idnits 2.17.00 (12 Aug 2021) /tmp/idnits7145/draft-wkumari-dnsop-multiple-responses-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 06, 2015) is 2511 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 154 -- Looks like a reference, but probably isn't: '2' on line 157 -- Looks like a reference, but probably isn't: '3' on line 175 == Unused Reference: 'RFC5395' is defined on line 323, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-sidr-iana-objects' is defined on line 333, but no explicit reference was found in the text ** Obsolete normative reference: RFC 5395 (Obsoleted by RFC 6195) == Outdated reference: draft-ietf-sidr-iana-objects has been published as RFC 6491 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Standards Track Z. Yan 5 Expires: January 07, 2016 CNNIC 6 W. Hardaker 7 Parsons, Inc. 8 July 06, 2015 10 Returning multiple answers in DNS responses. 11 draft-wkumari-dnsop-multiple-responses-01 13 Abstract 15 This document (re)introduces the ability to provide multiple answers 16 in a DNS response. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on January 07, 2016. 35 Copyright Notice 37 Copyright (c) 2015 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 54 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 4. Returning multiple answers . . . . . . . . . . . . . . . . . 3 57 5. Additional records pseudo-RR . . . . . . . . . . . . . . . . 5 58 5.1. File Format . . . . . . . . . . . . . . . . . . . . . . . 5 59 5.2. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 5 60 6. Signaling support . . . . . . . . . . . . . . . . . . . . . . 6 61 7. Stub-Resolver Considerations . . . . . . . . . . . . . . . . 6 62 8. Use of Additional information . . . . . . . . . . . . . . . . 6 63 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 64 10. Security Considerations . . . . . . . . . . . . . . . . . . . 7 65 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 66 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 67 12.1. Normative References . . . . . . . . . . . . . . . . . . 7 68 12.2. Informative References . . . . . . . . . . . . . . . . . 7 69 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 72 1. Introduction 74 Often the name being resolved in the DNS provides information about 75 why the name is being resolved, allowing the authoritative name 76 server operator to predict what other answers the client will soon 77 query for. By providing multiple answers in the response, an 78 authoritative name server operator can ensure that the recursive 79 server that the client is using has all the answers in its cache. 81 For example, the name server operator of Example Widgets, Inc 82 (example.com) knows that the example.com web page at www.example.com 83 contains various other resources, including some images (served from 84 images.example.com), some Cascading Style Sheets (served from 85 css.example.com) and some JavaScript (data.example.com). A client 86 attempting to resolve www.example.com is very likely to be a web 87 browser rendering the page and so will need to also resolve all of 88 the other names to obtain these other resources. Providing all of 89 these answers in response to a query for www.example.com allows the 90 recursive server to populate its cache and have all of the answers 91 available when the client asks for them. 93 Other examples where this technique is useful include SMTP (including 94 the mail server address when serving the MX record), SRV (providing 95 the target information in addition to the SRV response) and TLSA 96 (providing any TLSA records associated with a name). 98 This is purely an optimization - by providing all of other, related 99 answers that the client is likely to need along with the answer that 100 they requested, users get a better experience, iterative servers need 101 to perform less queries, authoritative servers have to answer fewer 102 queries, etc. 104 1.1. Requirements notation 106 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 107 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 108 document are to be interpreted as described in [RFC2119]. 110 2. Background 112 The existing DNS specifications allow for additional information to 113 be included in the "additional" section of the DNS response, but in 114 order to defeat cache poisoning attacks most implementations either 115 ignore or don't trust additional information (other than for "glue"). 116 For some more background, see [Ref.Bellovin], [RFC1034], [RFC2181]. 