dnsop                                                          W. Kumari
Internet-Draft                                                    Google
Intended status: Standards Track                                  Z. Yan
Expires: July 15, 2015                                             CNNIC
                                                             W. Hardaker
                                                           Parsons, Inc.
                                                        January 11, 2015

              Returning multiple answers in a DNS response.
               draft-wkumari-dnsop-multiple-responses-00

Abstract

   This document (re)introduces the ability to provide multiple answers
   in a DNS response.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 15, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements notation
   2.  Background
   3.  Terminology
   4.  Returning multiple answers
   5.  Additional records pseudo-RR
   6.  Signalling support
   7.  Use of Additional information
   8.  IANA Considerations
   9.  Security Considerations
   10. Acknowledgements
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Changes / Author Notes.
   Authors' Addresses

1.  Introduction

   Often the name being resolved in the DNS provides information about
   why the name is being resolved, allowing the authoritative name
   server operator to predict what other answers the client will soon
   query for.  By providing multiple answers in the response, the
   authoritative name server operator can ensure that the recursive
   server that the client is using has all the answers in its cache.

   For example, the name server operator of Example Widgets, Inc
   (example.com) knows that the example.com web page at www.example.com
   contains various resources, including some images (served from
   images.example.com), some Cascading Style Sheets (served from
   css.example.com) and some JavaScript (data.example.com).  A client
   attempting to resolve www.example.com is very likely to be a web
   browser, rendering the page, and so will need to also resolve all of
   the other names for these other resources.  Providing all of these
   answers in response to a query for www.example.com allows the
   recursive server to populate its cache and have all of the answers
   available when the client asks for them.
   Other examples where this technique is useful include SMTP (including
   the mail server address when serving the MX record), SRV (providing
   the target information in addition to the SRV response) and TLSA
   (providing any TLSA records associated with a name).

   This is purely an optimization: by providing all of the other,
   related answers that the client is likely to need along with the
   answer that they requested, users get a better experience, iterative
   servers need to perform fewer queries, authoritative servers have to
   answer fewer queries, etc.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Background

   The existing DNS specifications allow for additional information to
   be included in the "additional" section of the DNS response, but in
   order to defeat cache poisoning attacks most implementations either
   ignore or don't trust additional information (other than for "glue").
   For some more background, see [Ref.Bellovin], [RFC1034], [RFC2181].

   Not trusting the information in the additional section was necessary
   because there was no way to authenticate it.  If you queried for
   www.example.com and got back answers for www.invalid.com you couldn't
   tell if these were actually from invalid.com or if an attacker was
   trying to get bad information for invalid.com into your cache.  In a
   world of ubiquitous DNSSEC deployment [Ed note: By the time this
   document is published, there *will* be ubiquitous DNSSEC :-) ] the
   iterative server can validate the information and trust it.

3.  Terminology

   Additional records  Additional records are records that the
      authoritative nameserver has included in the Additional section.
   Primary query  A Primary query (or primary question) is a QNAME that
      the name server operator would like to return additional answers
      for.

   Supporting information  Supporting information is the DNSSEC RRSIGs
      that prove the authenticity of the Additional records.

4.  Returning multiple answers

   The authoritative nameserver should include as many of the instructed
   Additional records and Supporting information as will fit in the
   response packet.

   In order to include Additional records in a response, certain
   conditions need to be met.  [Ed note: Some discussion on each rule is
   below]

   1.  Additional records MUST only be included when the primary name is
       DNSSEC secured.

   2.  Additional records MUST only be served over TCP connections.
       This is to mitigate Denial of Service reflection attacks. [1]

   3.  Additional records MUST be leaf records at the same node in the
       DNS tree. [2]

   4.  The DNSSEC supporting information must be included.  This is the
       RRSIGs required to validate the Additional record information.

   5.  All of the records MUST be signed with the same DNSSEC keys.

   6.  The authoritative nameserver SHOULD include as many of the
       additional records as will fit in the response.  Each Additional
       record MUST have its matching Supporting information.  Additional
       records MUST be inserted in the order specified in the Additional
       records list.

   7.  Operators SHOULD only include Additional answers that they expect
       a client to actually need. [3]

   [Ed note 1: The above MAY be troll bait.  I'm not really sure if this
   is a good idea or not - moving folk towards TCP is probably a good
   idea, and this is somewhat of an optional record type.  Then again,
   special handling (TCP only) for a record would be unusual.  Additional
   records could cause responses to become really large, but there are
   already enough large records that can be used for reflection attacks
   that we can just give up on the whole "keep responses as small as
   possible" ship. ]

   [Ed note 2: This is poorly worded.  I mumbled about bailiwick,
   subdomains, etc but nothing I could come up with was better.  Also,
   is this rule actually needed?  I *think* it would be bad for .com
   servers to be able to include Additional records for
   www.foo.bar.baz.example.com, but perhaps public-suffix-list?!  This
   rule also makes it easier to decide what all DNSSEC information is
   required.]

   [Ed note 3: This is not enforceable. ]

5.  Additional records pseudo-RR

   To allow the authoritative nameserver operator to configure what
   additional records to serve when it receives a query to a label, we
   introduce the Additional pseudo Resource Record (RR).  This is a
   pseudo-record as it provides instruction to the authoritative
   nameserver, and does not appear on the wire.  [Ed note: I had
   originally considered a comment, or some sort of format where we
   listed additional records under the primary one, but we a: wanted it
   to survive zone transfers, and b: not trip up zone file parsers. ]

   The format of the Additional pseudo-RR is:

      label ADD "label,type; label,type; label,type; ..."

   For example, if the operator of example.com would like to also return
   A record answers for images.example.com, css.example.com and both an
   A and AAAA for data.example.com when queried for www.example.com he
   would enter:

      www ADD "images,A; css,A; data,A; data,AAAA;"

   The entries in the ADD list are ordered.  An authoritative nameserver
   MUST attempt to insert the records in the order listed when filling
   the response packet.  This is to allow the operator to express a
   preference in case all the records do not fit.
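   One way an authoritative server could act on the ADD pseudo-RR, as an
   added example that is not the draft's own code: it parses the ADD
   rdata of Section 5 and fills the Additional section in the listed
   order under the conditions of Section 4 (rules 1, 2 and 6).  The zone
   data, RRset and RRSIG sizes and the byte budget are constructed.

```python
# Added example, not from the draft: parse the ADD pseudo-RR rdata of
# Section 5 and fill the Additional section in the listed order under the
# conditions of Section 4 (rules 1, 2 and 6). All sizes are constructed.

def parse_add_rr(rdata):
    """Parse 'label,type; label,type; ...' into an ordered list of tuples."""
    entries = []
    for item in rdata.split(";"):
        item = item.strip()
        if not item:
            continue                      # tolerates the trailing ';'
        label, rtype = (p.strip() for p in item.split(",", 1))
        entries.append((label, rtype.upper()))
    return entries

def fill_additional(zone, add_rdata, rrsets, budget, over_tcp, primary_secure):
    """Return the (owner, type) keys to place in the Additional section.
    rrsets maps (owner, type) -> (RRset bytes, RRSIG bytes). Entries are
    tried strictly in ADD order; filling stops at the first RRset whose
    size plus its RRSIG no longer fits, so the operator's preference wins."""
    if not (over_tcp and primary_secure):
        return []                         # rules 1 and 2: send nothing
    chosen = []
    for label, rtype in parse_add_rr(add_rdata):
        key = (label + "." + zone, rtype)
        if key not in rrsets:
            continue                      # dangling ADD entry: no data, no RRSIG
        rrset_len, rrsig_len = rrsets[key]
        if rrset_len + rrsig_len > budget:
            break                         # rule 6: RRset and RRSIG go together
        budget -= rrset_len + rrsig_len
        chosen.append(key)
    return chosen

# Constructed data for the www.example.com example of Section 5.
ZONE = "example.com"
ADD_RDATA = "images,A; css,A; data,A; data,AAAA;"
RRSETS = {
    ("images.example.com", "A"):  (40, 110),
    ("css.example.com", "A"):     (40, 110),
    ("data.example.com", "A"):    (40, 110),
    ("data.example.com", "AAAA"): (52, 110),
}

if __name__ == "__main__":
    print(parse_add_rr(ADD_RDATA))
    # A 320-byte budget has room for the first two RRsets (150 bytes each).
    print(fill_additional(ZONE, ADD_RDATA, RRSETS, 320, True, True))
```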
   The TTL of the records added to the Additional section is the same
   as if they were queried directly.

   In some cases the operator might not really know what all additional
   records clients need.  For example, the owner of www.example.com may
   have outsourced his DNS operations to a third party.  The DNS
   operator may be able to mine their query logs, and see that, in a
   large majority of cases, a recursive server asks for foo.example.com
   and then very soon after asks for bar.example.com, and so may decide
   to optimize this by opportunistically returning bar when queried for
   foo.  This functionality could also be included in the authoritative
   name server software itself, but discussions of these are outside the
   scope of this document.

6.  Signalling support

   Iterative nameservers that support Additional records signal this by
   setting the Z bit (bit 25 of the DNS header).

   [RFC5395] Section 2.1 says:

      There have been ancient DNS implementations for which the Z bit
      being on in a query meant that only a response from the primary
      server for a zone is acceptable.  It is believed that current
      DNS implementations ignore this bit.

   Assigning a meaning to the Z bit requires an IETF Standards Action.

   [ Ed note: Hey, was worth a try :-) I'm fine with an EDNS0 bit
   instead... ]

7.  Use of Additional information

   When receiving Additional information, an iterative server follows
   certain rules:

   1.  Additional records MUST be validated before being used.

   2.  Additional records SHOULD be annotated in the cache as having
       been received as Additional records.

   3.  Additional records SHOULD have lower priority in the cache than
       answers received because they were requested.  This is to help
       evict Additional records from the cache first, and help stop
       cache filling attacks.

   4.  Iterative servers MAY choose to ignore Additional records for any
       reason, including CPU or cache space concerns, phase of the moon,
       etc.  They may choose to accept all, some or none of the
       Additional records.

8.  IANA Considerations

   This document contains no IANA considerations.  Template: Fill this
   in!

9.  Security Considerations

   Additional records will make DNS responses even larger than they are
   currently, leading to more large records that can be used for DNS
   reflection attacks.  We mitigate this by only serving these over TCP.

   A malicious authoritative server could include a large number of
   Additional records (and associated DNSSEC information) and attempt to
   DoS the recursive by making it do lots of DNSSEC validation.  I don't
   view this as a very serious threat (CPU for validation is cheap
   compared to bandwidth), but we mitigate this by allowing the
   iterative to ignore Additional records whenever it wants.

   By requiring that ALL of the Additional records are signed, and that
   all necessary DNSSEC information for validation be included, we avoid
   cache poisoning (I hope :-)).

10.  Acknowledgements

   The authors wish to thank some folk.

11.  References

11.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

   [RFC5395]  Eastlake, D., "Domain Name System (DNS) IANA
              Considerations", RFC 5395, November 2008.

   [Ref.Bellovin]
              Bellovin, S., "Using the Domain Name System for System
              Break-Ins", 1995.

11.2.  Informative References

   [I-D.ietf-sidr-iana-objects]
              Manderson, T., Vegoda, L., and S. Kent, "RPKI Objects
              issued by IANA", draft-ietf-sidr-iana-objects-03 (work in
              progress), May 2011.

Appendix A.  Changes / Author Notes.

   [RFC Editor: Please remove this section before publication ]

   From -00 to -01.

   o  Nothing changed in the template!

Authors' Addresses

   Warren Kumari
   Google
   1600 Amphitheatre Parkway
   Mountain View, CA 94043
   US

   Email: warren@kumari.net

   Zhiwei Yan
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing 100190
   P. R. China

   Email: yanzhiwei@cnnic.cn

   Wes Hardaker
   Parsons, Inc.
   P.O. Box 382
   Davis, CA 95617
   US

   Email: ietf@hardakers.net
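   The iterative-server side of Sections 6 and 7, as an added example
   that is not part of the draft: a query header that signals support by
   setting the Z bit the draft specifies, and a small cache that tags
   Additional records and evicts them before requested answers (rules 1
   to 3 of Section 7).  Names, addresses and the cache capacity are
   constructed.

```python
# Added example, not from the draft: the iterative-server side. A query
# header that signals support with the Z bit (Section 6) and a small cache
# that tags Additional records and evicts them before requested answers
# (Section 7, rules 1 to 3). Names, addresses and capacity are constructed.
import struct

RD_BIT = 0x0100   # recursion desired
Z_BIT = 0x0040    # bit 25 of the header, i.e. bit 9 of the 16-bit flags word

def build_query_header(txid, qdcount=1, signal_additional=True):
    """Pack the 12-byte DNS header; Z is set when Additional records are accepted."""
    flags = RD_BIT | (Z_BIT if signal_additional else 0)
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)

def header_bit(header, n):
    """Bit n of the header, counting from 0 at the first bit of the ID field."""
    return (header[n // 8] >> (7 - n % 8)) & 1

def query_accepts_additional(header):
    """Authoritative side: should this query get Additional records at all?"""
    return bool(struct.unpack("!H", header[2:4])[0] & Z_BIT)

class IterativeCache:
    """Cache keyed by (name, type); entries remember whether they arrived
    as Additional records so those can be evicted first."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}                      # insertion order doubles as age

    def store(self, name, rtype, rdata, validated, additional=False):
        if additional and not validated:
            return False                       # rule 1: never cache unvalidated extras
        if len(self.entries) >= self.capacity:
            self.evict_one()
        self.entries[(name, rtype)] = {"rdata": rdata, "additional": additional}
        return True                            # rule 2: annotation kept with the entry

    def evict_one(self):
        # Rule 3: Additional records leave first; among equals, the oldest.
        order = list(self.entries)
        victim = min(order, key=lambda k: (not self.entries[k]["additional"],
                                           order.index(k)))
        del self.entries[victim]
        return victim

    def lookup(self, name, rtype):
        entry = self.entries.get((name, rtype))
        return None if entry is None else entry["rdata"]
```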