Network Working Group                                         R. Austein
draft-ietf-dnsext-edns0dot5-02.txt               InterNetShare.com, Inc.
                                                           H. Alvestrand
                                                           Cisco Systems
                                                           November 2000


         A Proposed Enhancement to the EDNS0 Version Mechanism


Status of this document

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   <http://www.ietf.org/ietf/1id-abstracts.txt>

   The list of Internet-Draft Shadow Directories can be accessed at
   <http://www.ietf.org/shadow.html>

   Distribution of this document is unlimited.  Please send comments to
   the Namedroppers mailing list <namedroppers@ops.ietf.org>.

Motivation and Scope

   EDNS0 [EDNS0] specifies a general framework for extending the packet
   format used by the Domain Name System protocols.  The framework
   includes a simple version numbering scheme to allow the parties in a
   DNS protocol exchange to determine which extension features the other
   party understands.  While having the advantage of simplicity, the
   version numbering scheme as specified has drawbacks:

   - It provides no way to deprecate a protocol feature;

   - It provides no way to deploy experimental protocol features.





Austein & Alvestrand       Expires 22 May 2001                  [Page 1]


draft-ietf-dnsext-edns0dot5-02.txt                         November 2000


   This note proposes to augument the monolithic version numbering
   mechanism with a mechanism for listing an explicit set of protocol
   features that a particular implementation supports.  We retain
   version numbering as a way of abbreviating the feature sets that we
   expect to see in common use.

Model

   Our revised extension model for the DNS is designed with three goals
   in mind:

   - We want the protocol to be as simple as possible for the common
     case of a client or server that implements "mainstream standard
     DNS";

   - We want to provide a safe way to experiment with new protocol
     features, both inside and outside the deployed DNS;

   - We want to provide a safe way to deprecate protocol features.

   Our revised extension model has two parts, both of which are carried
   in the OPT pseudo-RR: the VERSION, which stored in the second octet
   of the TTL field of the OPT RR, and a variable-length list of
   FEATURES, stored in the variable part of the OPT RR.

   All FEATUREs are extensions of the DNS.  We reserve the range of
   FEATURE numbers from 1 to 100 for describing features of the original
   RFC 1034/1035 DNS specification that we might eventually choose to
   deprecate.

   Any query/response pair can be described as using a set of DNS
   FEATUREs.  Such features might for instance be:

   - Domain binary labels according to [BINARY-LABELS];

   - Extended RCODEs (the general principle, not specific values);

   - Multi-packet UDP response;

   - Increased maximum UDP payload size;

   - Character set identification in DNS labels;

   - SIG record parsing and checking;

   FEATURE numbers are handed out by IANA on a first-come-first-served
   basis within their appropriate ranges.  Any revised specification of
   a format or function should have its own FEATURE number; in the IETF



Austein & Alvestrand       Expires 22 May 2001                  [Page 2]


draft-ietf-dnsext-edns0dot5-02.txt                         November 2000


   process, any significantly changed Internet-Draft should have a new
   FEATURE number assigned for experimentation.

   An assigned VERSION number names a set of FEATUREs.  VERSION numbers
   are assigned by the IETF through a standards action.

   Normally, any VERSION number encompasses every FEATURE of all lower
   VERSION numbers, but the possibility of removing FEATUREs exists for
   two reasons:

   - To remove the need for supporting FEATUREs that turned out to be a
     Really Bad Idea;

   - To allow replacing a badly specified FEATURE with a better
     specified FEATURE performing the same function that has a new
     FEATURE number.

Mechanism

   We transport explicit feature sets as lists of integers carried in
   the variable RDATA portion of the EDNS0 OPT pseudo-RR.

   The OPTION-CODE for FEATURES is [TBD].

   The OPTION-DATA for FEATURES is an ordered list of "feature numbers";
   a feature number is represented as a big-endian 16-bit unsigned
   integer, and the list is sorted into numerically increasing order.

   Each feature number names a particular protocol feature that is
   supported by the implementation that generated this OPT pseudo-RR.

Usage

   In most respects, the FEATURE mechanism is used symmetrically by
   clients and servers; exceptions to this rule are stated after the
   general explanation.

   When composing a DNS message, a client or server includes an OPT
   record indicating a set of FEATUREs that:

   - MUST include all FEATUREs that the client or server believes are
     relevant to this message;

   - MAY include all FEATURES that the client or server is prepared to
     receive.

