<?xml version='1.0' encoding='utf-8'?>

<!DOCTYPE rfc>

<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
     please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
     (Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
     (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
        category="info" consensus="true"
        docName="draft-ietf-dnsop-grease-03"
        ipr="trust200902" updates="" obsoletes=""
        submissionType="IETF" xml:lang="en"
        tocInclude="true" tocDepth="4"
        symRefs="true" sortRefs="true" version="3">

  <!-- ***** FRONT MATTER ***** -->

  <front>

    <title abbrev="DNS Greasing">
       Greasing Protocol Extension Points in the DNS
    </title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-grease-03"/>

    <author fullname="Shumon Huque" initials="S." surname="Huque">
      <organization>Salesforce</organization>
      <address>
        <email>shuque@gmail.com</email>
      </address>
    </author>

    <author fullname="Mark Andrews" initials="M." surname="Andrews">
      <organization>Internet Systems Consortium</organization>
      <address>
        <email>marka@isc.org</email>
      </address>
    </author>

    <date day="6" month="7" year="2026"/>
    <!-- Meta-data Declarations -->

    <area>General</area>
    <workgroup>Internet Engineering Task Force</workgroup>
    <keyword>Internet-Draft</keyword>
    <keyword>DNS</keyword>
    <keyword>Grease</keyword>
    <keyword>Protocol</keyword>
    <keyword>Extensibility</keyword>
    <keyword>Evolvability</keyword>
    <keyword>Maintainability</keyword>

    <abstract>
     <t>
        Long term evolvability of the Domain Name System (DNS) protocol
        requires the ability to support change. Greasing is one technique
        that exercises the regular use of unallocated protocol extension
        points to prevent ossification of their current usage patterns
        by middleboxes or DNS implementations. This document describes
        considerations and proposals for applying grease to the DNS protocol.
     </t>
    </abstract>

    <note removeInRFC="true">
       <name>Discussion Venues</name>
       <t>Source for this draft and an issue tracker can be found at
       <eref target="https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-grease"/>.</t>
    </note>

  </front>

  <middle>

    <section anchor="intro" numbered="true" toc="default">
      <name>Introduction</name>
      <t>
        Long term evolvability of the Domain Name System (DNS) protocol
        requires the ability to support change.
        <xref target="GREASING">Greasing</xref> is one technique
        that exercises the regular use of unallocated protocol extension
        points to prevent ossification of their current usage patterns
        by middleboxes or DNS implementations.
      </t>
      <t>
        Greasing was originally developed for the TLS protocol
        <xref target="RFC8701" />. Ongoing discussion of improving
        the technique as well as applying it more generally to other
        protocols continues in the IETF.
      </t>
      <t>
        This document outlines considerations and proposals for
        applying grease to the
        <xref target="RFC1034" /><xref target="RFC1035" />
        Domain Name System (DNS).
      </t>
    </section>

    <section anchor="background" numbered="true" toc="default">
      <name>Background</name>
      <t>
        Historically, DNS protocol evolution has encountered some
        significant barriers. There are various reasons,
        including outdated systems, inertia, faulty implementations of
        DNS servers, middleboxes that have actively blocked the deployment
        of new protocol features, etc. Over time as some of these
        impediments have been uncovered and repaired, progress has
        been possible. However, a more systematic approach to ensure
        future progress is desirable.
      </t>
      <t>
        Remarkably, the Extension Mechanisms for DNS (EDNS)
        specification, originally published in 1999
        <xref target="RFC2671" /> and later updated by
        <xref target="RFC6891" />, is still not universally deployed,
        and often deployed incorrectly or incompletely. This eventually resulted in
        the exercise of a <xref target="FLAGDAY">DNS Flag Day effort</xref>
        to identify and eradicate implementations and network paths not
        compliant with the specification. Tools like ednscomp.isc.org
        <xref target="EDNSCOMP" /> have been testing this and other
        protocol defects in deployed infrastructure for many years.
        Even then, some level of incorrect behavior remains prevalent,
        necessitating probing and pre-arrangement of the use of some
        extension features like
        <xref target="RFC7871" />EDNS Client Subnet and
        <xref target="RFC7873" />DNS Cookies.
      </t>
    </section>

    <section anchor="opportunities" numbered="true" toc="default">
      <name>Greasing Opportunities</name>
      <t>
        The DNS has a number of protocol elements where the greasing of
        unallocated code points could be employed. Some of them are
        listed in the table below.
      </t>

