels | ||||
in the original QNAME. The Root zone (".") has a LABELCOUNT field | ||||
value of 0. | ||||
2.2. Presentation Format | ||||
The presentation format of the ZONEVERSION option is as follows: | ||||
The OPTION-CODE field MUST be represented as the mnemonic value | The OPTION-CODE field MUST be represented as the mnemonic value | |||
"ZONEVERSION". | ZONEVERSION. | |||
The OPTION-LENGTH field could be omitted in presentation format, but | The OPTION-LENGTH field MAY be omitted, but if present it MUST be | |||
if is used, MUST be represented as an unsigned decimal integer. | represented as an unsigned decimal integer. | |||
The OPTION-DATA field MUST be represented following its own format, | The LABELCOUNT value of OPTION-DATA field MAY be omitted, but if | |||
as specified in the corresponding Flag's specification. | present it MUST be represented as an unsigned decimal integer. The | |||
corresponding zone name SHOULD be displayed (i.e., LABELCOUNT labels | ||||
of the original QNAME) for easier human consumption. | ||||
The TYPE and VERSION fields of the option SHOULD be represented | ||||
according to each specific TYPE. | ||||
3. ZONEVERSION Processing | 3. ZONEVERSION Processing | |||
3.1. Initiator | 3.1. Initiators | |||
The EDNS ZONEVERSION option MAY be included on any QUERY, by adding a | A DNS client MAY signal its support and desire for zone version | |||
zero-length EDNS ZONEVERSION option to the options field of the OPT | information by including an empty ZONEVERSION option in the EDNS(0) | |||
record when the query is made. | OPT pseudo-RR of a query to an authoritative name server. An empty | |||
ZONEVERSION option has OPTION-LENGTH set to zero. | ||||
3.2. Responder | A DNS client SHOULD NOT send the ZONEVERSION option to non- | |||
authoritative name servers. | ||||
If an EDNS ZONEVERSION option is sent to a server that is | A DNS client MUST NOT include more than one ZONEVERSION option in the | |||
Authoritative for the zone, then a name server that understands the | OPT RR of a DNS query. | |||
ZONEVERSION option and chooses to honor a particular ZONEVERSION | ||||
request, MUST put in the OPTION-DATA a flag, length and value that | ||||
corresponds to the properly semantic of such flag number, and | ||||
corresponds to a zone versioning value of the zone that holds the | ||||
original QNAME of the reply (as per Section 4 of [RFC8499]). | ||||
Otherwise, the answer MUST NOT add an EDNS ZONEVERSION option to the | 3.2. Responders | |||
A name server that (a) understands the ZONEVERSION option, (b) | ||||
receives a query with the ZONEVERSION option, (c) is authoritative | ||||
for the zone of the original QNAME, and (d) chooses to honor a | ||||
particular ZONEVERSION request responds by including a TYPE and | ||||
corresponding VERSION value in a ZONEVERSION option in an EDNS(0) OPT | ||||
pseudo-RR in the response message. | ||||
Otherwise, a server MUST NOT include a ZONEVERSION option in the | ||||
response. | response. | |||
4. Flag Definition for SOA-SERIAL | A name server MUST ignore invalid ZONEVERSION options present in the | |||
query message. | ||||
The first and only ZONEVERSION Flag defined in this document for the | A name server MAY include more than one ZONEVERSION option in the | |||
ZONEVERSION Option has the FLAG-NUMBER of 0, a FLAG-LENGTH field of | response if it supports multiple TYPEs. A name server MAY also | |||
value 4, and its corresponding FLAG-DATA MUST be a copy of the | include more than one ZONEVERSION option in the response if it is | |||
unsigned 32 bit version number as defined in the SERIAL field of the | authoritative for more than one zone of the corresponding QNAME. A | |||
"SOA RDATA Format" in Section 3.3.13 of [RFC1035]. | name server MUST NOT include more than one ZONEVERSION option for a | |||
given TYPE and LABELCOUNT. | ||||
The FLAG-LENGTH for this ZONEVERSION Option MUST have a value of 7 | A name server SHOULD include zone version information in a name error | |||
for responses. | (NXDOMAIN) response, even though the response does not include any | |||
Answer section RRs. | ||||
The mnemonic of this flag is SOA-SERIAL. | A name server SHOULD include zone version information for downward | |||
