Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol, which had size restrictions that the Internet engineering community deemed too limited for increasing the functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force (IETF) and is known as EDNS0; it was updated by RFC 6891 in 2013, which changed the abbreviation slightly to EDNS(0).
Motivation
The Domain Name System (DNS) was first developed in the early 1980s. Since then, it has been progressively enhanced with new features, while maintaining compatibility with earlier versions of the protocol.
The restrictions in the size of several flag fields, return codes and label types available in the basic DNS protocol prevented the support of some desirable features. Moreover, DNS messages carried by UDP were restricted to 512 bytes, not counting the Internet Protocol (IP) and transport layer headers. Resorting to a virtual circuit transport, using the Transmission Control Protocol (TCP), would greatly increase overhead. This presented a major obstacle to adding new features to DNS. In 1999, Paul Vixie proposed extending DNS to allow for new flags and response codes and to provide support for longer responses in a framework that is backwards compatible with previous implementations.
Mechanism
Since no new flags could be added in the DNS header, EDNS adds information to DNS messages in the form of pseudo-resource records ("pseudo-RRs") included in the "additional data" section of a DNS message. Note that this section exists in both requests and responses.
EDNS introduces a single pseudo-RR type: OPT (type code 41).
As pseudo-RRs, OPT type RRs never appear in any zone file; they exist only in messages, fabricated by the DNS participants.
The mechanism is backward compatible, because older DNS responders ignore any RR of the unknown OPT type in a request, and a newer DNS responder never includes an OPT in a response unless there was one in the request. The presence of the OPT in the request signifies a newer requester that knows what to do with an OPT in the response. In practice some legacy responders answered an OPT with FORMERR or NOTIMP, or did not answer at all, instead of ignoring it, so resolvers historically retried such queries without EDNS; the DNS Flag Day 2019 effort removed these workarounds from major resolvers.
The OPT pseudo-record provides space for up to 16 flags and it extends the space for the response code. The maximum UDP payload size the sender can accept and the version number (at present 0) are also carried in the OPT record: the CLASS field holds the payload size, and the 32-bit TTL field is reinterpreted as an 8-bit extended RCODE (combined with the header's 4-bit RCODE to give 12 bits), an 8-bit version and 16 flag bits, of which only DO ("DNSSEC OK") is currently assigned. The variable-length RDATA field carries EDNS options as code, length and value triples, allowing further information to be registered in future versions of the protocol. The original DNS protocol provided two label types, defined by the first two bits of each label's length octet (RFC 1035): 00 (standard label) and 11 (compressed label, a pointer). EDNS0 introduced label type 01 as the "extended label", whose lower 6 bits could define up to 63 extended label types; no extended label type saw deployment, and RFC 6891 deprecated the mechanism.
Example
An example of an OPT pseudo-record, as displayed by the dig command:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
The result "EDNS: version: 0" indicates full conformance with EDNS0. The result "flags: do" indicates that "DNSSEC OK" is set, i.e. the requester is asking for DNSSEC records (signatures) to be included. The result "udp: 4096" is the UDP payload size, in bytes, that the sender advertised it can reassemble.
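The following is an added example, not code from the original page or from any DNS implementation, that builds the OPT pseudo-RR on the wire exactly as described above, appends it to a query, and parses it back out of a message, rendering it in the same form as dig's OPT PSEUDOSECTION. It also shows the two negotiation consequences a practitioner cares about: the 12-bit extended RCODE assembled from the OPT and the header, and the response size a server may use (512 bytes for a legacy query without OPT, otherwise the smaller of the advertised buffer and the server's own limit). The function names, the 1232-byte server default and the sample ECS option bytes are assumptions made for the example.

```python
import struct

OPT_TYPE = 41            # RR type of the OPT pseudo-record
DO_FLAG = 0x8000         # "DNSSEC OK" bit, top bit of the 16-bit flags field
HEADER_FMT = "!HHHHHH"   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_opt_rr(udp_size=4096, do=True, version=0, ext_rcode=0, options=()):
    """Wire-format OPT pseudo-RR.

    NAME is the root (one zero byte), TYPE is 41, CLASS carries the requester's
    UDP payload size, and the 32-bit TTL field is reused as
    ext-RCODE(8) | version(8) | DO(1) | Z(15).  RDATA holds (code, len, data)
    option triples.
    """
    ttl = (ext_rcode << 24) | (version << 16) | (DO_FLAG if do else 0)
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata


def build_query(qname, qtype=1, txid=0x1234, edns=True, udp_size=4096, do=True):
    """A recursion-desired query.  With edns=True an OPT RR goes in the
    additional section (ARCOUNT=1); otherwise it is a plain RFC 1035 message."""
    header = struct.pack(HEADER_FMT, txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    return header + question + (build_opt_rr(udp_size, do) if edns else b"")


def _skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                     # 2-byte pointer (label type 11)
            return off + 2
        off += 1 + length


def parse_opt(msg):
    """Walk every section and decode the OPT RR; None means a legacy message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        options, pos = [], 0
        while pos + 4 <= len(rdata):                  # option TLVs: code, length, data
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            options.append((code, rdata[pos + 4:pos + 4 + length]))
            pos += 4 + length
        return {
            "udp_size": rclass,
            "ext_rcode": ttl >> 24,
            "version": (ttl >> 16) & 0xFF,
            "do": bool(ttl & DO_FLAG),
            "options": options,
        }
    return None


def summarize(opt):
    """Render the OPT the way dig's OPT PSEUDOSECTION line does."""
    return f"EDNS: version: {opt['version']}, flags: {'do' if opt['do'] else ''}; udp: {opt['udp_size']}"


def extended_rcode(msg):
    """12-bit RCODE: upper 8 bits from the OPT, lower 4 from the header."""
    low = msg[3] & 0x0F
    opt = parse_opt(msg)
    return ((opt["ext_rcode"] << 4) | low) if opt else low


def negotiated_payload(msg, server_max=1232):
    """Largest UDP response a server should send for this query.

    Without an OPT the RFC 1035 limit of 512 bytes applies.  With one, use the
    smaller of what the requester advertised (values under 512 are treated as
    512) and the server's own limit; 1232 is an assumed server default.
    """
    opt = parse_opt(msg)
    if opt is None:
        return 512
    return min(max(opt["udp_size"], 512), server_max)


if __name__ == "__main__":
    q = build_query("example.com")
    print(summarize(parse_opt(q)), "->", negotiated_payload(q), "byte responses allowed")
```

Parsing walks the whole message rather than trusting ARCOUNT alone, because a responder may place the OPT anywhere in the additional section; a message containing two OPT RRs, or an OPT with a version other than 0, is a FORMERR or BADVERS condition that a production parser should reject rather than silently accept.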
Applications
EDNS is essential for the implementation of DNS Security Extensions (DNSSEC): signed responses routinely exceed 512 bytes, and the DO flag that requests them lives in the OPT record. EDNS is also used for sending general information from resolvers to name servers about clients' geographic location in the form of the EDNS Client Subnet (ECS) option, which carries a truncated prefix of the client's address; this improves the accuracy of location-based answers at some cost to client privacy.
EDNS options have also been defined for padding DNS messages to a fixed size, which resists traffic analysis on encrypted transports (RFC 7830), and for indicating how long an idle TCP connection should be kept alive (RFC 7828).
Issues
In practice, difficulties can arise when EDNS traffic traverses firewalls, since some firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets. Large UDP responses may also be fragmented at the IP layer, and fragments are frequently dropped or filtered, so operators commonly advertise a UDP payload size well below 4096 bytes and rely on the TC bit and TCP fallback for anything larger.
The introduction of EDNS made feasible the DNS amplification attack, a type of reflected denial-of-service attack, since EDNS allows very large response packets compared to relatively small request packets: an attacker sends queries with a forged source address and a large advertised UDP buffer, and the much larger responses are delivered to the victim. Mitigations include response rate limiting on authoritative servers, not offering open recursion, and source address validation by networks (BCP 38).
The IETF DNS Extensions working group (dnsext) completed a refinement of EDNS0, which was published as RFC 6891.
See also
* EDNS Client Subnet
* DNS Flag Day 2019
* Domain Name System