test/acl
1
0
Fork 0
mirror of https://gitee.com/acl-dev/acl.git synced 2024-11-29 18:37:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

add rfc docs of dns

Browse Source
This commit is contained in:
shuxin   zheng 2021-06-13 17:06:42 +08:00
parent 40ddd8aee5
commit bd77c91d91
12 changed files with 9668 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2512
doc/dhcp/rfc2131.txt Normal file
View File

File diff suppressed because it is too large Load Diff

3077
doc/dns/rfc1035.txt Normal file
View File

File diff suppressed because it is too large Load Diff

369
doc/dns/rfc1996.txt Normal file
View File

@ -0,0 +1,369 @@
Network Working Group P. Vixie
Request for Comments: 1996 ISC
Updates: 1035 August 1996
Category: Standards Track
A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This memo describes the NOTIFY opcode for DNS, by which a master
server advises a set of slave servers that the master's data has been
changed and that a query should be initiated to discover the new
data.
1. Rationale and Scope
1.1. Slow propagation of new and changed data in a DNS zone can be
due to a zone's relatively long refresh times. Longer refresh times
are beneficial in that they reduce load on the master servers, but
that benefit comes at the cost of long intervals of incoherence among
authority servers whenever the zone is updated.
1.2. The DNS NOTIFY transaction allows master servers to inform slave
servers when the zone has changed -- an interrupt as opposed to poll
model -- which it is hoped will reduce propagation delay while not
unduly increasing the masters' load. This specification only allows
slaves to be notified of SOA RR changes, but the architechture of
NOTIFY is intended to be extensible to other RR types.
1.3. This document intentionally gives more definition to the roles
of "Master," "Slave" and "Stealth" servers, their enumeration in NS
RRs, and the SOA MNAME field. In that sense, this document can be
considered an addendum to [RFC1035].
Vixie Standards Track [Page 1]
RFC 1996 DNS NOTIFY August 1996
2. Definitions and Invariants
2.1. The following definitions are used in this document:
Slave an authoritative server which uses zone transfer to
retrieve the zone. All slave servers are named in
the NS RRs for the zone.
Master any authoritative server configured to be the source
of zone transfer for one or more slave servers.
Primary Master master server at the root of the zone transfer
dependency graph. The primary master is named in the
zone's SOA MNAME field and optionally by an NS RR.
There is by definition only one primary master server
per zone.
Stealth like a slave server except not listed in an NS RR for
the zone. A stealth server, unless explicitly
configured to do otherwise, will set the AA bit in
responses and be capable of acting as a master. A
stealth server will only be known by other servers if
they are given static configuration data indicating
its existence.
Notify Set set of servers to be notified of changes to some
zone. Default is all servers named in the NS RRset,
except for any server also named in the SOA MNAME.
Some implementations will permit the name server
administrator to override this set or add elements to
it (such as, for example, stealth servers).
2.2. The zone's servers must be organized into a dependency graph
such that there is a primary master, and all other servers must use
AXFR or IXFR either from the primary master or from some slave which
is also a master. No loops are permitted in the AXFR dependency
graph.
3. NOTIFY Message
3.1. When a master has updated one or more RRs in which slave servers
may be interested, the master may send the changed RR's name, class,
type, and optionally, new RDATA(s), to each known slave server using
a best efforts protocol based on the NOTIFY opcode.
3.2. NOTIFY uses the DNS Message Format, although it uses only a
subset of the available fields. Fields not otherwise described
herein are to be filled with binary zero (0), and implementations
Vixie Standards Track [Page 2]
RFC 1996 DNS NOTIFY August 1996
must ignore all messages for which this is not the case.
3.3. NOTIFY is similar to QUERY in that it has a request message with
the header QR flag "clear" and a response message with QR "set". The
response message contains no useful information, but its reception by
the master is an indication that the slave has received the NOTIFY
and that the master can remove the slave from any retry queue for
