ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

This commit was manufactured by cvs2git to create branch 'v9_4'.

Browse Source
This commit is contained in:
cvs2git
2009-11-19 05:58:24 +00:00
parent f6d3eb745b acf4c05953
commit bc3fc702a1
13 changed files with 12018 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

616
doc/draft/draft-ietf-dnsext-rfc2671bis-edns0-02.txt Normal file
View File

@@ -0,0 +1,616 @@
DNSEXT Working Group M. Graff
Internet-Draft P. Vixie
Obsoletes: 2671 (if approved) Internet Systems Consortium
Intended status: Standards Track July 28, 2009
Expires: January 29, 2010
Extension Mechanisms for DNS (EDNS0)
draft-ietf-dnsext-rfc2671bis-edns0-02
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 29, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
The Domain Name System's wire protocol includes a number of fixed
fields whose range has been or soon will be exhausted and does not
Graff & Vixie Expires January 29, 2010 [Page 1]
Internet-Draft EDNS0 Extensions July 2009
allow requestors to advertise their capabilities to responders. This
document describes backward compatible mechanisms for allowing the
protocol to grow.
This document updates the EDNS0 specification based on 10 years of
operational experience.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. EDNS Support Requirement . . . . . . . . . . . . . . . . . . . 3
4. Affected Protocol Elements . . . . . . . . . . . . . . . . . . 3
4.1. Message Header . . . . . . . . . . . . . . . . . . . . . . 3
4.2. Label Types . . . . . . . . . . . . . . . . . . . . . . . 4
4.3. UDP Message Size . . . . . . . . . . . . . . . . . . . . . 4
5. Extended Label Types . . . . . . . . . . . . . . . . . . . . . 4
6. OPT pseudo-RR . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1. OPT Record Behavior . . . . . . . . . . . . . . . . . . . 4
6.2. OPT Record Format . . . . . . . . . . . . . . . . . . . . 5
6.3. Requestor's Payload Size . . . . . . . . . . . . . . . . . 6
6.4. Responder's Payload Size . . . . . . . . . . . . . . . . . 6
6.5. Payload Size Selection . . . . . . . . . . . . . . . . . . 7
6.6. Middleware Boxes . . . . . . . . . . . . . . . . . . . . . 7
6.7. Extended RCODE . . . . . . . . . . . . . . . . . . . . . . 7
6.8. OPT Options Type Allocation Procedure . . . . . . . . . . 8
7. Transport Considerations . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
11.1. Normative References . . . . . . . . . . . . . . . . . . . 10
11.2. Informative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Graff & Vixie Expires January 29, 2010 [Page 2]
Internet-Draft EDNS0 Extensions July 2009
1. Introduction
DNS [RFC1035] specifies a Message Format and within such messages
there are standard formats for encoding options, errors, and name
compression. The maximum allowable size of a DNS Message is fixed.
Many of DNS's protocol limits are too small for uses which are or
which are desired to become common. There is no way for
implementations to advertise their capabilities.
Unextended agents will not know how to interpret the protocol
extensions detailed here. In practice, these clients will be
upgraded when they have need of a new feature, and only new features
will make use of the extensions. Extended agents must be prepared
for behaviour of unextended clients in the face of new protocol
elements, and fall back gracefully to unextended DNS. [RFC2671]
originally proposed extensions to the basic DNS protocol to overcome
these deficiencies. This memo refines that specification and
obsoletes [RFC2671].
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. EDNS Support Requirement
EDNS support is manditory in a modern world. DNSSEC requires EDNS
support, and many other featres are made possible only by EDNS
support to request or advertise them.
4. Affected Protocol Elements
4.1. Message Header
The DNS Message Header's (see , section 4.1.1 [RFC1035]) second full
16-bit word is divided into a 4-bit OPCODE, a 4-bit RCODE, and a
number of 1-bit flags. The original reserved Z bits have been
allocated to various purposes, and most of the RCODE values are now
in use. More flags and more possible RCODEs are needed. The OPT
pseudo-RR specified below contains subfields that carry a bit field
extension of the RCODE field and additional flag bits, respectively.
Graff & Vixie Expires January 29, 2010 [Page 3]
Internet-Draft EDNS0 Extensions July 2009
4.2. Label Types
The first two bits of a wire format domain label are used to denote
the type of the label. ,section 4.1.4 [RFC1035] allocates two of the
four possible types and reserves the other two. More label types
were proposed in [RFC2671] section 3.
4.3. UDP Message Size
DNS Messages are limited to 512 octets in size when sent over UDP.
While the minimum maximum reassembly buffer size still allows a limit
of 512 octets of UDP payload, most of the hosts now connected to the
Internet are able to reassemble larger datagrams. Some mechanism
must be created to allow requestors to advertise larger buffer sizes
to responders. To this end, the OPT pseudo-RR specified below
contains a maximum payload size field.
5. Extended Label Types
The first octet in the on-the-wire representation of a DNS label
specifies the label type; the basic DNS specification [RFC1035]
dedicates the two most significant bits of that octet for this
purpose.
This document reserves DNS label type 0b01 for use as an indication
for Extended Label Types. A specific extended label type is selected
by the 6 least significant bits of the first octet. Thus, Extended
Label Types are indicated by the values 64-127 (0b01xxxxxx) in the
first octet of the label.
This document does not describe any specific Extended Label Type.
In practice, Extended Label Types are difficult to use due to support
in clients and intermediate gateways. Therefore, the registry of
Extended Label Types is requested to be closed. They cause
interoperability problems and at present no defined label types are
in use.
6. OPT pseudo-RR
6.1. OPT Record Behavior
One OPT pseudo-RR (RR type 41) MAY be added to the additional data
section of a request. If present in requests, compliant responders
which implement EDNS MUST include an OPT record in non-truncated
responses, and SHOULD attempt to include them in all responses. An
Graff & Vixie Expires January 29, 2010 [Page 4]
Internet-Draft EDNS0 Extensions July 2009
OPT is called a pseudo-RR because it pertains to a particular
transport level message and not to any actual DNS data. OPT RRs MUST
NOT be cached, forwarded, or stored in or loaded from master files.
The quantity of OPT pseudo-RRs per message MUST be either zero or
one, but not greater.
6.2. OPT Record Format
An OPT RR has a fixed part and a variable set of options expressed as
{attribute, value} pairs. The fixed part holds some DNS meta data
and also a small collection of basic extension elements which we
expect to be so popular that it would be a waste of wire space to
encode them as {attribute, value} pairs.
The fixed part of an OPT RR is structured as follows:
+------------+--------------+------------------------------+
| Field Name | Field Type | Description |
+------------+--------------+------------------------------+
| NAME | domain name | empty (root domain) |
| TYPE | u_int16_t | OPT |
| CLASS | u_int16_t | requestor's UDP payload size |
| TTL | u_int32_t | extended RCODE and flags |
| RDLEN | u_int16_t | describes RDATA |
| RDATA | octet stream | {attribute,value} pairs |
+------------+--------------+------------------------------+
OPT RR Format
The variable part of an OPT RR is encoded in its RDATA and is
structured as zero or more of the following:
+0 (MSB) +1 (LSB)
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
0: | OPTION-CODE |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
2: | OPTION-LENGTH |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
4: | |
/ OPTION-DATA /
/ /
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
Graff & Vixie Expires January 29, 2010 [Page 5]
Internet-Draft EDNS0 Extensions July 2009
OPTION-CODE
Assigned by Expert Review.
OPTION-LENGTH
Size (in octets) of OPTION-DATA.
OPTION-DATA
Varies per OPTION-CODE.
Order of appearance of option tuples is never relevant. Any option
whose meaning is affected by other options is so affected no matter
which one comes first in the OPT RDATA.
Any OPTION-CODE values not understood by a responder or requestor
MUST be ignored. Specifications of such options might wish to
include some kind of signalled acknowledgement. For example, an
option specification might say that if a responder sees option XYZ,
it SHOULD include option XYZ in its response.
6.3. Requestor's Payload Size
The requestor's UDP payload size (which OPT stores in the RR CLASS
field) is the number of octets of the largest UDP payload that can be
reassembled and delivered in the requestor's network stack. Note
that path MTU, with or without fragmentation, may be smaller than
this. Values lower than 512 MUST be treated as equal to 512.
Note that a 512-octet UDP payload requires a 576-octet IP reassembly
buffer. Choosing 1280 for IPv4 over Ethernet would be reasonable.
The consequence of choosing too large a value may be an ICMP message
from an intermediate gateway, or even a silent drop of the response
message.
The requestor's maximum payload size can change over time, and MUST
therefore not be cached for use beyond the transaction in which it is
advertised.
6.4. Responder's Payload Size
The responder's maximum payload size can change over time, but can be
reasonably expected to remain constant between two sequential
transactions; for example, a meaningless QUERY to discover a
responder's maximum UDP payload size, followed immediately by an
UPDATE which takes advantage of this size. (This is considered
preferrable to the outright use of TCP for oversized requests, if
there is any reason to suspect that the responder implements EDNS,
and if a request will not fit in the default 512 payload size limit.)
Graff & Vixie Expires January 29, 2010 [Page 6]
Internet-Draft EDNS0 Extensions July 2009
6.5. Payload Size Selection
Due to transaction overhead, it is unwise to advertise an
architectural limit as a maximum UDP payload size. Just because your
stack can reassemble 64KB datagrams, don't assume that you want to
spend more than about 4KB of state memory per ongoing transaction.
A requestor MAY choose to implement a fallback to smaller advertised
sizes to work around firewall or other network limitations. A
requestor SHOULD choose to use a fallback mechanism which begins with
a large size, such as 4096. If that fails, a fallback around the
1220 byte range SHOULD be tried, as it has a reasonable chance to fit
within a single Ethernet frame. Failing that, a requestor MAY choose
a 512 byte packet, which with large answers may cause a TCP retry.
6.6. Middleware Boxes
Middleware boxes MUST NOT limit DNS messages over UDP to 512 bytes.
Middleware boxes which simply forward requests to a recursive
resolver MUST NOT modify the OPT record contents in either direction.
6.7. Extended RCODE
The extended RCODE and flags (which OPT stores in the RR TTL field)
are structured as follows:
+0 (MSB) +1 (LSB)
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
0: | EXTENDED-RCODE | VERSION |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
2: | DO| Z |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
EXTENDED-RCODE
Forms upper 8 bits of extended 12-bit RCODE. Note that
EXTENDED-RCODE value "0" indicates that an unextended RCODE is
in use (values "0" through "15").
VERSION
Indicates the implementation level of whoever sets it. Full
conformance with this specification is indicated by version
``0.'' Requestors are encouraged to set this to the lowest
implemented level capable of expressing a transaction, to
minimize the responder and network load of discovering the
greatest common implementation level between requestor and
responder. A requestor's version numbering strategy MAY
ideally be a run time configuration option.
Graff & Vixie Expires January 29, 2010 [Page 7]
Internet-Draft EDNS0 Extensions July 2009
If a responder does not implement the VERSION level of the
request, then it answers with RCODE=BADVERS. All responses
MUST be limited in format to the VERSION level of the request,
but the VERSION of each response SHOULD be the highest
implementation level of the responder. In this way a requestor
will learn the implementation level of a responder as a side
effect of every response, including error responses and
including RCODE=BADVERS.
DO
DNSSEC OK bit as defined by [RFC3225].
Z
Set to zero by senders and ignored by receivers, unless
modified in a subsequent specification.
6.8. OPT Options Type Allocation Procedure
Allocations assigned by expert review. TBD
7. Transport Considerations
The presence of an OPT pseudo-RR in a request should be taken as an
indication that the requestor fully implements the given version of
EDNS, and can correctly understand any response that conforms to that
feature's specification.
Lack of presence of an OPT record in a request MUST be taken as an
indication that the requestor does not implement any part of this
specification and that the responder MUST NOT use any protocol
extension described here in its response.
Responders who do not implement these protocol extensions MUST
respond with FORMERR messages without any OPT record.
If there is a problem with processing the OPT record itself, such as
an option value that is badly formatted or includes out of range
values, a FORMERR MAY be retured. If this occurs the response MUST
include an OPT record. This MAY be used to distinguish between
servers whcih do not implement EDNS and format errors within EDNS.
If EDNS is used in a request, and the response arrives with TC set
and with no EDNS OPT RR, a requestor SHOULD assume that truncation
prevented the OPT RR from being appended by the responder, and
further, that EDNS is not used in the response. Correspondingly, an
EDNS responder who cannot fit all necessary elements (including an
OPT RR) into a response, SHOULD respond with a normal (unextended)
Graff & Vixie Expires January 29, 2010 [Page 8]
Internet-Draft EDNS0 Extensions July 2009
DNS response, possibly setting TC if the response will not fit in the
unextended response message's 512-octet size.
8. Security Considerations
Requestor-side specification of the maximum buffer size may open a
new DNS denial of service attack if responders can be made to send
messages which are too large for intermediate gateways to forward,
thus leading to potential ICMP storms between gateways and
responders.
Announcing very large UDP buffer sizes may result in dropping by
firewalls. This could cause retransmissions with no hope of success.
Some devices reject fragmented UDP packets.
Announcing too small UDP buffer sizes may result in fallback to TCP.
This is especially important with DNSSEC, where answers are much
larger.
9. IANA Considerations
The IANA has assigned RR type code 41 for OPT.
[RFC2671] specified a number of IANA sub-registries within "DOMAIN
NAME SYSTEM PARAMETERS:" "EDNS Extended Label Type", "EDNS Option
Codes", "EDNS Version Numbers", and "Domain System Response Code."
IANA is advised to re-parent these subregistries to this document.
RFC 2671 created an extended label type registry. We request that
this registry be closed.
This document assigns extended label type 0bxx111111 as "Reserved for
future extended label types." We request that IANA record this
assignment.
This document assigns option code 65535 to "Reserved for future
expansion."
This document expands the RCODE space from 4 bits to 12 bits. This
will allow IANA to assign more than the 16 distinct RCODE values
allowed in RFC 1035 [RFC1035].
This document assigns EDNS Extended RCODE "16" to "BADVERS".
IESG approval should be required to create new entries in the EDNS
Extended Label Type or EDNS Version Number registries, while any
Graff & Vixie Expires January 29, 2010 [Page 9]
Internet-Draft EDNS0 Extensions July 2009
published RFC (including Informational, Experimental, or BCP) should
be grounds for allocation of an EDNS Option Code.
10. Acknowledgements
Paul Mockapetris, Mark Andrews, Robert Elz, Don Lewis, Bob Halley,
Donald Eastlake, Rob Austein, Matt Crawford, Randy Bush, and Thomas
Narten were each instrumental in creating and refining this
specification.
11. References
11.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999.
[RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC",
RFC 3225, December 2001.
11.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Authors' Addresses
Michael Graff
Internet Systems Consortium
950 Charter Street
Redwood City, California 94063
US
Phone: +1 650.423.1304
Email: mgraff@isc.org
Graff & Vixie Expires January 29, 2010 [Page 10]
Internet-Draft EDNS0 Extensions July 2009
Paul Vixie
Internet Systems Consortium
950 Charter Street
Redwood City, California 94063
US
Phone: +1 650.423.1301
Email: vixie@isc.org
Graff & Vixie Expires January 29, 2010 [Page 11]