   This set is expressed as a VERSION and any additional FEATURES
   required.



Austein & Alvestrand       Expires 22 May 2001                  [Page 3]


draft-ietf-dnsext-edns0dot5-02.txt                         November 2000


   In general, we expect that a client or server will include an OPT
   pseudo-RR that indicates:

   - The highest VERSION number that the entity generating the message
     supports; and

   - A small (possibly empty) set of additional FEATUREs not encompassed
     by the VERSION that the entity deems necessary or desirable.

   The above symmetry notwithstanding, we impose one important
   constraint on the server: while a server is allowed to indicate
   whatever FEATUREs it believes are relevant or useful, a server MUST
   NOT make use of any FEATURE in a response that is not within the set
   of FEATUREs indicated by the client that generated the corresponding
   request.  That is, a response may say "I support FEATURE FOO"
   regardless of what the client supports, but the rest of the response
   must not use FEATURE FOO unless the client also supports it.

   As a special case, if a client explicitly queries for the OPT RR of
   the root zone, the server returns an OPT record including all
   FEATUREs that the server supports.  This functionality is provided
   strictly for diagnostic purposes.

Life Cycle

   We expect the life cycle of new features to proceed as follows:

   - VERSION X is defined and deployed.

   - A new FEATURE is defined and experimentally implemented.  All
     clients and servers taking part in the experiment use FEATURE to
     indicate support.

   - Community consensus is reached that this FEATURE is genuinely
     useful.

   - VERSION X+1 is defined, encompassing all FEATUREs from VERSION X,
     plus the new FEATURE (and perhaps others).

   - The next generation of DNS software supports VERSION X+1, and never
     use FEATURE.

Risks

   While we have tried to provide the ability to deprecate old bad
   protocol features, such an ability should be used only rarely, if at
   all, since by any realistic estimate it takes years (decades?)  to
   upgrade all the DNS implementations already in the field.



Austein & Alvestrand       Expires 22 May 2001                  [Page 4]


draft-ietf-dnsext-edns0dot5-02.txt                         November 2000


   A flexible extension mechanism of this type increases the risk that
   some implementors might chose to deploy features designed to hinder
   interoperability (so-called "labeled noninteroperability").

Security Considerations

   We do not believe that this protocol enhancement adds any major new
   security risks, but we do believe that it would be helpful in getting
   complicated DNS extensions such as [DNSSEC] deployed more quickly.

   As with any enhancement to or complication of the DNS protocol, this
   enhancement offers attackers yet another way to increase the load on
   a name server.  Root, TLD and other "major" name servers should view
   excessively complicated FEATURE sets with suspicion, and should not
   allow themselves to be tricked into performing more work than is
   really necessary.

IANA Considerations

   IANA will need to allocate an EDNS0 option code for FEATURES.

   IANA will need to create a new registry of feature numbers.

Acknowledgments

   The authors would like to thank the following people for their help
   in improving this document: Randy Bush, Patrik Faltstrom, Olafur
   Gudmundsson, Bob Halley, and XXX.

References

   [DNSSEC]  Eastlake, D., "Domain Name System Security Extensions", RFC
        2535, March 1999.

   [DNS-CONCEPTS]  Mockapetris, P., "Domain names - concepts and
        facilities", RFC 1034, November 1987.

   [DNS-IMPLEMENTATION]  Mockapetris, P., "Domain names - implementation
        and specification", RFC 1035, November 1987.

   [EDNS0]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
        August 1999.

   [BINARY-LABELS]  Crawford, M., "Binary Labels in the Domain Name
        System", RFC 2673 August 1999.






Austein & Alvestrand       Expires 22 May 2001                  [Page 5]


draft-ietf-dnsext-edns0dot5-02.txt                         November 2000


Author's addresses:

      Rob Austein
      InterNetShare.com, Inc.
      505 West Olive Ave., Suite 321
      Sunnyvale, CA 94086
      USA

      sra@hactrn.net

      Harald Tveit Alvestrand
      Cisco Systems
      Weidemanns vei 27
      N-7043 Trondheim
      NORWAY

      +47 73 50 33 52
      Harald@Alvestrand.no

































Austein & Alvestrand       Expires 22 May 2001                  [Page 6]