this NOTIFY event.
3.4. The transport protocol used for a NOTIFY transaction will be UDP
unless the master has reason to believe that TCP is necessary; for
example, if a firewall has been installed between master and slave,
and only TCP has been allowed; or, if the changed RR is too large to
fit in a UDP/DNS datagram.
3.5. If TCP is used, both master and slave must continue to offer
name service during the transaction, even when the TCP transaction is
not making progress. The NOTIFY request is sent once, and a
"timeout" is said to have occurred if no NOTIFY response is received
within a reasonable interval.
3.6. If UDP is used, a master periodically sends a NOTIFY request to
a slave until either too many copies have been sent (a "timeout"), an
ICMP message indicating that the port is unreachable, or until a
NOTIFY response is received from the slave with a matching query ID,
QNAME, IP source address, and UDP source port number.
Note:
The interval between transmissions, and the total number of
retransmissions, should be operational parameters specifiable by
the name server administrator, perhaps on a per-zone basis.
Reasonable defaults are a 60 second interval (or timeout if
using TCP), and a maximum of 5 retransmissions (for UDP). It is
considered reasonable to use additive or exponential backoff for
the retry interval.
3.7. A NOTIFY request has QDCOUNT>0, ANCOUNT>=0, AUCOUNT>=0,
ADCOUNT>=0. If ANCOUNT>0, then the answer section represents an
unsecure hint at the new RRset for this <QNAME,QCLASS,QTYPE>. A
slave receiving such a hint is free to treat equivilence of this
answer section with its local data as a "no further work needs to be
done" indication. If ANCOUNT=0, or ANCOUNT>0 and the answer section
differs from the slave's local data, then the slave should query its
known masters to retrieve the new data.
3.8. In no case shall the answer section of a NOTIFY request be used
to update a slave's local data, or to indicate that a zone transfer
needs to be undertaken, or to change the slave's zone refresh timers.
Vixie Standards Track [Page 3]
RFC 1996 DNS NOTIFY August 1996
Only a "data present; data same" condition can lead a slave to act
differently if ANCOUNT>0 than it would if ANCOUNT=0.
3.9. This version of the NOTIFY specification makes no use of the
authority or additional data sections, and so conforming
implementations should set AUCOUNT=0 and ADCOUNT=0 when transmitting
requests. Since a future revision of this specification may define a
backwards compatible use for either or both of these sections,
current implementations must ignore these sections, but not the
entire message, if AUCOUNT>0 and/or ADCOUNT>0.
3.10. If a slave receives a NOTIFY request from a host that is not a
known master for the zone containing the QNAME, it should ignore the
request and produce an error message in its operations log.
Note:
This implies that slaves of a multihomed master must either know
their master by the "closest" of the master's interface
addresses, or must know all of the master's interface addresses.
Otherwise, a valid NOTIFY request might come from an address
that is not on the slave's state list of masters for the zone,
which would be an error.
3.11. The only defined NOTIFY event at this time is that the SOA RR
has changed. Upon completion of a NOTIFY transaction for QTYPE=SOA,
the slave should behave as though the zone given in the QNAME had
reached its REFRESH interval (see [RFC1035]), i.e., it should query
its masters for the SOA of the zone given in the NOTIFY QNAME, and
check the answer to see if the SOA SERIAL has been incremented since
the last time the zone was fetched. If so, a zone transfer (either
AXFR or IXFR) should be initiated.
Note:
Because a deep server dependency graph may have multiple paths
from the primary master to any given slave, it is possible that
a slave will receive a NOTIFY from one of its known masters even
though the rest of its known masters have not yet updated their
copies of the zone. Therefore, when issuing a QUERY for the
zone's SOA, the query should be directed at the known master who
was the source of the NOTIFY event, and not at any of the other
known masters. This represents a departure from [RFC1035],
which specifies that upon expiry of the SOA REFRESH interval,
all known masters should be queried in turn.
3.12. If a NOTIFY request is received by a slave who does not
implement the NOTIFY opcode, it will respond with a NOTIMP
