idnits 2.17.00 (12 Aug 2021)
/tmp/idnits46028/draft-ietf-dnsop-qname-minimisation-02.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
** The abstract seems to contain references
([I-D.ietf-dprive-problem-statement]), which it shouldn't. Please
replace those with straight textual mentions of the documents in question.
== There are 2 instances of lines with non-RFC2606-compliant FQDNs in the
document.
-- The document has examples using IPv4 documentation addresses according
to RFC6890, but does not use any IPv6 documentation addresses. Maybe
there should be IPv6 examples, too?
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (March 4, 2015) is 2635 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 355
-- Looks like a reference, but probably isn't: '2' on line 357
-- Looks like a reference, but probably isn't: '3' on line 360
== Outdated reference: draft-ietf-dprive-problem-statement has been
published as RFC 7626
-- Obsolete informational reference (is this intentional?): RFC 6982
(Obsoleted by RFC 7942)
== Outdated reference: A later version (-03) exists of
draft-wkumari-dnsop-hammer-01
Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 6 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Domain Name System Operations (dnsop) Working Group S. Bortzmeyer
3 Internet-Draft AFNIC
4 Intended status: Experimental March 4, 2015
5 Expires: September 5, 2015
7 DNS query name minimisation to improve privacy
8 draft-ietf-dnsop-qname-minimisation-02
10 Abstract
12 This document describes one of the techniques that could be used to
13 improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a
14 technique called "qname minimisation".
16 REMOVE BEFORE PUBLICATION Discussions of the document should take
17 place on the DNSOP working group mailing list [dnsop].
19 Status of This Memo
21 This Internet-Draft is submitted in full conformance with the
22 provisions of BCP 78 and BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF). Note that other groups may also distribute
26 working documents as Internet-Drafts. The list of current Internet-
27 Drafts is at http://datatracker.ietf.org/drafts/current/.
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 This Internet-Draft will expire on September 5, 2015.
36 Copyright Notice
38 Copyright (c) 2015 IETF Trust and the persons identified as the
39 document authors. All rights reserved.
41 This document is subject to BCP 78 and the IETF Trust's Legal
42 Provisions Relating to IETF Documents
43 (http://trustee.ietf.org/license-info) in effect on the date of
44 publication of this document. Please review these documents
45 carefully, as they describe your rights and restrictions with respect
46 to this document. Code Components extracted from this document must
47 include Simplified BSD License text as described in Section 4.e of
48 the Trust Legal Provisions and are provided without warranty as
49 described in the Simplified BSD License.
51 Table of Contents
53 1. Introduction and background . . . . . . . . . . . . . . . . . 2
54 2. Qname minimisation . . . . . . . . . . . . . . . . . . . . . 2
55 3. Operational considerations . . . . . . . . . . . . . . . . . 3
56 4. Performance implications . . . . . . . . . . . . . . . . . . 5
57 5. Security considerations . . . . . . . . . . . . . . . . . . . 6
58 6. Implementation status - REMOVE BEFORE PUBLICATION . . . . . . 6
59 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
60 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
61 8.1. Normative References . . . . . . . . . . . . . . . . . . 7
62 8.2. Informative References . . . . . . . . . . . . . . . . . 7
63 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 8
64 Appendix A. An algorithm to find the zone cut . . . . . . . . . 8
65 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9
67 1. Introduction and background
69 The problem statement is exposed in
70 [I-D.ietf-dprive-problem-statement] TODO: add a reference to the
71 specific section when ietf-dprive-problem-statement will be published
72 as RFC. The terminology ("qname", "resolver", etc) is also defined
73 in this companion document. This specific solution is not intended
74 to fully solve the DNS privacy problem; instead, it should be viewed
75 as one tool amongst many.
77 It follows the principle explained in section 6.1 of [RFC6973]: the
78 less data you send out, the fewer privacy problems you'll get.
80 2. Qname minimisation
82 The idea is to minimise the amount of data sent from the DNS
83 resolver. Under current practice, when a resolver receives the query
84 "What is the AAAA record for www.example.com?", it sends to the root
85 (assuming a cold resolver, whose cache is empty) the very same
86 question. Sending "What are the NS records for .com?" would be
87 sufficient (since it will be the answer from the root anyway). This
88 is compatible with the current DNS system and therefore can easily be
89 deployed; since it is a unilateral change to the resolver, it does
90 not change the protocol. Because of that, resolver implementers may
91 do qname minmisation in slightly different ways.