      <!-- NOTE: The "Unallocated (approx.)" figures below are estimates
           and MUST be verified against the current IANA registries before
           publication. In particular: Opcode (0,2,4,5,6 assigned, 1
           obsolete), EDNS Header Flags (DO and CO assigned), Class (only a
           handful assigned: IN, CH, HS, NONE, ANY, plus reserved 0/65535),
           and the reserved/private-use/experimental sub-ranges of the RR
           Type and EDNS Opt Code spaces. -->
      <table>
        <thead>
          <tr><th>Protocol Element</th><th>Field Size</th><th>Total Code Points</th><th>Unallocated (approx.)</th></tr>
        </thead>
        <tbody>
          <tr><td>DNS Header Flags</td><td>1-bit each</td><td>7 flag positions</td><td>1</td></tr>
          <tr><td>Opcode</td><td>4-bit</td><td>16</td><td>10</td></tr>
          <tr><td>EDNS Version</td><td>8-bit</td><td>256</td><td>255</td></tr>
          <tr><td>EDNS Header Flags</td><td>1-bit each</td><td>16 flag positions</td><td>~14</td></tr>
          <tr><td>Class</td><td>16-bit</td><td>65,536</td><td>~65,530</td></tr>
          <tr><td>Resource Record Type</td><td>16-bit</td><td>65,536</td><td>~64,700</td></tr>
          <tr><td>EDNS Opt Code</td><td>16-bit</td><td>65,536</td><td>~65,000</td></tr>
        </tbody>
      </table>

      <t>
        The unallocated column indicates roughly how many code points are
        currently available for greasing, and it varies enormously across
        protocol elements. Note that the header flag fields are not single
        multi-bit code points but collections of independent 1-bit flags,
        so their totals count flag positions rather than 2^n values. These
        counts are approximate and subject to change as IANA allocations
        proceed.
      </t>

      <t>
        The elements listed above are ones whose unknown values a
        conforming receiver is expected to tolerate transparently, which
        makes them suitable candidates for greasing. Some other DNS
        protocol elements are deliberately omitted. In particular, the
        RCODE and Extended RCODE fields are only meaningful when set by a
        responder, and altering them changes the querier's assessment of
        the status of the response; greasing these is therefore fraught
        and of little value.
      </t>

      <t>
        The goals of periodically exercising the use of unallocated
        code points are (1) to discourage and prevent middleboxes and
        DNS implementations from hardcoding notions of what are the only
        allowable protocol parameter values, and (2) to prevent future
        extensibility failures by not causing them to malfunction
        in the presence of new values when they are defined.
      </t>
      <t>
        If and when encrypted transports are common on the DNS resolver
        to authoritative server path, middleboxes will have less
        capability to interfere with DNS traffic. Greasing would still
        however continue to be useful for identifying deficient DNS
        proxies, load balancers, authoritative servers, etc.
      </t>
      <t>
        Note that <xref target="RFC6891">EDNS</xref>
        options have a more complex structure involving both a code
        point and data. So greasing EDNS options would also require
        generating some random option data.
      </t>
      <t>
        Correctly implemented DNS servers will ignore these values and
        interoperate. Servers that do not tolerate unknown values will
        fail to interoperate and return an error (or may fail to respond).
        These failures could be logged and be used to identify broken
        implementations in the field that could be targeted for repair.
        DNS resolvers should generally retry such failed queries without
        the unallocated extension, except for greasing operations where
        new queries are constructed (for example, greasing new resource
        record types).
      </t>
      <t>
        Where the additional latency of retrying failed queries is a
        concern, a resolver could instead issue the queries in parallel:
        a regular query without any greasing, alongside a separate greased
        query. The response to the regular query is used to serve the
        resolution as usual, while the outcome of the greased query is
        recorded purely for telemetry purposes. This avoids adding latency
        to the resolution when a greased query fails, at the cost of
        additional query volume. As with the sampled approach described in
        <xref target="sampling" />, only a small fraction of queries need
        be duplicated in this way to obtain a useful picture of
        non-compliant servers.
      </t>
    </section>

