Raw data format for resource records.

Type alias for resource records in the answer section.

Type alias for resource records in the answer section.

Type for resource records in the additional section.

This type holds the presentation form of fully-qualified DNS domain names encoded as ASCII A-labels, with '.' separators between labels. Non-printing characters are escaped as \DDD (a backslash, followed by three decimal digits). The special characters: ", $, (, ), ;, @, and \ are escaped by prepending a backslash. The trailing '.' is optional on input, but is recommended, and is always added when decoding from wire form.

The encoding of domain names to wire form, e.g. for transmission in a query, requires the input encodings to be valid, otherwise a DecodeError may be thrown. Domain names received in wire form in DNS messages are escaped to this presentation form as part of decoding the DNSMessage.

This form is ASCII-only. Any conversion between A-label ByteStrings, and U-label Text happens at whatever layer maps user input to DNS names, or presents friendly DNS names to the user. Not all users can read all scripts, and applications that default to U-label form should ideally give the user a choice to see the A-label form. Examples:

www.example.org.           -- Ordinary DNS name.
_25._tcp.mx1.example.net.  -- TLSA RR initial labels have _ prefixes.
\001.exotic.example.       -- First label is Ctrl-A!
just\.one\.label.example.  -- First label is "just.one.label"

Resource record class.

Resource record class for the Internet.

Time to live in second.

Types for resource records.

From type to number.

From number to type.

Raw data format for each type.

RRSIG representation.

As noted in Section 3.1.5 of RFC 4034 the RRsig inception and expiration times use serial number arithmetic. As a result these timestamps are not pure values, their meaning is time-dependent! They depend on the present time and are both at most approximately +/-68 years from the present. This ambiguity is not a problem because cached RRSIG records should only persist a few days, signature lifetimes should be *much* shorter than 68 years, and key rotation should result any misconstrued 136-year-old signatures fail to validate. This also means that the interpretation of a time that is exactly half-way around the clock at now +/-0x80000000 is not important, the signature should never be valid.

The upshot for us is that we need to convert these *impure* relative values to pure absolute values at the moment they are received from from the network (or read from files, ... in some impure I/O context), and convert them back to 32-bit values when encoding. Therefore, the constructor takes absolute 64-bit representations of the inception and expiration times.

The dnsTime function performs the requisite conversion.

Given a 32-bit circle-arithmetic DNS time, and the current absolute epoch time, return the epoch time corresponding to the DNS timestamp.

DNS message format for queries and replies.

Construct a complete query DNSMessage, by combining the defaultQuery template with the specified Identifier, and Question. The QueryControls can be mempty to leave all header and EDNS settings at their default values, or some combination of overrides. A default set of overrides can be enabled via the resolvQueryControls field of ResolvConf. Per-query overrides are possible by using loookupRawCtl.

A query template with QueryControls overrides applied, with just the Question and query Identifier remaining to be filled in.

A DNSMessage template for queries with default settings for the message DNSHeader and EDNSheader. This is the initial query message state, before customization via QueryControls.

Query controls form a Monoid, as with function composition, the left-most value has the last say. The Monoid is generated by two sets of combinators, one that controls query-related DNS header flags, and another that controls EDNS features.

The header flag controls are: rdFlag, adFlag and cdFlag.

The EDNS feature controls are: doFlag, ednsEnabled, ednsSetVersion, ednsSetUdpSize and ednsSetOptions. When EDNS is disabled, all the other EDNS-related controls have no effect.

Example: Disable DNSSEC checking on the server, and request signatures and NSEC records, perhaps for your own independent validation. The UDP buffer size is set large, for use with a local loopback nameserver on the same host.

>>> :{
mconcat [ adFlag FlagClear
        , cdFlag FlagSet
        , doFlag FlagSet
        , ednsSetUdpSize (Just 8192) -- IPv4 loopback server?
        ]
:}
ad:0,cd:1,edns.udpsize:8192,edns.dobit:1

Example: Use EDNS version 1 (yet to be specified), request nameserver ids from the server, and indicate a client subnet of "192.0.2.1/24".