729
doc/draft/draft-ietf-dnsop-default-local-zones-09.txt Normal file
View File

@@ -0,0 +1,729 @@
Network Working Group M. Andrews
Internet-Draft ISC
Intended status: BCP November 19, 2009
Expires: May 23, 2010
Locally-served DNS Zones
draft-ietf-dnsop-default-local-zones-09
Abstract
Experience with the Domain Name System (DNS) has shown that there are
a number of DNS zones all iterative resolvers and recursive
nameservers should automatically serve, unless configured otherwise.
RFC 4193 specifies that this should occur for D.F.IP6.ARPA. This
document extends the practice to cover the IN-ADDR.ARPA zones for RFC
1918 address space and other well known zones with similar
characteristics.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 23, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Andrews Expires May 23, 2010 [Page 1]
Internet-Draft Locally-served DNS Zones November 2009
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Andrews Expires May 23, 2010 [Page 2]
Internet-Draft Locally-served DNS Zones November 2009
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 3
2. Effects on sites using RFC 1918 addresses. . . . . . . . . . . 4
3. Changes to Iterative Resolver Behaviour. . . . . . . . . . . . 4
4. Lists Of Zones Covered . . . . . . . . . . . . . . . . . . . . 5
4.1. RFC1918 Zones . . . . . . . . . . . . . . . . . . . . . . 5
4.2. RFC3330 Zones . . . . . . . . . . . . . . . . . . . . . . 6
4.3. Local IPv6 Unicast Addresses . . . . . . . . . . . . . . . 6
4.4. IPv6 Locally Assigned Local Addresses . . . . . . . . . . 6
4.5. IPv6 Link Local Addresses . . . . . . . . . . . . . . . . 7
4.6. IPv6 Example Prefix . . . . . . . . . . . . . . . . . . . 7
5. Zones that are Out-Of-Scope . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.1. Normative References . . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . . 10
Appendix A. Change History [To Be Removed on Publication] . . . . 10
A.1. draft-ietf-dnsop-default-local-zones-09.txt . . . . . . . 10
A.2. draft-ietf-dnsop-default-local-zones-08.txt . . . . . . . 10
A.3. draft-ietf-dnsop-default-local-zones-07.txt . . . . . . . 10
A.4. draft-ietf-dnsop-default-local-zones-06.txt . . . . . . . 10
A.5. draft-ietf-dnsop-default-local-zones-05.txt . . . . . . . 11
A.6. draft-ietf-dnsop-default-local-zones-04.txt . . . . . . . 11
A.7. draft-ietf-dnsop-default-local-zones-03.txt . . . . . . . 11
A.8. draft-ietf-dnsop-default-local-zones-02.txt . . . . . . . 11
A.9. draft-ietf-dnsop-default-local-zones-01.txt . . . . . . . 11
A.10. draft-ietf-dnsop-default-local-zones-00.txt . . . . . . . 11
A.11. draft-andrews-full-service-resolvers-03.txt . . . . . . . 11
A.12. draft-andrews-full-service-resolvers-02.txt . . . . . . . 12
Appendix B. Proposed Status [To Be Removed on Publication] . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
Andrews Expires May 23, 2010 [Page 3]
Internet-Draft Locally-served DNS Zones November 2009
1. Introduction
Experience with the Domain Name System (DNS, [RFC1034] and [RFC1035])
has shown that there are a number of DNS zones that all iterative
resolvers and recursive nameservers SHOULD automatically serve,
unless intentionally configured otherwise. These zones include, but
are not limited to, the IN-ADDR.ARPA zones for the address space
allocated by [RFC1918] and the IP6.ARPA zones for locally assigned
unique local IPv6 addresses defined in [RFC4193].
This recommendation is made because data has shown that significant
leakage of queries for these name spaces is occurring, despite
instructions to restrict them, and because it has therefore become
necessary to deploy sacrificial name servers to protect the immediate
parent name servers for these zones from excessive, unintentional,
query load [AS112] [I-D.draft-ietf-dnsop-as112-ops]
[I-D.draft-ietf-dnsop-as112-under-attack-help-help]. There is every
expectation that the query load will continue to increase unless
steps are taken as outlined here.
Additionally, queries from clients behind badly configured firewalls
that allow outgoing queries for these name spaces but drop the
responses, put a significant load on the root servers (forward but no
reverse zones configured). They also cause operational load for the
root server operators as they have to reply to enquiries about why
the root servers are "attacking" these clients. Changing the default
configuration will address all these issues for the zones listed in
Section 4.
[RFC4193] recommends that queries for D.F.IP6.ARPA be handled
locally. This document extends the recommendation to cover the IN-
ADDR.ARPA zones for [RFC1918] and other well known IN-ADDR.ARPA and
IP6.ARPA zones for which queries should not appear on the public
Internet.
It is hoped that by doing this the number of sacrificial servers
[AS112] will not have to be increased, and may in time be reduced.
This recommendation should also help DNS responsiveness for sites
which are using [RFC1918] addresses but do not follow the last
paragraph in Section 3 of [RFC1918].
1.1. Reserved Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Andrews Expires May 23, 2010 [Page 4]
Internet-Draft Locally-served DNS Zones November 2009
2. Effects on sites using RFC 1918 addresses.
For most sites using [RFC1918] addresses, the changes here will have
little or no detrimental effect. If the site does not already have
the reverse tree populated the only effect will be that the name
error responses will be generated locally rather than remotely.
For sites that do have the reverse tree populated, most will either
have a local copy of the zones or will be forwarding the queries to
servers which have local copies of the zone. Therefore this
recommendation will not be relevant.
The most significant impact will be felt at sites that make use of
delegations for [RFC1918] addresses and have populated these zones.
These sites will need to override the default configuration expressed
in this document to allow resolution to continue. Typically, such
sites will be fully disconnected from the Internet and have their own
root servers for their own non-Internet DNS tree.
3. Changes to Iterative Resolver Behaviour.
Unless configured otherwise, an iterative resolver will now return
authoritatively (aa=1) name errors (RCODE=3) for queries within the
zones in Section 4, with the obvious exception of queries for the
zone name itself where SOA, NS and "no data" responses will be
returned as appropriate to the query type. One common way to do this
all at once is to serve empty (SOA and NS only) zones.
An implementation of this recommendation MUST provide a mechanism to
disable this new behaviour, and SHOULD allow this decision on a zone
by zone basis.
If using empty zones one SHOULD NOT use the same NS and SOA records
as used on the public Internet servers as that will make it harder to
detect the origin of the responses and thus any leakage to the public
Internet servers. This document recommends that the NS record
defaults to the name of the zone and the SOA MNAME defaults to the
name of the only NS RR's target. The SOA RNAME should default to
"nobody.invalid." [RFC2606]. Implementations SHOULD provide a
mechanism to set these values. No address records need to be
provided for the name server.
Below is an example of a generic empty zone in master file format.
It will produce a negative cache TTL of 3 hours.
@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
@ 10800 IN NS @
Andrews Expires May 23, 2010 [Page 5]
Internet-Draft Locally-served DNS Zones November 2009
The SOA RR is needed to support negative caching [RFC2308] of name
error responses and to point clients to the primary master for DNS
dynamic updates.
SOA values of particular importance are the MNAME, the SOA RR's TTL
and the negTTL value. Both TTL values SHOULD match. The rest of the
SOA timer values MAY be chosen arbitrarily since they are not
intended to control any zone transfer activity.
The NS RR is needed as some UPDATE [RFC2136] clients use NS queries
to discover the zone to be updated. Having no address records for
the name server is expected to abort UPDATE processing in the client.
4. Lists Of Zones Covered
The following subsections are intended to seed the IANA registry as
requested in the IANA Considerations Section. The zone name is the
entity to be registered.
4.1. RFC1918 Zones
The following zones correspond to the IPv4 address space reserved in
[RFC1918].
+----------------------+
| Zone |
+----------------------+
| 10.IN-ADDR.ARPA |
| 16.172.IN-ADDR.ARPA |
| 17.172.IN-ADDR.ARPA |
| 18.172.IN-ADDR.ARPA |
| 19.172.IN-ADDR.ARPA |
| 20.172.IN-ADDR.ARPA |
| 21.172.IN-ADDR.ARPA |
| 22.172.IN-ADDR.ARPA |
| 23.172.IN-ADDR.ARPA |
| 24.172.IN-ADDR.ARPA |
| 25.172.IN-ADDR.ARPA |
| 26.172.IN-ADDR.ARPA |
| 27.172.IN-ADDR.ARPA |
| 28.172.IN-ADDR.ARPA |
| 29.172.IN-ADDR.ARPA |
| 30.172.IN-ADDR.ARPA |
| 31.172.IN-ADDR.ARPA |
| 168.192.IN-ADDR.ARPA |
+----------------------+
Andrews Expires May 23, 2010 [Page 6]
Internet-Draft Locally-served DNS Zones November 2009
4.2. RFC3330 Zones
The following zones correspond to those address ranges from [RFC3330]
that are not expected to appear as source or destination addresses on
the public Internet and to not have a unique name to associate with.
The recommendation to serve an empty zone 127.IN-ADDR.ARPA is not a
attempt to discourage any practice to provide a PTR RR for
1.0.0.127.IN-ADDR.ARPA locally. In fact, a meaningful reverse
mapping should exist, but the exact setup is out of the scope of this
document. Similar logic applies to the reverse mapping for ::1
(Section 4.3). The recommendations made here simply assume no other
coverage for these domains exists.
+------------------------------+------------------------+
| Zone | Description |
+------------------------------+------------------------+
| 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK |
| 127.IN-ADDR.ARPA | IPv4 LOOP-BACK NETWORK |
| 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL |
| 2.0.192.IN-ADDR.ARPA | IPv4 TEST NET |
| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST |
+------------------------------+------------------------+
4.3. Local IPv6 Unicast Addresses
The reverse mappings ([RFC3596], Section 2.5 IP6.ARPA Domain) for the
IPv6 Unspecified (::) and Loopback (::1) addresses ([RFC4291],
Sections 2.4, 2.5.2 and 2.5.3) are covered by these two zones:
+-------------------------------------------+
| Zone |
+-------------------------------------------+
| 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
| 0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA |
| 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
| 0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA |
+-------------------------------------------+
Note: Line breaks and a escapes '\' have been inserted above for
readability and to adhere to line width constraints. They are not
parts of the zone names.
4.4. IPv6 Locally Assigned Local Addresses
Section 4.4 of [RFC4193] already required special treatment of:
Andrews Expires May 23, 2010 [Page 7]
Internet-Draft Locally-served DNS Zones November 2009
+--------------+
| Zone |
+--------------+
| D.F.IP6.ARPA |
+--------------+
4.5. IPv6 Link Local Addresses
IPv6 Link-Local Addresses as of [RFC4291], Section 2.5.6 are covered
by four distinct reverse DNS zones:
+----------------+
| Zone |
+----------------+
| 8.E.F.IP6.ARPA |
| 9.E.F.IP6.ARPA |
| A.E.F.IP6.ARPA |
| B.E.F.IP6.ARPA |
+----------------+
4.6. IPv6 Example Prefix
IPv6 example prefix [RFC3849].
+--------------------------+
| Zone |
+--------------------------+
| 8.B.D.0.1.0.0.2.IP6.ARPA |
+--------------------------+
Note: 8.B.D.0.1.0.0.2.IP6.ARPA is not being used as a example here.
5. Zones that are Out-Of-Scope
IPv6 site-local addresses (deprecated, see [RFC4291] Sections 2.4 and
2.5.7), and IPv6 Non-Locally Assigned Local addresses ([RFC4193]) are
not covered here.
It is expected that IPv6 site-local addresses will be self correcting
as IPv6 implementations remove support for site-local addresses.
However, sacrificial servers for the zones C.E.F.IP6.ARPA through
F.E.F.IP6.ARPA may still need to be deployed in the short term if the
traffic becomes excessive.
For IPv6 Non-Locally Assigned Local addresses (L = 0) [RFC4193],
there has been no decision made about whether the Regional Internet
Registries (RIRs) will provide delegations in this space or not. If
Andrews Expires May 23, 2010 [Page 8]
Internet-Draft Locally-served DNS Zones November 2009
they don't, then C.F.IP6.ARPA will need to be added to the list in
Section 4.4. If they do, then registries will need to take steps to
ensure that name servers are provided for these addresses.
This document also ignores IP6.INT. IP6.INT has been wound up with
only legacy resolvers now generating reverse queries under IP6.INT
[RFC4159].
This document has also deliberately ignored names immediately under
the root domain. While there is a subset of queries to the root name
servers which could be addressed using the techniques described here
(e.g. .local, .workgroup and IPv4 addresses), there is also a vast
amount of traffic that requires a different strategy (e.g. lookups
for unqualified hostnames, IPv6 addresses).
6. IANA Considerations
This document requests that IANA establish a registry of zones which
require this default behaviour. The initial contents of this
registry are defined in Section 4. Implementors are encouraged to
periodically check this registry and adjust their implementations to
reflect changes therein.
This registry can be amended through "IETF Review" as per [RFC5226].
IANA should co-ordinate with the RIRs to ensure that, as DNSSEC is
deployed in the reverse tree, delegations for these zones are made in
the manner described in Section 7.
7. Security Considerations
During the initial deployment phase, particularly where [RFC1918]
addresses are in use, there may be some clients that unexpectedly
receive a name error rather than a PTR record. This may cause some
service disruption until their recursive name server(s) have been re-
configured.
As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
namespaces, the zones listed above will need to be delegated as
insecure delegations, or be within insecure zones. This will allow
DNSSEC validation to succeed for queries in these spaces despite not
being answered from the delegated servers.
It is recommended that sites actively using these namespaces secure
them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
anchors. This will protect the clients from accidental import of
Andrews Expires May 23, 2010 [Page 9]
Internet-Draft Locally-served DNS Zones November 2009
unsigned responses from the Internet.
8. Acknowledgements
This work was supported by the US National Science Foundation
(research grant SCI-0427144) and DNS-OARC.
9. References
9.1. Normative References
[RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
SPECIFICATION", STD 13, RFC 1035, November 1987.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2136] Vixie, P., Thomson, A., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, April 1997.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2398, March 1998.
[RFC2606] Eastlake, D. and A. Panitz, "Reserved Top Level DNS
Names", BCP 32, RFC 2606, June 1999.
[RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
"DNS Extensions to Support IPv6", RFC 3596, October 2003.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4159] Huston, G., "Deprecation of "ip6.int"", BCP 109, RFC 4159,
August 2005.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
Andrews Expires May 23, 2010 [Page 10]
Internet-Draft Locally-served DNS Zones November 2009
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
October 2008.
9.2. Informative References
[AS112] "AS112 Project", <http://www.as112.net/>.
[I-D.draft-ietf-dnsop-as112-ops]
Abley, J. and W. Maton, "AS112 Nameserver Operations",
draft-ietf-dnsop-as112-ops-01 (work in progress),
November 2007.
[I-D.draft-ietf-dnsop-as112-under-attack-help-help]
Abley, J. and W. Maton, "I'm Being Attacked by
PRISONER.IANA.ORG!",
draft-ietf-dnsop-as112-under-attack-help-help-01 (work in
progress), November 2007.
[RFC3330] "Special-Use IPv4 Addresses", RFC 3330, September 2002.
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849, July 2004.
Appendix A. Change History [To Be Removed on Publication]
A.1. draft-ietf-dnsop-default-local-zones-09.txt
refresh awaiting writeup
A.2. draft-ietf-dnsop-default-local-zones-08.txt
editorial, reference updates
A.3. draft-ietf-dnsop-default-local-zones-07.txt
none, expiry prevention
A.4. draft-ietf-dnsop-default-local-zones-06.txt
add IPv6 example prefix
Andrews Expires May 23, 2010 [Page 11]
Internet-Draft Locally-served DNS Zones November 2009
A.5. draft-ietf-dnsop-default-local-zones-05.txt
none, expiry prevention
A.6. draft-ietf-dnsop-default-local-zones-04.txt
Centrally Assigned Local addresses -> Non-Locally Assigned Local
address
A.7. draft-ietf-dnsop-default-local-zones-03.txt
expanded section 4 descriptions
Added references [RFC2136], [RFC3596],
[I-D.draft-ietf-dnsop-as112-ops] and
[I-D.draft-ietf-dnsop-as112-under-attack-help-help].
Revised language.
A.8. draft-ietf-dnsop-default-local-zones-02.txt
RNAME now "nobody.invalid."
Revised language.
A.9. draft-ietf-dnsop-default-local-zones-01.txt
Revised impact description.
Updated to reflect change in IP6.INT status.
A.10. draft-ietf-dnsop-default-local-zones-00.txt
Adopted by DNSOP.
"Author's Note" re-titled "Zones that are Out-Of-Scope"
Add note that these zone are expected to seed the IANA registry.
Title changed.
A.11. draft-andrews-full-service-resolvers-03.txt
Added "Proposed Status".
Andrews Expires May 23, 2010 [Page 12]
Internet-Draft Locally-served DNS Zones November 2009
A.12. draft-andrews-full-service-resolvers-02.txt
Added 0.IN-ADDR.ARPA.
Appendix B. Proposed Status [To Be Removed on Publication]
This Internet-Draft is being submitted for eventual publication as an
RFC with a proposed status of Best Current Practice.
Author's Address
Mark P. Andrews
Internet Systems Consortium
950 Charter Street
Redwood City, CA 94063
US
Email: Mark_Andrews@isc.org
Andrews Expires May 23, 2010 [Page 13]

