Extended DNS

from Wikipedia, the free encyclopedia

Extended DNS (EDNS) is the collective name for several extensions to the Domain Name System (DNS) protocol that concern the transport of DNS data in UDP packets.

Motivation

DNS, developed in the first half of the 1980s, has been given numerous additional functions over the years. The flags, return codes and label types in DNS packets were ultimately no longer sufficient to describe all situations. Another serious problem was the 512-byte length limit for DNS UDP packets. These restrictions made an extension of the DNS packet format inevitable. In 1999 Paul Vixie specified such an extension in RFC 2671.

Functionality

Since no flag was left in the DNS header to distinguish the conventional format from the EDNS format, a pseudo record, the OPT resource record, was introduced. Such a pseudo RR is used only on the transport path between client and server; it never appears in zone files or in caches. A DNS participant that wants to mark a DNS packet as EDNS inserts such a pseudo RR in the Additional Data Section of the DNS request or response.

In addition to marking a packet as an EDNS packet, an OPT resource record has the following functions:

  • Provision of 16 additional flags
  • Extension of the response code by eight bytes (a total of three response codes can be accommodated in one packet)

The maximum UDP packet length and the version number (currently 0) are also carried in the record. Further information can be placed in a variable-length data field in the future.

Another extension specified in RFC 2671 concerns the label format. Originally there were two label types in DNS packets, distinguished by the first two bits of the label (RFC 1035):

  • 00 = standard label
  • 11 = compressed label

To allow a larger number of additional label types, type 01 = "Extended Label" was defined. The remaining 6 bits of the first byte can form up to 63 label subtypes.

Practice

EDNS is indispensable for DNSSEC, since the DO flag (DNSSEC OK) can no longer be accommodated in the standard header. The DO flag is also the first newly defined flag.

Problems can arise with older firewalls that assume a maximum DNS message length of 512 bytes and drop longer packets.

Example of how the dig tool displays OPT data:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
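As an added example that is not part of the Wikipedia article, the following Python builds a DNS query carrying an OPT pseudo RR (root name, TYPE 41, UDP size in the CLASS field, extended RCODE/version/flags in the TTL field, as laid out in RFC 6891, the successor to RFC 2671), parses the OPT RR back out of a message, and renders it in the dig style shown above. The query name and transaction ID are constructed sample values; the name walker accepts the two original label types (00 and 11) and rejects the others, and a small helper flags messages that exceed the classic 512-byte limit older firewalls enforce.

```python
import struct
from typing import Optional

OPT_TYPE = 41      # pseudo-RR type code for OPT (RFC 6891)
DO_FLAG = 0x8000   # DNSSEC OK bit, the first flag defined in the OPT flags field
LEGACY_LIMIT = 512 # classic DNS-over-UDP message size limit (RFC 1035)


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed labels (label type 00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_opt_rr(udp_payload: int = 4096, do: bool = True,
                 version: int = 0, ext_rcode: int = 0) -> bytes:
    """OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, no RDATA."""
    flags = DO_FLAG if do else 0
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                edns: bool = True) -> bytes:
    """Minimal DNS query (RD set); with edns=True an OPT RR is appended to the additional section."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + (build_opt_rr() if edns else b"")


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name; handles label types 00 (plain) and 11 (compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2            # a compression pointer ends the name
        if length & 0xC0:
            raise ValueError("unsupported label type 01/10")
        off += 1 + length


def parse_opt(msg: bytes) -> Optional[dict]:
    """Walk the message and return the OPT RR fields, or None if the message is plain (non-EDNS) DNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {
                "udp": rclass,                    # sender's maximum UDP payload size
                "ext_rcode": ttl >> 24,
                "version": (ttl >> 16) & 0xFF,
                "flags": ttl & 0xFFFF,
                "do": bool(ttl & DO_FLAG),
                "rdata": msg[off:off + rdlen],    # variable-length option data
            }
        off += rdlen
    return None


def dig_style(opt: dict) -> str:
    """Render the OPT fields the way dig prints its OPT PSEUDOSECTION line."""
    flags = "do" if opt["do"] else ""
    return f"; EDNS: version: {opt['version']}, flags: {flags}; udp: {opt['udp']}"


def exceeds_legacy_limit(msg: bytes) -> bool:
    """True if a middlebox that enforces the 512-byte UDP limit would drop this message."""
    return len(msg) > LEGACY_LIMIT


if __name__ == "__main__":
    q = build_query("example.com.")      # constructed sample query
    print(dig_style(parse_opt(q)))
    print("over 512 bytes:", exceeds_legacy_limit(q))
```

The parser only looks at what the sender advertised; whether a 4096-byte response actually arrives still depends on every firewall on the path, which is exactly why the 512-byte check is worth keeping next to it.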

Standards

  • RFC 2671 Extension Mechanisms for DNS (EDNS0) 1999