(unimplemented feature error) message. A master server who receives
such a NOTIMP should consider the NOTIFY transaction complete for
Vixie Standards Track [Page 4]
RFC 1996 DNS NOTIFY August 1996
that slave.
4. Details and Examples
4.1. Retaining query state information across host reboots is
optional, but it is reasonable to simply execute an SOA NOTIFY
transaction on each authority zone when a server first starts.
4.2. Each slave is likely to receive several copies of the same
NOTIFY request: One from the primary master, and one from each other
slave as that slave transfers the new zone and notifies its potential
peers. The NOTIFY protocol supports this multiplicity by requiring
that NOTIFY be sent by a slave/master only AFTER it has updated the
SOA RR or has determined that no update is necessary, which in
practice means after a successful zone transfer. Thus, barring
delivery reordering, the last NOTIFY any slave receives will be the
one indicating the latest change. Since a slave always requests SOAs
and AXFR/IXFRs only from its known masters, it will have an
opportunity to retry its QUERY for the SOA after each of its masters
have completed each zone update.
4.3. If a master server seeks to avoid causing a large number of
simultaneous outbound zone transfers, it may delay for an arbitrary
length of time before sending a NOTIFY message to any given slave.
It is expected that the time will be chosen at random, so that each
slave will begin its transfer at a unique time. The delay shall not
in any case be longer than the SOA REFRESH time.
Note:
This delay should be a parameter that each primary master name
server can specify, perhaps on a per-zone basis. Random delays
of between 30 and 60 seconds would seem adequate if the servers
share a LAN and the zones are of moderate size.
4.4. A slave which receives a valid NOTIFY should defer action on any
subsequent NOTIFY with the same <QNAME,QCLASS,QTYPE> until it has
completed the transaction begun by the first NOTIFY. This duplicate
rejection is necessary to avoid having multiple notifications lead to
pummeling the master server.
Vixie Standards Track [Page 5]
RFC 1996 DNS NOTIFY August 1996
4.5 Zone has Updated on Primary Master
Primary master sends a NOTIFY request to all servers named in Notify
Set. The NOTIFY request has the following characteristics:
query ID: (new)
op: NOTIFY (4)
resp: NOERROR
flags: AA
qcount: 1
qname: (zone name)
qclass: (zone class)
qtype: T_SOA
4.6 Zone has Updated on a Slave that is also a Master
As above in 4.5, except that this server's Notify Set may be
different from the Primary Master's due to optional static
specification of local stealth servers.
4.7 Slave Receives a NOTIFY Request from a Master
When a slave server receives a NOTIFY request from one of its locally
designated masters for the zone enclosing the given QNAME, with
QTYPE=SOA and QR=0, it should enter the state it would if the zone's
refresh timer had expired. It will also send a NOTIFY response back
to the NOTIFY request's source, with the following characteristics:
query ID: (same)
op: NOTIFY (4)
resp: NOERROR
flags: QR AA
qcount: 1
qname: (zone name)
qclass: (zone class)
qtype: T_SOA
This is intended to be identical to the NOTIFY request, except that
the QR bit is also set. The query ID of the response must be the
same as was received in the request.
4.8 Master Receives a NOTIFY Response from Slave
When a master server receives a NOTIFY response, it deletes this
query from the retry queue, thus completing the "notification
process" of "this" RRset change to "that" server.
Vixie Standards Track [Page 6]
RFC 1996 DNS NOTIFY August 1996
5. Security Considerations
We believe that the NOTIFY operation's only security considerations
are:
1. That a NOTIFY request with a forged IP/UDP source address can
cause a slave to send spurious SOA queries to its masters,
leading to a benign denial of service attack if the forged
requests are sent very often.
2. That TCP spoofing could be used against a slave server given
NOTIFY as a means of synchronizing an SOA query and UDP/DNS
spoofing as a means of forcing a zone transfer.
6. References
[RFC1035]
Mockapetris, P., "Domain Names - Implementation and
Specification", STD 13, RFC 1035, November 1987.
[IXFR]
Ohta, M., "Incremental Zone Transfer", RFC 1995, August 1996.
7. Author's Address
Paul Vixie
Internet Software Consortium
Star Route Box 159A
Woodside, CA 94062
Phone: +1 415 747 0204
EMail: paul@vix.com