    <section anchor="reserving" numbered="true" toc="default">
      <name>Randomized or Reserved code points</name>
      <t>
        DNS resolver implementations are proposed to periodically
        advertise unallocated code points at random in requests that
        they send out.
      </t>
      <t>
        The choice between reserving a dedicated range of code points for
        greasing and simply selecting at random from the unallocated space
        involves several competing considerations, and the right answer may
        differ from one protocol element to another.
      </t>
      <t>
        Arguments in favor of reserving a range include:
      </t>
      <ul spacing="normal">
        <li>
          <strong>Detectability.</strong> If a receiver actively
          special-cases and ignores a known reserved grease range, that
          behavior becomes observable, whereas an implementation that
          silently drops any unknown value is harder to distinguish from
          one that is behaving correctly. In this sense, a receiver that
          mishandles the reserved range is itself a useful signal that
          greasing is doing its job.
        </li>
        <li>
          <strong>Avoiding collisions with real values.</strong> Selecting
          at random from the entire unallocated space risks exercising a
          code point that is later allocated for genuine use. Deployed
          software that has learned to ignore that value during greasing
          may then mishandle it once it carries real meaning. A reserved
          range quarantines greasing values away from points that may be
          assigned in the future.
        </li>
      </ul>
      <t>
        Arguments against reserving a range include:
      </t>
      <ul spacing="normal">
        <li>
          <strong>Ossification of the reserved range itself.</strong> If
          implementations hardcode the notion of "the grease range" and
          treat it specially, rather than handling all unknown code points
          uniformly, the reserved values can become ossified in exactly the
          way greasing is meant to prevent.
        </li>
        <li>
          <strong>Limited effectiveness against a determined
          implementation.</strong> An implementation that wishes to single
          out and ignore greasing can do so regardless of whether the
          values are drawn from a reserved range or the full unallocated
          space; the size of the reserved range does not materially change
          this. Reserving primarily aids diagnosis and avoids accidental
          collisions rather than defeating deliberate special-casing.
        </li>
        <li>
          <strong>Element-specific constraints.</strong> Some DNS protocol
          elements have only a small range of values (see the table in
          <xref target="opportunities" />) and cannot readily spare a
          subset for reservation; for these, random selection or forgoing
          greasing may be the only practical options. Others have internal
          structure, such as the data/meta/QTYPE classification of the RR
          Type space, where a single reserved range would not exercise each
          sub-range; reserving for these elements is still feasible but
          would require designating multiple ranges.
        </li>
      </ul>
      <t>
        The concern about random selection colliding with future real
        allocations can be mitigated without a reserved range by equipping
        greasing implementations with a pre-configured or configurable
        end-of-test date, after which a given greasing operation is retired
        so that it does not interfere with subsequent code point
        assignments. The amount of the space to reserve, if any, might also
        be informed empirically by the observed frequency of greasing
        traffic.
      </t>
      <t>
        [The working group has not yet reached consensus on whether to
        reserve ranges, and if so for which protocol elements. This section
        will be updated to record that decision.]
      </t>
    </section>

    <section anchor="reserved-values" numbered="true" toc="default">
      <name>Reserved Code Point Values</name>
      <t>
        [Propose reserved ranges for some DNS protocol elements]
      </t>
    </section>

    <section anchor="sampling" numbered="true" toc="default">
      <name>Sampled Selection of Traffic</name>
      <t>
        To avoid the overhead of needing to retry many queries in the
        event of large scale intolerance of unallocated code points, only
        a sampled fraction of DNS requests emitted by a resolver should
        advertise unallocated code points. Many DNS resolvers are very
        high transaction rate systems, so only a small sample size of
        such DNS requests is sufficient to get a rough picture of
        non-compliant servers, perhaps 1 in 1000 requests? Furthermore,
        a community effort of aggregating and analysing the results of
        failed queries from many DNS resolver operators can provide an
        even more comprehensive view of the ecosystem.
      </t>
    </section>

    <section anchor="telemetry" numbered="true" toc="default">
      <name>Telemetry and Results Evaluation</name>
      <t>
        DNS resolvers are expected to record the results of failures
        from the use of unallocated code points. This could be in a
        traditional log file, or a more complex centralized telemetry
        system.
      </t>
      <t>
        Additionally, the
        <xref target="ERROR-RPT">DNS Error Reporting</xref> mechanism
        could be employed to proactively notify operators that their
        authoritative DNS servers are deficient.
      </t>
    </section>