93 To do such minimisation, the resolver needs to know the zone cut
94 [RFC2181]. Zone cuts do not necessarily exist at every label
95 boundary. If we take the name www.foo.bar.example, it is possible
96 that there is a zone cut between "foo" and "bar" but not between
97 "bar" and "example". So, assuming the resolver already knows the
98 name servers of .example, when it receives the query "What is the
99 AAAA record of www.foo.bar.example", it does not always know whether
100 the request should be sent to the name servers of bar.example or to
101 those of example. [RFC2181] suggests a method to find the zone cut
102 (section 6), so resolvers may try it.
104 Note that DNSSEC-validating resolvers already have access to this
105 information, since they have to find the zone cut (the DNSKEY record
106 set is just below, the DS record set just above).
108 One should note that the behaviour suggested here (minimising the
109 amount of data sent in qnames from the resolver) is NOT forbidden by
110 the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). Sending
111 the full qname to the authoritative name server is a tradition, not a
112 protocol requirement. This tradition comes[mockapetris-history] from
113 a desire to optimize the number of requests, when the same name
114 server is authoritative for many zones in a given name (something
115 which was more common in the old days, where the same name servers
116 served .com and the root) or when the same name server is both
117 recursive and authoritative (something which is strongly discouraged
118 now). Whatever the merits of this choice at this time, the DNS is
119 quite different now.
121 It may be noticed that many documents explaining the DNS and intended
122 for a wide audience, incorrectly describe the resolution process as
123 using qname minimisation, for instance by showing a request going to
124 the root, with just the TLD in the query. As a result, these
125 documents may confuse the privacy analysis of the users who see them.
127 As mentioned before, there are several ways to implement qname
128 minimisation. Two main strategies are the aggressive one and the
129 lazy one. In the aggressive one, the resolver only sends NS queries
130 as long as it does not know the zone cuts. This is the safest, from
131 a privacy point of view. The lazy way "piggybacks" on the
132 traditional resolution code. It sends traditional full qnames and
133 learns the zone cuts from the referrals received, then switches to NS
134 queries asking only for the minimum domain name. This leaks more
135 data but probably requires fewer changes in the existing resolver
136 codebase.
138 3. Operational considerations
140 The administrators of the forwarders, and of the authoritative name
141 servers, will get less data, which will reduce the utility of the
142 statistics they can produce (such as the percentage of the various
143 qtypes). On the other hand, it may decrease their legal
144 responsibility in some jurisdictions. (TODO: do we keep any mention
145 of legal issues? We're not lawyers.)
147 Some broken name servers do not react properly to qtype=NS requests.
148 For instance, some authoritative name servers embedded in load
149 balancers reply properly to A queries but send REFUSED to NS queries.
150 REMOVE THIS SENTENCE BEFORE PUBLICATION: As an example of today, look
151 at www.ratp.fr (not ratp.fr). This behaviour is a gross protocol
152 violation, and there is no need to stop improving the DNS because of
153 such brokenness. However, qname minimisation may still work with
154 such domains since they are only leaf domains (no need to send them
155 NS requests). Such setup breaks more than just qname minimisation.
156 It breaks negative answers, since the servers don't return the
157 correct SOA, and it also breaks anything dependent upon NS and SOA
158 records existing at the top of the zone.
160 A problem can also appear when a name server does not react properly
161 to ENT (Empty Non-Terminals). If ent.example.com has no resource
162 records but foobar.ent.example.com does, then ent.example.com is an
163 ENT. A query, whatever the qtype, for ent.example.com must return
164 NODATA (NOERROR / ANSWER: 0). However, some broken name servers
165 return NXDOMAIN for ENTs. REMOVE THIS SENTENCE BEFORE PUBLICATION:
166 As an example of today, look at com.akadns.net or www.upenn.edu with
167 its delegations to Akamai. If a resolver queries only
168 foobar.ent.example.com, everything will be OK but, if it implements
169 qname minimisation, it may query ent.example.com and get a NXDOMAIN.
170 See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad
171 consequences of this brokenness.
173 Another way to deal with such broken name servers would be to try
174 with A requests (A being chosen because it is the most common and
175 hence a qtype which will be always accepted, while a qtype NS may
176 ruffle the feathers of some middleboxes). Instead of querying name
177 servers with a query "NS example.com", we could use "A _.example.com"
178 and see if we get a referral.