368
doc/dns/rfc2671.txt Normal file
View File

@ -0,0 +1,368 @@
Network Working Group P. Vixie
Request for Comments: 2671 ISC
Category: Standards Track August 1999
Extension Mechanisms for DNS (EDNS0)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
The Domain Name System's wire protocol includes a number of fixed
fields whose range has been or soon will be exhausted and does not
allow clients to advertise their capabilities to servers. This
document describes backward compatible mechanisms for allowing the
protocol to grow.
1 - Rationale and Scope
1.1. DNS (see [RFC1035]) specifies a Message Format and within such
messages there are standard formats for encoding options, errors,
and name compression. The maximum allowable size of a DNS Message
is fixed. Many of DNS's protocol limits are too small for uses
which are or which are desired to become common. There is no way
for implementations to advertise their capabilities.
1.2. Existing clients will not know how to interpret the protocol
extensions detailed here. In practice, these clients will be
upgraded when they have need of a new feature, and only new
features will make use of the extensions. We must however take
account of client behaviour in the face of extra fields, and design
a fallback scheme for interoperability with these clients.
Vixie Standards Track [Page 1]
RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
2 - Affected Protocol Elements
2.1. The DNS Message Header's (see [RFC1035 4.1.1]) second full 16-bit
word is divided into a 4-bit OPCODE, a 4-bit RCODE, and a number of
1-bit flags. The original reserved Z bits have been allocated to
various purposes, and most of the RCODE values are now in use.
More flags and more possible RCODEs are needed.
2.2. The first two bits of a wire format domain label are used to denote
the type of the label. [RFC1035 4.1.4] allocates two of the four
possible types and reserves the other two. Proposals for use of
the remaining types far outnumber those available. More label
types are needed.
2.3. DNS Messages are limited to 512 octets in size when sent over UDP.
While the minimum maximum reassembly buffer size still allows a
limit of 512 octets of UDP payload, most of the hosts now connected
to the Internet are able to reassemble larger datagrams. Some
mechanism must be created to allow requestors to advertise larger
buffer sizes to responders.
3 - Extended Label Types
3.1. The "0 1" label type will now indicate an extended label type,
whose value is encoded in the lower six bits of the first octet of
a label. All subsequently developed label types should be encoded
using an extended label type.
3.2. The "1 1 1 1 1 1" extended label type will be reserved for future
expansion of the extended label type code space.
4 - OPT pseudo-RR
4.1. One OPT pseudo-RR can be added to the additional data section of
either a request or a response. An OPT is called a pseudo-RR
because it pertains to a particular transport level message and not
to any actual DNS data. OPT RRs shall never be cached, forwarded,
or stored in or loaded from master files. The quantity of OPT
pseudo-RRs per message shall be either zero or one, but not
greater.
4.2. An OPT RR has a fixed part and a variable set of options expressed
as {attribute, value} pairs. The fixed part holds some DNS meta
data and also a small collection of new protocol elements which we
expect to be so popular that it would be a waste of wire space to
encode them as {attribute, value} pairs.
Vixie Standards Track [Page 2]
RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
4.3. The fixed part of an OPT RR is structured as follows:
Field Name Field Type Description
------------------------------------------------------
NAME domain name empty (root domain)
TYPE u_int16_t OPT
CLASS u_int16_t sender's UDP payload size
TTL u_int32_t extended RCODE and flags
RDLEN u_int16_t describes RDATA
RDATA octet stream {attribute,value} pairs
4.4. The variable part of an OPT RR is encoded in its RDATA and is
structured as zero or more of the following:
+0 (MSB) +1 (LSB)
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
0: | OPTION-CODE |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
2: | OPTION-LENGTH |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
4: | |
/ OPTION-DATA /
/ /
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
OPTION-CODE (Assigned by IANA.)
OPTION-LENGTH Size (in octets) of OPTION-DATA.
OPTION-DATA Varies per OPTION-CODE.
4.5. The sender's UDP payload size (which OPT stores in the RR CLASS
field) is the number of octets of the largest UDP payload that can
be reassembled and delivered in the sender's network stack. Note
that path MTU, with or without fragmentation, may be smaller than
this.
4.5.1. Note that a 512-octet UDP payload requires a 576-octet IP
reassembly buffer. Choosing 1280 on an Ethernet connected
requestor would be reasonable. The consequence of choosing too
large a value may be an ICMP message from an intermediate
gateway, or even a silent drop of the response message.
4.5.2. Both requestors and responders are advised to take account of the
path's discovered MTU (if already known) when considering message
sizes.
Vixie Standards Track [Page 3]
RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
4.5.3. The requestor's maximum payload size can change over time, and
should therefore not be cached for use beyond the transaction in
which it is advertised.