>>> :set -XOverloadedStrings
>>> let emptyNSID = ""
>>> let mask = 24
>>> let ipaddr = read "192.0.2.1"
>>> :{
mconcat [ ednsSetVersion (Just 1)
        , ednsSetOptions (ODataAdd [OD_NSID emptyNSID])
        , ednsSetOptions (ODataAdd [OD_ClientSubnet mask 0 ipaddr])
        ]
:}
edns.version:1,edns.options:[NSID,ClientSubnet]

Generator of QueryControls that adjusts the RD bit.

>>> rdFlag FlagClear
rd:0

Generator of QueryControls that adjusts the AD bit.

>>> adFlag FlagSet
ad:1

Generator of QueryControls that adjusts the CD bit.

>>> cdFlag FlagSet
cd:1

Generator of QueryControls that adjusts the EDNS DnssecOk (DO) bit.

>>> doFlag FlagSet
edns.dobit:1

Generator of QueryControls that enables or disables EDNS support. When EDNS is disabled, the rest of the EDNS controls are ignored.

>>> ednsHeader $ makeEmptyQuery $ ednsEnabled FlagClear <> doFlag FlagSet
NoEDNS

Generator of QueryControls that adjusts the EDNS version. A value of Nothing makes no changes, while Just v sets the EDNS version to v.

>>> ednsSetVersion (Just 1)
edns.version:1

Generator of QueryControls that adjusts the EDNS UDP buffer size. A value of Nothing makes no changes, while Just n sets the EDNS UDP buffer size to n.

>>> ednsSetUdpSize (Just 2048)
edns.udpsize:2048

Generator of QueryControls that adjusts the list of EDNS options.

>>> :set -XOverloadedStrings
>>> ednsSetOptions (ODataAdd [OD_NSID ""])
edns.options:[NSID]

Boolean flag operations. These form a Monoid. When combined via mappend, as with function composition, the left-most value has the last say.

>>> mempty :: FlagOp
FlagKeep
>>> FlagSet <> mempty
FlagSet
>>> FlagClear <> FlagSet <> mempty
FlagClear
>>> FlagReset <> FlagClear <> FlagSet <> mempty
FlagReset

The default EDNS Option list is empty. We define two operations, one to prepend a list of options, and another to set a specific list of options.

Default response. When responding to EDNS queries, the response must either be an EDNS response, or else FormatErr must be returned. The default response message has EDNS disabled (ednsHeader set to NoEDNS), it should be updated as appropriate.

Do not explicitly add OPT RRs to the additional section, instead let the encoder compute and add the OPT record based on the EDNS pseudo-header.

The RCODE in the DNSHeader should be set to the appropriate 12-bit extended value, which will be split between the primary header and EDNS OPT record during message encoding (low 4 bits in DNS header, high 8 bits in EDNS OPT record). See EDNSheader for more details.

Construct a query response DNSMessage.

Raw data format for the header of DNS Query and Response.

An identifier assigned by the program that generates any kind of query.

Raw data format for the flags of DNS Query and Response.

Query or response.

Default DNSFlags record suitable for making recursive queries. By default the RD bit is set, and the AD and CD bits are cleared.

Kind of query.

Convert the internal representation of a DNS OPCODE to its 16-bit numeric value.

Convert a 16-bit DNS OPCODE number to its internal representation

EDNS extended 12-bit response code. Non-EDNS messages use only the low 4 bits. With EDNS this stores the combined error code from the DNS header and and the EDNS psuedo-header. See EDNSheader for more detail.

Convert an RCODE to its numeric value.

Convert a numeric value to a corresponding RCODE. The behaviour is undefined for values outside the range [0 .. 0xFFF] since the EDNS extended RCODE is a 12-bit value. Values in the range [0xF01 .. 0xFFF] are reserved for private use.

Data type representing the optional EDNS pseudo-header of a DNSMessage When a single well-formed OPT ResourceRecord was present in the message's additional section, it is decoded to an EDNS record and and stored in the message ednsHeader field. The corresponding OPT RR is then removed from the additional section.