180 Other strange and illegal practices may pose a problem: there is a
181 common DNS anti-pattern used by low-end web hosters that also do DNS
182 hosting that exploits the fact that the DNS protocol (pre-DNSSEC)
183 allows certain serious misconfigurations, such as parent and child
184 zones disagreeing on the location of a zone cut. Basically, they
185 have a single zone with wildcards for each TLD like:
187 *.example. 60 IN A 192.0.2.6
189 (It is not known why they don't just wildcard all of "*." and be done
190 with it.)
191 This lets them turn up many web hosting customers without having to
192 configure thousands of individual zones on their nameservers. They
193 just tell the prospective customer to point their NS records at the
194 hoster's nameservers, and the Web hoster doesn't have to provision
195 anything in order to make the customer's domain resolve. NS queries
196 to the hoster will therefore do not give the right result, which may
197 endanger qname minimisation (it will be a problem for DNSSEC, too).
199 Qname minimisation can decrease performance in some cases, for
200 instance for a deep domain name (like
201 www.host.group.department.example.com where
202 host.group.department.example.com is hosted on example.com's name
203 servers). For such a name, a cold resolver will, depending how qname
204 minimisation is implemented, send more queries. Once the cache is
205 warm, there will be no difference with a traditional resolver. A
206 possible solution is to always use the traditional algorithm when the
207 cache is cold and then to move to qname minimisation. This will
208 decrease the privacy a bit but will guarantee no degradation of
209 performance.
211 Another useful optimisation may be, in the spirit of the HAMMER idea
212 [I-D.wkumari-dnsop-hammer] to probe in advance for the introduction
213 of zone cuts where none previously existed (i.e. confirm their
214 continued absence, or discover them.)
216 4. Performance implications
218 The main goal of qname minimisation is to improve privacy by sending
219 less data. However, it may have other advantages. For instance, if
220 a root name server receives a query from some resolver for A.CORP
221 followed by B.CORP followed by C.CORP, the result will be three
222 NXDOMAINs, since .CORP does not exist in the root zone. Under query
223 name minimisation, the root name servers would hear only one question
224 (for .CORP itself) to which they could answer NXDOMAIN, thus opening
225 up a negative caching opportunity in which the full resolver could
226 know a priori that neither B.CORP or C.CORP could exist. Thus in
227 this common case the total number of upstream queries under qname
228 minimisation would be counter-intuitively inferior to the number of
229 queries under the traditional iteration (as described in the DNS
230 standard).
232 Qname minimisation may also improve look-up performance for TLD
233 operators. For a typical TLD, delegation-only, and with delegations
234 just under the TLD, a 2-label QNAME query is optimal for finding the
235 delegation owner name.
237 5. Security considerations
239 Qname minimisation's benefits are clear in the case where you want to
240 decrease exposure to the authoritative name server. But minimising
241 the amount of data sent also, in part, addresses the case of a wire
242 sniffer as well the case of privacy invasion by the servers.
243 (Encryption is of course a better defense against wire sniffers but,
244 unlike qname minimisation, it changes the protocol and cannot be
245 deployed unilaterally.)
247 Qname minimisation offers zero protection against the recursive
248 resolver, which still sees the full request coming from the stub
249 resolver.
251 At this stage, this document does not recommend one of the two qname
252 minimisation approaches (aggressive or lazy) against the other.
254 No security consequence (besides privacy improvment) is known at this
255 time.
257 6. Implementation status - REMOVE BEFORE PUBLICATION
259 This section records the status of known implementations of the
260 protocol defined by this specification at the time of posting of this
261 Internet-Draft, and is based on a proposal described in [RFC6982].
262 The description of implementations in this section is intended to
263 assist the IETF in its decision processes in progressing drafts to
264 RFCs. Please note that the listing of any individual implementation
265 here does not imply endorsement by the IETF. Furthermore, no effort
266 has been spent to verify the information presented here that was
267 supplied by IETF contributors. This is not intended as, and must not
268 be construed to be, a catalog of available implementations or their
269 features. Readers are advised to note that other implementations may
270 exist.
272 According to [RFC6982], "this will allow reviewers and working groups
273 to assign due consideration to documents that have the benefit of
274 running code, which may serve as evidence of valuable experimentation
275 and feedback that have made the implemented protocols more mature.
276 It is up to the individual working groups to use this information as
277 they see fit".