4.5.4. The responder's maximum payload size can change over time, but
can be reasonably expected to remain constant between two
sequential transactions; for example, a meaningless QUERY to
discover a responder's maximum UDP payload size, followed
immediately by an UPDATE which takes advantage of this size.
(This is considered preferrable to the outright use of TCP for
oversized requests, if there is any reason to suspect that the
responder implements EDNS, and if a request will not fit in the
default 512 payload size limit.)
4.5.5. Due to transaction overhead, it is unwise to advertise an
architectural limit as a maximum UDP payload size. Just because
your stack can reassemble 64KB datagrams, don't assume that you
want to spend more than about 4KB of state memory per ongoing
transaction.
4.6. The extended RCODE and flags (which OPT stores in the RR TTL field)
are structured as follows:
+0 (MSB) +1 (LSB)
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
0: | EXTENDED-RCODE | VERSION |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
2: | Z |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
EXTENDED-RCODE Forms upper 8 bits of extended 12-bit RCODE. Note
that EXTENDED-RCODE value "0" indicates that an
unextended RCODE is in use (values "0" through "15").
VERSION Indicates the implementation level of whoever sets
it. Full conformance with this specification is
indicated by version "0." Requestors are encouraged
to set this to the lowest implemented level capable
of expressing a transaction, to minimize the
responder and network load of discovering the
greatest common implementation level between
requestor and responder. A requestor's version
numbering strategy should ideally be a run time
configuration option.
If a responder does not implement the VERSION level
of the request, then it answers with RCODE=BADVERS.
All responses will be limited in format to the
Vixie Standards Track [Page 4]
RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
VERSION level of the request, but the VERSION of each
response will be the highest implementation level of
the responder. In this way a requestor will learn
the implementation level of a responder as a side
effect of every response, including error responses,
including RCODE=BADVERS.
Z Set to zero by senders and ignored by receivers,
unless modified in a subsequent specification.
5 - Transport Considerations
5.1. The presence of an OPT pseudo-RR in a request should be taken as an
indication that the requestor fully implements the given version of
EDNS, and can correctly understand any response that conforms to
that feature's specification.
5.2. Lack of use of these features in a request must be taken as an
indication that the requestor does not implement any part of this
specification and that the responder may make no use of any
protocol extension described here in its response.
5.3. Responders who do not understand these protocol extensions are
expected to send a response with RCODE NOTIMPL, FORMERR, or
SERVFAIL. Therefore use of extensions should be "probed" such that
a responder who isn't known to support them be allowed a retry with
no extensions if it responds with such an RCODE. If a responder's
capability level is cached by a requestor, a new probe should be
sent periodically to test for changes to responder capability.
6 - Security Considerations
Requestor-side specification of the maximum buffer size may open a
new DNS denial of service attack if responders can be made to send
messages which are too large for intermediate gateways to forward,
thus leading to potential ICMP storms between gateways and
responders.
7 - IANA Considerations
The IANA has assigned RR type code 41 for OPT.
It is the recommendation of this document and its working group
that IANA create a registry for EDNS Extended Label Types, for EDNS
Option Codes, and for EDNS Version Numbers.
This document assigns label type 0b01xxxxxx as "EDNS Extended Label
Type." We request that IANA record this assignment.
Vixie Standards Track [Page 5]
RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
This document assigns extended label type 0bxx111111 as "Reserved
for future extended label types." We request that IANA record this
assignment.
This document assigns option code 65535 to "Reserved for future
expansion."
This document expands the RCODE space from 4 bits to 12 bits. This
will allow IANA to assign more than the 16 distinct RCODE values
allowed in [RFC1035].
This document assigns EDNS Extended RCODE "16" to "BADVERS".
IESG approval should be required to create new entries in the EDNS
Extended Label Type or EDNS Version Number registries, while any
published RFC (including Informational, Experimental, or BCP)
should be grounds for allocation of an EDNS Option Code.
8 - Acknowledgements
Paul Mockapetris, Mark Andrews, Robert Elz, Don Lewis, Bob Halley,
Donald Eastlake, Rob Austein, Matt Crawford, Randy Bush, and Thomas
Narten were each instrumental in creating and refining this
specification.
9 - References
[RFC1035] Mockapetris, P., "Domain Names - Implementation and
Specification", STD 13, RFC 1035, November 1987.
10 - Author's Address
Paul Vixie
Internet Software Consortium
950 Charter Street
Redwood City, CA 94063
Phone: +1 650 779 7001
EMail: vixie@isc.org
Vixie Standards Track [Page 6]
RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
11 - Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.