118 Not trusting the information in the additional section was necessary 119 because there was no way to authenticate it. If you queried for 120 www.example.com and got back answers for www.invalid.com you couldn't 121 tell if these were actually from invalid.com or if an attacker was 122 trying to get bad information for invalid.com into your cache. In a 123 world of ubiquitous DNSSEC deployment [Ed note: By the time this 124 document is published, there *will* be ubiquitous DNSSEC :-) ] the 125 iterative server can validate the information and trust it. 127 3. Terminology 129 Additional records Additional records are records that the 130 authoritative nameserver has included in the Additional section. 132 Primary query A Primary query (or primary question) is a QNAME that 133 the name server operator would like to return additional answers 134 for. 136 Supporting information Supporting information is the DNSSEC RRSIGs 137 that prove the authenticity of the Additional records. 139 4. Returning multiple answers 141 The authoritative nameserver should include as many of the instructed 142 Additional records and Supporting information as will fit in the 143 response packet. 145 In order to include Additional records in a response, certain 146 conditions need to be met. [Ed note: Some discussion on each rule is 147 below] 149 1. Additional records MUST only be included when the primary name 150 and each additional record are signed using DNSSEC "valid". 152 2. Additional records MUST only be served over TCP connections, or 153 when DNS Cookies [ToDo: Ref] are in use. This is to mitigate 154 Denial of Service reflection attacks.[1] 156 3. Additional records SHOULD be contained within the same zone as 157 the primary name[2], or MAY be additionally be contained within a 158 child zone for which the name server is authoritative for, 159 assuming all DNSSEC validation records required to validate the 160 child(ren) are included as well. Note that the DS record, and NS 161 and glue records for a child zone may be returned even when no 162 other additional data for the child will be included. 164 4. The DNSSEC supporting information necessary to perform validation 165 on the records must be included. I.E., the RRSIGs required to 166 validate the Additional record information must be included. 168 5. The authoritative nameserver SHOULD include as many of the 169 additional records as will fit in the response. Each Additional 170 record MUST have its matching Supporting information. Additional 171 records MUST be inserted in the order specified in the Additional 172 records list. 174 6. Operators SHOULD only include Additional answers that they expect 175 a client to actually need. [3] 177 [Ed note 1: The above MAY be troll bait. I'm not really sure if this 178 is a good idea or not - moving folk towards TCP is probably a good 179 idea, and this is somewhat of an optional record type. Then again, 180 special handing (TCP only) for a record would be unusual. Additional 181 records could cause responses to become really large, but there are 182 already enough large records that can be used for reflection attacks 183 that we can just give up on the whole "keep responses as small as 184 possible" ship. ] 186 [Ed note 2: This is poorly worded. I mumbled about bailiwick, 187 subdomains, etc but nothing I could come up with was better. Also, 188 is this rule actually needed? I *think* it would be bad for .com 189 servers to be able to include Additional records for 190 www.foo.bar.baz.example.com, but perhaps public-suffix- 191 list?! This rule also makes it easier to decide what all DNSSEC 192 information is required.] 194 [Ed note 3: This is not enforceable. ] 196 5. Additional records pseudo-RR 198 To allow the authoritative nameserver operator to configure the name 199 server with the additional records to serve when it receives a query 200 to a label, we introduce the Additional Resource Record (RR). 202 5.1. File Format 204 The format of the Additional RR is: 206 label ADD "label,type; label,type; label,type; ..." 208 For example, if the operator of example.com would like to also return 209 A record answers for images.example.com, css.html.example.com and 210 both an A and AAAA for data.example.com when queried for 211 www.example.com he would enter: 213 www ADD "images,A; css.html,A; data,A; data,AAA;" 215 The entries in the ADD list are ordered. An authoritative nameserver 216 SHOULD insert the records in the order listed when filling the 217 response packet. This is to allow the operator to express a 218 preference in case all the records to not fit. The TTL of the 219 records added to the Additional section are MUST be the same as if 220 queried directly. 