referral responses (see "Referrals" in Section 4 of [RFC8499]). Even | ||||
though the response's Authoritative Answer bit is not set, the name | ||||
server is authoritative for the zone from which the referral was | ||||
generated. In this case, the ZONEVERSION data MUST correspond to the | ||||
version of the referring zone. | ||||
Note that in this case a NXDOMAIN RCODE already includes the complete | A name server SHOULD include zone version information in a server | |||
SOA Resource Record in the AUTHORITY section, so the inclusion of a | failure (SERVFAIL) response when it is authoritative for the original | |||
ZONEVERSION EDNS Option in the answer is superfluous and can be | QNAME. | |||
omitted. In the case of a SERVFAIL RCODE the responder MAY include | ||||
the ZONEVERSION EDNS Option if the QNAME still belongs to an | ||||
authoritative zone of the server, in which case that value MUST be | ||||
the one included in the answer. | ||||
Note that a NODATA response code as defined in Section 3 of [RFC8499] | A name server SHOULD include zone version information in a NODATA | |||
MUST also include the ZONEVERSION answer even when there's no ANSWER | response (Section 3 of [RFC8499]). Even though the NODATA response | |||
data for the QNAME, since the RCODE is NOERROR. | does not include any Answer section RRs, the RCODE is NOERROR and the | |||
name server is still authoritative for the zone. | ||||
4.1. Flag SOA-SERIAL Presentation Format | 3.2.1. ZONEVERSION Is Not Transitive | |||
The presentation format of this flag content is as follows: | The ZONEVERSION option is not transitive. A name server (recursive | |||
or otherwise) MUST NOT blindly copy the ZONEVERSION option from a | ||||
query it receives into a subsquent query that it sends onward to | ||||
another server. A name server MUST NOT send a ZONEVERSION option | ||||
back to a client which did not request it. | ||||
The FLAG-NUMBER field MUST be represented as the mnemonic value "SOA- | 4. The SOA-SERIAL ZONEVERSION Type | |||
SERIAL". | ||||
The FLAG-LENGTH field could be omitted in presentation format, but if | The first and only ZONEVERSION option TYPE defined in this document | |||
is used, MUST be represented as an unsigned decimal integer. | is a zone's serial number as found in the Start of Authority (SOA) | |||
RR. | ||||
The FLAG-DATA field MUST be represented as an unsigned decimal | The value for this type is: 0 | |||
integer. | ||||
The mnemonic of this type is: SOA-SERIAL. | ||||
The EDNS(0) OPTION-LENGTH for this type MUST be set to 6 in | ||||
responses. | ||||
The VERSION value for the SOA-SERIAL type MUST be a copy of the | ||||
unsigned 32-bit SERIAL field of the SOA RR, as defined in | ||||
Section 3.3.13 of [RFC1035]. | ||||
4.1. Type SOA-SERIAL Presentation Format | ||||
The presentation format of this type content is as follows: | ||||
The TYPE field MUST be represented as the mnemonic value "SOA- | ||||
SERIAL". | ||||
The VERSION field MUST be represented as an unsigned decimal integer. | ||||
5. Example usage | 5. Example usage | |||
A zone which utilizes the serial field of the SOA Resource Record as | A name server which (a) implements this specification, (b) receives a | |||
a number of the zone version release, should answer a ZONEVERSION | query with the ZONEVERSION option, (c) is authoritative for the zone | |||
request with an EDNS option code ZONEVERSION, an OPTION-DATA with a | of the original QNAME, and (d) utilizes the SOA serial field for | |||
Flag byte with value 0, Length value 4 and a copy of the unsigned 32 | versioning of said zone should include a ZONEVERSION option in its | |||
bit version number of the SERIAL field of its SOA zone Resourse | response. In the response's ZONEVERSION option the EDNS(0) OPTION- | |||
Record, and an OPTION-LENGTH with value 7. | LENGTH would be set to 6 and the OPTION-DATA would consist of the | |||
1-octet LABELCOUNT, the 1-octet TYPE with value 0, and 4-octet SOA | ||||
SERIAL value. | ||||
An example of a proper diagnostic tool that implements ZONEVERSION | The example below demonstrates expected output of a diagnostic tool | |||
EDNS extension towards a compliant authoritative DNS server could be: | that implements the ZONEVERSION option, displaying a response from a | |||
