[GH-ISSUE #735] Perform additional processing for NAPTR #285

New issue

Open

opened 2026-03-07 23:16:00 +03:00 by kerem · 2 comments

kerem commented 2026-03-07 23:16:00 +03:00

Owner

Copy link

Originally created by @bluejekyll on GitHub (Apr 7, 2019).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/735

Is your feature request related to a problem? Please describe.

NAPTR records include a reference to a “replacement” name, this should be included in the additional section. This can point to SRV or A/AAAA.

Describe the solution you'd like
In the resolver we may want to process NAPTR and perform additional lookups, but this is zone dependent, so the resolver doing this properly might be wasteful on the query.

The server can do this efficiently, as it has access to the zone, it can return known records on the chain.

Originally created by @bluejekyll on GitHub (Apr 7, 2019). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/735 **Is your feature request related to a problem? Please describe.** NAPTR records include a reference to a “replacement” name, this should be included in the additional section. This can point to SRV or A/AAAA. **Describe the solution you'd like** In the `resolver` we may want to process NAPTR and perform additional lookups, but this is zone dependent, so the resolver doing this properly might be wasteful on the query. The `server` can do this efficiently, as it has access to the zone, it can return known records on the chain.

kerem added the

enhance

crate:server

crate:resolver

labels 2026-03-07 23:16:00 +03:00

kerem commented 2026-03-07 23:16:11 +03:00

Author

Owner

Copy link

@nhoyle commented on GitHub (Apr 7, 2019):

If I remember my RFCs correctly (I'm not looking at them right now), "Additional" record responses are only supposed to be returned when the server already has knowledge of the additional records (making the additional information effectively "zero cost" to provide). This means either the server is authoritative for the zone in question, or the server has recently queried the additional records in question, and still has them in an unexpired cache from that prior lookup.

In the situation where the queried server is authoritative for all records involved, the NAPTR query will likely result in SRV RRs as the response, which in turn could be resolved to A/AAAA records. (Alternately, the NAPTR results could be A/AAAA records, directly.) This would mean that the server could provide an "answer" section to the NAPTR query with the direct results, as well as "additional" SRV and A/AAAA records, at no additional query cost/latency.

If the server is acting (in whole, or in part) as a recursive resolver on behalf of the client, and is not authoritative for one or more of the queried zones in the NAPTR->SRV->A/AAAA chain, then it would be a violation of the RFCs for the server to launch additional queries on behalf of the client to return any information not already cached from prior lookups. (Although, potentially all of that information could be cached, and valid to return.)

That said, in the typical use case of a SIP client attempting to initiate a connection, all of the above components would need to be resolved before the client could achieve any real forward progress. (For example, you can't connect a VoIP phone call without knowing the IP of the next-hop server/user-agent.) It is obviously less efficient, both from a server resource and client latency perspective, to force the client to launch three queries when the server could potentially launch the second and third queries on behalf of the client (for the SRV and A/AAAA records) without the need to round-trip back to the client with the partial results.

Because doing so would violate RFCs however, such behavior should be an optional feature to be enabled, either via resolver/server config, or as part of the request protocol between the client and resolver/server, to indicate this behavior is desired.

In practice, a large number of NAPTR records (which may likely correspond to individual telephone numbers) may fan in to a comparatively small number of server farms and IPs (SRV and A/AAAA records). As such, it is likely that good caching performance may be observed without deviating from the RFC-specified query behavior, so long as the TTLs associated with the SRV and A resource records is not unreasonably short.

As such, I would consider it a priority to support providing "additional" RR information for the SRV and A/AAAA information when available either via virtue of being the zone authority, or via cache, and consider launching additional queries on behalf of the client a possible future extension if experience suggests it is necessary.

(Hopefully the above is not overkill, was trying to provide clarity. If it's still not clear, I can try to muddy the waters further.)

