| blob | a286d90854d522f7e6e828aa778ce014b77af1a3 |
7 Network Working Group IAB
8 Request for Comments: 5507 P. Faltstrom, Ed.
9 Category: Informational R. Austein, Ed.
10 P. Koch, Ed.
11 April 2009
14 Design Choices When Expanding the DNS
16 Status of This Memo
18 This memo provides information for the Internet community. It does
19 not specify an Internet standard of any kind. Distribution of this
20 memo is unlimited.
22 Copyright Notice
24 Copyright (c) 2009 IETF Trust and the persons identified as the
25 document authors. All rights reserved.
27 This document is subject to BCP 78 and the IETF Trust's Legal
28 Provisions Relating to IETF Documents in effect on the date of
29 publication of this document (http://trustee.ietf.org/license-info).
30 Please review these documents carefully, as they describe your rights
31 and restrictions with respect to this document.
34 Abstract
36 This note discusses how to extend the DNS with new data for a new
37 application. DNS extension discussions too often focus on reuse of
38 the TXT Resource Record Type. This document lists different
39 mechanisms to extend the DNS, and concludes that the use of a new DNS
40 Resource Record Type is the best solution.
58 IAB, et al. Informational [Page 1]
59 \f
60 RFC 5507 Design Choices When Expanding the DNS April 2009
63 Table of Contents
65 1. Introduction ....................................................3
66 2. Background ......................................................4
67 3. Extension Mechanisms ............................................5
68 3.1. Place Selectors inside the RDATA of Existing
69 Resource Record Types ......................................5
70 3.2. Add a Prefix to the Owner Name .............................6
71 3.3. Add a Suffix to the Owner Name .............................7
72 3.4. Add a New Class ............................................8
73 3.5. Add a New Resource Record Type .............................8
74 4. Zone Boundaries are Invisible to Applications ...................9
75 5. Why Adding a New Resource Record Type Is the Preferred
76 Solution .......................................................10
77 6. Conclusion and Recommendation ..................................14
78 7. Creating a New Resource Record Type ............................14
79 8. Security Considerations ........................................15
80 9. Acknowledgements ...............................................15
81 10. IAB Members at the Time of This Writing .......................16
82 11. References ....................................................16
83 11.1. Normative References .....................................16
84 11.2. Informative References ...................................16
114 IAB, et al. Informational [Page 2]
115 \f
116 RFC 5507 Design Choices When Expanding the DNS April 2009
119 1. Introduction
121 The DNS stores multiple categories of data. The two most commonly
122 used categories are infrastructure data for the DNS system itself (NS
123 and SOA Resource Records) and data that have to do with mappings
124 between domain names and IP addresses (A, AAAA, and PTR Resource
125 Records). There are other categories as well, some of which are tied
126 to specific applications like email (MX Resource Records), while
127 others are generic Resource Record Types used to convey information
128 for multiple protocols (SRV and NAPTR Resource Records).
130 When storing data in the DNS for a new application, the goal must be
131 to store data in such a way that the application can query for the
132 data it wants, while minimizing both the impact on existing
133 applications and the amount of extra data transferred to the client.
134 This implies that a number of design choices have to be made, where
135 the most important is to ensure that a precise selection of what data
136 to return must be made already in the query. A query consists of a
137 triple: {Owner (or name), Resource Record Class, Resource Record
138 Type}.
140 Historically, extending the DNS to store application data tied to a
141 domain name has been done in different ways at different times. MX
142 Resource Records were created as a new Resource Record Type
143 specifically designed to support electronic mail. SRV records are a
144 generic type that use a prefixing scheme in combination with a base
145 domain name. NAPTR records add selection data inside the RDATA. It
146 is clear that the methods used to add new data types to the DNS have
147 been inconsistent, and the purpose of this document is to attempt to
148 clarify the implications of each of these methods, both for the
149 applications that use them and for the rest of the DNS.
151 This document talks extensively about use of DNS wildcards. Many
152 people might think use of wildcards is not something that happens
153 today. In reality though, wildcards are in use, especially for
154 certain application-specific data such as MX Resource Records.
155 Because of this, the choice has to be made with the existence of
156 wildcards in mind.
158 Another overall issue that must be taken into account is what the new
159 data in the DNS are to describe. In some cases, they might be
160 completely new data. In other cases, they might be metadata tied to
161 data that already exist in the DNS. Examples of new data are key
162 information for the Secure SHell (SSH) Protocol and data used for
163 authenticating the sender of email messages (metadata tied to MX
164 Resource Records). If the new data are tied to data that already
165 exist in the DNS, an analysis should be made as to whether having
166 (for example) address records and SSH key information in different
170 IAB, et al. Informational [Page 3]
171 \f
172 RFC 5507 Design Choices When Expanding the DNS April 2009
175 DNS zones is a problem or if it is a bonus, and if it is a problem,
176 whether the specification must require all of the related data to be
177 in the same zone. One specific difference between having the records
178 in the same zone or not has to do with maintenance of the records.