    <section anchor="detailed" numbered="true" toc="default">
      <name>Detailed Behavior</name>
      <t>
        Work in-progress section .. Some topics to expand on:
      </t>
      <ul spacing="normal">
        <li>Detailed expected behavior of DNS resolvers/clients.</li>
        <li>Detailed expected behavior of DNS servers.</li>
        <li>Detection of errors.</li>
        <li>Fallback behavior (or not).</li>
        <li>Settings: nameservers should be shipped with a default
            end-of-test date to prevent tests from interfering with
            future code point assignments.</li>
        <li>Testing should be multi-factored.</li>
        <li>Tests should be able to be individually disabled.</li>
        <li>Sharing telemetry.</li>
      </ul>
    </section>

    <section anchor="from-responder" numbered="true" toc="default">
      <name>Greasing Initiated By DNS Responders</name>
      <t>
        This document largely focusses on greasing initiated by
        the DNS resolver or querier. Greasing operations could also
        be initiated by an authoritative server or DNS responder.
        This seems potentially a bit more fraught, since the responder
        cannot necessarily know what the result of the greasing action
        was, e.g., did the querier accept the answer with no problems,
        did it not accept it and retry other servers, did it not
        accept it and just fail, causing a denial of service to the
        downstream application, etc. However, greasing in this direction
        can be very helpful in targeted experiments. For example, some
        early measurements for DELEG proposals utilized server side
        greasing to insert unexpected record types in referral responses
        to test the behavior of DNS resolvers. Operators of DNS zones
        could perform targeted active measurements or rely on reports
        by users to determine if server side greasing works well.
      </t>
      <t>
        Some things a responder could do include: test setting the
        final DNS header flag (Z), send back unknown EDNS header flags,
        options, higher EDNS versions, etc. All of these should in theory
        be ignored on reception.
      </t>
      <t>
        Greasing by DNS responders should be disabled by default.
      </t>
    </section>

    <section anchor="security" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>
        If an implementation does not select GREASE values at random,
        it may allow others to fingerprint specific resolvers or
        resolver implementations.
      </t>
      <t>
        Some DNS resolver implementations have traditionally resorted
        to falling back to retrying queries with various extension
        options disabled in the face of interoperability problems.
        Depending on the specific extension affected, this may allow
        an adversary to silently disable a security feature. Greasing
        of unallocated code points aims to identify such interoperability
        problems and help DNS resolver operators and implementations to
        decide when it is ok to disable fallback behavior for future
        extensions. Hence, this mechanism is expected to generally
        reduce the need for resolver fallback behavior, and improve
        security over time.
      </t>
    </section>

    <section anchor="iana" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>
        [If reserved code point ranges are decided, IANA will need to
        formally reserve them in the relevant protocol parameter
        registries. The annotation "Reserved for Greasing" should be
        employed to clearly distinguish such ranges from other ranges
        that might be reserved for private use or other purposes.]
      </t>
    </section>

  </middle>

  <!--  *****BACK MATTER ***** -->

  <back>

    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6891.xml"/>
      </references>
      <references>
        <name>Informative References</name>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2671.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7871.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7873.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8701.xml"/>
        <reference anchor="GREASING"
                 target="https://datatracker.ietf.org/doc/html/draft-edm-protocol-greasing">
          <front>
            <title>Maintaining Protocols Using Grease and Variability</title>
            <author fullname="Lucas Pardue" initials="L" surname="Pardue" />
            <date />
          </front>
      </reference>
        <reference anchor="ERROR-RPT"
                 target="https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting">
          <front>
            <title>DNS Error Reporting</title>
            <author fullname="Roy Arends" initials="R" surname="Arends" />
            <author fullname="Matt Larson" initials="M" surname="Larson" />
            <date />
          </front>
      </reference>
        <reference anchor="FLAGDAY"
                 target="https://www.isc.org/blogs/dns-flag-day/">
          <front>
            <title>DNS Flag Day 2019</title>
            <author fullname="Internet Systems Consortium" surname="ISC" />
            <date />
          </front>
      </reference>
        <reference anchor="EDNSCOMP"
                 target="https://ednscomp.isc.org/">
          <front>
            <title>EDNS Compliance Tester</title>
            <author fullname="Internet Systems Consortium" surname="ISC" />
            <date />
          </front>
      </reference>
      </references>
    </references>

  </back>

</rfc>