<!-- gh-comment-id:480638729 --> @nhoyle commented on GitHub (Apr 7, 2019): If I remember my RFCs correctly (I'm not looking at them right now), "Additional" record responses are only supposed to be returned when the server already has knowledge of the additional records (making the additional information effectively "zero cost" to provide). This means either the server is authoritative for the zone in question, or the server has recently queried the additional records in question, and still has them in an unexpired cache from that prior lookup. In the situation where the queried server is authoritative for all records involved, the NAPTR query will likely result in SRV RRs as the response, which in turn could be resolved to A/AAAA records. (Alternately, the NAPTR results could be A/AAAA records, directly.) This would mean that the server could provide an "answer" section to the NAPTR query with the direct results, as well as "additional" SRV and A/AAAA records, at no additional query cost/latency. If the server is acting (in whole, or in part) as a recursive resolver on behalf of the client, and is not authoritative for one or more of the queried zones in the NAPTR->SRV->A/AAAA chain, then it would be a violation of the RFCs for the server to launch additional queries on behalf of the client to return any information not already cached from prior lookups. (Although, potentially all of that information could be cached, and valid to return.) That said, in the typical use case of a SIP client attempting to initiate a connection, all of the above components would need to be resolved before the client could achieve any real forward progress. (For example, you can't connect a VoIP phone call without knowing the IP of the next-hop server/user-agent.) It is obviously less efficient, both from a server resource and client latency perspective, to force the client to launch three queries when the server could potentially launch the second and third queries on behalf of the client (for the SRV and A/AAAA records) without the need to round-trip back to the client with the partial results. Because doing so would violate RFCs however, such behavior should be an optional feature to be enabled, either via resolver/server config, or as part of the request protocol between the client and resolver/server, to indicate this behavior is desired. In practice, a large number of NAPTR records (which may likely correspond to individual telephone numbers) may fan in to a comparatively small number of server farms and IPs (SRV and A/AAAA records). As such, it is likely that good caching performance may be observed without deviating from the RFC-specified query behavior, so long as the TTLs associated with the SRV and A resource records is not unreasonably short. As such, I would consider it a priority to support providing "additional" RR information for the SRV and A/AAAA information when available either via virtue of being the zone authority, or via cache, and consider launching additional queries on behalf of the client a possible future extension if experience suggests it is necessary. (Hopefully the above is not overkill, was trying to provide clarity. If it's still not clear, I can try to muddy the waters further.)

kerem commented 2026-03-07 23:16:16 +03:00

Author

Owner

Copy link

@bluejekyll commented on GitHub (Apr 8, 2019):

Yes, this all sounds accurate to what I would think is the case.

<!-- gh-comment-id:480673046 --> @bluejekyll commented on GitHub (Apr 8, 2019): Yes, this all sounds accurate to what I would think is the case.