179 If they are in the same zone, the same maintainer (from a DNS
180 perspective) manages the two records. Specifically, they must be
181 signed with the same DNSSEC keys if DNSSEC is in use.
183 This document does not talk about what one should store in the DNS.
184 It also doesn't discuss whether the DNS should be used for service
185 discovery, or whether the DNS should be used for storage of data
186 specific to the service. In general, the DNS is a protocol that,
187 apart from holding metadata that makes the DNS itself function (NS,
188 SOA, DNSSEC Resource Record Types, etc.), only holds references to
189 service locations (SRV, NAPTR, A, AAAA Resource Record Types) --
190 though there are exceptions, such as MX Resource Records.
192 2. Background
194 See RFC 5395 [RFC5395] for a brief summary of the DNS query
195 structure. Readers interested in the full story should start with
196 the base DNS specification in RFC 1035 [RFC1035] and continue with
197 the various documents that update, clarify, and extend the base
198 specification.
200 When composing a DNS query, the parameters used by the protocol are a
201 {owner, class, type} triple. Every Resource Record matching such a
202 triple is said to belong to the same Resource Record Set (RRSet), and
203 the whole RRSet is always returned to the client that queries for it.
204 Splitting an RRSet is a protocol violation (sending a partial RRSet,
205 not truncating the DNS response), because it can result in coherency
206 problems with the DNS caching mechanism. See Section 5 of [RFC2181]
207 for more information.
209 Some discussions around extensions to the DNS include arguments
210 around MTU size. Note that most discussions about DNS and MTU size
211 are about the size of the whole DNS packet, not about the size of a
212 single RRSet.
214 Almost all DNS query traffic is carried over UDP, where a DNS message
215 must fit within a single UDP packet. DNS response messages are
216 almost always larger than DNS query messages, so message size issues
217 are almost always about responses, not queries. The base DNS
218 specification limits DNS messages over UDP to 512 octets; EDNS0
219 [RFC2671] specifies a mechanism by which a client can signal its
220 willingness to receive larger responses, but deployment of EDNS0 is
221 not universal, in part because of firewalls that block fragmented UDP
222 packets or EDNS0. If a response message won't fit in a single
226 IAB, et al. Informational [Page 4]
227 \f
228 RFC 5507 Design Choices When Expanding the DNS April 2009
231 packet, the name server returns a truncated response, at which point
232 the client may retry using TCP. DNS queries over TCP are not subject
233 to this length limitation, but TCP imposes significantly higher per-
234 query overhead on name servers than UDP. It is also the case that
235 the policies in deployed firewalls far too often are such that they
236 block DNS over TCP, so using TCP might not in reality be an option.
237 There are also risks (although possibly small) that a change of
238 routing while a TCP flow is open creates problems when the DNS
239 servers are deployed in an anycast environment.
241 3. Extension Mechanisms
243 The DNS protocol is intended to be extensible to support new kinds of
244 data. This section examines the various ways in which this sort of
245 extension can be accomplished.
247 3.1. Place Selectors inside the RDATA of Existing Resource Record Types
249 For a given query name, one might choose to have a single RRSet (all
250 Resource Records sharing the same {owner, class, type} triple) shared
251 by multiple applications, and have the different applications use
252 selectors within the Resource Record data (RDATA) to determine which
253 records are intended for which applications. This sort of selector
254 mechanism is usually referred to "subtyping", because it is in effect
255 creating an additional type subsystem within a single DNS Resource
256 Record Type.
258 Examples of subtyping include NAPTR Resource Records [RFC3761] and
259 the original DNSSEC KEY Resource Record Type [RFC2535] (which was
260 later updated by RFC 3445 [RFC3445], and obsoleted by RFC 4033
261 [RFC4033], RFC 4034 [RFC4034] and RFC 4035 [RFC4035]).