648
doc/dns/rfc2782.txt Normal file
View File

@ -0,0 +1,648 @@
Network Working Group A. Gulbrandsen
Request for Comments: 2782 Troll Technologies
Obsoletes: 2052 P. Vixie
Category: Standards Track Internet Software Consortium
L. Esibov
Microsoft Corp.
February 2000
A DNS RR for specifying the location of services (DNS SRV)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document describes a DNS RR which specifies the location of the
server(s) for a specific protocol and domain.
Overview and rationale
Currently, one must either know the exact address of a server to
contact it, or broadcast a question.
The SRV RR allows administrators to use several servers for a single
domain, to move services from host to host with little fuss, and to
designate some hosts as primary servers for a service and others as
backups.
Clients ask for a specific service/protocol for a specific domain
(the word domain is used here in the strict RFC 1034 sense), and get
back the names of any available servers.
Note that where this document refers to "address records", it means A
RR's, AAAA RR's, or their most modern equivalent.
Gulbrandsen, et al. Standards Track [Page 1]
RFC 2782 DNS SRV RR February 2000
Definitions
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY"
used in this document are to be interpreted as specified in [BCP 14].
Other terms used in this document are defined in the DNS
specification, RFC 1034.
Applicability Statement
In general, it is expected that SRV records will be used by clients
for applications where the relevant protocol specification indicates
that clients should use the SRV record. Such specification MUST
define the symbolic name to be used in the Service field of the SRV
record as described below. It also MUST include security
considerations. Service SRV records SHOULD NOT be used in the absence
of such specification.
Introductory example
If a SRV-cognizant LDAP client wants to discover a LDAP server that
supports TCP protocol and provides LDAP service for the domain
example.com., it does a lookup of
_ldap._tcp.example.com
as described in [ARM]. The example zone file near the end of this
memo contains answering RRs for an SRV query.
Note: LDAP is chosen as an example for illustrative purposes only,
and the LDAP examples used in this document should not be considered
a definitive statement on the recommended way for LDAP to use SRV
records. As described in the earlier applicability section, consult
the appropriate LDAP documents for the recommended procedures.
The format of the SRV RR
Here is the format of the SRV RR, whose DNS type code is 33:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
(There is an example near the end of this document.)
Service
The symbolic name of the desired service, as defined in Assigned
Numbers [STD 2] or locally. An underscore (_) is prepended to
the service identifier to avoid collisions with DNS labels that
occur in nature.
Gulbrandsen, et al. Standards Track [Page 2]
RFC 2782 DNS SRV RR February 2000
Some widely used services, notably POP, don't have a single
universal name. If Assigned Numbers names the service
indicated, that name is the only name which is legal for SRV
lookups. The Service is case insensitive.
Proto
The symbolic name of the desired protocol, with an underscore
(_) prepended to prevent collisions with DNS labels that occur
in nature. _TCP and _UDP are at present the most useful values
for this field, though any name defined by Assigned Numbers or
locally may be used (as for Service). The Proto is case
insensitive.
Name
The domain this RR refers to. The SRV RR is unique in that the
name one searches for is not this name; the example near the end
shows this clearly.
TTL
Standard DNS meaning [RFC 1035].
Class
Standard DNS meaning [RFC 1035]. SRV records occur in the IN
Class.
Priority
The priority of this target host. A client MUST attempt to
contact the target host with the lowest-numbered priority it can
reach; target hosts with the same priority SHOULD be tried in an
order defined by the weight field. The range is 0-65535. This
is a 16 bit unsigned integer in network byte order.
Weight
A server selection mechanism. The weight field specifies a
relative weight for entries with the same priority. Larger
weights SHOULD be given a proportionately higher probability of
being selected. The range of this number is 0-65535. This is a
16 bit unsigned integer in network byte order. Domain
administrators SHOULD use Weight 0 when there isn't any server
selection to do, to make the RR easier to read for humans (less
noisy). In the presence of records containing weights greater
than 0, records with weight 0 should have a very small chance of
being selected.
In the absence of a protocol whose specification calls for the
use of other weighting information, a client arranges the SRV
RRs of the same Priority in the order in which target hosts,
Gulbrandsen, et al. Standards Track [Page 3]
RFC 2782 DNS SRV RR February 2000
specified by the SRV RRs, will be contacted. The following
algorithm SHOULD be used to order the SRV RRs of the same
priority:
To select a target to be contacted next, arrange all SRV RRs
(that have not been ordered yet) in any order, except that all
those with weight 0 are placed at the beginning of the list.
Compute the sum of the weights of those RRs, and with each RR
associate the running sum in the selected order. Then choose a
uniform random number between 0 and the sum computed
(inclusive), and select the RR whose running sum value is the
first in the selected order which is greater than or equal to
the random number selected. The target host specified in the
selected SRV RR is the next one to be contacted by the client.
Remove this SRV RR from the set of the unordered SRV RRs and
apply the described algorithm to the unordered SRV RRs to select
the next target host. Continue the ordering process until there
are no unordered SRV RRs. This process is repeated for each
Priority.
Port
The port on this target host of this service. The range is 0-
65535. This is a 16 bit unsigned integer in network byte order.
This is often as specified in Assigned Numbers but need not be.
Target
The domain name of the target host. There MUST be one or more
