1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
|
Internet Engineering Task Force (IETF) R. Bellis
Request for Comments: 9619 ISC
Updates: 1035 J. Abley
Category: Standards Track Cloudflare
ISSN: 2070-1721 July 2024
In the DNS, QDCOUNT Is (Usually) One
Abstract
This document updates RFC 1035 by constraining the allowed value of
the QDCOUNT parameter in DNS messages with OPCODE = 0 (QUERY) to a
maximum of one, and it specifies the required behavior when values
that are not allowed are encountered.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9619.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction
2. Terminology Used in This Document
3. QDCOUNT Is (Usually) One
4. Updates to RFC 1035
5. Security Considerations
6. IANA Considerations
7. References
7.1. Normative References
7.2. Informative References
Appendix A. Guidance for the Use of QDCOUNT in the DNS
Specification
A.1. OPCODE = 0 (QUERY) and 1 (IQUERY)
A.2. OPCODE = 4 (NOTIFY)
A.3. OPCODE = 5 (UPDATE)
A.4. OPCODE = 6 (DNS Stateful Operations, DSO)
A.5. Conclusion
Acknowledgements
Authors' Addresses
1. Introduction
The DNS protocol [RFC1034] [RFC1035] includes a parameter QDCOUNT in
the DNS message header whose value is specified to mean the number of
questions in the Question section of a DNS message.
In a general sense, it seems perfectly plausible for the QDCOUNT
parameter, an unsigned 16-bit value, to take a considerable range of
values. However, in the specific case of messages that encode DNS
queries and responses (messages with OPCODE = 0), there are other
limitations inherent in the protocol that constrain values of QDCOUNT
to be either 0 or 1. In particular, several parameters specified for
DNS response messages such as AA and RCODE have no defined meaning
when the message contains multiple queries as there is no way to
signal which question those parameters relate to.
In this document, we briefly survey the existing written DNS
specification; provide a description of the semantic and practical
requirements for DNS queries that naturally constrain the allowable
values of QDCOUNT; and update the DNS base specification to clarify
the allowable values of the QDCODE parameter in the specific case of
DNS messages with OPCODE = 0.
2. Terminology Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. QDCOUNT Is (Usually) One
A brief summary of the guidance provided in the existing DNS
specification ([RFC1035] and many other documents) for the use of
QDCOUNT can be found in Appendix A. While the specification is clear
in many cases, there is some ambiguity in the specific case of OPCODE
= 0, which this document aims to eliminate.
4. Updates to RFC 1035
A DNS message with OPCODE = 0 MUST NOT include a QDCOUNT parameter
whose value is greater than 1. It follows that the Question section
of a DNS message with OPCODE = 0 MUST NOT contain more than one
question.
A DNS message with OPCODE = 0 and QDCOUNT > 1 MUST be treated as an
incorrectly formatted message. The value of the RCODE parameter in
the response message MUST be set to 1 (FORMERR).
Middleboxes (e.g., firewalls) that process DNS messages in order to
eliminate unwanted traffic SHOULD treat messages with OPCODE = 0 and
QDCOUNT > 1 as malformed traffic and return a FORMERR response as
described above. Such firewalls MUST NOT treat messages with OPCODE
= 0 and QDCOUNT = 0 as malformed. See Section 4 of [RFC8906] for
further guidance.
5. Security Considerations
This document clarifies the DNS specification [RFC1035] and aims to
improve interoperability between different DNS implementations. In
general, the elimination of ambiguity seems well-aligned with
security hygiene.
6. IANA Considerations
This document has no IANA actions.
7. References
7.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3425] Lawrence, D., "Obsoleting IQUERY", RFC 3425,
DOI 10.17487/RFC3425, November 2002,
<https://www.rfc-editor.org/info/rfc3425>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
August 1996, <https://www.rfc-editor.org/info/rfc1996>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997,
<https://www.rfc-editor.org/info/rfc2136>.
[RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol
(AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010,
<https://www.rfc-editor.org/info/rfc5936>.
[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
<https://www.rfc-editor.org/info/rfc7873>.
[RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
Lemon, T., and T. Pusateri, "DNS Stateful Operations",
RFC 8490, DOI 10.17487/RFC8490, March 2019,
<https://www.rfc-editor.org/info/rfc8490>.
[RFC8906] Andrews, M. and R. Bellis, "A Common Operational Problem
in DNS Servers: Failure to Communicate", BCP 231,
RFC 8906, DOI 10.17487/RFC8906, September 2020,
<https://www.rfc-editor.org/info/rfc8906>.