263 All DNS subtyping schemes share a common weakness: with subtyping
264 schemes, it is impossible for a client to query for just the data it
265 wants. Instead, the client must fetch the entire RRSet, then select
266 the Resource Records in which it is interested. Furthermore, since
267 DNSSEC signatures operate on complete RRSets, the entire RRSet must
268 be re-signed if any Resource Record in it changes. As a result, each
269 application that uses a subtyped Resource Record incurs higher
270 overhead than any of the applications would have incurred had they
271 not been using a subtyping scheme. The fact the RRSet is always
272 passed around as an indivisible unit increases the risk the RRSet
273 will not fit in a UDP packet, which in turn increases the risk that
274 the client will have to retry the query with TCP, which substantially
275 increases the load on the name server. More precisely: having one
276 query fail over to TCP is not a big deal, but since the typical ratio
282 IAB, et al. Informational [Page 5]
283 \f
284 RFC 5507 Design Choices When Expanding the DNS April 2009
287 of clients to servers in today's deployed DNS is very high, having a
288 substantial number of DNS messages fail over to TCP may cause the
289 queried name servers to be overloaded by TCP overhead.
291 Because of the size limitations, using a subtyping scheme to list a
292 large number of services for a single domain name risks triggering
293 truncation and fallback to TCP, which may in turn force the zone
294 administrator to announce only a subset of available services.
296 3.2. Add a Prefix to the Owner Name
298 By adding an application-specific prefix to a domain name, we get a
299 different {owner, class, type} triple, and therefore a different
300 RRSet. One problem with adding prefixes has to do with wildcards,
301 especially if one has records like:
303 *.example.com. IN MX 1 mail.example.com.
305 and one wants records tied to those names. Suppose one creates the
306 prefix "_mail". One would then have to say something like:
308 _mail.*.example.com. IN X-FOO A B C D
310 but DNS wildcards only work with the "*" as the leftmost token in the
311 domain name (see also RFC 4592 [RFC4592]).
313 There have been proposals to deal with the problem that DNS wildcards
314 are always terminal records. These proposals introduce an additional
315 set of trade-offs that would need to be taken into account when
316 assessing which extension mechanism to choose. Aspects of extra
317 response time needed to perform the extra queries, costs of pre-
318 calculation of possible answers, or the costs induced to the system
319 as a whole come to mind. At the time of writing, none of these
320 proposals has been published as Standards Track RFCs.
322 Even when a specific prefix is chosen, the data will still have to be
323 stored in some Resource Record Type. This Resource Record Type can
324 be either a new Resource Record Type or an existing Resource Record
325 Type that has an appropriate format to store the data. One also
326 might need some other selection mechanism, such as the ability to
327 distinguish between the records in an RRSet, given they have the same
328 Resource Record Type. Because of this, one needs to both register a
329 unique prefix and define what Resource Record Type is to be used for
330 this specific service.
338 IAB, et al. Informational [Page 6]
339 \f
340 RFC 5507 Design Choices When Expanding the DNS April 2009
343 If the record has some relationship with another record in the zone,
344 the fact that the two records can be in different zones might have
345 implications on the trust the application has in the records. For
346 example:
348 example.com. IN MX 10 mail.example.com.
349 _foo.example.com. IN X-BAR "metadata for the mail service"
351 In this example, the two records might be in two different zones, and
352 as a result might be administered by two different organizations, and
353 signed by two different entities when using DNSSEC. For these two
354 reasons, using a prefix has recently become a very interesting
355 solution for many protocol designers. In some cases, e.g.,
356 DomainKeys Identified Mail Signatures [RFC4871], TXT records have
357 been used. In others, such as SRV, entirely new Resource Record
358 Types have been added.
360 3.3. Add a Suffix to the Owner Name
362 Adding a suffix to a domain name changes the {owner, class, type}
363 triple, and therefore the RRSet. In this case, since the query name
364 can be set to exactly the data one wants, the size of the RRSet is
365 minimized. The problem with adding a suffix is that it creates a
366 parallel tree within the IN class. Further, there is no technical
367 mechanism to ensure that the delegation for "example.com" and
368 "example.com._bar" are made to the same organization. Furthermore,
369 data associated with a single entity will now be stored in two
370 different zones, such as "example.com" and "example.com._bar", which,
371 depending on who controls "_bar", can create new synchronization and
372 update authorization issues.
374 One way of solving the administrative issues is by using the DNAME
375 Resource Record Type specified in RFC 2672 [RFC2672].
377 Even when using a different name, the data will still have to be
378 stored in some Resource Record Type that has an appropriate format to
379 store the data. This implies that one might have to mix the prefix
380 based selection mechanism with some other mechanism so that the right
381 Resource Record can be found out of many in a potential larger RRSet.
383 In RFC 2163 [RFC2163] an infix token is inserted directly below the
384 Top-Level Domain (TLD), but the result is equivalent to adding a
385 suffix to the owner name (instead of creating a TLD, one is creating
386 a second level domain).
