[PR #3070] [MERGED] hickory-dns: implement RFC 5001 NSID for auth. server #3539

Closed
opened 2026-03-16 11:49:04 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/3070
Author: @cpu
Created: 6/19/2025
Status: Merged
Merged: 6/20/2025
Merged by: @djc

Base: main ← Head: cpu-nsid_dev


📝 Commits (6)

  • 1df6c21 proto/rr: add EdnsOption::NSID
  • 4b924a9 server/authority: inline send_response helper
  • 37087a1 server/authority: response EDNS as MessageResponseBuilder arg
  • a8f6eb8 tests/integration: rm superfluous Query type annotation
  • 73687e7 server/authority: process EDNS NSID request
  • 5e87d03 hickory-dns: add --nsid and --nsid-hostname args

📊 Changes

9 files changed (+385 additions, -101 deletions)

📝 Cargo.lock (+24 -5)
📝 Cargo.toml (+2 -0)
📝 bin/Cargo.toml (+2 -0)
📝 bin/src/hickory-dns.rs (+67 -0)
📝 crates/proto/src/rr/rdata/opt.rs (+65 -1)
📝 crates/server/src/authority/catalog.rs (+80 -80)
📝 crates/server/src/authority/message_response.rs (+5 -4)
📝 crates/server/src/server/mod.rs (+1 -1)
📝 tests/integration-tests/tests/integration/catalog_tests.rs (+139 -10)

📄 Description

RFC 5001 "DNS Name Server Identifier (NSID) Option" specifies a mechanism where clients can ask an authoritative or recursive server to include an identifier for the server that processed the request in the generated response.

Clients opt-in via sending an NSID EDNS option (0x03) with an empty value in outbound requests, and if the processing server has an NSID it includes EDNS data in the response with the same NSID EDNS option, but using the unstructured binary identifier as the option value. This can be helpful information when using DNS anycast, load balancing, or some other configuration that means it's not trivial to know ahead of time which particular nameserver handled a request.

This branch implements NSID support for the hickory-dns authoritative server binary. The nameserver ID can be set in two ways:

  • Using --nsid-hostname to use the system hostname as the identifier
  • Using --nsid <value> to use a specific identifier value, e.g. --nsid HickoryDNS

Since the NSID payload is arbitrary binary data, the --nsid <value> argument can be prefixed with 0x to treat it as hex encoded data (e.g. --nsid 0xC0FFEE).

By default, no NSID is configured, matching the status quo. Some nameservers (e.g. knot) default to --nsid-hostname unless NSID is specifically disabled, but to me this seems like a risky default and so I've made it opt-in. Happy to revisit if folks disagree.

Examples

Using a string NSID:

Running with hickory-dns --config config.toml --zonedir . --port 5454 --nsid "Hello World!":

```
$ dig -p5454 +nsid @localhost example.com | grep NSID
; NSID: 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 ("Hello World!")
```

Using a hex NSID:

Running with hickory-dns --config config.toml --zonedir . --port 5454 --nsid "0xC0FFEE":

```
$ dig -p5454 +nsid @localhost example.com | grep NSID
; NSID: c0 ff ee ("...")
```

Using the hostname as NSID:

Running with hickory-dns --config config.toml --zonedir . --port 5454 --nsid-hostname:

```
$ hostname
noire

$ dig -p5454 +nsid @localhost example.com | grep NSID
; NSID: 6e 6f 69 72 65 ("noire")
```

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
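
The NSID exchange and the `--nsid` value handling described in the PR above, as an added Rust sketch using only the standard library; it is not code from the PR or from hickory-dns. The function names and the rejection of empty, odd-length or non-hex values are assumptions of this example.

```rust
const NSID: u16 = 3; // EDNS option code for NSID (RFC 5001)

/// Parse an `--nsid` style value: a "0x" prefix means hex, anything else is raw bytes.
/// Assumption of this sketch: empty, odd-length or non-hex input is rejected.
fn parse_nsid_arg(arg: &str) -> Result<Vec<u8>, String> {
    let bytes: Vec<u8> = match arg.strip_prefix("0x") {
        None => arg.as_bytes().to_vec(),
        Some(h) if h.len() % 2 == 0 && h.bytes().all(|b| b.is_ascii_hexdigit()) => {
            let nib = |b: u8| (b as char).to_digit(16).unwrap() as u8; // validated above
            h.as_bytes().chunks(2).map(|p| nib(p[0]) << 4 | nib(p[1])).collect()
        }
        Some(_) => return Err("hex value needs an even number of hex digits".into()),
    };
    match bytes.len() {
        1..=65535 => Ok(bytes), // OPTION-LENGTH is a 16-bit field
        _ => Err("NSID must be 1..=65535 bytes".into()),
    }
}

/// Encode one EDNS option: OPTION-CODE and OPTION-LENGTH as big-endian u16, then data.
fn encode_option(code: u16, data: &[u8]) -> Vec<u8> {
    let len = data.len() as u16; // caller keeps data within 65535 bytes
    [&code.to_be_bytes()[..], &len.to_be_bytes()[..], data].concat()
}

/// Walk OPT RDATA and return the NSID payload; None if absent or if an option is truncated.
fn find_nsid(mut rdata: &[u8]) -> Option<&[u8]> {
    while rdata.len() >= 4 {
        let code = u16::from_be_bytes([rdata[0], rdata[1]]);
        let len = u16::from_be_bytes([rdata[2], rdata[3]]) as usize;
        let data = rdata.get(4..4 + len)?; // declared length runs past the buffer
        if code == NSID {
            return Some(data);
        }
        rdata = &rdata[4 + len..];
    }
    None
}

/// Server side: emit the identifier only if the client asked and one is configured.
fn nsid_response(request_opt: &[u8], configured: Option<&[u8]>) -> Option<Vec<u8>> {
    find_nsid(request_opt)?;
    configured.map(|id| encode_option(NSID, id))
}

fn main() {
    let id = parse_nsid_arg("0xC0FFEE").unwrap();
    let query = encode_option(NSID, &[]); // constructed client request: empty NSID value
    println!("{:02x?}", nsid_response(&query, Some(&id[..])));
}
```

With no identifier configured, `nsid_response` returns `None` even when the client asks, which mirrors the opt-in default the description argues for.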