Appendix A. Guidance for the Use of QDCOUNT in the DNS Specification
The DNS specification [RFC1035] provides some guidance about the
values of QDCOUNT that are appropriate in various situations. A
brief summary of this guidance is collated below.
A.1. OPCODE = 0 (QUERY) and 1 (IQUERY)
[RFC1035] significantly predates the use of the normative requirement
key words specified in BCP 14 [RFC2119] [RFC8174], and parts of it
are consequently somewhat open to interpretation.
Section 4.1.2 ("Question section format") of [RFC1035] states the
following about QDCOUNT:
"The section contains QDCOUNT (usually 1) entries"
The only documented exceptions within [RFC1035] relate to the IQuery
OpCode, where the request has "an empty question section" (QDCOUNT =
0), and the response has "zero, one, or multiple domain names for the
specified resource as QNAMEs in the question section". The IQuery
OpCode was obsoleted by [RFC3425].
In the absence of clearly expressed normative requirements, we rely
on other text in [RFC1035] that makes use of the definite article or
that implies a singular question and, by implication, QDCOUNT = 1.
For example, Section 4.1 of [RFC1035] states the following:
"the question for the name server"
and
"The question section contains fields that describe a question to
a name server."
And per Section 4.1.1 ("Header section format") of [RFC1035]:
"AA: Authoritative Answer - this bit is valid in responses, and
specifies that the responding name server is an authority for the
domain name in question section."
DNS Cookies (Section 5.4 of [RFC7873]) allow a client to receive a
valid Server Cookie without sending a specific question by sending a
request (QR = 0) with OPCODE = 0 and QDCOUNT = 0, with the resulting
response also containing no question.
The DNS Zone Transfer Protocol (Section 2.2 of [RFC5936]) allows an
authoritative server to optionally send a response message (QR = 1)
to a standard Authoritative Transfer (AXFR) query (OPCODE = 0,
QTYPE=252) with QDCOUNT = 0 in the second or subsequent message of a
multi-message response.
A.2. OPCODE = 4 (NOTIFY)
DNS Notify [RFC1996] also lacks a clearly defined range of values for
QDCOUNT. Section 3.7 states that:
"A NOTIFY request has QDCOUNT>0"
However, all other text in the RFC discusses the <QNAME, QCLASS,
QTYPE> tuple in the singular form.
A.3. OPCODE = 5 (UPDATE)
DNS Update [RFC2136] renames the QDCOUNT field to ZOCOUNT, but the
value is constrained to be one by Section 2.3 ("Zone Section"):
"All records to be updated must be in the same zone, and therefore
the Zone Section is allowed to contain exactly one record."
A.4. OPCODE = 6 (DNS Stateful Operations, DSO)
DNS Stateful Operations (DSO) (OpCode 6) [RFC8490] preserves
compatibility with the standard DNS 12-octet header by requiring all
four of the section count values to be set to zero.
A.5. Conclusion
There is no text in [RFC1035] that describes how other parameters in
the DNS message, such as AA and RCODE, should be interpreted in the
case where a message includes more than one question. An originator
of a query with QDCOUNT > 1 can have no expectations of how it will
be processed, and the receiver of a response with QDCOUNT > 1 has no
guidance for how it should be interpreted.
The allowable values of QDCOUNT seem to be clearly specified for
OPCODE = 4 (NOTIFY), OPCODE = 5 (UPDATE), and OPCODE = 6 (DNS
Stateful Operations, DSO). OPCODE = 1 (IQUERY) is obsolete and
OPCODE = 2 (STATUS) is not specified. OPCODE = 3 is reserved.
However, the allowable values of QDCOUNT for OPCODE = 0 (QUERY) are
specified in [RFC1035] without the clarity of normative language, and
this looseness of language results in some ambiguity.
Acknowledgements
The clarifications in this document were prompted by questions posed
by Ted Lemon, which reminded the authors of earlier, similar
questions and motivated them to pick up their pens. Ondrej Sury,
Warren Kumari, Peter Thomassen, Mark Andrews, Lars-Johan Liman, Jim
Reid, and Niall O'Reilly provided useful feedback.
Authors' Addresses
Ray Bellis
Internet Systems Consortium, Inc.
PO Box 360
Newmarket, NH 03857
United States of America
Phone: +1 650 423 1300
Email: ray@isc.org
Joe Abley
Cloudflare
Amsterdam
Netherlands
Phone: +31 6 45 56 36 34
Email: jabley@cloudflare.com
|