compliant authoritative DNS server: | ||||
$ dig @ns.example.com www.example.com AAAA +zoneversion +norec +cmd | $ dig @ns.example.com www.example.com aaaa +zoneversion +norecurse | |||
; (1 server found) | ; <<>> DiG 9.17.14-patched <<>> @ns.example.com www.example.com aaaa +zoneversion | |||
;; global options: +cmd | ; (1 server found) | |||
;; Got answer: | ;; global options: +cmd | |||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16429 | ;; Got answer: | |||
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7077 | |||
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 | ||||
;; OPT PSEUDOSECTION: | ;; OPT PSEUDOSECTION: | |||
; EDNS: version: 0, flags:; udp: 4096 | ; EDNS: version: 0, flags:; udp: 1232 | |||
; ZONEVERSION: 2019073001 (SOA-SERIAL) | ; ZONEVERSION: 02 00 78 95 a4 e9 ("SOA-SERIAL: 2023073001 (example.com.)") | |||
;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
;www.example.com. IN AAAA | ;www.example.com. IN AAAA | |||
;; ANSWER SECTION: | ;; ANSWER SECTION: | |||
www.example.com. 900 IN AAAA | www.example.com. 43200 IN AAAA 2001:db8::80 | |||
;; Query time: 53 msec | ;; AUTHORITY SECTION: | |||
;; SERVER: ns.example.com#53(2001:DB8::53) | example.com. 43200 IN NS ns.example.com. | |||
;; WHEN: Tue Aug 07 16:54:05 -04 2018 | ||||
;; MSG SIZE rcvd: 71 | ||||
Figure 1 | ;; ADDITIONAL SECTION: | |||
ns.example.com. 43200 IN AAAA 2001:db8::53 | ||||
;; Query time: 15 msec | ||||
;; SERVER: 2001:db8::53#53(2001:db8::53) (UDP) | ||||
;; WHEN: dom jul 30 19:51:04 -04 2023 | ||||
;; MSG SIZE rcvd: 129 | ||||
Figure 2: Example usage and dig output | ||||
6. Acknowledgements | 6. Acknowledgements | |||
The authors thanks all the comments and support made in the DNSOP | The authors thanks all the comments and support made in the DNSOP | |||
mailing list, chats and discussions. In special for the suggestions | mailing list, chats and discussions. Special thanks for the | |||
to generalize the option using a registry of flags from Petr Špaček, | suggestions to generalize the option using a registry of types from | |||
and suggestions for implementation from Stéphane Bortzmeyer. | Petr Špaček and Florian Obser, suggestions for implementation from | |||
Stéphane Bortzmeyer, security clarifications from George Michaelson, | ||||
zone name disambiguation from Joe Abley and Brian Dickson, and | ||||
reviews from Tim Wicinski and Peter Thomassen. | ||||
7. IANA Considerations | 7. IANA Considerations | |||
7.1. DNS EDNS0 Option Code Registration | 7.1. DNS EDNS0 Option Code Registration | |||
This document defines a new EDNS0 option, entitled "ZONEVERSION" (see | This document defines a new EDNS0 option, entitled ZONEVERSION (see | |||
Section 2), and assigns a value of <TBD> from the DNS EDNS0 Option | Section 2), and assigns a value of <TBD> from the DNS EDNS0 Option | |||
Codes (OPT) Option space: | Codes (OPT) Option space: | |||
+=======+=============+==========+=================+ | +=======+=============+==========+=================+ | |||
| Value | Name | Status | Reference | | | Value | Name | Status | Reference | | |||
+=======+=============+==========+=================+ | +=======+=============+==========+=================+ | |||
| <TBD> | ZONEVERSION | Standard | [this document] | | | <TBD> | ZONEVERSION | Standard | [this document] | | |||
+=======+=============+==========+=================+ | +=======+=============+==========+=================+ | |||
Table 1 | Table 1: DNS EDNS0 Option code | |||
[RFC Editor: change <TBD> to the proper code when assigned by IANA.] | ||||
[RFC Editor: change "this document" with the proper RFC number for | ||||
this document when assigned by IANA.] | ||||
7.2. ZONEVERSION Registry | 7.2. ZONEVERSION Registry | |||
The ZONEVERSION option also defines a 8-bit Flag field, for which | The ZONEVERSION option also defines a 8-bit TYPE field, for which | |||
IANA is to create and maintain a new registry entitled "DNS EDNS0 | IANA is requested to create and maintain a new registry entitled | |||
ZONEVERSION Flags values" (abbreviation "ZONEVERSION") used by the | "ZONEVERSION TYPE Values" (abbreviation ZONEVERSION) used by the | |||
