Internet-Draft | dns+cbor | July 2023 |
Lenders, et al. | Expires 11 January 2024 | [Page] |
This document specifies a compressed data format of DNS messages using the Concise Binary Object Representation [RFC8949]. The primary purpose is to keep DNS messages small in constrained networks.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://anr-bmbf-pivot.github.io/draft-lenders-dns-cbor/draft-lenders-dns-cbor.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-lenders-dns-cbor/.¶
Discussion of this document takes place on the CBOR Working Group mailing list (mailto:[email protected]), which is archived at https://mailarchive.ietf.org/arch/browse/cbor/. Subscribe at https://www.ietf.org/mailman/listinfo/cbor/.¶
Source for this draft and an issue tracker can be found at https://github.com/anr-bmbf-pivot/draft-lenders-dns-cbor.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In constrained networks [RFC7228], the link layer may restrict the payload sizes to only a few hundreds bytes. Encrypted DNS resolution, such as DNS over HTTPS (DoH) [RFC8484] or DNS over CoAP (DoC) [I-D.ietf-core-dns-over-coap], may lead to DNS message sizes that exceed this limit, even when implementing header compression such as 6LoWPAN IPHC [RFC6282] or SCHC [RFC8724], [RFC8824].¶
Although adoption layers such as 6LoWPAN [RFC4944] or SCHC [RFC8724] offer fragmentation to comply with small MTUs, fragmentation should be avoided in constrained networks, because fragmentation combined with high packet loss multiplies the loss. As such, a compression format for DNS messages is needed.¶
This document specifies a compressed data format for DNS messages. DNS messages are encoded in Concise Binary Object Representation (CBOR) [RFC8949] and, additionally, unnecessary or redundant information is removed. To use the outcome of this specification in DoH and DoC, this document also specifies a Media Type header for DoH and a Content-Format option for DoC.¶
CBOR types (unsigned integer, byte string, text string, arrays, etc.) are used as defined in [RFC8949].¶
TBD DNS server and client.¶
A DNS query is a message that queries DNS information from an upstream DNS resolver.¶
The term "constrained networks" is used as defined in [RFC7228].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
To keep overhead minimal, a DNS message is represented as CBOR arrays. All CBOR items used in this specification are of definite length. CBOR arrays that do not follow the length definitions of this or follow-up specifications, MUST be silently ignored. It is assumed that DNS query and DNS response are distinguished message types and that the query can be mapped to the response by the transport protocol of choice. To define the representation of binary objects we use the Concise Data Definition Language (CDDL) [RFC8610].¶
If, for any reason, a DNS message is not representable in the CBOR format specified in this document, a fallback to the another DNS message format, e.g., the classic DNS wire format, MUST always be possible.¶
Domain names are represented in their commonly known string format (e.g., "example.org", see Section 2.3.1 in [RFC1035]) and in IDNA encoding [RFC5890] as a text string. For the purpose of this document, domain names remain case-insensitive as specified in [RFC1035].¶
The representation of a domain name is defined in Figure 1.¶
DNS resource records are encoded either in their binary form as a byte string or as CBOR arrays containing 2 to 5 entries in the following order:¶
If the first item of the resource record is a text string, it is its name. If the name is elided, the name is derived from the question section of the message. For responses, the question section is either taken from the query (see Section 3.3) or provided with the response see Section 3.4. The query may be derived from the transport context.¶
If the record type is elided, the record type from the question is assumed. If record class is elided, the record class from the question is assumed. When a record class is required, the record type MUST also be provided.¶
The byte format of the record data as a byte string follows the wire format as specified in Section 3.3 [RFC1035] (or other specifications of the respective record type). Note that this format does not include the RDLENGTH field from [RFC1035] as this value is encoded in the length field of the CBOR byte string.¶
If the record data represents a domain name (e.g., for CNAME or PTR records), the record data MAY be represented as a text string as specified in Section 3.1. This can save 1 byte of data, because the byte representation of DNS names requires both an additional byte to define the length of the first name component and well as a zero byte at the end of the name. With CBOR on the other hand only 1 byte is required to define type and length of the text string up until a string length of 23 characters. Likewise, if the record data is purely a numerical value, it can be expressed as either an unsigned or negative integer.¶
The representation of a DNS resource records is defined in Figure 2.¶
DNS queries are encoded as CBOR arrays containing up to 5 entries in the following order:¶
If the first item of the query is an array, it is the question section, if it is an unsigned integer, it is the transaction ID. If the transaction ID is present and followed by another unsigned integer, that item is a flag field and maps to the header flags in [RFC1035] and the "DNS Header Flags" IANA registry including the QR flag and the Opcode. It MUST be lesser than 2^16.¶
If the transaction ID is elided, the value 0 is assumed, same for the flags. The transaction ID MUST be included and set to an unpredictable value lesser than 2^32, if the DNS transport can not ensure the prevention of DNS response spoofing. An example for such a transport is unencrypted DoC (see [I-D.ietf-core-dns-over-coap], Section 6).¶
The question section is encoded as a CBOR array containing up to 3 entries:¶
If the record type is elided, record type AAAA
as specified in [RFC3596] is assumed.