394 IAB, et al. Informational [Page 7]
395 \f
396 RFC 5507 Design Choices When Expanding the DNS April 2009
399 3.4. Add a New Class
401 DNS zones are class-specific in the sense that all the records in
402 that zone share the same class as the zone's SOA record and the
403 existence of a zone in one class does not guarantee the existence of
404 the zone in any other class. In practice, only the IN class has ever
405 seen widespread deployment, and the administrative overhead of
406 deploying an additional class would almost certainly be prohibitive.
408 Nevertheless, one could, in theory, use the DNS class mechanism to
409 distinguish between different kinds of data. However, since the DNS
410 delegation tree (represented by NS Resource Records) is itself tied
411 to a specific class, attempting to resolve a query by crossing a
412 class boundary may produce unexpected results because there is no
413 guarantee that the name servers for the zone in the new class will be
414 the same as the name servers in the IN class. The MIT Hesiod system
415 [Dyer87] used a scheme like this for storing data in the HS class,
416 but only on a very small scale (within a single institution), and
417 with an administrative fiat requiring that the delegation trees for
418 the IN and HS trees be identical. The use of the HS class for such
419 storage of non-sensitive data was, over time, replaced by use of the
420 Lightweight Directory Access Protocol (LDAP) [RFC4511].
422 Even when using a different class, the data will still have to be
423 stored in some Resource Record Type that has an appropriate format.
425 3.5. Add a New Resource Record Type
427 When adding a new Resource Record Type to the system, entities in
428 four different roles have to be able to handle the new Type:
430 1. There must be a way to insert the new Resource Records into the
431 zone at the Primary Master name server. For some server
432 implementations, the user interface only accepts Resource Record
433 Types that it understands (perhaps so that the implementation can
434 attempt to validate the data). Other implementations allow the
435 zone administrator to enter an integer for the Resource Record
436 Type code and the RDATA in Base64 or hexadecimal encoding (or
437 even as raw data). RFC 3597 [RFC3597] specifies a standard
438 generic encoding for this purpose.
440 2. A slave authoritative name server must be able to do a zone
441 transfer, receive the data from some other authoritative name
442 server, and serve data from the zone even though the zone
443 includes records of unknown Resource Record Types. Historically,
444 some implementations have had problems parsing stored copies of
445 the zone file after restarting, but those problems have not been
446 seen for a few years. Some implementations use an alternate
450 IAB, et al. Informational [Page 8]
451 \f
452 RFC 5507 Design Choices When Expanding the DNS April 2009
455 mechanism (e.g., LDAP) to transfer Resource Records in a zone,
456 and are primarily used within corporate environments; in this
457 case, name servers must be able to transfer new Resource Record
458 Types using whatever mechanism is used. However, today this
459 alternative mechanism may not support unknown Resource Record
460 Types. Hence, in Internet environments, unknown Resource Record
461 Types are supported, but in corporate environments they are
462 problematic.
464 3. A caching resolver (most commonly a recursive name server) will
465 cache the records that are responses to queries. As mentioned in
466 RFC 3597 [RFC3597], there are various pitfalls where a recursive
467 name server might end up having problems.
469 4. The application must be able to get the RRSet with a new Resource
470 Record Type. The application itself may understand the RDATA,
471 but the resolver library might not. Support for a generic
472 interface for retrieving arbitrary DNS Resource Record Types has
473 been a requirement since 1989 (see Section 6.1.4.2 of [RFC1123]).
474 Some stub resolver library implementations neglect to provide
475 this functionality and cannot handle unknown Resource Record
476 Types, but implementation of a new stub resolver library is not
477 particularly difficult, and open source libraries that already
478 provide this functionality are available.
480 Historically, adding a new Resource Record Type has been very
481 problematic. The review process has been cumbersome, DNS servers
482 have not been able to handle new Resource Record Types, and firewalls
483 have dropped queries or responses with Resource Record Types that are
484 unknown to the firewall. This is, for example, one of the reasons
485 the ENUM standard reuses the NAPTR Resource Record, a decision that
486 today might have gone to creating a new Resource Record Type instead.
488 Today, there is a requirement that DNS software handle unknown
489 Resource Record Types, and investigations have shown that software
490 that is deployed, in general, does support it, except in some
491 alternate mechanisms for transferring Resource Records such as LDAP,
492 as noted above. Also, the approval process for new Resource Record
493 Types has been updated [RFC5395] so the effort that is needed for
494 various Resource Record Types is more predictable.
496 4. Zone Boundaries are Invisible to Applications
498 Regardless of the possible choices above, we have seen a number of
499 cases where the application made assumptions about the structure of
500 the namespace and the location where specific information resides.
501 We take a small sidestep to argue against such approaches.
506 IAB, et al. Informational [Page 9]
507 \f
508 RFC 5507 Design Choices When Expanding the DNS April 2009
511 The DNS namespace is a hierarchy, technically speaking. However,
512 this only refers to the way names are built from multiple labels.
