7Internet Engineering Task Force (IETF) D. Eastlake 3rd
8Request for Comments: 6604 Huawei
9Updates: 1035, 2308, 2672 April 2012
10Category: Standards Track
14 xNAME RCODE and Status Bits Clarification
18 The Domain Name System (DNS) has long provided means, such as the
19 CNAME (Canonical Name), whereby a DNS query can be redirected to a
20 different name. A DNS response header has an RCODE (Response Code)
21 field, used for indicating errors, and response status bits. This
22 document clarifies, in the case of such redirected queries, how the
23 RCODE and status bits correspond to the initial query cycle (where
24 the CNAME or the like was detected) and subsequent or final query
29 This is an Internet Standards Track document.
31 This document is a product of the Internet Engineering Task Force
32 (IETF). It represents the consensus of the IETF community. It has
33 received public review and has been approved for publication by the
34 Internet Engineering Steering Group (IESG). Further information on
35 Internet Standards is available in Section 2 of RFC 5741.
37 Information about the current status of this document, any errata,
38 and how to provide feedback on it may be obtained at
39 http://www.rfc-editor.org/info/rfc6604.
43 Copyright (c) 2012 IETF Trust and the persons identified as the
44 document authors. All rights reserved.
46 This document is subject to BCP 78 and the IETF Trust's Legal
47 Provisions Relating to IETF Documents
48 (http://trustee.ietf.org/license-info) in effect on the date of
49 publication of this document. Please review these documents
50 carefully, as they describe your rights and restrictions with respect
51 to this document. Code Components extracted from this document must
52 include Simplified BSD License text as described in Section 4.e of
53 the Trust Legal Provisions and are provided without warranty as
54 described in the Simplified BSD License.
58Eastlake Standards Track [Page 1]
60RFC 6604 xNAME RCODE Clarification April 2012
65 1. Introduction ....................................................2
66 1.1. Conventions Used in This Document ..........................3
67 2. Restatement of Status Bits and What They Mean ...................3
68 2.1. The Authoritative Answer Bit ...............................3
69 2.2. The Authentic Data Bit .....................................3
70 3. RCODE Clarification .............................................3
71 4. Security Considerations .........................................4
72 5. References ......................................................4
73 5.1. Normative References .......................................4
74 5.2. Informative References .....................................5
78 The Domain Name System (DNS) has long provided means, such as the
79 CNAME (Canonical Name [RFC1035]) and DNAME [RFC2672] RRs (Resource
80 Records), whereby a DNS query can be redirected to a different name.
81 In particular, CNAME normally causes a query to its owner name to be
82 redirected, while DNAME normally causes a query to any lower-level
83 name to be redirected. There has been a proposal for another
84 redirection RR. In addition, as specified in [RFC2672], redirection
85 through a DNAME also results in the synthesis of a CNAME RR in the
86 response. In this document, we will refer to all RRs causing such
87 redirection as xNAME RRs.
89 xNAME RRs can be explicitly retrieved by querying for the xNAME type.
90 When a different type is queried and an xNAME RR is encountered, the
91 xNAME RR (and possibly a synthesized CNAME) is added to the answer in
92 the response, DNS Security Extensions (DNSSEC) [RFC4035] RRs
93 applicable to the xNAME RR may be added to the response, and the
94 query is restarted with the name to which it was redirected.
96 An xNAME may redirect a query to a name at which there is another
97 xNAME and so on. In this document, we use "xNAME chain" to refer to
98 a series of one or more xNAMEs each of which refers to another xNAME
99 except the last, which refers to a non-xNAME or results in an error.
101 A DNS response header has an RCODE (Response Code) field, used for
102 indicating errors, and status bits that indicate whether an answer is
103 authoritative and/or authentic. This document clarifies, in the case
104 of such redirected queries, how the RCODE and status bits correspond
105 to the initial query cycle (where the (first) xNAME was detected) and
106 subsequent or final query cycles.
114Eastlake Standards Track [Page 2]
116RFC 6604 xNAME RCODE Clarification April 2012
1191.1. Conventions Used in This Document
121 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
122 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
123 document are to be interpreted as described in [RFC2119].
1252. Restatement of Status Bits and What They Mean
127 There are two status bits returned in query responses for which a
128 question could arise as to how, in the case of an xNAME chain, they
129 relate to the first, possible intermediate, and/or last queries, as
130 below. Note that the following is unchanged from [RFC1035] and
131 [RFC4035]. The meaning of these bits is simply restated here for
132 clarity, because of observations of released implementations that did
133 not follow these meanings.