507
doc/rfc/rfc3755.txt Normal file
View File

@@ -0,0 +1,507 @@
Network Working Group S. Weiler
Request for Comments: 3755 SPARTA, Inc.
Updates: 3658, 2535 May 2004
Category: Standards Track
Legacy Resolver Compatibility for Delegation Signer (DS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
As the DNS Security (DNSSEC) specifications have evolved, the syntax
and semantics of the DNSSEC resource records (RRs) have changed.
Many deployed nameservers understand variants of these semantics.
Dangerous interactions can occur when a resolver that understands an
earlier version of these semantics queries an authoritative server
that understands the new delegation signer semantics, including at
least one failure scenario that will cause an unsecured zone to be
unresolvable. This document changes the type codes and mnemonics of
the DNSSEC RRs (SIG, KEY, and NXT) to avoid those interactions.
1. Introduction
The DNSSEC protocol has been through many iterations whose syntax and
semantics are not completely compatible. This has occurred as part
of the ordinary process of proposing a protocol, implementing it,
testing it in the increasingly complex and diverse environment of the
Internet, and refining the definitions of the initial Proposed
Standard. In the case of DNSSEC, the process has been complicated by
DNS's criticality and wide deployment and the need to add security
while minimizing daily operational complexity.
A weak area for previous DNS specifications has been lack of detail
in specifying resolver behavior, leaving implementors largely on
their own to determine many details of resolver function. This,
combined with the number of iterations the DNSSEC specifications have
been through, has resulted in fielded code with a wide variety of
Weiler Standards Track [Page 1]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
behaviors. This variety makes it difficult to predict how a protocol
change will be handled by all deployed resolvers. The risk that a
change will cause unacceptable or even catastrophic failures makes it
difficult to design and deploy a protocol change. One strategy for
managing that risk is to structure protocol changes so that existing
resolvers can completely ignore input that might confuse them or
trigger undesirable failure modes.
This document addresses a specific problem caused by Delegation
Signer's (DS) [RFC3658] introduction of new semantics for the NXT RR
that are incompatible with the semantics in [RFC2535]. Answers
provided by DS-aware servers can trigger an unacceptable failure mode
in some resolvers that implement RFC 2535, which provides a great
disincentive to sign zones with DS. The changes defined in this
document allow for the incremental deployment of DS.
1.1. Terminology
In this document, the term "unsecure delegation" means any delegation
for which no DS record appears at the parent. An "unsecure referral"
is an answer from the parent containing an NS RRset and a proof that
no DS record exists for that name.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
1.2. The Problem
Delegation Signer (DS) introduces new semantics for the NXT RR that
are incompatible with the semantics in RFC 2535. In RFC 2535, NXT
records were only required to be returned as part of a non-existence
proof. With DS, an unsecure referral returns, in addition to the NS,
a proof of non-existence of a DS RR in the form of an NXT and
SIG(NXT). RFC 2535 didn't specify how a resolver was to interpret a
response with RCODE=0, AA=0, and both an NS and an NXT in the
authority section. Some widely deployed 2535-aware resolvers
interpret any answer with an NXT as a proof of non-existence of the
requested record. This results in unsecure delegations being
invisible to 2535-aware resolvers and violates the basic
architectural principle that DNSSEC must do no harm -- the signing of
zones must not prevent the resolution of unsecured delegations.
2. Possible Solutions
This section presents several solutions that were considered.
Section 3 describes the one selected.
Weiler Standards Track [Page 2]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
2.1. Change SIG, KEY, and NXT type codes
To avoid the problem described above, legacy (RFC2535-aware)
resolvers need to be kept from seeing unsecure referrals that include
NXT records in the authority section. The simplest way to do that is
to change the type codes for SIG, KEY, and NXT.
The obvious drawback to this is that new resolvers will not be able
to validate zones signed with the old RRs. This problem already
exists, however, because of the changes made by DS, and resolvers
that understand the old RRs (and have compatibility issues with DS)
are far more prevalent than 2535-signed zones.
2.2. Change a subset of type codes
The observed problem with unsecure referrals could be addressed by
changing only the NXT type code or another subset of the type codes
that includes NXT. This has the virtue of apparent simplicity, but
it risks introducing new problems or not going far enough. It's
quite possible that more incompatibilities exist between DS and
earlier semantics. Legacy resolvers may also be confused by seeing
records they recognize (SIG and KEY) while being unable to find NXTs.
Although it may seem unnecessary to fix that which is not obviously
broken, it's far cleaner to change all of the type codes at once.
This will leave legacy resolvers and tools completely blinded to
DNSSEC -- they will see only unknown RRs.
2.3. Replace the DO bit
Another way to keep legacy resolvers from ever seeing DNSSEC records
with DS semantics is to have authoritative servers only send that
data to DS-aware resolvers. It's been proposed that assigning a new
EDNS0 flag bit to signal DS-awareness (tentatively called "DA"), and
having authoritative servers send DNSSEC data only in response to
queries with the DA bit set, would accomplish this. This bit would
presumably supplant the DO bit described in [RFC3225].
This solution is sufficient only if all 2535-aware resolvers zero out
EDNS0 flags that they don't understand. If one passed through the DA
bit unchanged, it would still see the new semantics, and it would
probably fail to see unsecure delegations. Since it's impractical to
know how every DNS implementation handles unknown EDNS0 flags, this
is not a universal solution. It could, though, be considered in
addition to changing the RR type codes.
Weiler Standards Track [Page 3]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
2.4. Increment the EDNS version
Another possible solution is to increment the EDNS version number as
defined in [RFC2671], on the assumption that all existing
implementations will reject higher versions than they support, and
retain the DO bit as the signal for DNSSEC awareness. This approach
has not been tested.
2.5. Do nothing
There is a large deployed base of DNS resolvers that understand
DNSSEC as defined by the standards track RFC 2535 and [RFC2065] and,
due to under specification in those documents, interpret any answer
with an NXT as a non-existence proof. So long as that is the case,
zone owners will have a strong incentive to not sign any zones that
contain unsecure delegations, lest those delegations be invisible to
such a large installed base. This will dramatically slow DNSSEC
adoption.
Unfortunately, without signed zones there's no clear incentive for
operators of resolvers to upgrade their software to support the new
version of DNSSEC, as defined in RFC 3658. Historical data suggests
that resolvers are rarely upgraded, and that old nameserver code
never dies.
Rather than wait years for resolvers to be upgraded through natural
processes before signing zones with unsecure delegations, addressing
this problem with a protocol change will immediately remove the
disincentive for signing zones and allow widespread deployment of
DNSSEC.
3. Protocol changes
This document changes the type codes of SIG, KEY, and NXT. This
approach is the cleanest and safest of those discussed above, largely
because the behavior of resolvers that receive unknown type codes is
well understood. This approach has also received the most testing.
To avoid operational confusion, it's also necessary to change the
mnemonics for these RRs. DNSKEY will be the replacement for KEY,
with the mnemonic indicating that these keys are not for application
use, per [RFC3445]. RRSIG (Resource Record SIGnature) will replace
SIG, and NSEC (Next SECure) will replace NXT. These new types
completely replace the old types, except that SIG(0) [RFC2931] and
TKEY [RFC2930] will continue to use SIG and KEY.
Weiler Standards Track [Page 4]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
The new types will have exactly the same syntax and semantics as
specified for SIG, KEY, and NXT in RFC 2535 and RFC 3658 except for
the following:
1) Consistent with [RFC3597], domain names embedded in RRSIG and NSEC
RRs MUST NOT be compressed,
2) Embedded domain names in RRSIG and NSEC RRs are not downcased for
purposes of DNSSEC canonical form and ordering nor for equality
comparison, and
3) An RRSIG with a type-covered field of zero has undefined
semantics. The meaning of such a resource record may only be
defined by IETF Standards Action.
If a resolver receives the old types, it SHOULD treat them as unknown
RRs and SHOULD NOT assign any special meaning to them or give them
any special treatment. It MUST NOT use them for DNSSEC validations
or other DNS operational decision making. For example, a resolver
MUST NOT use DNSKEYs to validate SIGs or use KEYs to validate RRSIGs.
If SIG, KEY, or NXT RRs are included in a zone, they MUST NOT receive
special treatment. As an example, if a SIG is included in a signed
zone, there MUST be an RRSIG for it. Authoritative servers may wish
to give error messages when loading zones containing SIG or NXT
records (KEY records may be included for SIG(0) or TKEY).
As a clarification to previous documents, some positive responses,
particularly wildcard proofs and unsecure referrals, will contain
NSEC RRs. Resolvers MUST NOT treat answers with NSEC RRs as negative
answers merely because they contain an NSEC.
4. IANA Considerations
4.1. DNS Resource Record Types
This document updates the IANA registry for DNS Resource Record Types
by assigning types 46, 47, and 48 to the RRSIG, NSEC, and DNSKEY RRs,
respectively.
Types 24 and 25 (SIG and KEY) are retained for SIG(0) [RFC2931] and
TKEY [RFC2930] use only.
Type 30 (NXT) should be marked as Obsolete.
Weiler Standards Track [Page 5]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
4.2. DNS Security Algorithm Numbers
To allow zone signing (DNSSEC) and transaction security mechanisms
(SIG(0) and TKEY) to use different sets of algorithms, the existing
"DNS Security Algorithm Numbers" registry is modified to include the
applicability of each algorithm. Specifically, two new columns are
added to the registry, showing whether each algorithm may be used for
zone signing, transaction security mechanisms, or both. Only
algorithms usable for zone signing may be used in DNSKEY, RRSIG, and
DS RRs. Only algorithms usable for SIG(0) and/or TSIG may be used in
SIG and KEY RRs.
All currently defined algorithms except for Indirect (algorithm 252)
remain usable for transaction security mechanisms. Only RSA/SHA-1
[RFC3110], DSA/SHA-1 [RFC2536], and private algorithms (types 253 and
254) may be used for zone signing. Note that the registry does not
contain the requirement level of each algorithm, only whether or not
an algorithm may be used for the given purposes. For example,
RSA/MD5, while allowed for transaction security mechanisms, is NOT
RECOMMENDED, per [RFC3110].
Additionally, the presentation format algorithm mnemonics from
[RFC2535] Section 7 are added to the registry. This document assigns
RSA/SHA-1 the mnemonic RSASHA1.
As before, assignment of new algorithms in this registry requires
IETF Standards Action. Additionally, modification of algorithm
mnemonics or applicability requires IETF Standards Action. Documents
defining a new algorithm must address the applicability of the
algorithm and should assign a presentation mnemonic to the algorithm.
4.3. DNSKEY Flags
Like the KEY resource record, DNSKEY contains a 16-bit flags field.
This document creates a new registry for the DNSKEY flags field.
Initially, this registry only contains an assignment for bit 7 (the
ZONE bit). Bits 0-6 and 8-15 are available for assignment by IETF
Standards Action.
4.4. DNSKEY Protocol Octet
Like the KEY resource record, DNSKEY contains an eight bit protocol
field. The only defined value for this field is 3 (DNSSEC). No
other values are allowed, hence no IANA registry is needed for this
field.
Weiler Standards Track [Page 6]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
5. Security Considerations
The changes introduced here do not materially affect security. The
implications of trying to use both new and legacy types together are
not well understood, and attempts to do so would probably lead to
unintended and dangerous results.
Changing type codes will leave code paths in legacy resolvers that
are never exercised. Unexercised code paths are a frequent source of
security holes, largely because those code paths do not get frequent
scrutiny.
Doing nothing, as described in section 2.5, will slow DNSSEC
deployment. While this does not decrease security, it also fails to
increase it.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999.
[RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
(DNS)", RFC 2536, March 1999.
[RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)",
RFC 2930, September 2000.
[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
(SIG(0)s)", RFC 2931, September 2000.
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
Name System (DNS)", RFC 3110, May 2001.
[RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
(RR)", RFC 3658, December 2003.
Weiler Standards Track [Page 7]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
6.2. Informative References
[RFC2065] Eastlake, 3rd, D. and C. Kaufman, "Domain Name System
Security Extensions", RFC 2065, January 1997.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
2671, August 1999.
[RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
3225, December 2001.
[RFC3445] Massey, D., and S. Rose, "Limiting the Scope of the KEY
Resource Record (RR)", RFC 3445, December 2002.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003.
7. Acknowledgments
The changes introduced here and the analysis of alternatives had many
contributors. With apologies to anyone overlooked, those include:
Michael Graff, Johan Ihren, Olaf Kolkman, Mark Kosters, Ed Lewis,
Bill Manning, Paul Vixie, and Suzanne Woolf.
Thanks to Jakob Schlyter and Mark Andrews for identifying the
incompatibility described in section 1.2.
In addition to the above, the author would like to thank Scott Rose,
Olafur Gudmundsson, and Sandra Murphy for their substantive comments.
8. Author's Address
Samuel Weiler
SPARTA, Inc.
7075 Samuel Morse Drive
Columbia, MD 21046
USA
EMail: weiler@tislabs.com
Weiler Standards Track [Page 8]
RFC 3755 Legacy Resolver Compatibility for DS May 2004
9. Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Weiler Standards Track [Page 9]