ZONEVERSION option, inside the "Domain Name System (DNS) Parameters" | ZONEVERSION option, inside the "Domain Name System (DNS) Parameters" | |||
group. Initial values for the DNS EDNS0 ZONEVERSION Flags values | group. Initial values for the ZONEVERSION TYPE values registry are | |||
registry are given below; future assignments in the 1-245 values are | given below; future assignments in the 1-245 values are to be made | |||
to be made through Specification Required Review [BCP26]. | through Specification Required Review [BCP26]. Assignments consist | |||
Assignments consist of a Flag value as an unsigned 8-bit integer | of a TYPE value as an unsigned 8-bit integer recorded in decimal, a | |||
recorded in decimal, a Mnemonic name as an uppercase ASCII string | Mnemonic name as an uppercase ASCII string with maximum length of 15 | |||
with maximum length of 15 characters, and the required document | characters, and the required document reference. | |||
reference. | ||||
+==================+=====================+=================+ | ||||
| ZONEVERSION Flag | Mnemonic | Reference | | ||||
+==================+=====================+=================+ | ||||
| 0 | SOA-SERIAL | [this document] | | ||||
+==================+=====================+=================+ | ||||
| 1-245 | Unassigned | | | ||||
+==================+=====================+=================+ | ||||
| 246-254 | Reserved for Local/ | [this document] | | ||||
| | Experimental Use | | | ||||
+==================+=====================+=================+ | ||||
| 255 | Reserved for future | [this document] | | ||||
| | expansion | | | ||||
+==================+=====================+=================+ | ||||
Table 2 | +==================+==================+=================+ | |||
| ZONEVERSION TYPE | Mnemonic | Reference | | ||||
+==================+==================+=================+ | ||||
| 0 | SOA-SERIAL | [this document] | | ||||
+==================+==================+=================+ | ||||
| 1-245 | Unassigned | | | ||||
+==================+==================+=================+ | ||||
| 246-254 | Private Use | [this document] | | ||||
+==================+==================+=================+ | ||||
| 255 | Reserved for | [this document] | | ||||
| | future expansion | | | ||||
+==================+==================+=================+ | ||||
[RFC Editor: change "this document" with the proper RFC number for | Table 2: ZONEVERSION Registry | |||
this document when assigned by IANA.] | ||||
The change control for this registry should be my means of an | The change control for this registry should be by means of an | |||
Standard action. | Standard action. | |||
7.2.1. Expert Review Directives | 7.2.1. Expert Review Directives | |||
Allocation procedures for new code points in the ZONEVERSION Flag | Allocation procedures for new code points in the ZONEVERSION TYPE | |||
registry require Specification Required review, and so it requires | registry require Specification Required review, and so it requires | |||
Expert Reviews as stated in [BCP26]. | Expert Reviews as stated in [BCP26]. | |||
The expert should consider the following points: | The expert should consider the following points: | |||
* Duplication of code point allocations should be avoided. | * Duplication of code point allocations should be avoided. | |||
* A Presentation Format section should be provided, with a clear | * A Presentation Format section should be provided, with a clear | |||
code point mnemonic. | code point mnemonic. | |||
* The referenced document and stated use of the new code point | * The referenced document and stated use of the new code point | |||
should be appropriate for the intended use of a ZONEVERSION Flag | should be appropriate for the intended use of a ZONEVERSION TYPE | |||
assignment. In particular the reference should state clear | assignment. In particular the reference should state clear | |||
instructions for implementers about the syntax and semantic of the | instructions for implementers about the syntax and semantic of the | |||
data. Also the Length of the Data must have proper limits. | data. Also the Length of the Data must have proper limits. | |||