kerem referenced this issue 2026-03-16 02:01:20 +03:00

[PR #285] [MERGED] Support for TLSA #1342

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

david/conformance-dnssec-negative-tests

prepare-0.26.1

release/0.26

query-api

opt-types

cname-nsec

no-cname-recursion

conformance-min-ttl

dname-base

drop-message-request

no-error-queries

cpu-sig0-rm-message-sig_dev

cpu-tsig-test-update_dev

windows-config

dnssec-net

release/0.25

opp-enc-persist

integration-test

cpu-tidying-recursor-opts_dev

happy-eyeballs

david/authoritative-zone-storage-trait

dnssec-ad

no-authority

release/0.24

pvdrz/remove-top-file

pvdrz/h3-handshake-timeout

pvdrz/quic-handshake-timeout

nxdomain-for-recursor

ja-test-merque-queue

ja-fix-ci-again

sz-add-ede-tests

sz-test-tc-bit-with-large-response

sz-fix-tokio-dependency

gh-2275-test-rrsig-signature

refactor-sign-zone-file

fix-1.79-cleanliness

update-nightly-hash

release/0.23

gh-pages

use-just-for-server-toml

release/0.22

revert-1874-cpu-zone-parse-default-class

disable-bind-compatibility-tests

disable-test_tls_client_stream_ipv4

update-native-tls-0.2.11

recursor-tests

fix-clippy-self

release/0.20

saethlin-fix-rdata-zero

release/0.19

flat_name

drop_unused_futures

release/0.18

release-r0.12-cs0.17

release/r0.12-cs0.17

trust-dns-book

r0.10

test-connections-not-dropped

fix_exec_status_on_rs_files

release-0.9

add-mutex-to-integration-tests

0.8_release

bfry/dns-crypt

v0.26.0

v0.26.0-beta.4

v0.26.0-beta.3

v0.26.0-beta.2

v0.26.0-beta.1

v0.26.0-alpha.1

v0.25.2

v0.25.1

v0.25.0

v0.24.4

v0.24.3

v0.25.0-alpha.5

v0.24.2

v0.25.0-alpha.4

v0.25.0-alpha.3

v0.25.0-alpha.2

v0.25.0-alpha.1

v0.24.1

v0.23.2

v0.24.0

v0.23.1

v0.23.0

v0.23.0-alpha.5

v0.23.0-alpha.4

v0.23.0-alpha.3

v0.22.1

v0.23.0-alpha.2

v0.23.0-alpha.1

v0.22.0

v0.21.2

v0.21.1

v0.21.0

v0.21.0-alpha.5

v0.20.4

v0.21.0-alpha.4

v0.21.0-alpha.3

v0.21.0-alpha.2

v0.21.0-alpha.1

v0.20.3

v0.20.2

v0.20.1

v0.19.7

v0.20.0

0.19.6

v0.20.0-alpha.3

v0.20.0-alpha.2

v0.20.0-alpha.1

0.19.5

0.19.4

0.19.3

0.19.0

0.18.1

0.18

0.18.0.alpha.2

r0.12_cs0.17

r0.11.1

cs0.16.1

r0.11

cs0.16

r0.10.1

r0.10.0

cs0.15.0

r0.9.1

v0.14.0

r0.9.0

r0.8.1

r0.8.0

v0.13.0

r0.7.0

c0.12.0

r0.6.0

r0.5.0

resolver.0.4.0

0.11.0

0.10.5

0.10.4

0.10.3

0.10.2

0.10.1

0.10.0

0.9.3

0.9.2

0.9.1

0.9.0

0.8.1

0.8.0

0.7.3

0.7.2

0.7.1

0.7.0

0.6.0

0.5.3

0.5.1

0.5.0

0.4.0

0.3.1

0.3.0

0.2.1

0.2.0

0.1.0

Labels

Clear labels   

blocked

  

breaking-change

  

bug

  

bug:critical

  

bug:tests

  

cleanup

  

compliance

  

compliance

  

compliance

  

crate:all

  

crate:client

  

crate:native-tls

  

crate:proto

  

crate:recursor

  

crate:resolver

  

crate:resolver

  

crate:rustls

  

crate:server

  

crate:util

  

dependencies

  

docs

  

duplicate

  

easy

  

easy

  

enhance

  

enhance

  

enhance

  

feature:dns-over-https

  

feature:dns-over-quic

  

feature:dns-over-tls

  

feature:dnsssec

  

feature:global_lb

  

feature:mdns

  

feature:tsig

  

features:edns

  

has workaround

  

ops

  

perf

  

platform:WASM

  

platform:android

  

platform:fuchsia

  

platform:linux

  

platform:macos

  

platform:windows

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

test

  

tools

  

tools

  

trust

  

unclear

  

wontfix

No labels

blocked

breaking-change

bug

bug:critical

bug:tests

cleanup

compliance

compliance

compliance

crate:all

crate:client

crate:native-tls

crate:proto

crate:recursor

crate:resolver

crate:resolver

crate:rustls

crate:server

crate:util

dependencies

docs

duplicate

easy

easy

enhance

enhance

enhance

feature:dns-over-https

feature:dns-over-quic

feature:dns-over-tls

feature:dnsssec

feature:global_lb

feature:mdns

feature:tsig

features:edns

has workaround

ops

perf

platform:WASM

platform:android

platform:fuchsia

platform:linux

platform:macos

platform:windows

pull-request

question

test

tools

tools

trust

unclear

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/hickory-dns#285

No description provided.