address records for this name, the name MUST NOT be an alias (in
the sense of RFC 1034 or RFC 2181). Implementors are urged, but
not required, to return the address record(s) in the Additional
Data section. Unless and until permitted by future standards
action, name compression is not to be used for this field.
A Target of "." means that the service is decidedly not
available at this domain.
Domain administrator advice
Expecting everyone to update their client applications when the first
server publishes a SRV RR is futile (even if desirable). Therefore
SRV would have to coexist with address record lookups for existing
protocols, and DNS administrators should try to provide address
records to support old clients:
- Where the services for a single domain are spread over several
hosts, it seems advisable to have a list of address records at
the same DNS node as the SRV RR, listing reasonable (if perhaps
Gulbrandsen, et al. Standards Track [Page 4]
RFC 2782 DNS SRV RR February 2000
suboptimal) fallback hosts for Telnet, NNTP and other protocols
likely to be used with this name. Note that some programs only
try the first address they get back from e.g. gethostbyname(),
and we don't know how widespread this behavior is.
- Where one service is provided by several hosts, one can either
provide address records for all the hosts (in which case the
round-robin mechanism, where available, will share the load
equally) or just for one (presumably the fastest).
- If a host is intended to provide a service only when the main
server(s) is/are down, it probably shouldn't be listed in
address records.
- Hosts that are referenced by backup address records must use the
port number specified in Assigned Numbers for the service.
- Designers of future protocols for which "secondary servers" is
not useful (or meaningful) may choose to not use SRV's support
for secondary servers. Clients for such protocols may use or
ignore SRV RRs with Priority higher than the RR with the lowest
Priority for a domain.
Currently there's a practical limit of 512 bytes for DNS replies.
Until all resolvers can handle larger responses, domain
administrators are strongly advised to keep their SRV replies below
512 bytes.
All round numbers, wrote Dr. Johnson, are false, and these numbers
are very round: A reply packet has a 30-byte overhead plus the name
of the service ("_ldap._tcp.example.com" for instance); each SRV RR
adds 20 bytes plus the name of the target host; each NS RR in the NS
section is 15 bytes plus the name of the name server host; and
finally each A RR in the additional data section is 20 bytes or so,
and there are A's for each SRV and NS RR mentioned in the answer.
This size estimate is extremely crude, but shouldn't underestimate
the actual answer size by much. If an answer may be close to the
limit, using a DNS query tool (e.g. "dig") to look at the actual
answer is a good idea.
The "Weight" field
Weight, the server selection field, is not quite satisfactory, but
the actual load on typical servers changes much too quickly to be
kept around in DNS caches. It seems to the authors that offering
administrators a way to say "this machine is three times as fast as
that one" is the best that can practically be done.
Gulbrandsen, et al. Standards Track [Page 5]
RFC 2782 DNS SRV RR February 2000
The only way the authors can see of getting a "better" load figure is
asking a separate server when the client selects a server and
contacts it. For short-lived services an extra step in the
connection establishment seems too expensive, and for long-lived
services, the load figure may well be thrown off a minute after the
connection is established when someone else starts or finishes a
heavy job.
Note: There are currently various experiments at providing relative
network proximity estimation, available bandwidth estimation, and
similar services. Use of the SRV record with such facilities, and in
particular the interpretation of the Weight field when these
facilities are used, is for further study. Weight is only intended
for static, not dynamic, server selection. Using SRV weight for
dynamic server selection would require assigning unreasonably short
TTLs to the SRV RRs, which would limit the usefulness of the DNS
caching mechanism, thus increasing overall network load and
decreasing overall reliability. Server selection via SRV is only
intended to express static information such as "this server has a
faster CPU than that one" or "this server has a much better network
connection than that one".
The Port number
Currently, the translation from service name to port number happens
at the client, often using a file such as /etc/services.
Moving this information to the DNS makes it less necessary to update
these files on every single computer of the net every time a new
service is added, and makes it possible to move standard services out
of the "root-only" port range on unix.
Usage rules
A SRV-cognizant client SHOULD use this procedure to locate a list of
servers and connect to the preferred one:
Do a lookup for QNAME=_service._protocol.target, QCLASS=IN,
QTYPE=SRV.
If the reply is NOERROR, ANCOUNT>0 and there is at least one
SRV RR which specifies the requested Service and Protocol in
the reply:
If there is precisely one SRV RR, and its Target is "."
(the root domain), abort.
Gulbrandsen, et al. Standards Track [Page 6]
RFC 2782 DNS SRV RR February 2000
Else, for all such RR's, build a list of (Priority, Weight,
Target) tuples
Sort the list by priority (lowest number first)
Create a new empty list
For each distinct priority level
While there are still elements left at this priority
level
Select an element as specified above, in the
description of Weight in "The format of the SRV
RR" Section, and move it to the tail of the new
list
For each element in the new list
query the DNS for address records for the Target or
use any such records found in the Additional Data
section of the earlier SRV response.
for each address record found, try to connect to the
(protocol, address, service).
else
Do a lookup for QNAME=target, QCLASS=IN, QTYPE=A
for each address record found, try to connect to the
(protocol, address, service)
Notes:
- Port numbers SHOULD NOT be used in place of the symbolic service