The expert reviewing the request MUST approve or disapprove the | The expert reviewing the request MUST approve or disapprove the | |||
request within 10 business days from when he or she received the | request within 10 business days from when she or he received the | |||
expert review request. | expert review request. | |||
8. Security Considerations | 8. Security Considerations | |||
The EDNS extension data it's not covered by RRSIG records, so there's | The EDNS extension data it's not covered by RRSIG records, so there's | |||
no way to verify its authenticity nor integrity using DNSSEC and | no way to verify its authenticity nor integrity using DNSSEC and | |||
could theoretically be tampered by a person-in-the-middle if the | could theoretically be tampered by a person-in-the-middle if the | |||
transport is made by insecure means. Caution should be taken to use | transport is made by insecure means. Caution should be taken to use | |||
the EDNS ZONEVERSION data for any means besides troubleshooting and | the EDNS ZONEVERSION data for any means besides troubleshooting and | |||
debugging. | debugging. | |||
If there's a need to certify the ZONEVERSION trustworthiness, it will | If there's a need to certify the ZONEVERSION trustworthiness, it will | |||
be necessary to use an encrypted and authenticated DNS transport. | be necessary to use an encrypted and authenticated DNS transport, | |||
TSIG [RFC8945], or SIG(0) [RFC2931]. | ||||
If there's a need to authenticate data origin for the ZONEVERSION | If there's a need to authenticate data origin for the ZONEVERSION | |||
value, an answer with the SOA-SERIAL flag as defined above could be | value, an answer with the SOA-SERIAL type as defined above could be | |||
compared to a separate regular SOA query with DO flag, whose answer | compared to a separate regular SOA query with DO flag, whose answer | |||
shall be DNSSEC signed, with the cautions about Anycast and others as | shall be DNSSEC signed, with the cautions about Anycast and others as | |||
already stated in Introduction. | already stated in Introduction. | |||
With the SOA-SERIAL flag defined above, there's no risk on disclosure | With the SOA-SERIAL type defined above, there's no risk on disclosure | |||
of private information, as the SERIAL of the SOA record is already | of private information, as the SERIAL of the SOA record is already | |||
publicly available. | publicly available. | |||
Please note that the ZONEVERSION option can not be used for checking | ||||
the correctness of an entire zone in a server. For such cases, the | ||||
ZONEMD record [RFC8976] might be better suited at such a task. | ||||
ZONEVERSION can help identify and correlate a certain specific answer | ||||
with a version of a zone, but it has no special integrity or | ||||
verification function besides a normal field value inside a zone, as | ||||
stated above. | ||||
9. Normative References | 9. Normative References | |||
[BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
<https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
<https://www.rfc-editor.org/info/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
[RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | |||
November 1987, <https://www.rfc-editor.org/info/rfc1035>. | November 1987, <https://www.rfc-editor.org/info/rfc1035>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
Requirement Levels", BCP 14, RFC 2119, | ||||
DOI 10.17487/RFC2119, March 1997, | ||||
<https://www.rfc-editor.org/info/rfc2119>. | ||||
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | |||
for DNS (EDNS(0))", STD 75, RFC 6891, | for DNS (EDNS(0))", STD 75, RFC 6891, | |||
DOI 10.17487/RFC6891, April 2013, | DOI 10.17487/RFC6891, April 2013, | |||
<https://www.rfc-editor.org/info/rfc6891>. | <https://www.rfc-editor.org/info/rfc6891>. | |||
10. Informative References | 10. Informative References | |||
[BCP14] Best Current Practice 14, | ||||
<https://www.rfc-editor.org/info/bcp14>. | ||||
At the time of writing, this BCP comprises the following: | ||||
Bradner, S., "Key words for use in RFCs to Indicate | ||||
Requirement Levels", BCP 14, RFC 2119, | ||||
DOI 10.17487/RFC2119, March 1997, | ||||
<https://www.rfc-editor.org/info/rfc2119>. | ||||