513 DNS hierarchy neither follows nor implies administrative hierarchy.
514 Because of that, it cannot be assumed that data attached to a node in
515 the DNS tree is valid for the whole subtree. Technically, there are
516 zone boundaries partitioning the namespace, and administrative
517 boundaries (or policy boundaries) may even exist elsewhere.
519 The false assumption has lead to an approach called "tree climbing",
520 where a query that does not receive a positive response (either the
521 requested RRSet was missing or the name did not exist) is retried by
522 repeatedly stripping off the leftmost label (climbing towards the
523 root) until the root domain is reached. Sometimes these proposals
524 try to avoid the query for the root or the TLD level, but still this
525 approach has severe drawbacks:
527 o Technically, the DNS was built as a query-response tool without
528 any search capability [RFC3467]. Adding the search mechanism
529 imposes additional burden on the technical infrastructure, in the
530 worst case on TLD and root name servers.
532 o For reasons similar to those outlined in RFC 1535 [RFC1535],
533 querying for information in a domain outside the control of the
534 intended entity may lead to incorrect results and may also put
535 security at risk. Finding the exact policy boundary is impossible
536 without an explicit marker, which does not exist at present. At
537 best, software can detect zone boundaries (e.g., by looking for
538 SOA Resource Records), but some TLD registries register names
539 starting at the second level (e.g., CO.UK), and there are various
540 other "registry" types at second, third, or other level domains
541 that cannot be identified as such without policy knowledge
542 external to the DNS.
544 To restate, the zone boundary is purely a boundary that exists in the
545 DNS for administrative purposes, and applications should be careful
546 not to draw unwarranted conclusions from zone boundaries. A
547 different way of stating this is that the DNS does not support
548 inheritance, e.g., an MX RRSet for a TLD will not be valid for any
549 subdomain of that particular TLD.
551 5. Why Adding a New Resource Record Type Is the Preferred Solution
553 By now, the astute reader might be wondering what conclusions to draw
554 from the issues presented so far. We will now attempt to clear up
555 the reader's confusion by following the thought processes of a
556 typical application designer who wishes to store data in the DNS.
557 We'll show how such a designer almost inevitably hits upon the idea
558 of just using a TXT Resource Record, why this is a bad thing, and why
562 IAB, et al. Informational [Page 10]
563 \f
564 RFC 5507 Design Choices When Expanding the DNS April 2009
567 a new Resource Record Type should be allocated instead. We'll also
568 explain how the reuse of an existing Resource Record, including TXT,
569 can be made less harmful.
571 The overall problem with most solutions has to do with two main
572 issues:
574 o No semantics to prevent collision with other use
576 o Space considerations in the DNS message
578 A typical application designer is not interested in the DNS for its
579 own sake, but rather regards it as a distributed database in which
580 application data can be stored. As a result, the designer of a new
581 application is usually looking for the easiest way to add whatever
582 new data the application needs to the DNS in a way that naturally
583 associates the data with a DNS name and does not require major
584 changes to DNS servers.
586 As explained in Section 3.4, using the DNS class system as an
587 extension mechanism is not really an option, and in fact, most users
588 of the system don't even realize that the mechanism exists. As a
589 practical matter, therefore any extension is likely to be within the
590 IN class.
592 Adding a new Resource Record Type is the technically correct answer
593 from the DNS protocol standpoint (more on this below), but doing so
594 requires some DNS expertise, due to the issues listed in Section 3.5.
595 Consequently, this option is often rejected. Note that according to
596 RFC 5395 [RFC5395], some Types require IETF Consensus, while others
597 only require a specification.
599 There is a drawback to defining new RR types that is worth
600 mentioning. The Resource Record Type (RRTYPE) is a 16-bit value and
601 hence is a limited resource. In order to prevent hoarding the
602 registry has a review-based allocation policy [RFC5395]; however,
603 this may not be sufficient if extension of the DNS by addition of new
604 RR types takes up significantly and the registry starts nearing
605 completion. In that case, the trade-offs with respect to choosing an
606 extension mechanism may need to change.
608 The application designer is thus left with the prospect of reusing
609 some existing DNS Types within the IN class, but when the designer
610 looks at the existing Types, almost all of them have well-defined
611 semantics, none of which quite match the needs of the new
612 application. This has not completely prevented proposals from
618 IAB, et al. Informational [Page 11]
619 \f
620 RFC 5507 Design Choices When Expanding the DNS April 2009
623 reusing existing Resource Record Types in ways incompatible with
624 their defined semantics, but it does tend to steer application
625 designers away from this approach.
