Providing AAAA records for free with QTYPE=A

CloudFlare Inc.
101 Townsend St.
San Francisco, 94107
USA
mvavrusa@cloudflare.com

CloudFlare Inc.
101 Townsend St.
San Francisco, 94107
USA
olafur@cloudflare.com

Internet
DNS

This document enables DNS servers to include AAAA records in the answer section for DNS queries with QTYPE=A in order to reduce the number of resolver round-trips during address lookups, and also provides guidance for recursive DNS servers in accepting such records.
Over the years, there have been a number of attempts to extend DNS to allow multiple questions in a DNS query. While it is possible to place more than one query in the question section, there is only one RCODE for the combined answer, and there are no semantics for how to set the RCODE if there are multiple questions that have different results.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
The reader is assumed to be familiar with the basic DNS concepts described in , , and . Further DNS terminology is clarified in .
The DNS specification doesn't provide any guidance on how to handle records in answer sections with matching QNAME but mismatching QTYPE, with the exception of CNAME and DNAME records.
The most frequently looked up types are address records, A for IPv4 addresses, and AAAA for IPv6 addresses.
Stub resolvers attempt to optimize latency by issuing both queries in parallel, but both recursive and authoritative DNS servers then treat the two queries independently, so in the worst case the loss of one answer triggers a requery for both. Furthermore, when a client is behind an anycast resolver cluster, the two queries may go to different resolver instances. Resolvers also use queries for both record types internally when determining referral chain topology, and the loss of one answer leads either to an added round-trip if requerying, or to suboptimal address selection if the recursor continues without it.
The authoritative server MAY treat a query with QTYPE=A effectively as a request for any IP address type, regardless of the address protocol, with all the requirements due to , . Namely, the authoritative server MUST add DNSSEC signatures for any such records if the zone is signed.
However, if there is a direct answer to the original question but no records for other address protocols, the authoritative DNS server SHOULD NOT prove their non-existence. In this respect, they are treated as additional data.
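The following is an added example, not code from the draft or from CloudFlare, of the authoritative-side rule just described: for QTYPE=A the server appends the AAAA RRset (with its own RRSIG when the zone is signed), adds no non-existence proof when only the AAAA RRset is missing, but does prove non-existence when the direct answer itself is missing. The zone contents, the `RR`/`Zone` model and the RRSIG/NSEC stand-ins are all constructed for illustration and are not DNS wire format; CNAMEs are not followed.

```python
"""Authoritative-side answer construction for a QTYPE=A query that piggybacks AAAA records.

Constructed example (not part of the draft): the zone contents, the RR tuples, the
RRSIG/NSEC stand-ins and the 'signed' flag are simplified models, not DNS wire format,
and CNAMEs are not followed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

A, AAAA, RRSIG, NSEC = "A", "AAAA", "RRSIG", "NSEC"


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


@dataclass
class Zone:
    origin: str
    signed: bool
    # (owner, rtype) -> list of rdata strings
    records: Dict[Tuple[str, str], List[str]] = field(default_factory=dict)

    def rrset(self, owner: str, rtype: str) -> List[RR]:
        return [RR(owner, rtype, rd) for rd in self.records.get((owner, rtype), [])]

    def sign(self, rrset: List[RR]) -> List[RR]:
        """Stand-in for the RRSIG covering an RRset (one per RRset, naming the covered type)."""
        if not rrset:
            return []
        return [RR(rrset[0].owner, RRSIG, f"{rrset[0].rtype} sig-by-{self.origin}")]

    def nodata_proof(self, owner: str) -> List[RR]:
        """Stand-in for the (signed) NSEC record listing which types exist at `owner`."""
        present = sorted({rt for (o, rt) in self.records if o == owner})
        nsec = [RR(owner, NSEC, " ".join(present) or "-")]
        return nsec + self.sign(nsec)


def build_answer(zone: Zone, qname: str, qtype: str) -> Tuple[List[RR], List[RR]]:
    """Return (answer_section, authority_section) for the query."""
    answer: List[RR] = []
    authority: List[RR] = []

    direct = zone.rrset(qname, qtype)
    answer += direct + (zone.sign(direct) if zone.signed else [])

    if qtype == A:
        # QTYPE=A is treated as a request for any address type, so AAAA comes along,
        # with its own RRSIG when the zone is signed.
        extra = zone.rrset(qname, AAAA)
        answer += extra + (zone.sign(extra) if zone.signed else [])
        # If the AAAA RRset simply does not exist it is additional data: no NSEC for it.

    if not direct and zone.signed:
        # The direct answer is missing: prove that, so a validating resolver can
        # still accept any other address records sent along.
        authority += zone.nodata_proof(qname)

    return answer, authority


def rtypes(section: List[RR]) -> List[str]:
    """Convenience view of the record types in a section (used by the demo)."""
    return [r.rtype for r in section]


# Constructed zone contents for the demo.
ZONE = Zone("example.", signed=True, records={
    ("www.example.", A): ["192.0.2.1"],
    ("www.example.", AAAA): ["2001:db8::1"],
    ("v4only.example.", A): ["192.0.2.2"],
    ("v6only.example.", AAAA): ["2001:db8::2"],
})

if __name__ == "__main__":
    for name in ("www.example.", "v4only.example.", "v6only.example."):
        ans, auth = build_answer(ZONE, name, A)
        print(name, "answer:", rtypes(ans), "authority:", rtypes(auth))
```

Running the demo shows the three cases side by side: `www.example.` gets both address RRsets and both signatures, `v4only.example.` gets only the A RRset with no NSEC for the absent AAAA, and `v6only.example.` gets the AAAA RRset in the answer plus the NODATA proof for A in the authority section.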
The recursive resolver MAY accept RRs with TYPE=AAAA and owner equal to SNAME, that is, a direct answer to the query or matching the final target of the CNAME chain. They MUST be treated as authoritative data as in , 5.4.1.
Notably, a recursive resolver MUST verify DNSSEC signatures on any such records, and it MUST reject any such records if the validation fails and the zone is not provably secure. In other words, they are subject to the same requirements as a direct answer.
A resolver SHOULD accept other IP address records even if there are no records matching the original QTYPE, given that the authoritative DNS server proves non-existence of the direct answer.
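The following is an added example, not code from the draft or from any resolver implementation, of the resolver-side acceptance rules in the three paragraphs above: AAAA records are taken from the answer only when their owner equals SNAME (the query name, or the final target of the CNAME chain), they are validated like a direct answer when the zone is secure, and when there is no direct answer they are kept only if the authority section carries a proof of its non-existence. Everything here is constructed: the `RR` model, the `RRSIG`/`NSEC` stand-ins, and the "validation", which merely looks for a `valid` marker in the RRSIG rdata so the rules can be exercised offline; the CNAME RRset itself is not validated.

```python
"""Recursive-resolver acceptance of AAAA records returned with a QTYPE=A answer.

Constructed example (not part of the draft): RR/RRSIG/NSEC are stand-ins and
rrset_validates() only checks a marker string, so no real DNSSEC is performed.
"""
from dataclasses import dataclass
from typing import Dict, List

A, AAAA, CNAME, RRSIG, NSEC = "A", "AAAA", "CNAME", "RRSIG", "NSEC"
ADDRESS_TYPES = {A, AAAA}


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def final_sname(qname: str, answer: List[RR]) -> str:
    """Follow the CNAME chain in the answer section; SNAME is its final target."""
    name, seen = qname, set()
    while True:
        seen.add(name)
        targets = [r.rdata for r in answer if r.owner == name and r.rtype == CNAME]
        if not targets or targets[0] in seen:  # end of chain, or a loop
            return name
        name = targets[0]


def rrset_validates(owner: str, rtype: str, section: List[RR]) -> bool:
    """Stand-in for DNSSEC validation of the RRset <owner, rtype>.

    Constructed rule: an RRSIG at `owner` whose rdata starts with the covered
    type and ends with ' valid' counts as a good signature.
    """
    sigs = [r for r in section
            if r.owner == owner and r.rtype == RRSIG and r.rdata.startswith(rtype + " ")]
    return any(r.rdata.endswith(" valid") for r in sigs)


def accept_address_records(qname: str, qtype: str, answer: List[RR],
                           authority: List[RR], zone_secure: bool) -> Dict:
    """Decide which address records from a response may be cached as answers."""
    sname = final_sname(qname, answer)
    direct = [r for r in answer if r.owner == sname and r.rtype == qtype]
    extra_types = ADDRESS_TYPES - {qtype}
    # Only address records owned by SNAME qualify; an AAAA for any other owner
    # is never promoted to answer data, whatever the answer section contains.
    extra = [r for r in answer if r.owner == sname and r.rtype in extra_types]
    discarded = [r for r in answer
                 if r not in direct and r not in extra and r.rtype not in (CNAME, RRSIG)]

    if zone_secure:
        # Extra address RRsets face the same requirement as the direct answer:
        # a failed validation makes the response bogus.
        for rtype in {r.rtype for r in direct + extra}:
            if not rrset_validates(sname, rtype, answer):
                return {"sname": sname, "status": "bogus",
                        "direct": [], "extra": [], "discarded": discarded}

    if not direct:
        # No direct answer: keep the other address type only if the server proved
        # the direct answer does not exist (validated when the zone is secure).
        proven = any(r.owner == sname and r.rtype == NSEC for r in authority) and (
            not zone_secure or rrset_validates(sname, NSEC, authority))
        if not proven:
            discarded = discarded + extra
            extra = []

    return {"sname": sname, "status": "ok",
            "direct": direct, "extra": extra, "discarded": discarded}


if __name__ == "__main__":
    # Constructed response: A and AAAA for www.example., both "signed".
    answer = [RR("www.example.", A, "192.0.2.1"), RR("www.example.", RRSIG, "A valid"),
              RR("www.example.", AAAA, "2001:db8::1"), RR("www.example.", RRSIG, "AAAA valid"),
              RR("other.example.", AAAA, "2001:db8::ff")]  # wrong owner: must be discarded
    print(accept_address_records("www.example.", A, answer, [], zone_secure=True))
```

The `discarded` list is the security-relevant output: records in the answer section whose owner is not SNAME never become answer data, so the only way to plant an AAAA through this path is to forge one for the very name being queried, which is no easier than forging the A record itself.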
In cases where a caching resolver either doesn't validate or the authoritative answer is insecure, a successful spoofing attack may poison both address types in one attempt. However, the chance of a successful spoofing attack is not affected.
Some resolvers might reject the answer due to “extra” records in the answer section, but more likely the resolver will discard the AAAA records, in which case the outcome is no different from today.
Dani Grant, Vicky Shrestha and Filippo Valsorda provided valuable comments on the draft.