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
[ImplRef] Salgado, H., "Zoneversion Implementations", 2023, | ||||
<https://github.com/huguei/rrserial>. | ||||
[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures | ||||
( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September | ||||
2000, <https://www.rfc-editor.org/info/rfc2931>. | ||||
[RFC3254] Alvestrand, H., "Definitions for talking about | ||||
directories", RFC 3254, DOI 10.17487/RFC3254, April 2002, | ||||
<https://www.rfc-editor.org/info/rfc3254>. | ||||
[RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast | [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast | |||
Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786, | Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786, | |||
December 2006, <https://www.rfc-editor.org/info/rfc4786>. | December 2006, <https://www.rfc-editor.org/info/rfc4786>. | |||
[RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option", | ||||
RFC 5001, DOI 10.17487/RFC5001, August 2007, | ||||
<https://www.rfc-editor.org/info/rfc5001>. | ||||
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | |||
January 2019, <https://www.rfc-editor.org/info/rfc8499>. | January 2019, <https://www.rfc-editor.org/info/rfc8499>. | |||
[RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D., | ||||
Gudmundsson, O., and B. Wellington, "Secret Key | ||||
Transaction Authentication for DNS (TSIG)", STD 93, | ||||
RFC 8945, DOI 10.17487/RFC8945, November 2020, | ||||
<https://www.rfc-editor.org/info/rfc8945>. | ||||
[RFC8976] Wessels, D., Barber, P., Weinberg, M., Kumari, W., and W. | ||||
Hardaker, "Message Digest for DNS Zones", RFC 8976, | ||||
DOI 10.17487/RFC8976, February 2021, | ||||
<https://www.rfc-editor.org/info/rfc8976>. | ||||
Appendix A. Implementation Considerations | Appendix A. Implementation Considerations | |||
With very few exceptions, EDNS options which elicit an EDNS option in | With very few exceptions, EDNS options which elicit an EDNS option in | |||
the response are independent of the QNAME. This is not the case of | the response are independent of the queried name. This is not the | |||
ZONEVERSION, so its implementation may be more or less difficult | case of ZONEVERSION, so its implementation may be more or less | |||
depending on how EDNS options are handled in the name server. | difficult depending on how EDNS options are handled in the name | |||
server. | ||||
Appendix B. Implementation References | Appendix B. Implementation References | |||
There's a patched NSD server version 4.3.7 with support for | There's a patched NSD server version 4.7.0 with support for | |||
ZONEVERSION with the experimental opcode 65024 maintained in | ZONEVERSION with an experimental opcode, with live test servers | |||
https://github.com/huguei/nsd/tree/rrserial with SOA-SERIAL flag | installed for compliance tests. Also there is a client command "dig" | |||
support, and installed for live testing in 200.1.122.30 address with | with added zoneversion support, along with test libraries in Perl, | |||
configured zones dateserial.example.com. and incserial.example.com.; | Python and Go. More information in the working document [ImplRef]. | |||
with MX, TXT and AAAA apex records. | ||||
Authors' Addresses | Authors' Addresses | |||
Hugo Salgado | Hugo Salgado | |||
NIC Chile | NIC Chile | |||
Miraflores 222, piso 14 | Miraflores 222, piso 14 | |||
CP 8320198 Santiago | CP 8320198 Santiago | |||
Chile | Chile | |||
Phone: +56 2 29407700 | Phone: +56 2 29407700 | |||
Email: hsalgado@nic.cl | Email: hsalgado@nic.cl | |||
Mauricio Vergara Ereche | Mauricio Vergara Ereche | |||
DigitalOcean | DigitalOcean | |||
101 6th Ave | 101 6th Ave | |||
New York, NY 10013 | New York, NY 10013 | |||
United States of America | United States of America | |||
Email: mvergara@digitalocean.com | Email: mvergara@digitalocean.com | |||
Duane Wessels | ||||
Verisign | ||||
12061 Bluemont Way | ||||
Reston, VA 20190 | ||||
United States of America | ||||
Phone: +1 703 948-3200 | ||||
Email: dwessels@verisign.com | ||||
URI: https://verisign.com | ||||
End of changes. 70 change blocks. | ||||
217 lines changed or deleted | 359 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |