Improve additional RRs for delegating DNS records
When responding to a query for a delegation record, Knot DNS generally tries to include the A/AAAA records of any targets it is authoritative for in the response. While this is helpful, there is room for improvement.
I've identified resource records that are relevant for any client making a query, along with the specifications describing their role. The general principle is that the nameserver SHOULD provide everything a client needs to make use of the record it asked for.
For the sake of brevity, I'm not including CNAMEs in the descriptions below: in all cases, they SHOULD be followed to their target RRset if Knot DNS is authoritative for it.
When attaching a record, Knot DNS SHOULD recursively add relevant records for it as well. This is particularly important when SVCB-compatible records are involved.
If there is room in the response, Knot SHOULD include authoritative NSEC/NSEC3 records where applicable, in keeping with RFC 8198.
Note that some of these behaviors are based on Internet Drafts.
MX
Specifications
Behavior
If no MX records exist in response to a query, Knot DNS SHOULD attach additional records based on the implicit MX record (that is, as if there was an MX record pointing to its own owner).
For each MX record, implicit or explicit, Knot DNS SHOULD attach:
- Any authoritative A records at [exchange]
- Any authoritative AAAA records at [exchange]
- Any authoritative TLSA records at _25._tcp.[exchange]
If response size is a concern, Knot DNS MAY attach records only for the exchanges with the lowest preference (that is, the highest priority) that it is authoritative for.
NS
Specifications
- draft-ietf-dnsop-glue-is-not-optional-07
- draft-ietf-dnsop-svcb-https-11
- draft-ietf-dnsop-svcb-dane-00
Behavior
Knot DNS MUST include all authoritative A/AAAA records it has for [nameserver]. If space allows, Knot DNS SHOULD also attach:
- Any authoritative SVCB records at _dns.[nameserver]
SRV
Specifications
Behavior
Iff the record has a [service] name of ssh, Knot DNS SHOULD attach:
- Any authoritative A records at [target]
- Any authoritative AAAA records at [target]
- Any authoritative SSHFP records at [target]
Otherwise, for each SRV record, Knot DNS SHOULD attach:
- Any authoritative A records at [target]
- Any authoritative AAAA records at [target]
- Any authoritative TLSA records at _[port]._[proto].[target]
Knot DNS MAY forgo including NSEC/NSEC3 records proving the nonexistence of TLSA records for services it does not know to use TLSA (likely based on a predefined list), as their nonexistence may not be relevant to the client. Given the difficulty of maintaining such a list, it may be best to forgo them for everything besides SSH and skip the hassle entirely.
If response size is a concern, Knot DNS MAY attach records only for the targets with the lowest priority value (that is, the highest priority) that it is authoritative for.
SVCB/HTTPS/[any future SVCB-compatible record]
Specifications
Behavior
For a single random AliasMode record (unless that record has a [TargetName] of .), Knot DNS SHOULD attach:
- Any authoritative records of the same type at [TargetName]
If no AliasMode records are present, for each ServiceMode record (including those with a [TargetName] of ., where the [TargetName] is interpreted as the owner name of that record), Knot DNS SHOULD attach:
- Any authoritative A records at [TargetName]
- Any authoritative AAAA records at [TargetName]
- Any authoritative TLSA records at _[port]._[ALPN-derived transport].[TargetName]
In contrast to SRV records, Knot DNS SHOULD attempt to maintain a list of the default ports and transports for services and protocols, as well as of any new SvcParam keys. Specific behavior should be added for each use as appropriate: for example, if any service is defined in the future to not use TLSA records, the TLSA lookup SHOULD be left out for it.
For the purpose of adding additional records, Knot DNS MUST ignore records that contain a mandatory tag it does not understand.
If response size is a concern, Knot DNS MAY attach additional records only for ServiceMode records with the lowest [SvcPriority] (that is, the highest priority) that it is authoritative for.
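As an added illustration of the SVCB/HTTPS rules above (this is example code written for this issue, not Knot DNS's own code), the following sketches the selection logic over a constructed sample zone: the mandatory-key check, AliasMode versus ServiceMode handling, the _[port]._[transport].[TargetName] TLSA owner derived from the port and ALPN, and the optional restriction to the lowest SvcPriority the server is authoritative for. The zone layout, the default-port table and the h3-means-UDP transport rule are assumptions of the example.

```python
import random

# Constructed sample zone: (owner, type) -> list of rdata. Not Knot's internal model.
ZONE = {
    ("example.test.", "HTTPS"): [
        {"priority": 1, "target": ".", "params": {"alpn": ["h2"]}},
        {"priority": 2, "target": "alt.example.test.", "params": {"alpn": ["h3"], "port": 8443}},
        {"priority": 3, "target": "x.example.test.", "params": {"mandatory": ["key65333"]}},
    ],
    ("alias.example.test.", "HTTPS"): [{"priority": 0, "target": "example.test.", "params": {}}],
    ("example.test.", "A"): ["192.0.2.1"],
    ("_443._tcp.example.test.", "TLSA"): ["3 1 1 <constructed>"],
    ("alt.example.test.", "AAAA"): ["2001:db8::1"],
    ("_8443._udp.alt.example.test.", "TLSA"): ["3 1 1 <constructed>"],
    ("x.example.test.", "A"): ["192.0.2.9"],
}
KNOWN_PARAMS = {"mandatory", "alpn", "no-default-alpn", "port", "ipv4hint", "ipv6hint", "ech"}
DEFAULT_PORT = {"https": 443}  # assumed per-scheme default-port table

def candidate_names(rec, owner, scheme):
    """Names to look up for one ServiceMode record: A/AAAA at the target and
    TLSA at _[port]._[transport].[target]; a target of '.' means the owner itself."""
    target = owner if rec["target"] == "." else rec["target"]
    port = rec["params"].get("port", DEFAULT_PORT[scheme])
    transport = "udp" if "h3" in rec["params"].get("alpn", []) else "tcp"  # h3 runs over QUIC
    return [(target, "A"), (target, "AAAA"), (f"_{port}._{transport}.{target}", "TLSA")]

def svcb_additional(zone, owner, rtype="HTTPS", scheme="https", size_limited=False):
    """Return the (owner, type) pairs to add to the additional section."""
    # MUST ignore records whose mandatory list names a key we do not understand
    usable = [r for r in zone.get((owner, rtype), [])
              if set(r["params"].get("mandatory", [])) <= KNOWN_PARAMS]
    alias = [r for r in usable if r["priority"] == 0]
    if alias:  # one random AliasMode record: same type at its target, unless target is '.'
        rec = random.choice(alias)
        key = (rec["target"], rtype)
        return [key] if rec["target"] != "." and key in zone else []
    # ServiceMode: keep only records we hold something authoritative for
    hits = [(r["priority"], [n for n in candidate_names(r, owner, scheme) if n in zone])
            for r in usable if r["priority"] > 0]
    hits = [h for h in hits if h[1]]
    if size_limited and hits:  # only the lowest SvcPriority we are authoritative for
        best = min(p for p, _ in hits)
        hits = [h for h in hits if h[0] == best]
    extra = []
    for _, names in hits:
        extra.extend(n for n in names if n not in extra)
    return extra
```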