or protocol names (for the same reason why variant names cannot
be allowed: Applications would have to do two or more lookups).
- If a truncated response comes back from an SRV query, the rules
described in [RFC 2181] shall apply.
- A client MUST parse all of the RR's in the reply.
- If the Additional Data section doesn't contain address records
for all the SRV RR's and the client may want to connect to the
target host(s) involved, the client MUST look up the address
record(s). (This happens quite often when the address record
has shorter TTL than the SRV or NS RR's.)
Gulbrandsen, et al. Standards Track [Page 7]
RFC 2782 DNS SRV RR February 2000
- Future protocols could be designed to use SRV RR lookups as the
means by which clients locate their servers.
Fictional example
This example uses fictional service "foobar" as an aid in
understanding SRV records. If ever service "foobar" is implemented,
it is not intended that it will necessarily use SRV records. This is
(part of) the zone file for example.com, a still-unused domain:
$ORIGIN example.com.
@ SOA server.example.com. root.example.com. (
1995032001 3600 3600 604800 86400 )
NS server.example.com.
NS ns1.ip-provider.net.
NS ns2.ip-provider.net.
; foobar - use old-slow-box or new-fast-box if either is
; available, make three quarters of the logins go to
; new-fast-box.
_foobar._tcp SRV 0 1 9 old-slow-box.example.com.
SRV 0 3 9 new-fast-box.example.com.
; if neither old-slow-box or new-fast-box is up, switch to
; using the sysdmin's box and the server
SRV 1 0 9 sysadmins-box.example.com.
SRV 1 0 9 server.example.com.
server A 172.30.79.10
old-slow-box A 172.30.79.11
sysadmins-box A 172.30.79.12
new-fast-box A 172.30.79.13
; NO other services are supported
*._tcp SRV 0 0 0 .
*._udp SRV 0 0 0 .
Gulbrandsen, et al. Standards Track [Page 8]
RFC 2782 DNS SRV RR February 2000
In this example, a client of the "foobar" service in the
"example.com." domain needs an SRV lookup of
"_foobar._tcp.example.com." and possibly A lookups of "new-fast-
box.example.com." and/or the other hosts named. The size of the SRV
reply is approximately 365 bytes:
30 bytes general overhead
20 bytes for the query string, "_foobar._tcp.example.com."
130 bytes for 4 SRV RR's, 20 bytes each plus the lengths of "new-
fast-box", "old-slow-box", "server" and "sysadmins-box" -
"example.com" in the query section is quoted here and doesn't
need to be counted again.
75 bytes for 3 NS RRs, 15 bytes each plus the lengths of "server",
"ns1.ip-provider.net." and "ns2" - again, "ip-provider.net." is
quoted and only needs to be counted once.
120 bytes for the 6 address records (assuming IPv4 only) mentioned
by the SRV and NS RR's.
IANA Considerations
The IANA has assigned RR type value 33 to the SRV RR. No other IANA
services are required by this document.
Changes from RFC 2052
This document obsoletes RFC 2052. The major change from that
previous, experimental, version of this specification is that now the
protocol and service labels are prepended with an underscore, to
lower the probability of an accidental clash with a similar name used
for unrelated purposes. Aside from that, changes are only intended
to increase the clarity and completeness of the document. This
document especially clarifies the use of the Weight field of the SRV
records.
Security Considerations
The authors believe this RR to not cause any new security problems.
Some problems become more visible, though.
- The ability to specify ports on a fine-grained basis obviously
changes how a router can filter packets. It becomes impossible
to block internal clients from accessing specific external
services, slightly harder to block internal users from running
unauthorized services, and more important for the router
operations and DNS operations personnel to cooperate.
- There is no way a site can keep its hosts from being referenced
as servers. This could lead to denial of service.
Gulbrandsen, et al. Standards Track [Page 9]
RFC 2782 DNS SRV RR February 2000
- With SRV, DNS spoofers can supply false port numbers, as well as
host names and addresses. Because this vulnerability exists
already, with names and addresses, this is not a new
vulnerability, merely a slightly extended one, with little
practical effect.
References
STD 2: Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC
1700, October 1994.
RFC 1034: Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
RFC 1035: Mockapetris, P., "Domain names - Implementation and
Specification", STD 13, RFC 1035, November 1987.
RFC 974: Partridge, C., "Mail routing and the domain system", STD
14, RFC 974, January 1986.
BCP 14: Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
RFC 2181: Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997.
RFC 2219: Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
Services", BCP 17, RFC 2219, October 1997.
BCP 14: Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
ARM: Armijo, M., Esibov, L. and P. Leach, "Discovering LDAP
Services with DNS", Work in Progress.
KDC-DNS: Hornstein, K. and J. Altman, "Distributing Kerberos KDC and
Realm Information with DNS", Work in Progress.
Gulbrandsen, et al. Standards Track [Page 10]
RFC 2782 DNS SRV RR February 2000
Acknowledgements
The algorithm used to select from the weighted SRV RRs of equal
priority is adapted from one supplied by Dan Bernstein.
Authors' Addresses
Arnt Gulbrandsen
Troll Tech
Waldemar Thranes gate 98B
N-0175 Oslo, Norway
Fax: +47 22806380
Phone: +47 22806390
EMail: arnt@troll.no
Paul Vixie
Internet Software Consortium
950 Charter Street
Redwood City, CA 94063
Phone: +1 650 779 7001
Levon Esibov
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
EMail: levone@microsoft.com
Gulbrandsen, et al. Standards Track [Page 11]
RFC 2782 DNS SRV RR February 2000
Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.

1011
doc/dns/rfc2915.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1683
doc/dns/rfc7871.txt Normal file
View File

File diff suppressed because it is too large Load Diff

0
doc/rfc8484.pdf → doc/dns/rfc8484.pdf
View File

0
doc/rfc3492.txt → doc/http/rfc3492.txt
View File

0
doc/websocket.pdf → doc/http/websocket.pdf
View File

0
doc/mqtt-v3.1.1-cn.pdf → doc/mqtt/mqtt-v3.1.1-cn.pdf
View File

0
doc/mqtt-v3.1.1.pdf → doc/mqtt/mqtt-v3.1.1.pdf
View File