1352.1. The Authoritative Answer Bit
137 The AA, or Authoritative Answer bit, in the DNS response header
138 indicates that the answer returned is from a DNS server authoritative
139 for the zone containing that answer. For an xNAME chain, this
140 "authoritative" status could be different for each answer in that
143 [RFC1035] states that the AA bit is to be set based on whether the
144 server providing the answer with the first owner name in the answer
145 section is authoritative. This specification of the AA bit has not
1482.2. The Authentic Data Bit
150 The AD, or Authentic Data bit, indicates that the response returned
151 is authentic according to the dictates of DNSSEC [RFC4035].
152 [RFC4035] unambiguously states that the AD bit is to be set in a DNS
153 response header only if the DNSSEC-enabled server believes all RRs in
154 the answer and authority sections of that response to be authentic.
155 This specification of the AD bit has not been changed.
1573. RCODE Clarification
159 The RCODE field in a DNS query response header is non-zero to
160 indicate an error. Section 4.3.2 of [RFC1034] has a resolution
161 algorithm that includes CNAME processing but has been found to be
162 unclear concerning the ultimate setting of RCODE in the case of such
163 redirection. Section 2.1 of [RFC2308] implies that the RCODE should
164 be set based on the last query cycle in the case of an xNAME chain,
165 but Section 2.2.1 of [RFC2308] says that some servers don't do that!
170Eastlake Standards Track [Page 3]
172RFC 6604 xNAME RCODE Clarification April 2012
175 When there is an xNAME chain, the RCODE field is set as follows:
177 When an xNAME chain is followed, all but the last query cycle
178 necessarily had no error. The RCODE in the ultimate DNS response
179 MUST BE set based on the final query cycle leading to that
180 response. If the xNAME chain was terminated by an error, it will
181 be that error code. If the xNAME chain terminated without error,
1844. Security Considerations
186 The AA header flag bit is not protected by DNSSEC [RFC4033]. To
187 secure it, secure communications are needed between the querying
188 resolver and the DNS server. Such security can be provided by DNS
189 transaction security, either TSIG [RFC2845] or SIG(0) [RFC2931].
191 An AD header flag bit and the RCODE in a response are not, in
192 general, protected by DNSSEC, so the same conditions as stated in the
193 previous paragraph generally apply to them; however, this is not
194 always true. In particular, if the following apply, then the AD bit
195 and an NXDOMAIN RCODE are protected by DNSSEC in the sense that the
196 querier can calculate whether they are correct:
198 1. The zone where an NXDOMAIN RCODE occurs or all the zones where the
199 data whose authenticity would be indicated by the AD flag bit are
202 2. The query or queries involved indicate that DNSSEC RRs are OK in
205 3. The responses providing these indications are from servers that
206 include the additional DNSSEC RRs required by DNSSEC.
208 4. The querier has appropriate trust anchor(s) and appropriately
209 validates and processes the DNSSEC RRs in the response.
2135.1. Normative References
215 [RFC1034] Mockapetris, P., "Domain names - concepts and
216 facilities", STD 13, RFC 1034, November 1987.
218 [RFC1035] Mockapetris, P., "Domain names - implementation and
219 specification", STD 13, RFC 1035, November 1987.
221 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
222 Requirement Levels", BCP 14, RFC 2119, March 1997.
226Eastlake Standards Track [Page 4]
228RFC 6604 xNAME RCODE Clarification April 2012
231 [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
232 RFC 2672, August 1999.
234 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
235 Rose, "Protocol Modifications for the DNS Security
236 Extensions", RFC 4035, March 2005.
2385.2. Informative References
240 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
241 NCACHE)", RFC 2308, March 1998.
243 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
244 Wellington, "Secret Key Transaction Authentication for
245 DNS (TSIG)", RFC 2845, May 2000.
247 [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
248 ( SIG(0)s )", RFC 2931, September 2000.
250 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
251 Rose, "DNS Security Introduction and Requirements",
252 RFC 4033, March 2005.
256 Donald E. Eastlake 3rd
261 Phone: +1-508-333-2270
262 EMail: d3e3e3@gmail.com
282Eastlake Standards Track [Page 5]