1123
doc/rfc/rfc4294.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1459
doc/rfc/rfc4339.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1291
doc/rfc/rfc4471.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1627
doc/rfc/rfc4472.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1011
doc/rfc/rfc4697.txt Normal file
View File

File diff suppressed because it is too large Load Diff

395
doc/rfc/rfc4955.txt Normal file
View File

@@ -0,0 +1,395 @@
Network Working Group D. Blacka
Request for Comments: 4955 VeriSign, Inc.
Category: Standards Track July 2007
DNS Security (DNSSEC) Experiments
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes a methodology for deploying alternate, non-
backwards-compatible, DNS Security (DNSSEC) methodologies in an
experimental fashion without disrupting the deployment of standard
DNSSEC.
Table of Contents
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Definitions and Terminology . . . . . . . . . . . . . . . . . . 2
3. Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Defining an Experiment . . . . . . . . . . . . . . . . . . . . 4
6. Considerations . . . . . . . . . . . . . . . . . . . . . . . . 5
7. Use in Non-Experiments . . . . . . . . . . . . . . . . . . . . 5
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.1. Normative References . . . . . . . . . . . . . . . . . . . 6
9.2. Informative References . . . . . . . . . . . . . . . . . . 6
Blacka Standards Track [Page 1]
RFC 4955 DNS Security (DNSSEC) Experiments July 2007
1. Overview
Historically, experimentation with DNSSEC alternatives has been a
problematic endeavor. There has typically been a desire to both
introduce non-backwards-compatible changes to DNSSEC and to try these
changes on real zones in the public DNS. This creates a problem when
the change to DNSSEC would make all or part of the zone using those
changes appear bogus (bad) or otherwise broken to existing security-
aware resolvers.
This document describes a standard methodology for setting up DNSSEC
experiments. This methodology addresses the issue of coexistence
with standard DNSSEC and DNS by using unknown algorithm identifiers
to hide the experimental DNSSEC protocol modifications from standard
security-aware resolvers.
2. Definitions and Terminology
Throughout this document, familiarity with the DNS system (RFC 1035
[5]) and the DNS security extensions (RFC 4033 [2], RFC 4034 [3], and
RFC 4035 [4]) is assumed.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
3. Experiments
When discussing DNSSEC experiments, it is necessary to classify these
experiments into two broad categories:
Backwards-Compatible: describes experimental changes that, while not
strictly adhering to the DNSSEC standard, are nonetheless
interoperable with clients and servers that do implement the
DNSSEC standard.
Non-Backwards-Compatible: describes experiments that would cause a
standard security-aware resolver to (incorrectly) determine that
all or part of a zone is bogus, or to otherwise not interoperate
with standard DNSSEC clients and servers.
Not included in these terms are experiments with the core DNS
protocol itself.
The methodology described in this document is not necessary for
backwards-compatible experiments, although it certainly may be used
if desired.
Blacka Standards Track [Page 2]
RFC 4955 DNS Security (DNSSEC) Experiments July 2007
4. Method
The core of the methodology is the use of strictly unknown algorithm
identifiers when signing the experimental zone, and more importantly,
having only unknown algorithm identifiers in the DS records for the
delegation to the zone at the parent.
This technique works because of the way DNSSEC-compliant validators
are expected to work in the presence of a DS set with only unknown
algorithm identifiers. From RFC 4035 [4], Section 5.2:
If the validator does not support any of the algorithms listed in
an authenticated DS RRset, then the resolver has no supported
authentication path leading from the parent to the child. The
resolver should treat this case as it would the case of an
authenticated NSEC RRset proving that no DS RRset exists, as
described above.
And further:
If the resolver does not support any of the algorithms listed in
an authenticated DS RRset, then the resolver will not be able to
verify the authentication path to the child zone. In this case,
the resolver SHOULD treat the child zone as if it were unsigned.
Although this behavior isn't strictly mandatory (as marked by MUST),
it is unlikely for a validator to implement a substantially different
behavior. Essentially, if the validator does not have a usable chain
of trust to a child zone, then it can only do one of two things:
treat responses from the zone as insecure (the recommended behavior),
or treat the responses as bogus. If the validator chooses the
latter, this will both violate the expectation of the zone owner and
defeat the purpose of the above rule. However, with local policy, it
is within the right of a validator to refuse to trust certain zones
based on any criteria, including the use of unknown signing
algorithms.
Because we are talking about experiments, it is RECOMMENDED that
private algorithm numbers be used (see RFC 4034 [3], Appendix A.1.1.
Note that secure handling of private algorithms requires special
handing by the validator logic. See "Clarifications and
Implementation Notes for DNSSECbis" [6] for further details.)
Normally, instead of actually inventing new signing algorithms, the
recommended path is to create alternate algorithm identifiers that
are aliases for the existing, known algorithms. While, strictly
speaking, it is only necessary to create an alternate identifier for
the mandatory algorithms, it is suggested that all optional defined
algorithms be aliased as well.
Blacka Standards Track [Page 3]
RFC 4955 DNS Security (DNSSEC) Experiments July 2007
It is RECOMMENDED that for a particular DNSSEC experiment, a
particular domain name base is chosen for all new algorithms, then
the algorithm number (or name) is prepended to it. For example, for
experiment A, the base name of "dnssec-experiment-a.example.com" is
chosen. Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are
defined to be "3.dnssec-experiment-a.example.com" and
"5.dnssec-experiment-a.example.com". However, any unique identifier
will suffice.
Using this method, resolvers (or, more specifically, DNSSEC
validators) essentially indicate their ability to understand the
DNSSEC experiment's semantics by understanding what the new algorithm
identifiers signify.
This method creates two classes of security-aware servers and
resolvers: servers and resolvers that are aware of the experiment
(and thus recognize the experiment's algorithm identifiers and
experimental semantics), and servers and resolvers that are unaware
of the experiment.
This method also precludes any zone from being both in an experiment
and in a classic DNSSEC island of security. That is, a zone is
either in an experiment and only possible to validate experimentally,
or it is not.
5. Defining an Experiment
The DNSSEC experiment MUST define the particular set of (previously
unknown) algorithm identifiers that identify the experiment and
define what each unknown algorithm identifier means. Typically,
unless the experiment is actually experimenting with a new DNSSEC
algorithm, this will be a mapping of private algorithm identifiers to
existing, known algorithms.
Normally the experiment will choose a DNS name as the algorithm
identifier base. This DNS name SHOULD be under the control of the
authors of the experiment. Then the experiment will define a mapping
between known mandatory and optional algorithms into this private
algorithm identifier space. Alternately, the experiment MAY use the
Object Identifier (OID) private algorithm space instead (using
algorithm number 254), or MAY choose non-private algorithm numbers,
although this would require an IANA allocation.
For example, an experiment might specify in its description the DNS
name "dnssec-experiment-a.example.com" as the base name, and declare
that "3.dnssec-experiment-a.example.com" is an alias of DNSSEC
algorithm 3 (DSA), and that "5.dnssec-experiment-a.example.com" is an
alias of DNSSEC algorithm 5 (RSASHA1).
Blacka Standards Track [Page 4]
RFC 4955 DNS Security (DNSSEC) Experiments July 2007
Resolvers MUST only recognize the experiment's semantics when present
in a zone signed by one or more of these algorithm identifiers. This
is necessary to isolate the semantics of one experiment from any
others that the resolver might understand.
In general, resolvers involved in the experiment are expected to
understand both standard DNSSEC and the defined experimental DNSSEC
protocol, although this isn't required.
6. Considerations
There are a number of considerations with using this methodology.
1. If an unaware validator does not correctly follow the rules laid
out in RFC 4035 (e.g., the validator interprets a DNSSEC record
prior to validating it), or if the experiment is broader in scope
that just modifying the DNSSEC semantics, the experiment may not
be sufficiently masked by this technique. This may cause
unintended resolution failures.
2. It will not be possible for security-aware resolvers unaware of
the experiment to build a chain of trust through an experimental
zone.
7. Use in Non-Experiments
This general methodology MAY be used for non-backwards compatible
DNSSEC protocol changes that start out as or become standards. In
this case:
o The protocol change SHOULD use public IANA allocated algorithm
identifiers instead of private algorithm identifiers. This will
help identify the protocol change as a standard, rather than an
experiment.
o Resolvers MAY recognize the protocol change in zones not signed
(or not solely signed) using the new algorithm identifiers.
8. Security Considerations
Zones using this methodology will be considered insecure by all
resolvers except those aware of the experiment. It is not generally
possible to create a secure delegation from an experimental zone that
will be followed by resolvers unaware of the experiment.
Implementers should take into account any security issues that may
result from environments being configured to trust both experimental
and non-experimental zones. If the experimental zone is more
Blacka Standards Track [Page 5]
RFC 4955 DNS Security (DNSSEC) Experiments July 2007
vulnerable to attacks, it could, for example, be used to promote
trust in zones not part of the experiment, possibly under the control
of an attacker.
9. References
9.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033,
March 2005.
[3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Resource Records for the DNS Security Extensions", RFC 4034,
March 2005.
[4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Protocol Modifications for the DNS Security Extensions",
RFC 4035, March 2005.
9.2. Informative References
[5] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[6] Weiler, S. and R. Austein, "Clarifications and Implementation
Notes for DNSSECbis", Work in Progress, March 2007.
Author's Address
David Blacka
VeriSign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
US
Phone: +1 703 948 3200
EMail: davidb@verisign.com
URI: http://www.verisignlabs.com
Blacka Standards Track [Page 6]
RFC 4955 DNS Security (DNSSEC) Experiments July 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Blacka Standards Track [Page 7]