279 As of today, no production resolver implements qname minimisation.
280 For Unbound, see ticket 648 [1].
282 The algorithm to find the zone cuts described in Appendix A is
283 implemented with qname minimisation in the sample code zonecut.go
285 [2]. It is also implemented, for a much longer time, in an option of
286 dig, "dig +trace", but without qname minimisation.
288 7. Acknowledgments
290 Thanks to Olaf Kolkman for the original idea although the concept is
291 probably much older [3]. Thanks to Mark Andrews and Francis Dupont
292 for the interesting discussions. Thanks to Brian Dickson, Warren
293 Kumari, Evan Hunt and David Conrad for remarks and suggestions.
294 Thanks to Mohsen Souissi for proofreading. Thanks to Tony Finch for
295 the zone cut algorithm in Appendix A. Thanks to Paul Vixie for
296 pointing out that there are practical advantages (besides privacy) to
297 qname minimisation. Thanks to Phillip Hallam-Baker for the fallback
298 on A queries, to deal with broken servers. Thanks to Robert Edmonds
299 for an interesting anti-pattern.
301 8. References
303 8.1. Normative References
305 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
306 STD 13, RFC 1034, November 1987.
308 [RFC1035] Mockapetris, P., "Domain names - implementation and
309 specification", STD 13, RFC 1035, November 1987.
311 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
312 Morris, J., Hansen, M., and R. Smith, "Privacy
313 Considerations for Internet Protocols", RFC 6973, July
314 2013.
316 [I-D.ietf-dprive-problem-statement]
317 Bortzmeyer, S., "DNS privacy considerations", draft-ietf-
318 dprive-problem-statement-01 (work in progress), January
319 2015.
321 8.2. Informative References
323 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
324 Specification", RFC 2181, July 1997.
326 [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
327 Code: The Implementation Status Section", RFC 6982, July
328 2013.
330 [I-D.wkumari-dnsop-hammer]
331 Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly
332 Automated Method for Maintaining Expiring Records", draft-
333 wkumari-dnsop-hammer-01 (work in progress), July 2014.
335 [I-D.vixie-dnsext-resimprove]
336 Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS
337 Resolvers for Resiliency, Robustness, and Responsiveness",
338 draft-vixie-dnsext-resimprove-00 (work in progress), June
339 2010.
341 [dnsop] IETF, , "The DNSOP working group of IETF", March 2014,
342 .
344 [mockapetris-history]
345 Mockapetris, P., "Private discussion", January 2015.
347 [kaliski-minimum]
348 Kaliski, B., "Minimum Disclosure: What Information Does a
349 Name Server Need to Do Its Job?", March 2015,
350 .
353 8.3. URIs
355 [1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=648
357 [2] https://github.com/bortzmeyer/my-IETF-work/blob/master/draft-
358 ietf-dnsop-qname-minimisation/zonecut.go
360 [3] https://lists.dns-oarc.net/pipermail/dns-
361 operations/2010-February/005003.html
363 Appendix A. An algorithm to find the zone cut
365 Although a validating resolver already has the logic to find the zone
366 cut, other resolvers may be interested by this algorithm to follow in
367 order to locate this cut:
369 (0) If the query can be answered from the cache, do so, otherwise
370 iterate as follows:
372 (1) Find closest enclosing NS RRset in your cache. The owner of
373 this NS RRset will be a suffix of the QNAME - the longest suffix
374 of any NS RRset in the cache. Call this PARENT.
376 (2) Initialize CHILD to the same as PARENT.
378 (3) If CHILD is the same as the QNAME, resolve the original query
379 using PARENT's name servers, and finish.
381 (4) Otherwise, add a label from the QNAME to the start of CHILD.
383 (5) If you have a negative cache entry for the NS RRset at CHILD,
384 go back to step 3.
386 (6) Query for CHILD IN NS using PARENT's name servers. The
387 response can be:
389 (6a) A referral. Cache the NS RRset from the authority section
390 and go back to step 1.
392 (6b) An authoritative answer. Cache the NS RRset from the
393 answer section and go back to step 1.
395 (6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response
396 to the original query and stop.
398 (6d) A NOERROR/NODATA answer. Cache this negative answer and
399 go back to step 3.
401 Author's Address
403 Stephane Bortzmeyer
404 AFNIC
405 1, rue Stephenson
406 Montigny-le-Bretonneux 78180
407 France
409 Phone: +33 1 39 30 83 46
410 Email: bortzmeyer+ietf@nic.fr
411 URI: http://www.afnic.fr/