If the record class is elided, record class IN
as specified in [RFC1035] is assumed.
When a record class is required, the record type MUST also be provided.¶
The remainder of the query is either empty or MUST consist of up to two arrays. The first array, if present, encodes the authority section of the query as an array of DNS resource records (see Section 3.2) The second array, if present, encodes the additional section of the query as an array of DNS resource records (see Section 3.2)¶
The representation of a DNS query is defined in Figure 3.¶
DNS responses are encoded as a CBOR array containing up to 7 entries.¶
If the CBOR array is a response to a query that contains a transaction ID, it MUST be included and set to the corresponding value present in the query. If it is not included, the transaction ID is implied to be 0.¶
If the CBOR array is a response to a query for which the flags indicate that flags are set in the response, they MUST be set accordingly and thus included in the response. If the flags are not included, the flags are implied to be 0x8000 (everything unset except for the QR flag).¶
If the response includes only 1 array, this is the DNS answer section represented as an array of one or more DNS Resource Records (see Section 3.2).¶
If the response includes 2 arrays, the first entry is a question section and the second entry is an answer section. The question section is encoded like as specified in Section 3.3, the answer section is represented as an array of one or more DNS Resource Records (see Section 3.2).¶
If the response includes 3 arrays, the first section is a question section, the second an answer section, and the third an additional section (TBD: back choice to favor additional section by empirical data). Again, the question section is encoded like a DNS query as specified in Section 3.3 and both answer and additional sections are represented each as an array of one or more DNS Resource Records (see Section 3.2).¶
If the response includes 4 arrays, the first section is a question section, the second an answer section, the third an authority section, and the fourth an additional section (TBD: back by empirical data). They follow the specification of 3 arrays in the answer. The authority section is also represented as an array of one or more DNS Resource Records (see Section 3.2).¶
If both DNS server and client support packed CBOR [I-D.ietf-cbor-packed], it MAY be used for name and address compression in DNS responses.¶
A DNS client uses media type "application/dns+cbor;packed=1" to negotiate (see, e.g., [RFC9110] or [RFC7252], Section 5.5.4) with the DNS server if the server supports packed CBOR. If it does, it MAY request the response to be in packed CBOR (media type "applicaton/dns+cbor;packed=1"). The server then SHOULD reply with the response in packed CBOR.¶
The representation of DNS responses in packed CBOR differs, in that responses are now represented as a CBOR array of two arrays. The first array is a packing table that is used both as shared item table and argument table (see [I-D.ietf-cbor-packed], Section 2.1), the second is the compressed response.¶
If an index in the packing table is referenced with shared item reference ([I-D.ietf-cbor-packed], Section 2.2) a decoder uses the packing table as a shared item table. If an index in the packing table is referenced as an argument ([I-D.ietf-cbor-packed], Sections 2.3 and 4), a decoder uses the packing table as an argument table.¶
How the compressor constructs the packing table, i.e., how the compression is applied, is out of scope of this document. Several potential compression algorithms were evaluated in [TBD].¶
The DNS-specific specification for packed CBOR merges the argument and shared item table into one packed table. This differentiates it from the Basic Packed CBOR format specified in [I-D.ietf-cbor-packed].¶
