Extension mechanisms for DNS

The term EDNS (Extended DNS) summarizes various extensions to the Domain Name System that affect the transport of DNS data in UDP packets.

Motivation

The DNS, developed in the first half of the 1980s, has been extended over the years with many features. The flags, return codes and label types present in DNS packets eventually were no longer sufficient to describe all situations. Another serious problem was the 512-byte length limit on DNS UDP packets. These limitations made an extension of the DNS packet format unavoidable. In 1999 Paul Vixie formulated a corresponding standard in RFC 2671.

Operation

Since no flag was available in the DNS header to distinguish between the conventional and the EDNS format, a so-called pseudo-record was introduced, the OPT resource record. Such a pseudo-RR is used only in transit between client and server; it never appears in zone files or caches. A DNS implementation wishing to mark a DNS packet as EDNS adds a corresponding pseudo-RR to the Additional Data section of the DNS request or response.

Besides marking a packet as an EDNS packet, an OPT resource record has the following functions:

  • Provision of 16 additional flags
  • Extension of the response code by eight bits (giving three times as many bits for the response code in one packet)

In addition, the OPT record carries the maximum UDP packet size the sender can handle and the version number (currently 0). A variable-length data field allows further information to be carried in future.
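The layout described above, as an added example that is not part of the original article: a small Python encoder and decoder for the OPT pseudo-RR (type 41, root name, payload size in the CLASS field, extended RCODE / version / flags packed into the TTL field), plus a minimal query that places the record in the Additional section. The function names, the transaction id and the payload size 4096 are this example's own choices.

```python
# Added example, not from the original article: building and parsing the EDNS0
# OPT pseudo-record (RFC 2671). Names and sample values are this example's own.
import struct

OPT_TYPE = 41        # RR type code of the OPT pseudo-record
DO_FLAG = 0x8000     # "DNSSEC OK": the first flag defined in the 16 extended flag bits


def build_opt_rr(udp_payload_size=4096, ext_rcode=0, version=0, do=True, rdata=b""):
    """Encode an OPT pseudo-RR for the Additional section.

    NAME   = root (a single zero byte)
    TYPE   = 41 (OPT)
    CLASS  = sender's maximum UDP payload size
    TTL    = extended RCODE (8 bits) | version (8 bits) | flags (16 bits, DO = top bit)
    RDATA  = variable-length options field (empty here)
    """
    flags = DO_FLAG if do else 0
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, len(rdata)) + rdata


def parse_opt_rr(data, offset=0):
    """Decode an OPT RR at `offset`; returns (fields, offset after the record)."""
    if data[offset] != 0:
        raise ValueError("OPT RR must carry the root name")
    rtype, payload, ttl, rdlen = struct.unpack_from("!HHIH", data, offset + 1)
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    start = offset + 1 + 10                    # 1 name byte + 10 fixed-size bytes
    rdata = data[start:start + rdlen]
    return {
        "udp_payload_size": payload,
        "ext_rcode": ttl >> 24,
        "version": (ttl >> 16) & 0xFF,
        "do": bool(ttl & DO_FLAG),
        "rdata": rdata,
    }, start + rdlen


def full_rcode(header_rcode, ext_rcode):
    """Combine the 4-bit header RCODE with the 8 extended bits into the 12-bit code.

    Example: BADVERS is 16, i.e. extended RCODE 1 with header RCODE 0.
    """
    return (ext_rcode << 4) | header_rcode


def build_query(qname, qtype=1, txid=0x1234, udp_payload_size=4096, do=True):
    """Minimal DNS query: header + one question + OPT RR in the Additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, ARCOUNT = 1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)                      # QTYPE, QCLASS IN
    return header + question + build_opt_rr(udp_payload_size, do=do)


if __name__ == "__main__":
    q = build_query("example.com")
    print(q.hex())
    print(parse_opt_rr(q, len(q) - 11)[0])
```

A resolver that advertises a payload size above 512 bytes in the CLASS field tells the server it may send larger UDP responses; the firewall issue described later in this article arises exactly when such a response is larger than 512 bytes.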

Another extension specified in RFC 2671 concerns the label format. Originally there were two label types in DNS packets, defined by the first two bits of the label (RFC 1035):

  • 00 = standard label
  • 11 = compressed label

To allow a greater number of further label types, the type 01 = "Extended Label" was defined. The following 6 bits of the first byte can thus form 63 label subtypes.
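How a decoder tells the label types apart, as an added example that is not from the original article: a name reader that walks standard labels (00), follows compression pointers (11) with a bound on the number of jumps and a backwards-only rule so a malformed message cannot send it into a loop, reports the 6-bit subtype of an extended label (01) it does not understand, and rejects the reserved type (10). The function name and the sample message are this example's own.

```python
# Added example, not from the original article: classifying DNS labels by the two
# high bits of the first byte (RFC 1035 / RFC 2671) while decoding a name.

def read_name(msg, offset, max_jumps=16):
    """Decode a domain name at `offset` in a DNS message.

    Returns (name, offset just past the name as it appears at `offset`).
    Compression pointers are followed but do not advance that end offset.
    """
    labels = []
    jumps = 0
    end = None
    pos = offset
    while True:
        b = msg[pos]
        kind = b >> 6                       # the two high bits select the label type
        if kind == 0b00:                    # standard label: 6-bit length, then bytes
            length = b & 0x3F
            if length == 0:                 # root label terminates the name
                if end is None:
                    end = pos + 1
                return ".".join(labels) + ".", end
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length
        elif kind == 0b11:                  # compression pointer: 14-bit offset
            if end is None:
                end = pos + 2
            pointer = ((b & 0x3F) << 8) | msg[pos + 1]
            jumps += 1
            # RFC 1035 pointers refer to a prior occurrence; forward or self
            # pointers and long chains are rejected to avoid infinite loops.
            if jumps > max_jumps or pointer >= pos:
                raise ValueError("bad compression pointer")
            pos = pointer
        elif kind == 0b01:                  # extended label type (RFC 2671)
            raise ValueError(f"unsupported extended label subtype {b & 0x3F}")
        else:                               # 10 is reserved
            raise ValueError("reserved label type")


if __name__ == "__main__":
    # Constructed sample: "example.com." followed by "www" + pointer to offset 0.
    sample = b"\x07example\x03com\x00\x03www\xc0\x00"
    print(read_name(sample, 0))     # ('example.com.', 13)
    print(read_name(sample, 13))    # ('www.example.com.', 19)
```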

Practice

EDNS is mandatory for DNSSEC, since the DO flag (DNSSEC OK) cannot be accommodated in the standard header. The DO flag was also the first newly defined flag.

Difficulties can occur with older firewalls that assume a maximum DNS message length of 512 bytes and block longer packets.

Example of the OPT data as displayed in the output of the dig tool:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

References

  • RFC 2671 Extension Mechanisms for DNS ( EDNS0 ) 1999