955
doc/rfc/rfc4956.txt Normal file
View File

@@ -0,0 +1,955 @@
Network Working Group R. Arends
Request for Comments: 4956 Nominet
Category: Experimental M. Kosters
D. Blacka
VeriSign, Inc.
July 2007
DNS Security (DNSSEC) Opt-In
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
In the DNS security (DNSSEC) extensions, delegations to unsigned
subzones are cryptographically secured. Maintaining this
cryptography is not always practical or necessary. This document
describes an experimental "Opt-In" model that allows administrators
to omit this cryptography and manage the cost of adopting DNSSEC with
large zones.
Arends, et al. Experimental [Page 1]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
Table of Contents
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 5
4.1. Server Considerations . . . . . . . . . . . . . . . . . . 6
4.1.1. Delegations Only . . . . . . . . . . . . . . . . . . . 6
4.1.2. Insecure Delegation Responses . . . . . . . . . . . . 6
4.1.3. Dynamic Update . . . . . . . . . . . . . . . . . . . . 6
4.2. Client Considerations . . . . . . . . . . . . . . . . . . 7
4.2.1. Delegations Only . . . . . . . . . . . . . . . . . . . 7
4.2.2. Validation Process Changes . . . . . . . . . . . . . . 7
4.2.3. NSEC Record Caching . . . . . . . . . . . . . . . . . 8
4.2.4. Use of the AD bit . . . . . . . . . . . . . . . . . . 8
5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . . 13
Appendix A. Implementing Opt-In Using "Views" . . . . . . . . . . 15
Arends, et al. Experimental [Page 2]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
1. Overview
The cost to cryptographically secure delegations to unsigned zones is
high for large delegation-centric zones and zones where insecure
delegations will be updated rapidly. For these zones, the costs of
maintaining the NextSECure (NSEC) record chain may be extremely high
relative to the gain of cryptographically authenticating existence of
unsecured zones.
This document describes an experimental method of eliminating the
superfluous cryptography present in secure delegations to unsigned
zones. Using "Opt-In", a zone administrator can choose to remove
insecure delegations from the NSEC chain. This is accomplished by
extending the semantics of the NSEC record by using a redundant bit
in the type map.
2. Definitions and Terminology
Throughout this document, familiarity with the DNS system (RFC 1035
[1]), DNS security extensions ([4], [5], and [6], referred to in this
document as "standard DNSSEC"), and DNSSEC terminology (RFC 3090
[10]) is assumed.
The following abbreviations and terms are used in this document:
RR: is used to refer to a DNS resource record.
RRset: refers to a Resource Record Set, as defined by [8]. In this
document, the RRset is also defined to include the covering RRSIG
records, if any exist.
signed name: refers to a DNS name that has, at minimum, a (signed)
NSEC record.
unsigned name: refers to a DNS name that does not (at least) have an
NSEC record.
covering NSEC record/RRset: is the NSEC record used to prove
(non)existence of a particular name or RRset. This means that for
a RRset or name 'N', the covering NSEC record has the name 'N', or
has an owner name less than 'N' and "next" name greater than 'N'.
delegation: refers to an NS RRset with a name different from the
current zone apex (non-zone-apex), signifying a delegation to a
subzone.
Arends, et al. Experimental [Page 3]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
secure delegation: refers to a signed name containing a delegation
(NS RRset), and a signed DS RRset, signifying a delegation to a
signed subzone.
insecure delegation: refers to a signed name containing a delegation
(NS RRset), but lacking a DS RRset, signifying a delegation to an
unsigned subzone.
Opt-In insecure delegation: refers to an unsigned name containing
only a delegation NS RRset. The covering NSEC record uses the
Opt-In methodology described in this document.
The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [2].
3. Experimental Status
This document describes an EXPERIMENTAL extension to DNSSEC. It
interoperates with non-experimental DNSSEC using the technique
described in [7]. This experiment is identified with the following
private algorithms (using algorithm 253):
"3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA,
and
"5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5,
RSASHA1.
Servers wishing to sign and serve zones that utilize Opt-In MUST sign
the zone with only one or more of these private algorithms and MUST
NOT use any other algorithms.
Resolvers MUST NOT apply the Opt-In validation rules described in
this document unless a zone is signed using one or more of these
private algorithms.
This experimental protocol relaxes the restriction that validators
MUST ignore the setting of the NSEC bit in the type map as specified
in RFC 4035 [6] Section 5.4.
The remainder of this document assumes that the servers and resolvers
involved are aware of and are involved in this experiment.
Arends, et al. Experimental [Page 4]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
4. Protocol Additions
In DNSSEC, delegation NS RRsets are not signed, but are instead
accompanied by an NSEC RRset of the same name and (possibly) a DS
record. The security status of the subzone is determined by the
presence or absence of the DS RRset, cryptographically proven by the
NSEC record. Opt-In expands this definition by allowing insecure
delegations to exist within an otherwise signed zone without the
corresponding NSEC record at the delegation's owner name. These
insecure delegations are proven insecure by using a covering NSEC
record.
Since this represents a change of the interpretation of NSEC records,
resolvers must be able to distinguish between RFC standard DNSSEC
NSEC records and Opt-In NSEC records. This is accomplished by
"tagging" the NSEC records that cover (or potentially cover) insecure
delegation nodes. This tag is indicated by the absence of the NSEC
bit in the type map. Since the NSEC bit in the type map merely
indicates the existence of the record itself, this bit is redundant
and safe for use as a tag.
An Opt-In tagged NSEC record does not assert the (non)existence of
the delegations that it covers (except for a delegation with the same
name). This allows for the addition or removal of these delegations
without recalculating or resigning records in the NSEC chain.
However, Opt-In tagged NSEC records do assert the (non)existence of
other RRsets.
An Opt-In NSEC record MAY have the same name as an insecure
delegation. In this case, the delegation is proven insecure by the
lack of a DS bit in the type map, and the signed NSEC record does
assert the existence of the delegation.
Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC
records and standard DNSSEC NSEC records. If an NSEC record is not
Opt-In, there MUST NOT be any insecure delegations (or any other
records) between it and the RRsets indicated by the 'next domain
name' in the NSEC RDATA. If it is Opt-In, there MUST only be
insecure delegations between it and the next node indicated by the
'next domain name' in the NSEC RDATA.
In summary,
o An Opt-In NSEC type is identified by a zero-valued (or not-
specified) NSEC bit in the type bit map of the NSEC record.
Arends, et al. Experimental [Page 5]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
o A standard DNSSEC NSEC type is identified by a one-valued NSEC bit
in the type bit map of the NSEC record.
and
o An Opt-In NSEC record does not assert the non-existence of a name
between its owner name and "next" name, although it does assert
that any name in this span MUST be an insecure delegation.
o An Opt-In NSEC record does assert the (non)existence of RRsets
with the same owner name.
4.1. Server Considerations
Opt-In imposes some new requirements on authoritative DNS servers.
4.1.1. Delegations Only
This specification dictates that only insecure delegations may exist
between the owner and "next" names of an Opt-In tagged NSEC record.
Signing tools MUST NOT generate signed zones that violate this
restriction. Servers MUST refuse to load and/or serve zones that
violate this restriction. Servers also MUST reject AXFR or IXFR
responses that violate this restriction.
4.1.2. Insecure Delegation Responses
When returning an Opt-In insecure delegation, the server MUST return
the covering NSEC RRset in the Authority section.
In standard DNSSEC, NSEC records already must be returned along with
the insecure delegation. The primary difference that this proposal
introduces is that the Opt-In tagged NSEC record will have a
different owner name from the delegation RRset. This may require
implementations to search for the covering NSEC RRset.
4.1.3. Dynamic Update
Opt-In changes the semantics of Secure DNS Dynamic Update [9]. In
particular, it introduces the need for rules that describe when to
add or remove a delegation name from the NSEC chain. This document
does not attempt to define these rules. Until these rules are
defined, servers MUST NOT process DNS Dynamic Update requests against
zones that use Opt-In NSEC records. Servers SHOULD return responses
to update requests with RCODE=REFUSED.
Arends, et al. Experimental [Page 6]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
4.2. Client Considerations
Opt-In imposes some new requirements on security-aware resolvers
(caching or otherwise).
4.2.1. Delegations Only
As stated in Section 4.1 above, this specification restricts the
namespace covered by Opt-In tagged NSEC records to insecure
delegations only. Clients are not expected to take any special
measures to enforce this restriction; instead, it forms an underlying
assumption that clients may rely on.
4.2.2. Validation Process Changes
This specification does not change the resolver's resolution
algorithm. However, it does change the DNSSEC validation process.
4.2.2.1. Referrals
Resolvers MUST be able to use Opt-In tagged NSEC records to
cryptographically prove the validity and security status (as
insecure) of a referral. Resolvers determine the security status of
the referred-to zone as follows:
o In standard DNSSEC, the security status is proven by the existence
or absence of a DS RRset at the same name as the delegation. The
existence of the DS RRset indicates that the referred-to zone is
signed. The absence of the DS RRset is proven using a verified
NSEC record of the same name that does not have the DS bit set in
the type map. This NSEC record MAY also be tagged as Opt-In.
o Using Opt-In, the security status is proven by the existence of a
DS record (for signed) or the presence of a verified Opt-In tagged
NSEC record that covers the delegation name. That is, the NSEC
record does not have the NSEC bit set in the type map, and the
delegation name falls between the NSEC's owner and "next" name.
Using Opt-In does not substantially change the nature of following
referrals within DNSSEC. At every delegation point, the resolver
will have cryptographic proof that the referred-to subzone is signed
or unsigned.
4.2.2.2. Queries for DS Resource Records
Since queries for DS records are directed to the parent side of a
zone cut (see [5], Section 5), negative responses to these queries
may be covered by an Opt-In flagged NSEC record.
Arends, et al. Experimental [Page 7]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
Resolvers MUST be able to use Opt-In tagged NSEC records to
cryptographically prove the validity and security status of negative
responses to queries for DS records. In particular, a NOERROR/NODATA
(i.e., RCODE=3, but the answer section is empty) response to a DS
query may be proven by an Opt-In flagged covering NSEC record, rather
than an NSEC record matching the query name.
4.2.3. NSEC Record Caching
Caching resolvers MUST be able to retrieve the appropriate covering
Opt-In NSEC record when returning referrals that need them. This
requirement differs from standard DNSSEC in that the covering NSEC
will not have the same owner name as the delegation. Some
implementations may have to use new methods for finding these NSEC
records.
4.2.4. Use of the AD bit
The AD bit, as defined by [3] and [6], MUST NOT be set when:
o sending a Name Error (RCODE=3) response where the covering NSEC is