In DNS compression only affix compression, i.e. straight/inverse referencing, and shared value referencing are needed for DNS compression, but no further functions. Since for those types of references, the arguments of the affix compression and the shared values do not collide—shared values are just affixes with an empty rump—we only need one table. Using this specific constrained for DNS, allows us to save the additional bytes that would be required for the 113 tag and the extra array in the Basic Packed CBOR format.¶
Compression of queries is not specified, as apart from EDNS(0) (TBD), they only consist of one question most of the time.¶
TBD: Table comparing DNS wire-format, DNS+CBOR, and DNS+CBOR-packed¶
TODO Security¶
This document registers a media type for the serialization format of DNS messages in CBOR. It follows the procedures specified in [RFC6838].¶
Type name: application¶
Subtype name: dns+cbor¶
Required parameters: None¶
Optional parameters: packed¶
Encoding considerations: Must be encoded as using [RFC8949]. See [TBD-this-spec] for details.¶
Security considerations: See Section 6 of this draft¶
Interoperability considerations: TBD¶
Published specification: [TBD-this-spec]¶
Applications that use this media type: TBD DNS over X systems¶
Fragment Identifier Considerations: TBD¶
Additional information:¶
Deprecated alias names for this type: N/A¶
Magic number(s): N/A¶
File extension(s): dnsc¶
Macintosh file type code(s): none¶
Person & email address to contact for further information: Martine S. Lenders [email protected]¶
Intended usage: COMMON¶
Restrictions on Usage: None?¶
Author: Martine S. Lenders [email protected]¶
Change controller: Martine S. Lenders [email protected]¶
Provisional registrations? No¶
IANA is requested to assign CoAP Content-Format ID for the new DNS message media types in the "CoAP Content-Formats" sub-registry, within the "CoRE Parameters" registry [RFC7252], corresponding the "application/dns+cbor" media type specified in Section 7.1:¶
A DNS query of the record AAAA
in class IN
for name "example.org" is
represented in CBOR extended diagnostic notation (EDN) (see Section 8 in
[RFC8949] and Appendix G in [RFC8610]) as follows:¶
[["example.org"]]¶
A query of an A
record for the same name is represented as¶
[["example.org", 1]]¶
A query of ANY
record for that name is represented as¶
[["example.org", 255, 255]]¶
The responses to the examples provided in Appendix A.1 are shown below. We use the CBOR extended diagnostic notation (EDN) (see Section 8 in [RFC8949] and Appendix G in [RFC8610]).¶
To represent an AAAA
record with TTL 300 seconds for the IPv6 address 2001:db8::1, a minimal
response to ["example.org"]
could be¶
[[[300, h'20010db8000000000000000000000001']]]¶
In this case, the name is derived from the query.¶
If the name or the context is required, the following response would also be valid:¶
[[["example.org", 300, h'20010db8000000000000000000000001']]]¶
If the query can not be mapped to the response for some reason, a response would look like:¶
[["example.org"], [[300, h'20010db8000000000000000000000001']]]¶
To represent a minimal response of an A
record with TTL 3600 seconds for the IPv4 address
192.0.2.1, a minimal response to ["example.org", 1]
could be¶
[[300, h'c0000201']]¶
Note that here also the 1 of record type A
can be elided, as this record
type is specified in the question section.¶
Lastly, a response to ["example.org", 255, 255]
could be¶
[ ["example.org", 12, 1], [[3600, "_coap._udp.local"]], [ [3600, 2, "ns1.example.org"], [3600, 2, "ns2.example.org"] ], [ [ "_coap._udp.local", 3600, 28, h'20010db8000000000000000000000001' ], [ "_coap._udp.local", 3600, 28, h'20010db8000000000000000000000002' ], [ "ns1.example.org", 3600, 28, h'20010db8000000000000000000000035' ], [ "ns2.example.org", 3600, 28, h'20010db8000000000000000000003535' ] ] ]¶
This one advertises two local CoAP servers (identified by service name _coap._udp.local
) at
2001:db8::1 and 2001:db8::2 and two nameservers for the example.org domain, ns1.example.org at
2001:db8::35 and ns2.example.org at 2001.db8::3535. Each of the transmitted records has a TTL of
3600 seconds.¶
TODO acknowledge.¶