627 For example, Resource Record Type 40 was registered for the SINK
628 Resource Record Type. This Resource Record Type was discussed in the
629 DNSIND working group of the IETF, and it was decided at the 46th IETF
630 to not move the I-D forward to become an RFC because of the risk of
631 encouraging application designers to use the SINK Resource Record
632 Type instead of registering a new Resource Record Type, which would
633 result in infeasibly large SINK RRsets.
635 Eliminating all of the above leaves the TXT Resource Record Type in
636 the IN class. The TXT RDATA format is free form text, and there are
637 no existing semantics to get in the way. Some attempts have been
638 made, for example, in [DNSEXT-DNS-SD], to specify a structured format
639 for TXT Resource Record Types, but no such attempt has reached RFC
640 status. Furthermore, the TXT Resource Record can obviously just be
641 used as a bucket in which to carry around data to be used by some
642 higher-level parser, perhaps in some human-readable programming or
643 markup language. Thus, for many applications, TXT Resource Records
644 are the "obvious" choice. Unfortunately, this conclusion, while
645 understandable, is also problematic, for several reasons.
647 The first reason why TXT Resource Records are not well suited to such
648 use is precisely what makes them so attractive: the lack of pre-
649 defined common syntax or structure. As a result, each application
650 that uses them creates its own syntax/structure, and that makes it
651 difficult to reliably distinguish one application's record from
652 others, and for its parser to avoid problems when it encounters other
653 TXT records.
655 Arguably, the TXT Resource Record is misnamed, and should have been
656 called the Local Container record, because a TXT Resource Record
657 means only what the data producer says it means. This is fine, so
658 long as TXT Resource Records are being used by human beings or by
659 private agreement between data producer and data consumer. However,
660 it becomes a problem once one starts using them for standardized
661 protocols in which there is no prior relationship between data
662 producer and data consumer. If TXT records are used without one of
663 the naming modifications discussed earlier (and in some cases even if
664 one uses such naming mechanisms), there is nothing to prevent
665 collisions with some other incompatible use of TXT Resource Records.
667 This is even worse than the general subtyping problem described in
668 Section 3.1 because TXT Resource Records don't even have a
669 standardized selector field in which to store the subtype. RFC 1464
670 [RFC1464] tried, but it was not a success. At best, a definition of
674 IAB, et al. Informational [Page 12]
675 \f
676 RFC 5507 Design Choices When Expanding the DNS April 2009
679 a subtype is reduced to hoping that whatever scheme one has come up
680 with will not accidently conflict with somebody else's subtyping
681 scheme, and that it will not be possible to mis-parse one
682 application's use of TXT Resource Records as data intended for a
683 different application. Any attempt to impose a standardized format
684 within the TXT Resource Record format would be at least fifteen years
685 too late, even if it were put into effect immediately; at best, one
686 can restrict the syntax that a particular application uses within a
687 TXT Resource Record and accept the risk that unrelated TXT Resource
688 Record uses will collide with it.
690 Using one of the naming modifications discussed in Section 3.2 and
691 Section 3.3 would address the subtyping problem, (and have been used
692 in combinations with reuse of TXT record, such as for the dns/txt
693 lookup mechanism in Domain Keys Identified Mail (DKIM)) but each of
694 these approaches brings in new problems of its own. The prefix
695 approach (that for example SRV Resource Records use) does not work
696 well with wildcards, which is a particular problem for mail-related
697 applications, since MX Resource Records are probably the most common
698 use of DNS wildcards. The suffix approach doesn't have wildcard
699 issues, but, as noted previously, it does have synchronization and
700 update authorization issues, since it works by creating a second
701 subtree in a different part of the global DNS namespace.
703 The next reason why TXT Resource Records are not well suited to
704 protocol use has to do with the limited data space available in a DNS
705 message. As alluded to briefly in Section 3.1, typical DNS query
706 traffic patterns involve a very large number of DNS clients sending
707 queries to a relatively small number of DNS servers. Normal path MTU
708 discovery schemes do little good here because, from the server's
709 perspective, there isn't enough repeat traffic from any one client
710 for it to be worth retaining state. UDP-based DNS is an idempotent
711 query, whereas TCP-based DNS requires the server to keep state (in
712 the form of TCP connection state, usually in the server's kernel) and
713 roughly triples the traffic load. Thus, there's a strong incentive
714 to keep DNS messages short enough to fit in a UDP datagram,
715 preferably a UDP datagram short enough not to require IP
716 fragmentation.
718 Subtyping schemes are therefore again problematic because they
719 produce larger Resource RRSets than necessary, but verbose text
720 encodings of data are also wasteful since the data they hold can
721 usually be represented more compactly in a Resource Record designed
722 specifically to support the application's particular data needs. If
723 the data that need to be carried are so large that there is no way to
724 make them fit comfortably into the DNS regardless of encoding, it is
725 probably better to move the data somewhere else, and just use the DNS
726 as a pointer to the data, as with NAPTR.