tagged as Opt-In.
o sending an Opt-In insecure delegation response, unless the
covering (Opt-In) NSEC record's owner name equals the delegation
name.
o sending a NOERROR/NODATA response when query type is DS and the
covering NSEC is tagged as Opt-In, unless NSEC record's owner name
matches the query name.
This rule is based on what the Opt-In NSEC record actually proves:
for names that exist between the Opt-In NSEC record's owner and
"next" names, the Opt-In NSEC record cannot prove the non-existence
or existence of the name. As such, not all data in the response has
been cryptographically verified, so the AD bit cannot be set.
5. Benefits
Using Opt-In allows administrators of large and/or changing
delegation-centric zones to minimize the overhead involved in
maintaining the security of the zone.
Opt-In accomplishes this by eliminating the need for NSEC records for
insecure delegations. This, in a zone with a large number of
delegations to unsigned subzones, can lead to substantial space
savings (both in memory and on disk). Additionally, Opt-In allows
for the addition or removal of insecure delegations without modifying
Arends, et al. Experimental [Page 8]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
the NSEC record chain. Zones that are frequently updating insecure
delegations (e.g., Top-Level Domains (TLDs)) can avoid the
substantial overhead of modifying and resigning the affected NSEC
records.
6. Example
Consider the zone EXAMPLE shown below. This is a zone where all of
the NSEC records are tagged as Opt-In.
Example A: Fully Opt-In Zone.
EXAMPLE. SOA ...
EXAMPLE. RRSIG SOA ...
EXAMPLE. NS FIRST-SECURE.EXAMPLE.
EXAMPLE. RRSIG NS ...
EXAMPLE. DNSKEY ...
EXAMPLE. RRSIG DNSKEY ...
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (
SOA NS RRSIG DNSKEY )
EXAMPLE. RRSIG NSEC ...
FIRST-SECURE.EXAMPLE. A ...
FIRST-SECURE.EXAMPLE. RRSIG A ...
FIRST-SECURE.EXAMPLE. NSEC NOT-SECURE-2.EXAMPLE. A RRSIG
FIRST-SECURE.EXAMPLE. RRSIG NSEC ...
NOT-SECURE.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
NS.NOT-SECURE.EXAMPLE. A ...
NOT-SECURE-2.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
NOT-SECURE-2.EXAMPLE NSEC SECOND-SECURE.EXAMPLE NS RRSIG
NOT-SECURE-2.EXAMPLE RRSIG NSEC ...
SECOND-SECURE.EXAMPLE. NS NS.ELSEWHERE.
SECOND-SECURE.EXAMPLE. DS ...
SECOND-SECURE.EXAMPLE. RRSIG DS ...
SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DNSKEY
SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE.
NS.UNSIGNED.EXAMPLE. A ...
Example A.
Arends, et al. Experimental [Page 9]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
In this example, a query for a signed RRset (e.g., "FIRST-
SECURE.EXAMPLE A") or a secure delegation ("WWW.SECOND-SECURE.EXAMPLE
A") will result in a standard DNSSEC response.
A query for a nonexistent RRset will result in a response that
differs from standard DNSSEC by the following: the NSEC record will
be tagged as Opt-In, there may be no NSEC record proving the non-
existence of a matching wildcard record, and the AD bit will not be
set.
A query for an insecure delegation RRset (or a referral) will return
both the answer (in the Authority section) and the corresponding
Opt-In NSEC record to prove that it is not secure.
Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A
RCODE=NOERROR, AD=0
Answer Section:
Authority Section:
UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE
SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS
SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
Additional Section:
NS.UNSIGNED.EXAMPLE. A ...
Example A.1
In the Example A.1 zone, the EXAMPLE. node MAY use either style of
NSEC record, because there are no insecure delegations that occur
between it and the next node, FIRST-SECURE.EXAMPLE. In other words,
Example A would still be a valid zone if the NSEC record for EXAMPLE.
was changed to the following RR:
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS
RRSIG DNSKEY NSEC )
However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND-
SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure
delegations in the range they define. (NOT-SECURE.EXAMPLE. and
UNSIGNED.EXAMPLE., respectively).
NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is
part of the NSEC chain and also covered by an Opt-In tagged NSEC
record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be
Arends, et al. Experimental [Page 10]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
removed from the zone without modifying and resigning the prior NSEC
record. Delegations with names that fall between NOT-SECURE-
2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without
resigning any NSEC records.
7. Transition Issues
Opt-In is not backwards compatible with standard DNSSEC and is
considered experimental. Standard DNSSEC-compliant implementations
would not recognize Opt-In tagged NSEC records as different from
standard NSEC records. Because of this, standard DNSSEC
implementations, if they were to validate Opt-In style responses,
would reject all Opt-In insecure delegations within a zone as
invalid. However, by only signing with private algorithms, standard
DNSSEC implementations will treat Opt-In responses as unsigned.
It should be noted that all elements in the resolution path between
(and including) the validator and the authoritative name server must
be aware of the Opt-In experiment and implement the Opt-In semantics
for successful validation to be possible. In particular, this
includes any caching middleboxes between the validator and
authoritative name server.
8. Security Considerations
Opt-In allows for unsigned names, in the form of delegations to
unsigned subzones, to exist within an otherwise signed zone. All
unsigned names are, by definition, insecure, and their validity or
existence cannot be cryptographically proven.
In general:
o Records with unsigned names (whether or not existing) suffer from
the same vulnerabilities as records in an unsigned zone. These
vulnerabilities are described in more detail in [12] (note in
particular Sections 2.3, "Name Games" and 2.6, "Authenticated
Denial").
o Records with signed names have the same security whether or not
Opt-In is used.
Note that with or without Opt-In, an insecure delegation may have its
contents undetectably altered by an attacker. Because of this, the
primary difference in security that Opt-In introduces is the loss of
the ability to prove the existence or nonexistence of an insecure
delegation within the span of an Opt-In NSEC record.
Arends, et al. Experimental [Page 11]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
In particular, this means that a malicious entity may be able to
insert or delete records with unsigned names. These records are
normally NS records, but this also includes signed wildcard
expansions (while the wildcard record itself is signed, its expanded
name is an unsigned name), which can be undetectably removed or used
to replace an existing unsigned delegation.
For example, if a resolver received the following response from the
example zone above:
Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
RCODE=NOERROR
Answer Section:
Authority Section:
DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED.
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \
RRSIG DNSKEY
EXAMPLE. RRSIG NSEC ...
Additional Section:
Attacker has forged a name
The resolver would have no choice but to believe that the referral to
NS.FORGED. is valid. If a wildcard existed that would have been
expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
have undetectably removed it and replaced it with the forged
delegation.
Note that being able to add a delegation is functionally equivalent
to being able to add any record type: an attacker merely has to forge
a delegation to the nameserver under his/her control and place
whatever records are needed at the subzone apex.
While in particular cases, this issue may not present a significant
security problem, in general it should not be lightly dismissed.
Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
In particular, zone signing tools SHOULD NOT default to Opt-In, and
MAY choose not to support Opt-In at all.
Arends, et al. Experimental [Page 12]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
9. Acknowledgments
The contributions, suggestions, and remarks of the following persons
(in alphabetic order) to this document are acknowledged:
Mats Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill
Manning, Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter,
Brian Wellington.
10. References
10.1. Normative References
[1] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[3] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
Authenticated Data (AD) bit", RFC 3655, November 2003.
[4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033,
March 2005.
[5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Resource Records for the DNS Security Extensions", RFC 4034,
March 2005.
[6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Protocol Modifications for the DNS Security Extensions",
RFC 4035, March 2005.
[7] Blacka, D., "DNSSEC Experiments", RFC 4955, July 2007.
10.2. Informative References
[8] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
RFC 2181, July 1997.
[9] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000.
[10] Lewis, E., "DNS Security Extension Clarification on Zone
Status", RFC 3090, March 2001.
Arends, et al. Experimental [Page 13]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
[11] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225,
December 2001.
[12] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
System (DNS)", RFC 3833, August 2004.
Arends, et al. Experimental [Page 14]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
Appendix A. Implementing Opt-In Using "Views"
In many cases, it may be convenient to implement an Opt-In zone by
combining two separately maintained "views" of a zone at request
time. In this context, "view" refers to a particular version of a
zone, not to any specific DNS implementation feature.
In this scenario, one view is the secure view, the other is the
insecure (or legacy) view. The secure view consists of an entirely
signed zone using Opt-In tagged NSEC records. The insecure view
contains no DNSSEC information. It is helpful, although not
necessary, for the secure view to be a subset (minus DNSSEC records)
of the insecure view.
In addition, the only RRsets that may solely exist in the insecure
view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and
the zone apex NS RRset) MUST be signed and in the secure view.
These two views may be combined at request time to provide a virtual,
single Opt-In zone. The following algorithm is used when responding
to each query:
V_A is the secure view as described above.
V_B is the insecure view as described above.
R_A is a response generated from V_A, following standard DNSSEC.
R_B is a response generated from V_B, following DNS resolution as
per RFC 1035 [1].
R_C is the response generated by combining R_A with R_B, as
described below.
A query is DNSSEC-aware if it either has the DO bit [11] turned on
or is for a DNSSEC-specific record type.
1. If V_A is a subset of V_B and the query is not DNSSEC-aware,
generate and return R_B, otherwise
2. Generate R_A.
3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise
Arends, et al. Experimental [Page 15]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
4. Generate R_B and combine it with R_A to form R_C:
For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the
records from R_A into R_B, EXCEPT the AUTHORITY section SOA
record, if R_B's RCODE = NOERROR.
5. Return R_C.
Authors' Addresses
Roy Arends
Nominet
Sandford Gate
Sandy Lane West
Oxford OX4 6LB
UNITED KINGDOM
Phone: +44 1865 332211
EMail: roy@nominet.org.uk
Mark Kosters
VeriSign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
US
Phone: +1 703 948 3200
EMail: mkosters@verisign.com
URI: http://www.verisignlabs.com
David Blacka
VeriSign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
US
Phone: +1 703 948 3200
EMail: davidb@verisign.com
URI: http://www.verisignlabs.com
Arends, et al. Experimental [Page 16]
RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Arends, et al. Experimental [Page 17]

