While reading RFC 1035 I ran into some questions.

Here is the resource record format section.

Here is the message compression section.

4.1.3. Resource record format

The answer, authority, and additional sections all share the same
format: a variable number of resource records, where the number of
records is specified in the corresponding count field in the header.
Each resource record has the following format:
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                                               |
    /                                               /
    /                      NAME                     /
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TYPE                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     CLASS                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TTL                      |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                   RDLENGTH                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
    /                     RDATA                     /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

NAME            a domain name to which this resource record pertains.

Questions:

  1. Why is the NAME field presented as a field of at least 2 bytes, when in fact it can be 1 byte for ROOT?
  2. Is there a case when NAME doesn't use compression? If yes, could you please provide a dump?
  3. Is there a case when the NAME field is mixed, e.g. a sequence of labels and pointers?

Regarding questions 1. and 2., I assume the answers are yes. E.g. the Message compression section provides an example where a domain name is presented as a mix of label sequences and pointers. However, I couldn't find pcap dumps with real examples.


UPD.0: Replace Resource record format image with quote from rfc

slinkin
  • I've found an example of the NAME mixed case in that dump: https://www.cloudshark.org/captures/7ee39c3b583f. I assume questions 1. and 2. are resolved. – slinkin Nov 01 '22 at 08:15
  • Your question is off-topic here as not really related to programming, but no, compression is not mandatory. A client has to be able to handle it depending on the answers it gets, but a server is free to use it or not. – Patrick Mevzek Nov 01 '22 at 18:05
  • Please don't quote RFCs (or any other thing being text) as images... You can inline code/quotes in your text directly. – Patrick Mevzek Nov 01 '22 at 18:06
  • For 0) note the `//` which means "undefined" length. For 1) yes, compression is optional, and there are examples in the RFC and same for 2) there are examples. See right at the end of 4.1.4 – Patrick Mevzek Nov 01 '22 at 18:07
  • More important: except for learning purposes, **DO NOT** handle low level DNS details yourself. No matter your programming language, you should already have a proper library handling things, and you should rely on it. Specifically, compression is tricky and often done wrong (think about forward pointers, loops, pointers outside of packet, etc.). See recent https://www.ietf.org/rfc/rfc9267.html for some examples. – Patrick Mevzek Nov 01 '22 at 18:09
  • "Why NAME field is presented as at least 2 bytes field" See 4.1.4: any name field starts with a 2 bytes field that encodes either a length or a pointer. So a "NAME" is always at least 2 bytes, plus then "undefined" length depending on those 2 bytes value. – Patrick Mevzek Nov 01 '22 at 18:15
  • @PatrickMevzek thanks for your comments. I couldn't find that `//` means "undefined" length. Could you specify the section where it is described? Also, "So a "NAME" is always at least 2 bytes, plus then "undefined" length depending on those 2 bytes value" - maybe I'm missing something, but it doesn't work for the root domain. It is shown in the 4.1.4. example and I also found a dump with that. – slinkin Nov 02 '22 at 09:30
  • Yes the root label is just `0x00`, the ASCII art tries to be generic and most cases will be about a "name" in general, not just root domain. `//` is a convention, it won't be explained in that RFCs, all RFCs use that convention. Not sure to where it can be traced for explanation, will see if I can find one. But do note that this is a direct consequence also of the text, explaining how a name is encoded makes it clear its length will vary, it is not a fixed size field in the DNS message, as it can happen for other fields (like record type or length) – Patrick Mevzek Nov 02 '22 at 14:18
  • Re: ASCII Art. RFC2360 §3.1 says "and broken boxes for variable-length fields" but uses an example with `+` and space to show broken box. – Patrick Mevzek Nov 02 '22 at 16:21
  • Pro tip also when you deal with such low level stuff, two in fact: 1) use an existing DNS client (ex: `dig`), do various queries and observe what goes on the network to try to correlate what you did to what the tool did "on the wire". Some tools have a "raw" mode as well and 2) using any existing good DNS library - or maybe even scapy - you could programmatically build any DNS packet and then ask for its "on the wire" representation, so that again you can correlate the high level parts to the low level ones. – Patrick Mevzek Nov 06 '22 at 23:21
  • This is also an interesting modern reference about ASCII diagrams to define packets: https://datatracker.ietf.org/doc/html/draft-mcquistin-augmented-ascii-diagrams-11 For non fixed lengths it uses `:` and `...` though, not `//`. – Patrick Mevzek Nov 06 '22 at 23:27

1 Answer

I've found an example of the mixed case - see the comment. It helped me resolve questions 1. and 2.

About question 0.:

I'm still confused why NAME is illustrated like that, because in the ROOT case it occupies only 1 byte. (BTW, here is a StackOverflow topic about that)

However, it doesn't block me anymore. If the label length has highest bits 1,1 - it is a pointer. If 0,0 - it is a length (maximum is 63). 1,0 and 0,1 are reserved.

UPD.0: See the comments. Patrick Mevzek provides the good answers to resolve the questions.

slinkin
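
The three NAME encodings asked about (uncompressed, mixed labels plus pointer, bare root byte) and the pointer pitfalls named in the comments (forward pointers, loops, pointers outside the packet) can be seen in one strict decoder. This is an added example, not code from the question, answer or comments; the message bytes are constructed for illustration, and `read_name` and `why_rejected` are hypothetical names.

```python
HEADER = bytes(12)  # constructed: an all-zero 12-byte DNS header
# Constructed message: "example.com" at offset 12, QTYPE/QCLASS at 25,
# "www" + pointer to offset 12 at 29 (the mixed case), root name at 35.
MSG = HEADER + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01" + b"\x03www\xc0\x0c" + b"\x00"

def read_name(msg: bytes, offset: int):
    """Return (labels, offset just past the NAME field); raise ValueError if malformed."""
    labels, pos = [], offset
    after = None      # where parsing resumes; fixed when the first pointer is seen
    limit = offset    # a pointer must target strictly below this, so no loops
    wire_len = 1      # encoded size of the expanded name, root byte included
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        b = msg[pos]
        if b & 0xC0 == 0xC0:                      # 11: 14-bit pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((b & 0x3F) << 8) | msg[pos + 1]
            if target >= limit:
                raise ValueError("pointer is not strictly backward")
            if after is None:
                after = pos + 2
            limit = pos = target
        elif b & 0xC0 == 0x00:                    # 00: label length 0..63
            if b == 0:                            # root label ends the name
                return labels, (pos + 1 if after is None else after)
            end = pos + 1 + b
            wire_len += 1 + b
            if end > len(msg) or wire_len > 255:
                raise ValueError("label overruns message or name exceeds 255 bytes")
            labels.append(msg[pos + 1:end])
            pos = end
        else:                                     # 01 and 10 are reserved
            raise ValueError("reserved label type")

def why_rejected(msg: bytes, offset: int):
    """Return the error text for a malformed name, or None if it parses."""
    try:
        read_name(msg, offset)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    for off in (12, 29, 35):
        print(off, read_name(MSG, off))
    print(why_rejected(HEADER + b"\xc0\x0c", 12))   # pointer to itself
```

Requiring every pointer to land strictly below the start of the segment being read rejects self-references, forward jumps and out-of-packet targets with a single comparison, and guarantees the loop terminates.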