INTERNET-DRAFT M. Sawyer B. Wellington M. Graff Nominum <draft-sawyer-dnsext-edns0-zone-option-00.txt> 9 October 2000 ZONE and VIEW option records in DNS messages Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This draft expires on April 9, 2001. Abstract This document defines two new EDNS option codes used to specify what zone and view should be used in query messages to a remote DNS server. 1 - Introduction Familiarity with DNS [RFC1034, RFC1035] and DNS Extension Mechanisms [RFC2671] is helpful. Domain Concepts and Facilities [RFC1034] Section 3.7 shows a typical reply to a DNS query, containing the answer as well as additional data related to the answer provided. The server's zone database may contain out-of-zone data glue which is internally used but is never returned in a reply to a query. If recursion is requested by the client and available in the server, or if the data is available in Expires April 2001 [Page 1] INTERNET-DRAFT ZONE and VIEW option records October 2000 the server's cache, the additional information will be taken from these sources on most servers. There is no method currently available for an administrator to query a server specifying that only data from a specific zone should be used in formulating the reply and that all available data from that zone's database should be used, including out-of-zone glue. As such, there is no mechanism for an administrator to ensure that out-of-zone data in the zone's database is correct except through direct manipulation of the zone database files. In addition, zone transfers via AXFR or IXFR do not include out-of-zone glue. The ZONE option code is provided to specify directly which zone database should be queried. In addition, DNS server software exists which may present different "views" of the DNS space to different clients. In some cases, a query may match the criteria of multiple views, and a user may wish to specify which of the acceptable views match the query. The VIEW option code is provided to specify which view should be searched for the appropriate zone database. 1.2 - Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2 - Protocol changes: This document updates [RFC2671]. The ZONE and VIEW option records are intended as optional features. Servers MAY support either or both of these options. Servers SHOULD provide configuration options to enable or disable these optional records as needed. Servers and clients SHOULD NOT use the ZONE or VIEW option codes in normal use. Servers SHOULD NOT use the VIEW option record in zone transfers unless the administrator has specifically configured the server to use these records. Servers MAY provide a mechanism for such configuration. Servers SHOULD NOT use the ZONE option record in zone transfers under any configuration. 3 - ZONE option record The ZONE OPTION-DATA MUST contain a standard uncompressed wire-format name in the format specified by [RFC1035] Section 3.3. Wildcards are not permitted in ZONE option records. Expires April 2001 [Page 2] INTERNET-DRAFT ZONE and VIEW option records October 2000 When a server receives a query with a ZONE option record, it MUST reply with a REFUSED reply if it understands the ZONE record but is not configured to allow ZONE specific requests, if the specified zone does not exist on the server, or if the client is not authorized to use the ZONE option. If the ZONE option is allowed, it MUST return a normally formatted reply with a ZONE optional record, containing the same zone as the one queried. When replying to AXFR or IXFR queries with ZONE options, the entire zone, including out-of-zone glue, should be returned to the client. Servers SHOULD treat ZONE options in zone transfer requests as an unauthorized request and return REFUSED. 3.2 - VIEW option record The VIEW OPTION-RECORD contains an arbitrary length text field, which is used to match the name of the view in the server's configuration. When a server receives a query with a VIEW option record, it MUST reply with a REFUSED reply if it understands the VIEW record but is not configured to allow VIEW specific requests, the specified view does not exist, or the client is not authorized to access the specified view. If a VIEW option is allowed, it MUST return a normally formatted reply with a VIEW optional record containing the same view as the one queried. The information used in generating the reply should contain only information from the specified view of the DNS space. 4 - IANA considerations We request IANA assign option codes for the ZONE and VIEW options. 5 - Security considerations This document provides a mechanism for users to override the default behavior of the server when accessing data from its internal zone databases. Software developers and administrators should use some care when enabling these options, as they may provide outside users the ability to retrieve information otherwise not available. 6 - References [RFC1034] P. Mockapetris, ``Domain Names - Concepts and Facilities,'' RFC 1034, ISI, November 1987. [RFC1035] P. Mockapetris, ``Domain Names - Implementation and Specification,'' RFC 1035, ISI, November 1987. Expires April 2001 [Page 3] INTERNET-DRAFT ZONE and VIEW option records October 2000 [RFC2119] S. Brander, ``Key words for use in RFCs to Indicate Requirement Levels,'' RFC 2119, ISI, November 1997. [RFC2671] P. Vixie, ``Extension Mechanisms for DNS (EDNS0),'' RFC 2671, ISI, August, 1999 Author's Address Michael Sawyer Nominum, Inc. 950 Charter St. Redwood City, CA 94063 Phone: +1-650-779-6021 michael.sawyer@nominum.com Brian Wellington Nominum, Inc. 950 Charter St. Redwood City, CA 94063 Phone: +1-650-779-6022 brian.wellington@nominum.com Michael Graff Nominum, Inc. 950 Charter St. Redwood City, CA 94063 Phone: +1-650-779-6034 michael.graff@nominum.com Expires April 2001 [Page 4]