619
doc/rfc/rfc5001.txt Normal file
View File

@@ -0,0 +1,619 @@
Network Working Group R. Austein
Request for Comments: 5001 ISC
Category: Standards Track August 2007
DNS Name Server Identifier (NSID) Option
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
With the increased use of DNS anycast, load balancing, and other
mechanisms allowing more than one DNS name server to share a single
IP address, it is sometimes difficult to tell which of a pool of name
servers has answered a particular query. While existing ad-hoc
mechanisms allow an operator to send follow-up queries when it is
necessary to debug such a configuration, the only completely reliable
way to obtain the identity of the name server that responded is to
have the name server include this information in the response itself.
This note defines a protocol extension to support this functionality.
Austein Standards Track [Page 1]
RFC 5001 DNS NSID August 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 3
2. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Resolver Behavior . . . . . . . . . . . . . . . . . . . . 3
2.2. Name Server Behavior . . . . . . . . . . . . . . . . . . . 3
2.3. The NSID Option . . . . . . . . . . . . . . . . . . . . . 4
2.4. Presentation Format . . . . . . . . . . . . . . . . . . . 4
3. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. The NSID Payload . . . . . . . . . . . . . . . . . . . . . 4
3.2. NSID Is Not Transitive . . . . . . . . . . . . . . . . . . 7
3.3. User Interface Issues . . . . . . . . . . . . . . . . . . 7
3.4. Truncation . . . . . . . . . . . . . . . . . . . . . . . . 8
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative References . . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . . 10
1. Introduction
With the increased use of DNS anycast, load balancing, and other
mechanisms allowing more than one DNS name server to share a single
IP address, it is sometimes difficult to tell which of a pool of name
servers has answered a particular query.
Existing ad-hoc mechanisms allow an operator to send follow-up
queries when it is necessary to debug such a configuration, but there
are situations in which this is not a totally satisfactory solution,
since anycast routing may have changed, or the server pool in
question may be behind some kind of extremely dynamic load balancing
hardware. Thus, while these ad-hoc mechanisms are certainly better
than nothing (and have the advantage of already being deployed), a
better solution seems desirable.
Given that a DNS query is an idempotent operation with no retained
state, it would appear that the only completely reliable way to
obtain the identity of the name server that responded to a particular
query is to have that name server include identifying information in
the response itself. This note defines a protocol enhancement to
achieve this.
Austein Standards Track [Page 2]
RFC 5001 DNS NSID August 2007
1.1. Reserved Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Protocol
This note uses an EDNS [RFC2671] option to signal the resolver's
desire for information identifying the name server and to hold the
name server's response, if any.
2.1. Resolver Behavior
A resolver signals its desire for information identifying a name
server by sending an empty NSID option (Section 2.3) in an EDNS OPT
pseudo-RR in the query message.
The resolver MUST NOT include any NSID payload data in the query
message.
The semantics of an NSID request are not transitive. That is: the
presence of an NSID option in a query is a request that the name
server which receives the query identify itself. If the name server
side of a recursive name server receives an NSID request, the client
is asking the recursive name server to identify itself; if the
resolver side of the recursive name server wishes to receive
identifying information, it is free to add NSID requests in its own
queries, but that is a separate matter.
2.2. Name Server Behavior
A name server that understands the NSID option and chooses to honor a
particular NSID request responds by including identifying information
in a NSID option (Section 2.3) in an EDNS OPT pseudo-RR in the
response message.
The name server MUST ignore any NSID payload data that might be
present in the query message.
The NSID option is not transitive. A name server MUST NOT send an
NSID option back to a resolver which did not request it. In
particular, while a recursive name server may choose to add an NSID
option when sending a query, this has no effect on the presence or
absence of the NSID option in the recursive name server's response to
the original client.
Austein Standards Track [Page 3]
RFC 5001 DNS NSID August 2007
As stated in Section 2.1, this mechanism is not restricted to
authoritative name servers; the semantics are intended to be equally
applicable to recursive name servers.
2.3. The NSID Option
The OPTION-CODE for the NSID option is 3.
The OPTION-DATA for the NSID option is an opaque byte string, the
semantics of which are deliberately left outside the protocol. See
Section 3.1 for discussion.
2.4. Presentation Format
User interfaces MUST read and write the contents of the NSID option
as a sequence of hexadecimal digits, two digits per payload octet.
The NSID payload is binary data. Any comparison between NSID
payloads MUST be a comparison of the raw binary data. Copy
operations MUST NOT assume that the raw NSID payload is null-
terminated. Any resemblance between raw NSID payload data and any
form of text is purely a convenience, and does not change the
underlying nature of the payload data.
See Section 3.3 for discussion.
3. Discussion
This section discusses certain aspects of the protocol and explains
considerations that led to the chosen design.
3.1. The NSID Payload
The syntax and semantics of the content of the NSID option are
deliberately left outside the scope of this specification.
Choosing the NSID content is a prerogative of the server
administrator. The server administrator might choose to encode the
NSID content in such a way that the server operator (or clients
authorized by the server operator) can decode the NSID content to
obtain more information than other clients can. Alternatively, the
server operator might choose unencoded NSID content that is equally
meaningful to any client.
This section describes some of the kinds of data that server
administrators might choose to provide as the content of the NSID
option, and explains the reasoning behind specifying a simple opaque
byte string in Section 2.3.
Austein Standards Track [Page 4]
RFC 5001 DNS NSID August 2007
There are several possibilities for the payload of the NSID option:
o It could be the "real" name of the specific name server within the
name server pool.
o It could be the "real" IP address (IPv4 or IPv6) of the name
server within the name server pool.
o It could be some sort of pseudo-random number generated in a
predictable fashion somehow using the server's IP address or name
as a seed value.
o It could be some sort of probabilistically unique identifier
initially derived from some sort of random number generator then
preserved across reboots of the name server.
o It could be some sort of dynamically generated identifier so that
only the name server operator could tell whether or not any two
queries had been answered by the same server.
o It could be a blob of signed data, with a corresponding key which
might (or might not) be available via DNS lookups.
o It could be a blob of encrypted data, the key for which could be
restricted to parties with a need to know (in the opinion of the
server operator).
o It could be an arbitrary string of octets chosen at the discretion
of the name server operator.
Each of these options has advantages and disadvantages:
o Using the "real" name is simple, but the name server may not have
a "real" name.
o Using the "real" address is also simple, and the name server
almost certainly does have at least one non-anycast IP address for
maintenance operations, but the operator of the name server may
not be willing to divulge its non-anycast address.
o Given that one common reason for using anycast DNS techniques is
an attempt to harden a critical name server against denial of
service attacks, some name server operators are likely to want an
identifier other than the "real" name or "real" address of the
name server instance.
o Using a hash or pseudo-random number can provide a fixed length
value that the resolver can use to tell two name servers apart
Austein Standards Track [Page 5]
RFC 5001 DNS NSID August 2007
without necessarily being able to tell where either one of them
"really" is, but makes debugging more difficult if one happens to
be in a friendly open environment. Furthermore, hashing might not
add much value, since a hash based on an IPv4 address still only
involves a 32-bit search space, and DNS names used for servers
that operators might have to debug at 4am tend not to be very
random.
o Probabilistically unique identifiers have properties similar to
hashed identifiers, but (given a sufficiently good random number
generator) are immune to the search space issues. However, the
strength of this approach is also its weakness: there is no
algorithmic transformation by which even the server operator can
associate name server instances with identifiers while debugging,
which might be annoying. This approach also requires the name
server instance to preserve the probabilistically unique
identifier across reboots, but this does not appear to be a
serious restriction, since authoritative nameservers almost always
have some form of non-volatile storage. In the rare case of a
name server that does not have any way to store such an
identifier, nothing terrible will happen if the name server
generates a new identifier every time it reboots.
o Using an arbitrary octet string gives name server operators yet
another setting to configure, or mis-configure, or forget to
configure. Having all the nodes in an anycast name server
constellation identify themselves as "My Name Server" would not be
particularly useful.
o A signed blob is not particularly useful as an NSID payload unless
the signed data is dynamic and includes some kind of replay
protection, such as a timestamp or some kind of data identifying
the requestor. Signed blobs that meet these criteria could
conceivably be useful in some situations but would require
detailed security analysis beyond the scope of this document.
o A static encrypted blob would not be particularly useful, as it
would be subject to replay attacks and would, in effect, just be a
random number to any party that does not possess the decryption
key. Dynamic encrypted blobs could conceivably be useful in some
situations but, as with signed blobs, dynamic encrypted blobs
would require detailed security analysis beyond the scope of this
document.
Given all of the issues listed above, there does not appear to be a
single solution that will meet all needs. Section 2.3 therefore
defines the NSID payload to be an opaque byte string and leaves the
choice of payload up to the implementor and name server operator.
Austein Standards Track [Page 6]
RFC 5001 DNS NSID August 2007
The following guidelines may be useful to implementors and server
operators:
o Operators for whom divulging the unicast address is an issue could
use the raw binary representation of a probabilistically unique
random number. This should probably be the default implementation
behavior.
o Operators for whom divulging the unicast address is not an issue
could just use the raw binary representation of a unicast address
for simplicity. This should only be done via an explicit
configuration choice by the operator.
o Operators who really need or want the ability to set the NSID
payload to an arbitrary value could do so, but this should only be
done via an explicit configuration choice by the operator.
This approach appears to provide enough information for useful
debugging without unintentionally leaking the maintenance addresses
of anycast name servers to nogoodniks, while also allowing name
server operators who do not find such leakage threatening to provide
more information at their own discretion.
3.2. NSID Is Not Transitive
As specified in Section 2.1 and Section 2.2, the NSID option is not
transitive. This is strictly a hop-by-hop mechanism.
Most of the discussion of name server identification to date has
focused on identifying authoritative name servers, since the best
known cases of anycast name servers are a subset of the name servers
for the root zone. However, given that anycast DNS techniques are
also applicable to recursive name servers, the mechanism may also be
useful with recursive name servers. The hop-by-hop semantics support
this.
While there might be some utility in having a transitive variant of
this mechanism (so that, for example, a stub resolver could ask a
recursive server to tell it which authoritative name server provided
a particular answer to the recursive name server), the semantics of
such a variant would be more complicated, and are left for future
work.
3.3. User Interface Issues
Given the range of possible payload contents described in
Section 3.1, it is not possible to define a single presentation
format for the NSID payload that is efficient, convenient,
Austein Standards Track [Page 7]
RFC 5001 DNS NSID August 2007
unambiguous, and aesthetically pleasing. In particular, while it is
tempting to use a presentation format that uses some form of textual
strings, attempting to support this would significantly complicate
what's intended to be a very simple debugging mechanism.
In some cases the content of the NSID payload may be binary data
meaningful only to the name server operator, and may not be
meaningful to the user or application, but the user or application
must be able to capture the entire content anyway in order for it to
be useful. Thus, the presentation format must support arbitrary
binary data.
In cases where the name server operator derives the NSID payload from
textual data, a textual form such as US-ASCII or UTF-8 strings might
at first glance seem easier for a user to deal with. There are,
however, a number of complex issues involving internationalized text
which, if fully addressed here, would require a set of rules
significantly longer than the rest of this specification. See
[RFC2277] for an overview of some of these issues.
It is much more important for the NSID payload data to be passed
unambiguously from server administrator to user and back again than
it is for the payload data to be pretty while in transit. In
particular, it's critical that it be straightforward for a user to
cut and paste an exact copy of the NSID payload output by a debugging
tool into other formats such as email messages or web forms without
distortion. Hexadecimal strings, while ugly, are also robust.
3.4. Truncation
In some cases, adding the NSID option to a response message may
trigger message truncation. This specification does not change the
rules for DNS message truncation in any way, but implementors will
need to pay attention to this issue.
Including the NSID option in a response is always optional, so this
specification never requires name servers to truncate response
messages.
By definition, a resolver that requests NSID responses also supports
EDNS, so a resolver that requests NSID responses can also use the
"sender's UDP payload size" field of the OPT pseudo-RR to signal a
receive buffer size large enough to make truncation unlikely.
4. IANA Considerations
IANA has allocated EDNS option code 3 for the NSID option
(Section 2.3).
Austein Standards Track [Page 8]
RFC 5001 DNS NSID August 2007
5. Security Considerations
This document describes a channel signaling mechanism intended
primarily for debugging. Channel signaling mechanisms are outside
the scope of DNSSEC, per se. Applications that require integrity
protection for the data being signaled will need to use a channel
security mechanism such as TSIG [RFC2845].
Section 3.1 discusses a number of different kinds of information that
a name server operator might choose to provide as the value of the
NSID option. Some of these kinds of information are security
sensitive in some environments. This specification deliberately
leaves the syntax and semantics of the NSID option content up to the
implementation and the name server operator.
Two of the possible kinds of payload data discussed in Section 3.1
involve a digital signature and encryption, respectively. While this
specification discusses some of the pitfalls that might lurk for
careless users of these kinds of payload data, full analysis of the
issues that would be involved in these kinds of payload data would
require knowledge of the content to be signed or encrypted,
algorithms to be used, and so forth, which is beyond the scope of
this document. Implementors should seek competent advice before
attempting to use these kinds of NSID payloads.
6. Acknowledgements
Thanks to: Joe Abley, Harald Alvestrand, Dean Anderson, Mark Andrews,
Roy Arends, Steve Bellovin, Alex Bligh, Randy Bush, David Conrad,
John Dickinson, Alfred Hoenes, Johan Ihren, Daniel Karrenberg, Peter
Koch, William Leibzon, Ed Lewis, Thomas Narten, Mike Patton, Geoffrey
Sisson, Andrew Sullivan, Mike StJohns, Tom Taylor, Paul Vixie, Sam
Weiler, and Suzanne Woolf, none of whom are responsible for what the
author did with their comments and suggestions. Apologies to anyone
inadvertently omitted from the above list.
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999.
Austein Standards Track [Page 9]
RFC 5001 DNS NSID August 2007
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000.
7.2. Informative References
[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
Languages", RFC 2277, BCP 18, January 1998.
Author's Address
Rob Austein
ISC
950 Charter Street
Redwood City, CA 94063
USA
EMail: sra@isc.org
Austein Standards Track [Page 10]
RFC 5001 DNS NSID August 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Austein Standards Track [Page 11]

