Internet Engineering Task Force (IETF)                  D. Eastlake 3rd
Request for Comments: 6604                                       Huawei
Updates: 1035, 2308, 2672                                    April 2012
Category: Standards Track
ISSN: 2070-1721


                xNAME RCODE and Status Bits Clarification

Abstract

   The Domain Name System (DNS) has long provided means, such as the
   CNAME (Canonical Name), whereby a DNS query can be redirected to a
   different name.  A DNS response header has an RCODE (Response Code)
   field, used for indicating errors, and response status bits.  This
   document clarifies, in the case of such redirected queries, how the
   RCODE and status bits correspond to the initial query cycle (where
   the CNAME or the like was detected) and subsequent or final query
   cycles.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6604.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Eastlake                     Standards Track                    [Page 1]
RFC 6604                 xNAME RCODE Clarification            April 2012

Table of Contents

   1. Introduction ....................................................2
      1.1. Conventions Used in This Document ..........................3
   2. Restatement of Status Bits and What They Mean ...................3
      2.1. The Authoritative Answer Bit ...............................3
      2.2. The Authentic Data Bit .....................................3
   3. RCODE Clarification .............................................3
   4. Security Considerations .........................................4
   5. References ......................................................4
      5.1. Normative References .......................................4
      5.2. Informative References .....................................5

1.  Introduction

   The Domain Name System (DNS) has long provided means, such as the
   CNAME (Canonical Name [RFC1035]) and DNAME [RFC2672] RRs (Resource
   Records), whereby a DNS query can be redirected to a different name.
   In particular, CNAME normally causes a query to its owner name to be
   redirected, while DNAME normally causes a query to any lower-level
   name to be redirected.  There has been a proposal for another
   redirection RR.  In addition, as specified in [RFC2672], redirection
   through a DNAME also results in the synthesis of a CNAME RR in the
   response.  In this document, we will refer to all RRs causing such
   redirection as xNAME RRs.

   xNAME RRs can be explicitly retrieved by querying for the xNAME type.
   When a different type is queried and an xNAME RR is encountered, the
   xNAME RR (and possibly a synthesized CNAME) is added to the answer in
   the response, DNS Security Extensions (DNSSEC) [RFC4035] RRs
   applicable to the xNAME RR may be added to the response, and the
   query is restarted with the name to which it was redirected.

   An xNAME may redirect a query to a name at which there is another
   xNAME and so on.  In this document, we use "xNAME chain" to refer to
   a series of one or more xNAMEs each of which refers to another xNAME
   except the last, which refers to a non-xNAME or results in an error.

   A DNS response header has an RCODE (Response Code) field, used for
   indicating errors, and status bits that indicate whether an answer is
   authoritative and/or authentic.  This document clarifies, in the case
   of such redirected queries, how the RCODE and status bits correspond
   to the initial query cycle (where the (first) xNAME was detected) and
   subsequent or final query cycles.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Restatement of Status Bits and What They Mean

   There are two status bits returned in query responses for which a
   question could arise as to how, in the case of an xNAME chain, they
   relate to the first, any intermediate, and/or the last query, as
   below.  Note that the following is unchanged from [RFC1035] and
   [RFC4035].  The meaning of these bits is simply restated here for
   clarity, because of observations of released implementations that did
   not follow these meanings.

2.1.  The Authoritative Answer Bit

   The AA, or Authoritative Answer bit, in the DNS response header
   indicates that the answer returned is from a DNS server authoritative
   for the zone containing that answer.  For an xNAME chain, this
   "authoritative" status could be different for each answer in that
   chain.

   [RFC1035] states that the AA bit is to be set based on whether the
   server providing the answer with the first owner name in the answer
   section is authoritative.  This specification of the AA bit has not
   been changed.

2.2.  The Authentic Data Bit

   The AD, or Authentic Data bit, indicates that the response returned
   is authentic according to the dictates of DNSSEC [RFC4035].
   [RFC4035] unambiguously states that the AD bit is to be set in a DNS
   response header only if the DNSSEC-enabled server believes all RRs in
   the answer and authority sections of that response to be authentic.
   This specification of the AD bit has not been changed.

3.  RCODE Clarification

   The RCODE field in a DNS query response header is non-zero to
   indicate an error.  Section 4.3.2 of [RFC1034] has a resolution
   algorithm that includes CNAME processing but has been found to be
   unclear concerning the ultimate setting of RCODE in the case of such
   redirection.  Section 2.1 of [RFC2308] implies that the RCODE should
   be set based on the last query cycle in the case of an xNAME chain,
   but Section 2.2.1 of [RFC2308] says that some servers don't do that!

   When there is an xNAME chain, the RCODE field is set as follows:

      When an xNAME chain is followed, all but the last query cycle
      necessarily had no error.  The RCODE in the ultimate DNS response
      MUST be set based on the final query cycle leading to that
      response.  If the xNAME chain was terminated by an error, it will
      be that error code.  If the xNAME chain terminated without error,
      it will be zero.
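   The three rules restated in Sections 2.1, 2.2, and 3 are easiest to
   check against concrete responses.  The following Python model, added
   here as an illustration and not code from this RFC or from any DNS
   implementation, assembles a response while following a CNAME chain:
   the RCODE comes from the final query cycle, AA is decided by the
   query name (the first owner name in the answer section), and AD is set
   only when every RR in the answer and authority sections is authentic.
   The zone data, the names under example.com and example.net, the
   "authentic" flag standing in for DNSSEC validation, the NSEC/SOA
   denial stand-ins, and the chain-length guard are all constructed
   assumptions of the example, not details taken from the RFC.

```python
"""Toy model of response assembly when a server follows an xNAME chain.
Added example (not from RFC 6604); all zone data below is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3   # RCODE values from RFC 1035
MAX_CHAIN = 8                           # constructed loop guard (assumption)


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str
    authentic: bool = True   # stands in for the outcome of DNSSEC validation


@dataclass
class Response:
    rcode: int = NOERROR
    aa: bool = False
    ad: bool = False
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


# Constructed sample data: this server is authoritative for the signed zone
# example.com; example.net data is unsigned and cached, so never authentic.
AUTHORITATIVE_ZONES = {"example.com."}
RRSETS = {
    ("www.example.com.", "CNAME"):   [RR("www.example.com.", "CNAME", "web.example.net.")],
    ("web.example.net.", "CNAME"):   [RR("web.example.net.", "CNAME", "host.example.net.", authentic=False)],
    ("host.example.net.", "A"):      [RR("host.example.net.", "A", "192.0.2.10", authentic=False)],
    ("alias.example.com.", "CNAME"): [RR("alias.example.com.", "CNAME", "target.example.com.")],
    ("target.example.com.", "A"):    [RR("target.example.com.", "A", "192.0.2.1")],
    ("old.example.com.", "CNAME"):   [RR("old.example.com.", "CNAME", "gone.example.com.")],
    ("loop.example.com.", "CNAME"):  [RR("loop.example.com.", "CNAME", "loop.example.com.")],
}
KNOWN_NAMES = {owner for owner, _ in RRSETS}


def zone_of(name: str) -> Optional[str]:
    """Return the authoritative zone containing name, or None."""
    for zone in AUTHORITATIVE_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def denial_proof(name: str) -> List[RR]:
    """Constructed stand-in for the authority-section records that deny a
    name.  Only our signed zone can produce an authentic (NSEC-style) proof."""
    zone = zone_of(name)
    if zone:
        return [RR(zone, "NSEC", "(proof that %s does not exist)" % name)]
    return [RR("example.net.", "SOA", "(unsigned negative answer)", authentic=False)]


def query_cycle(name: str, qtype: str) -> Tuple[int, List[RR]]:
    """One query cycle: data of the requested type, or an xNAME to follow,
    or an empty answer with NODATA/NXDOMAIN semantics."""
    rrs = RRSETS.get((name, qtype))
    if rrs:
        return NOERROR, rrs
    cname = RRSETS.get((name, "CNAME"))
    if cname:
        return NOERROR, cname        # xNAME encountered; caller restarts at its target
    if name in KNOWN_NAMES:
        return NOERROR, []           # name exists but has no data of this type
    return NXDOMAIN, []


def resolve(qname: str, qtype: str) -> Response:
    resp = Response()
    # AA (RFC 1035): refers to the query name, i.e. the first owner name in
    # the answer section, regardless of later names reached via the chain.
    resp.aa = zone_of(qname) is not None
    name = qname
    for _ in range(MAX_CHAIN):
        rcode, rrs = query_cycle(name, qtype)
        resp.answer.extend(rrs)
        if rcode == NXDOMAIN:
            resp.authority.extend(denial_proof(name))
        # RFC 6604 Section 3: the RCODE of the ultimate response is that of
        # the final query cycle; every earlier cycle necessarily succeeded.
        resp.rcode = rcode
        followed = rcode == NOERROR and bool(rrs) and rrs[0].rtype == "CNAME" and qtype != "CNAME"
        if not followed:
            break
        name = rrs[0].rdata          # restart the query at the redirected name
    else:
        resp.answer.clear()          # chain too long: fail without partial data
        resp.rcode = SERVFAIL
    # AD (RFC 4035): only if every RR in answer and authority is authentic.
    sections = resp.answer + resp.authority
    resp.ad = bool(sections) and all(rr.authentic for rr in sections)
    return resp
```

   Querying www.example.com./A walks two CNAMEs into unsigned example.net
   data, so the response carries RCODE 0 and AA set but AD clear; querying
   old.example.com./A ends in NXDOMAIN on the final cycle, which becomes the
   response RCODE even though the first cycle found a valid CNAME.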

4.  Security Considerations

   The AA header flag bit is not protected by DNSSEC [RFC4033].  To
   secure it, secure communications are needed between the querying
   resolver and the DNS server.  Such security can be provided by DNS
   transaction security, either TSIG [RFC2845] or SIG(0) [RFC2931].

   An AD header flag bit and the RCODE in a response are not, in
   general, protected by DNSSEC, so the same conditions as stated in the
   previous paragraph generally apply to them; however, this is not
   always true.  In particular, if the following apply, then the AD bit
   and an NXDOMAIN RCODE are protected by DNSSEC in the sense that the
   querier can calculate whether they are correct:

   1. The zone where an NXDOMAIN RCODE occurs or all the zones where the
      data whose authenticity would be indicated by the AD flag bit are
      signed zones.

   2. The query or queries involved indicate that DNSSEC RRs are OK in
      responses.

   3. The responses providing these indications are from servers that
      include the additional DNSSEC RRs required by DNSSEC.

   4. The querier has appropriate trust anchor(s) and appropriately
      validates and processes the DNSSEC RRs in the response.

5.  References

5.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and
              facilities", STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2672]  Crawford, M., "Non-Terminal DNS Name Redirection",
              RFC 2672, August 1999.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

5.2.  Informative References

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
              Wellington, "Secret Key Transaction Authentication for
              DNS (TSIG)", RFC 2845, May 2000.

   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
              ( SIG(0)s )", RFC 2931, September 2000.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

Author's Address

   Donald E. Eastlake 3rd
   Huawei R&D USA
   155 Beaver Street
   Milford, MA 01757

   Phone: +1-508-333-2270
   EMail: d3e3e3@gmail.com

The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.

This RFC is included in the ICANN DNS RFCs annotation project.

This RFC is implemented in BIND 9.18 (all versions).