222 In some cases the operator might not know what all additional records 223 clients need. For example, the owner of www.example.com may have 224 outsourced his DNS operations to a third party. DNS operators may be 225 able to mine their query logs, and see that, in a large majority of 226 cases, a recursive server asks for foo.example.com and then very soon 227 after asks for bar.example.com, and so may decide to optimize this by 228 opportunistically returning bar when queried for foo. This 229 functionality could also be included in the authoritative name server 230 software itself, but discussions of these re outside the scope of 231 this document. 233 5.2. Wire Format 235 The wire format of the Additional RR is the same as the wire format 236 for a TXT RR: 238 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 239 / TXT-DATA / 240 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 242 Where TXT-DATA is one or more charter-strings. 244 The Additional RR has RR type TBD [RFC Editor: insert the IANA 245 assigned value and delete this note] 247 6. Signaling support 249 Iterative nameservers that support Additional records signal this by 250 setting the OPT record's PL ("plus") bit (bit NN [TBD: assigned by 251 IANA] in the EDNS0 extension header to 1. 253 7. Stub-Resolver Considerations 255 No modifications need to be made to stub-resolvers to get the 256 predominate benefit of this protocol, since the majority of the speed 257 gain will take place between the validating recursive resolver and 258 the authoritative name server. However, stub resolvers may wish to 259 query directly for the Additional RR if it wants to pre-query for 260 data that will likely be needed in the process of supporting its 261 application. 263 8. Use of Additional information 265 When receiving Additional information, an iterative server follows 266 certain rules: 268 1. Additional records MUST be validated before being used. 270 2. Additional records SHOULD be annotated in the cache as having 271 been received as Additional records. 273 3. Additional records SHOULD have lower priority in the cache than 274 answers received because they were requested. This is to help 275 evict Additional records from the cache first, and help stop 276 cache filling attacks. 278 4. Iterative servers MAY choose to ignore Additional records for any 279 reason, including CPU or cache space concerns, phase of the moon, 280 etc. It may choose to only accept all, some or none of the 281 Additional records. 283 9. IANA Considerations 285 This document contains the following IANA assignment requirements: 287 1. The PL bit discussed in Section 6 needs to be allocated. 289 10. Security Considerations 291 Additional records will make DNS responses even larger than they are 292 currently, leading to more large records that can be used for DNS 293 reflection attacks. We mitigate this by only serving these over TCP. 295 A malicious authoritative server could include a large number of 296 Additional records (and associated DNSSEC information) and attempt to 297 DoS the recursive by making it do lots of DNSSEC validation. I don't 298 view this as a very serious threat (CPU for validation is cheap 299 compared to bandwidth), but we mitigate this by allowing the 300 iterative to ignore Additional records whenever it wants. 302 By requiring the ALL of the Additional records are signed, and all 303 necessary DNSSEC information for validation be included we avoid 304 cache poisoning (I hope :-)) 306 11. Acknowledgements 308 The authors wish to thank some folk. 310 12. References 312 12.1. Normative References 314 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 315 STD 13, RFC 1034, November 1987. 317 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 318 Requirement Levels", BCP 14, RFC 2119, March 1997. 320 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 321 Specification", RFC 2181, July 1997. 323 [RFC5395] Eastlake, D., "Domain Name System (DNS) IANA 324 Considerations", RFC 5395, November 2008. 326 [Ref.Bellovin] 327 Bellovin, S., "Using the Domain Name System for System 328 Break-Ins", 1995, . 331 12.2. Informative References 333 [I-D.ietf-sidr-iana-objects] 334 Manderson, T., Vegoda, L., and S. Kent, "RPKI Objects 335 issued by IANA", draft-ietf-sidr-iana-objects-03 (work in 336 progress), May 2011. 338 Appendix A. Changes / Author Notes. 340 [RFC Editor: Please remove this section before publication ] 342 From -00 to -01. 344 o Nothing changed in the template! 346 Authors' Addresses 348 Warren Kumari 349 Google 350 1600 Amphitheatre Parkway 351 Mountain View, CA 94043 352 US 354 Email: warren@kumari.net 356 Zhiwei Yan 357 CNNIC 358 No.4 South 4th Street, Zhongguancun 359 Beijing 100190 360 P. R. China 362 Email: yanzhiwei@cnnic.cn 364 Wes Hardaker 365 Parsons, Inc. 366 P.O. Box 382 367 Davis, CA 95617 368 US 370 Email: ietf@hardakers.net