730 IAB, et al. Informational [Page 13]
731 \f
732 RFC 5507 Design Choices When Expanding the DNS April 2009
735 6. Conclusion and Recommendation
737 Given the problems detailed in Section 5, it is worth reexamining the
738 oft-jumped-to conclusion that specifying a new Resource Record Type
739 is hard. Historically, this was indeed the case, but recent surveys
740 suggest that support for unknown Resource Record Types [RFC3597] is
741 now widespread in the public Internet, and because of that, the DNS
742 infrastructure can handle new Resource Record Types. The lack of
743 support for unknown Types remains an issue for relatively old
744 provisioning software and in corporate environments.
746 Of all the issues detailed in Section 3.5, provisioning the data is
747 in some respects the most difficult. Investigations with zone
748 transfers show that the problem is less difficult for the
749 authoritative name servers themselves than the front-end systems used
750 to enter (and perhaps validate) the data. Hand editing does not work
751 well for maintenance of large zones, so some sort of tool is
752 necessary, and the tool may not be tightly coupled to the name server
753 implementation itself. Note, however, that this provisioning problem
754 exists to some degree with any new form of data to be stored in the
755 DNS, regardless of data format, Resource Record type (even if TXT
756 Resource Record Types are in use), or naming scheme. Adapting front-
757 end systems to support a new Resource Record Type may be a bit more
758 difficult than reusing an existing type, but this appears to be a
759 minor difference in degree rather than a difference in kind.
761 Given the various issues described in this note, we believe that:
763 o there is no magic solution that allows a completely painless
764 addition of new data to the DNS, but
766 o on the whole, the best solution is still to use the DNS Resource
767 Record Type mechanism designed for precisely this purpose,
768 whenever possible, and
770 o of all the alternate solutions, the "obvious" approach of using
771 TXT Resource Records for arbitrary names is almost certainly the
772 worst, especially for the two reasons outlined above (lack of
773 semantics and its implementations, and size leading to the need to
774 use TCP).
776 7. Creating a New Resource Record Type
778 The process for creating a new Resource Record Type is specified in
779 RFC 5395 [RFC5395].
786 IAB, et al. Informational [Page 14]
787 \f
788 RFC 5507 Design Choices When Expanding the DNS April 2009
791 8. Security Considerations
793 DNS RRSets can be signed using DNSSEC. DNSSEC is almost certainly
794 necessary for any application mechanism that stores authorization
795 data in the DNS. DNSSEC signatures significantly increase the size
796 of the messages transported, and because of this, the DNS message
797 size issues discussed in Sections 3.1 and 5 are more serious than
798 they might at first appear.
800 Adding new Resource Record Types (as discussed in Section 3.5) can
801 create two different kinds of problems: in the DNS software and in
802 applications. In the DNS software, it might conceivably trigger bugs
803 and other bad behavior in software that is not compliant with RFC
804 3597 [RFC3597], but most such DNS software is old enough and insecure
805 enough that it should be updated for other reasons in any case. In
806 applications and provisioning software, the changes for the new
807 features that need the new data in the DNS can be updated to
808 understand the structure of the new data format (regardless of
809 whether a new Resource Record Type is used or some other mechanism is
810 chosen). Basic API support for retrieving arbitrary Resource Record
811 Types has been a requirement since 1989 [RFC1123].
813 Any new protocol that proposes to use the DNS to store data used to
814 make authorization decisions would be well advised not only to use
815 DNSSEC but also to encourage upgrades to DNS server software recent
816 enough not to be riddled with well-known exploitable bugs.
818 9. Acknowledgements
820 This document has been created over a number of years, with input
821 from many people. The question on how to expand and use the DNS is
822 sensitive, and a document like this can not please everyone. The
823 goal is instead to describe the architecture and tradeoffs, and make
824 some recommendations about best practices.