1011
doc/rfc/rfc5452.txt Normal file
View File

File diff suppressed because it is too large Load Diff

675
doc/rfc/rfc5625.txt Normal file
View File

@@ -0,0 +1,675 @@
Network Working Group R. Bellis
Request for Comments: 5625 Nominet UK
BCP: 152 August 2009
Category: Best Current Practice
DNS Proxy Implementation Guidelines
Abstract
This document provides guidelines for the implementation of DNS
proxies, as found in broadband gateways and other similar network
devices.
Status of This Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Bellis Best Current Practice [Page 1]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
Table of Contents
1. Introduction ....................................................2
2. Terminology .....................................................3
3. The Transparency Principle ......................................3
4. Protocol Conformance ............................................4
4.1. Unexpected Flags and Data ..................................4
4.2. Label Compression ..........................................4
4.3. Unknown Resource Record Types ..............................4
4.4. Packet Size Limits .........................................4
4.4.1. TCP Transport .......................................5
4.4.2. Extension Mechanisms for DNS (EDNS0) ................6
4.4.3. IP Fragmentation ....................................6
4.5. Secret Key Transaction Authentication for DNS (TSIG) .......7
5. DHCP's Interaction with DNS .....................................7
5.1. Domain Name Server (DHCP Option 6) .........................7
5.2. Domain Name (DHCP Option 15) ...............................8
5.3. DHCP Leases ................................................8
6. Security Considerations .........................................9
6.1. Forgery Resilience .........................................9
6.2. Interface Binding .........................................10
6.3. Packet Filtering ..........................................10
7. Acknowledgements ...............................................10
8. References .....................................................11
8.1. Normative References ......................................11
8.2. Informative References ....................................12
1. Introduction
Research has found ([SAC035], [DOTSE]) that many commonly used
broadband gateways (and similar devices) contain DNS proxies that are
incompatible in various ways with current DNS standards.
These proxies are usually simple DNS forwarders, but typically do not
have any caching capabilities. The proxy serves as a convenient
default DNS resolver for clients on the LAN, but relies on an
upstream resolver (e.g., at an ISP) to perform recursive DNS lookups.
Note that to ensure full DNS protocol interoperability it is
preferred that client stub resolvers should communicate directly with
full-feature, upstream recursive resolvers wherever possible.
That notwithstanding, this document describes the incompatibilities
that have been discovered and offers guidelines to implementors on
how to provide better interoperability in those cases where the
client must use the broadband gateway's DNS proxy.
Bellis Best Current Practice [Page 2]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. The Transparency Principle
It is not considered practical for a simple DNS proxy to implement
all current and future DNS features.
There are several reasons why this is the case:
o Broadband gateways usually have limited hardware resources.
o Firmware upgrade cycles are long, and many users do not routinely
apply upgrades when they become available.
o No one knows what those future DNS features will be or how they
might be implemented.
o Doing so would substantially complicate the configuration user
interface (UI) of the device.
Furthermore, some modern DNS protocol extensions (see, e.g., EDNS0
below) are intended to be used as "hop-by-hop" mechanisms. If the
DNS proxy is considered to be such a "hop" in the resolution chain,
then for it to function correctly, it would need to be fully
compliant with all such mechanisms.
[SAC035] shows that the more actively a proxy participates in the DNS
protocol, the more likely it is that it will somehow interfere with
the flow of messages between the DNS client and the upstream
recursive resolvers.
The role of the proxy should therefore be no more and no less than to
receive DNS requests from clients on the LAN side, forward those
verbatim to one of the known upstream recursive resolvers on the WAN
side, and ensure that the whole response is returned verbatim to the
original client.
It is RECOMMENDED that proxies should be as transparent as possible,
such that any "hop-by-hop" mechanisms or newly introduced protocol
extensions operate as if the proxy were not there.
Except when required to enforce an active security or network policy
(such as maintaining a pre-authentication "walled garden"), end-users
SHOULD be able to send their DNS queries to specified upstream
Bellis Best Current Practice [Page 3]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
resolvers, thereby bypassing the proxy altogether. In this case, the
gateway SHOULD NOT modify the DNS request or response packets in any
way.
4. Protocol Conformance
4.1. Unexpected Flags and Data
The Transparency Principle above, when combined with Postel's
Robustness Principle [RFC0793], suggests that DNS proxies should not
arbitrarily reject or otherwise drop requests or responses based on
perceived non-compliance with standards.
For example, some proxies have been observed to drop any packet
containing either the "Authentic Data" (AD) or "Checking Disabled"
(CD) bits from DNSSEC [RFC4035]. This may be because [RFC1035]
originally specified that these unused "Z" flag bits "MUST" be zero.
However, these flag bits were always intended to be reserved for
future use, so refusing to proxy any packet containing these flags
(now that uses for those flags have indeed been defined) is not
appropriate.
Therefore, proxies MUST ignore any unknown DNS flags and proxy those
packets as usual.
4.2. Label Compression
Compression of labels as per Section 4.1.4 of [RFC1035] is optional.
Proxies MUST forward packets regardless of the presence or absence of
compressed labels therein.
4.3. Unknown Resource Record Types
[RFC3597] requires that resolvers MUST handle Resource Records (RRs)
of unknown type transparently.
All requests and responses MUST be proxied regardless of the values
of the QTYPE and QCLASS fields.
Similarly, all responses MUST be proxied regardless of the values of
the TYPE and CLASS fields of any Resource Record therein.
4.4. Packet Size Limits
[RFC1035] specifies that the maximum size of the DNS payload in a UDP
packet is 512 octets. Where the required portions of a response
would not fit inside that limit, the DNS server MUST set the
Bellis Best Current Practice [Page 4]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
"TrunCation" (TC) bit in the DNS response header to indicate that
truncation has occurred. There are however two standard mechanisms
(described in Sections 4.4.1 and 4.4.2) for transporting responses
larger than 512 octets.
Many proxies have been observed to truncate all responses at 512
octets, and others at a packet size related to the WAN MTU, in either
case doing so without correctly setting the TC bit.
Other proxies have been observed to remove the TC bit in server
responses that correctly had the TC bit set by the server.
If a DNS response is truncated but the TC bit is not set, then client
failures may result. In particular, a naive DNS client library might
suffer crashes due to reading beyond the end of the data actually
received.
Since UDP packets larger than 512 octets are now expected in normal
operation, proxies SHOULD NOT truncate UDP packets that exceed that
size. See Section 4.4.3 for recommendations for packet sizes
exceeding the WAN MTU.
If a proxy must unilaterally truncate a response, then the proxy MUST
set the TC bit. Similarly, proxies MUST NOT remove the TC bit from
responses.
4.4.1. TCP Transport
Should a UDP query fail because of truncation, the standard fail-over
mechanism is to retry the query using TCP, as described in Section
6.1.3.2 of [RFC1123].
Whilst TCP transport is not strictly mandatory, it is supported by
the vast majority of stub resolvers and recursive servers. Lack of
support in the proxy prevents this fail-over mechanism from working.
DNS proxies MUST therefore be prepared to receive and forward queries
over TCP.
Note that it is unlikely that a client would send a request over TCP
unless it had already received a truncated UDP response. Some
"smart" proxies have been observed to first forward any request
received over TCP to an upstream resolver over UDP, only for the
response to be truncated, causing the proxy to retry over TCP. Such
behaviour increases network traffic and causes delay in DNS
resolution since the initial UDP request is doomed to fail.
Bellis Best Current Practice [Page 5]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
Therefore, whenever a proxy receives a request over TCP, the proxy
SHOULD forward the query over TCP and SHOULD NOT attempt the same
query over UDP first.
4.4.2. Extension Mechanisms for DNS (EDNS0)
The "Extension Mechanism for DNS" [RFC2671] was introduced to allow
the transport of larger DNS packets over UDP and also to allow for
additional request and response flags.
A client may send an OPT Resource Record (OPT RR) in the Additional
Section of a request to indicate that it supports a specific receive
buffer size. The OPT RR also includes the "DNSSEC OK" (DO) flag used
by DNSSEC to indicate that DNSSEC-related RRs should be returned to
the client.
However, some proxies have been observed to either reject (with a
FORMERR response code) or black-hole any packet containing an OPT RR.
As per Section 4.1, proxies MUST NOT refuse to proxy such packets.
4.4.3. IP Fragmentation
Support for UDP packet sizes exceeding the WAN MTU depends on the
gateway's algorithm for handling fragmented IP packets. Several
methods are possible:
1. Fragments are dropped.
2. Fragments are forwarded individually as they're received.
3. Complete packets are reassembled on the gateway and then re-
fragmented (if necessary) as they're forwarded to the client.
Method 1 above will cause compatibility problems with EDNS0 unless
the DNS client is configured to advertise an EDNS0 buffer size
limited to the WAN MTU less the size of the IP header. Note that RFC
2671 does recommend that the path MTU should be taken into account
when using EDNS0.
Also, whilst the EDNS0 specification allows for a buffer size of up
to 65535 octets, most common DNS server implementations do not
support a buffer size above 4096 octets.
Therefore (irrespective of which of the above methods is in use),
proxies SHOULD be capable of forwarding UDP packets up to a payload
size of at least 4096 octets.
Bellis Best Current Practice [Page 6]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
NB: in theory, IP fragmentation may also occur if the LAN MTU is
smaller than the WAN MTU, although the author has not observed such a
configuration in use on any residential broadband service.
4.5. Secret Key Transaction Authentication for DNS (TSIG)
[RFC2845] defines TSIG, which is a mechanism for authenticating DNS
requests and responses at the packet level.
Any modifications made to the DNS portions of a TSIG-signed query or
response packet (with the exception of the Query ID) will cause a
TSIG authentication failure.
DNS proxies MUST implement Section 4.7 of [RFC2845] and either
forward packets unchanged (as recommended above) or fully implement
TSIG.
As per Section 4.3, DNS proxies MUST be capable of proxying packets
containing TKEY [RFC2930] Resource Records.
NB: any DNS proxy (such as those commonly found in WiFi hotspot
"walled gardens") that transparently intercepts all DNS queries and
that returns unsigned responses to signed queries, will also cause
TSIG authentication failures.
5. DHCP's Interaction with DNS
Whilst this document is primarily about DNS proxies, most consumers
rely on DHCP [RFC2131] to obtain network configuration settings.
Such settings include the client machine's IP address, subnet mask,
and default gateway, but also include DNS-related settings.
It is therefore appropriate to examine how DHCP affects client DNS
configuration.
5.1. Domain Name Server (DHCP Option 6)
Most gateways default to supplying their own IP address in the DHCP
"Domain Name Server" option [RFC2132]. The net result is that
without explicit re-configuration many DNS clients will, by default,
send queries to the gateway's DNS proxy. This is understandable
behaviour given that the correct upstream settings are not usually
known at boot time.
Bellis Best Current Practice [Page 7]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
Most gateways learn their own DNS settings via values supplied by an
ISP via DHCP or PPP over the WAN interface. However, whilst many
gateways do allow the device administrator to override those values,
some gateways only use those supplied values to affect the proxy's
own forwarding function, and do not offer these values via DHCP.
When using such a device, the only way to avoid using the DNS proxy
is to hard-code the required values in the client operating system.
This may be acceptable for a desktop system but it is inappropriate
for mobile devices that are regularly used on many different
networks.
As per Section 3, end-users SHOULD be able to send their DNS queries
directly to specified upstream resolvers, ideally without hard-coding
those settings in their stub resolver.
It is therefore RECOMMENDED that gateways SHOULD support device-
administrator configuration of values for the "Domain Name Server"
DHCP option.
5.2. Domain Name (DHCP Option 15)
A significant amount of traffic to the DNS Root Name Servers is for
invalid top-level domain names, and some of that traffic can be
attributed to particular equipment vendors whose firmware defaults
this DHCP option to specific values.
Since no standard exists for a "local" scoped domain name suffix, it
is RECOMMENDED that the default value for this option SHOULD be
empty, and that this option MUST NOT be sent to clients when no value
is configured.
5.3. DHCP Leases
It is noted that some DHCP servers in broadband gateways offer, by
default, their own IP address for the "Domain Name Server" option (as
described above) but then automatically start offering the upstream
servers' addresses once they've been learnt over the WAN interface.
In general, this behaviour is highly desirable, but the effect for
the end-user is that the settings used depend on whether the DHCP
lease was obtained before or after the WAN link was established.
If the DHCP lease is obtained whilst the WAN link is down, then the
DHCP client (and hence the DNS client) will not receive the correct
values until the DHCP lease is renewed.
Bellis Best Current Practice [Page 8]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
Whilst no specific recommendations are given here, vendors may wish
to give consideration to the length of DHCP leases and to whether
some mechanism for forcing a DHCP lease renewal might be appropriate.
Another possibility is that the learnt upstream values might be
persisted in non-volatile memory such that on reboot the same values
can be automatically offered via DHCP. However, this does run the
risk that incorrect values are initially offered if the device is
moved or connected to another ISP.
Alternatively, the DHCP server might only issue very short (i.e., 60
second) leases while the WAN link is down, only reverting to more
typical lease lengths once the WAN link is up and the upstream DNS
servers are known. Indeed, with such a configuration it may be
possible to avoid the need to implement a DNS proxy function in the
broadband gateway at all.
6. Security Considerations
This document introduces no new protocols. However, there are some
security-related recommendations for vendors that are listed here.
6.1. Forgery Resilience
Whilst DNS proxies are not usually full-feature resolvers, they
nevertheless share some characteristics with them.
Notwithstanding the recommendations above about transparency, many
DNS proxies are observed to pick a new Query ID for outbound requests
to ensure that responses are directed to the correct client.
NB: changing the Query ID is acceptable and compatible with proxying
TSIG-signed packets since the TSIG signature calculation is based on
the original message ID, which is carried in the TSIG RR.
It has been standard guidance for many years that each DNS query
should use a randomly generated Query ID. However, many proxies have
been observed picking sequential Query IDs for successive requests.
It is strongly RECOMMENDED that DNS proxies follow the relevant
recommendations in [RFC5452], particularly those in Section 9.2
relating to randomisation of Query IDs and source ports. This also
applies to source port selection within any NAT function.
If a DNS proxy is running on a broadband gateway with NAT that is
compliant with [RFC4787], then it SHOULD also follow the
recommendations in Section 10 of [RFC5452] concerning how long DNS
state is kept.
Bellis Best Current Practice [Page 9]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
6.2. Interface Binding
Some gateways have been observed to have their DNS proxy listening on
both internal (LAN) and external (WAN) interfaces. In this
configuration, it is possible for the proxy to be used to mount
reflector attacks as described in [RFC5358].
The DNS proxy in a gateway SHOULD NOT, by default, be accessible from
the WAN interfaces of the device.
6.3. Packet Filtering
The Transparency and Robustness Principles are not entirely
compatible with the deep packet-inspection features of security
appliances such as firewalls, which are intended to protect systems
on the inside of a network from rogue traffic.
However, a clear distinction may be made between traffic that is
intrinsically malformed and that which merely contains unexpected
data.
Examples of malformed packets that MAY be dropped include:
o invalid compression pointers (i.e., those that point outside of
the current packet or that might cause a parsing loop)
o incorrect counts for the Question, Answer, Authority, and
Additional Sections (although care should be taken where
truncation is a possibility)
Dropped packets will cause the client to repeatedly retransmit the
original request, with the client only detecting the error after
several retransmit intervals.
In these circumstances, proxies SHOULD synthesise a suitable DNS
error response to the client (i.e., SERVFAIL) instead of dropping the
packet completely. This will allow the client to detect the error
immediately.
7. Acknowledgements
The author would particularly like to acknowledge the assistance of
Lisa Phifer of Core Competence. In addition, the author is grateful
for the feedback from the members of the DNSEXT Working Group.
Bellis Best Current Practice [Page 10]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
8. References
8.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC1123] Braden, R., "Requirements for Internet Hosts - Application
and Support", STD 3, RFC 1123, October 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, March 1997.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000.
[RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
RR)", RFC 2930, September 2000.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation
(NAT) Behavioral Requirements for Unicast UDP", BCP 127,
RFC 4787, January 2007.
[RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive
Nameservers in Reflector Attacks", BCP 140, RFC 5358,
October 2008.
Bellis Best Current Practice [Page 11]
RFC 5625 DNS Proxy Implementation Guidelines August 2009
[RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More
Resilient against Forged Answers", RFC 5452, January 2009.
8.2. Informative References
[DOTSE] Ahlund and Wallstrom, "DNSSEC Tests of Consumer Broadband
Routers", February 2008,
<http://www.iis.se/docs/Routertester_en.pdf>.
[SAC035] Bellis, R. and L. Phifer, "Test Report: DNSSEC Impact on
Broadband Routers and Firewalls", September 2008,
<http://www.icann.org/committees/security/sac035.pdf>.
Author's Address
Ray Bellis
Nominet UK
Edmund Halley Road
Oxford OX4 4DQ
United Kingdom
Phone: +44 1865 332211
EMail: ray.bellis@nominet.org.uk
URI: http://www.nominet.org.uk/
Bellis Best Current Practice [Page 12]