When the constructor is NoEDNS, no EDNS OPT record was present in the message additional section. When InvalidEDNS, the message holds either a malformed OPT record or more than one OPT record, which can still be found in (have not been removed from) the message additional section.

The EDNS OPT record augments the message error status with an 8-bit field that forms 12-bit extended RCODE when combined with the 4-bit RCODE from the unextended DNS header. In EDNS messages it is essential to not use just the bare 4-bit RCODE from the original DNS header. Therefore, in order to avoid potential misinterpretation of the response RCODE, when the OPT record is decoded, the upper eight bits of the error status are automatically combined with the rcode of the message header, so that there is only one place in which to find the full 12-bit result. Therefore, the decoded EDNS pseudo-header, does not hold any error status bits.

The reverse process occurs when encoding messages. The low four bits of the message header rcode are encoded into the wire-form DNS header, while the upper eight bits are encoded as part of the OPT record. In DNS responses with an rcode larger than 15, EDNS extensions SHOULD be enabled by providing a value for ednsHeader with a constructor of EDNSheader. If EDNS is not enabled in such a message, in order to avoid truncation of RCODE values that don't fit in the non-extended DNS header, the encoded wire-form RCODE is set to FormatErr.

When encoding messages for transmission, the ednsHeader is used to generate the additional OPT record. Do not add explicit OPT records to the aditional section, configure EDNS via the EDNSheader instead.

>>> let getopts eh = mapEDNS eh ednsOptions []
>>> let optsin     = [OD_ClientSubnet 24 0 $ read "192.0.2.1"]
>>> let masked     = [OD_ClientSubnet 24 0 $ read "192.0.2.0"]
>>> let message    = makeEmptyQuery $ ednsSetOptions $ ODataSet optsin
>>> let optsout    = getopts. ednsHeader <$> (decode $ encode message)
>>> optsout       == Right masked
True

Return the second argument for EDNS messages, otherwise the third.

Return the output of a function applied to the EDNS pseudo-header if EDNS is enabled, otherwise return a default value.

EDNS information defined in RFC 6891.

The default EDNS pseudo-header for queries. The UDP buffer size is set to 1216 bytes, which should result in replies that fit into the 1280 byte IPv6 minimum MTU. Since IPv6 only supports fragmentation at the source, and even then not all gateways forward IPv6 pre-fragmented IPv6 packets, it is best to keep DNS packet sizes below this limit when using IPv6 nameservers. A larger value may be practical when using IPv4 exclusively.

defaultEDNS = EDNS
    { ednsVersion = 0      -- The default EDNS version is 0
    , ednsUdpSize = 1232   -- IPv6-safe UDP MTU (RIPE recommendation)
    , ednsDnssecOk = False -- We don't do DNSSEC validation
    , ednsOptions = []     -- No EDNS options by default
    }

Maximum UDP size that can be advertised. If the ednsUdpSize of EDNS is larger, then this value is sent instead. This value is likely to work only for local nameservers on the loopback network. Servers may enforce a smaller limit.

>>> maxUdpSize
16384

Minimum UDP size to advertise. If ednsUdpSize of EDNS is smaller, then this value is sent instead.

>>> minUdpSize
512

RData formats for a few EDNS options, and an opaque catchall

EDNS Option Code (RFC 6891).

From option code to number.

From number to option code.

Raw data format for DNS questions.

An enumeration of all possible DNS errors that can occur.

Type for a mailbox encoded on the wire as a DNS name, but the first label is conceptually the local part of an email address, and may contain internal periods that are not label separators. Therefore, in mailboxes @ is used as the separator between the first and second labels, and any '.' characters in the first label are not escaped. The encoding is otherwise the same as Domain above. This is most commonly seen in the rname of SOA records, and is also employed in the mbox-dname field of RP records. On input, if there is no unescaped @ character in the Mailbox, it is reparsed with '.' as the first label separator. Thus the traditional format with all labels separated by dots is also accepted, but decoding from wire form always uses @ between the first label and the domain-part of the address. Examples:

hostmaster@example.org.  -- First label is simply hostmaster
john.smith@examle.com.   -- First label is john.smith