826 People that have helped include: Dean Anderson, Mark Andrews, John
827 Angelmo, Roy Badami, Dan Bernstein, Alex Bligh, Nathaniel Borenstein,
828 Stephane Bortzmeyer, Brian Carpenter, Leslie Daigle, Elwyn Davies,
829 Mark Delany, Richard Draves, Martin Duerst, Donald Eastlake, Robert
830 Elz, Jim Fenton, Tony Finch, Jim Gilroy, Olafur Gudmundsson, Eric
831 Hall, Phillip Hallam-Baker, Ted Hardie, Bob Hinden, Paul Hoffman,
832 Geoff Houston, Christian Huitema, Johan Ihren, John Klensin, Ben
833 Laurie, William Leibzon, John Levine, Edward Lewis, David MacQuigg,
834 Allison Mankin, Bill Manning, David Meyer, Pekka Nikander, Mans
835 Nilsson, Masataka Ohta, Douglas Otis, Michael Patton, Jonathan
836 Rosenberg, Anders Rundgren, Miriam Sapiro, Carsten Strotmann, Pekka
837 Savola, Chip Sharp, James Snell, Michael Thomas, Paul Vixie, Sam
838 Weiler, Florian Weimer, Bert Wijnen, and Dan Wing.
842 IAB, et al. Informational [Page 15]
843 \f
844 RFC 5507 Design Choices When Expanding the DNS April 2009
847 10. IAB Members at the Time of This Writing
849 Loa Andersson
850 Gonzalo Camarillo
851 Stuart Cheshire
852 Russ Housley
853 Olaf Kolkman
854 Gregory Lebovitz
855 Barry Leiba
856 Kurtis Lindqvist
857 Andrew Malis
858 Danny McPherson
859 David Oran
860 Dave Thaler
861 Lixia Zhang
863 11. References
865 11.1. Normative References
867 [RFC1035] Mockapetris, P., "Domain names - implementation and
868 specification", STD 13, RFC 1035, November 1987.
870 [RFC1464] Rosenbaum, R., "Using the Domain Name System To
871 Store Arbitrary String Attributes", RFC 1464,
872 May 1993.
874 [RFC2535] Eastlake, D., "Domain Name System Security
875 Extensions", RFC 2535, March 1999.
877 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
878 RFC 2671, August 1999.
880 [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource
881 Record (RR) Types", RFC 3597, September 2003.
883 [RFC5395] Eastlake, D., "Domain Name System (DNS) IANA
884 Considerations", BCP 42, RFC 5395, November 2008.
886 11.2. Informative References
888 [DNSEXT-DNS-SD] Cheshire, S. and M. Krochmal, "DNS-Based Service
889 Discovery", Work in Progress, September 2008.
891 [Dyer87] Dyer, S. and F. Hsu, "Hesiod, Project Athena
892 Technical Plan - Name Service", Version 1.9,
893 April 1987.
898 IAB, et al. Informational [Page 16]
899 \f
900 RFC 5507 Design Choices When Expanding the DNS April 2009
903 [RFC1123] Braden, R., "Requirements for Internet Hosts -
904 Application and Support", STD 3, RFC 1123,
905 October 1989.
907 [RFC1535] Gavron, E., "A Security Problem and Proposed
908 Correction With Widely Deployed DNS Software",
909 RFC 1535, October 1993.
911 [RFC2163] Allocchio, C., "Using the Internet DNS to Distribute
912 MIXER Conformant Global Address Mapping (MCGAM)",
913 RFC 2163, January 1998.
915 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
916 Specification", RFC 2181, July 1997.
918 [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
919 RFC 2672, August 1999.
921 [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the
922 KEY Resource Record (RR)", RFC 3445, December 2002.
924 [RFC3467] Klensin, J., "Role of the Domain Name System (DNS)",
925 RFC 3467, February 2003.
927 [RFC3761] Faltstrom, P. and M. Mealling, "The E.164 to Uniform
928 Resource Identifiers (URI) Dynamic Delegation
929 Discovery System (DDDS) Application (ENUM)",
930 RFC 3761, April 2004.
932 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and
933 S. Rose, "DNS Security Introduction and
934 Requirements", RFC 4033, March 2005.
936 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and
937 S. Rose, "Resource Records for the DNS Security
938 Extensions", RFC 4034, March 2005.
940 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and
941 S. Rose, "Protocol Modifications for the DNS
942 Security Extensions", RFC 4035, March 2005.
944 [RFC4511] Sermersheim, J., "Lightweight Directory Access
945 Protocol (LDAP): The Protocol", RFC 4511, June 2006.
947 [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
948 System", RFC 4592, July 2006.
954 IAB, et al. Informational [Page 17]
955 \f
956 RFC 5507 Design Choices When Expanding the DNS April 2009
959 [RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M.,
960 Fenton, J., and M. Thomas, "DomainKeys Identified
961 Mail (DKIM) Signatures", RFC 4871, May 2007.
963 Authors' Addresses
965 Internet Architecture Board
967 EMail: iab@iab.org
970 Patrik Faltstrom (editor)
972 EMail: paf@cisco.com
975 Rob Austein (editor)
977 EMail: sra@isc.org
980 Peter Koch (editor)
982 EMail: pk@denic.de
1010 IAB, et al. Informational [Page 18]
1011 \f