[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

Internet Engineering Task Force                             Y. Morishita
Internet-Draft                                                      JPRS
Expires: December 16, 2003                                     T. Jinmei
                                                                 Toshiba
                                                           June 17, 2003


       Common Misbehavior against DNS Queries for IPv6 Addresses
         draft-morishita-dnsop-misbehavior-against-aaaa-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 16, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   There is some known misbehavior of DNS authoritative servers when
   they are queried for AAAA resource records.  Such behavior can block
   IPv4 communication which should actually be available, cause a
   significant delay in name resolution, or even make a denial of
   service attack.  This memo describes details of the known cases and
   discusses the effect.

1. Introduction

   Many DNS clients (resolvers) that support IPv6 first search for AAAA



Morishita & Jinmei      Expires December 16, 2003               [Page 1]

Internet-Draft    Common Misbehavior against AAAA Queries      June 2003


   RRs (Resource Records) of a target host name, and then for A RRs of
   the same name.  This fallback mechanism is based on the DNS
   specifications.  Thus, if a DNS server which is responsible for the
   name is not compliant to the specifications, unpleasant results can
   happen.  In some cases, for example, a web browser fails to connect
   to a web server otherwise it could.  In the following sections, this
   memo describes some typical cases of the misbehavior, the rationale,
   and (bad) effects of them.

   This memo shows concrete implementations and domain names that may
   cause problematic cases so that the behavior can be reproduced in a
   practical environment.  The examples are for informational purposes
   only, and the authors do not intend accusation against any
   implementations or zone administrators described in this memo.

2. Network Model

   In this memo, we assume a typical network model of name resolution
   environment using DNS.  It consists of three components; stub
   resolvers, caching servers, and authoritative servers.  A stub
   resolver issues a recursive query to a caching server, which then
   handles the entire name resolution procedure recursively.  The
   caching server caches the result of the query as well as sends the
   result to the stub resolver.  The authoritative servers respond to
   queries for names for which they have the authority, normally in a
   non-recursive manner.

3. Expected Behavior

   Suppose that an authoritative server has an A RR but not a AAAA for a
   host name.  Then the server should return a response to a query for a
   AAAA RR of the name with the RCODE being 0 (indicating no error) and
   with an empty answer section [1].  Such a response indicates that
   there is at least one RR of a different type than AAAA for the
   queried name, and the stub resolver can then look for A RRs.

   This way, the caching server can cache the fact that the queried name
   does not have a AAAA RR (but may have other types of RRs), and thus
   can improve the response time to further queries for a AAAA RR of the
   name.

4. Problematic Behaviors

   There are some known cases not compliant to the expected behavior.
   This section describes those problematic cases.






Morishita & Jinmei      Expires December 16, 2003               [Page 2]

Internet-Draft    Common Misbehavior against AAAA Queries      June 2003


4.1 Return NXDOMAIN

   This type of server returns a response with the RCODE being 3
   (NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
   RRs of any type for the queried name.  In fact, such a server
   apparently returns NXDOMAIN to all queries except those for an A RR.

   With this response, the stub resolver may immediately give up and
   never fall back.  Even if the resolver retries with a query for an A
   RR, the negative response for the name has been cached in the caching
   server, and the caching server will simply return the negative
   response.  As a result, the stub resolver considers this as a fatal
   error in name resolution.

   An example of this case was found by looking for a AAAA RR of
   www.css.vtext.com at 66.174.3.4, although the implementation of the
   authoritative server seemed to change to that described in the next
   section.

4.2 Return NOTIMP

   Other authoritative servers return a response with the RCODE being 4
   (NOTIMP), indicating the servers do not support the requested type of
   query.

   This case is less harmful than the previous one; if the stub resolver
   falls back to querying for an A RR, the caching server will process
   the query correctly and return an appropriate response.

   In this case, the caching server does not cache the fact that the
   queried name has no AAAA RR, resulting in redundant queries for AAAA
   RRs in the future.  The behavior will waste network bandwidth and
   increase the load of the authoritative server.

   The current implementation of an authoritative server for
   css.vtext.com looks to belong to this category.

   Using SERVFAIL or FORMERR would cause the same effect, though the
   authors have not seen such implementations yet.

4.3 Ignore Queries for AAAA

   Some authoritative severs seem to ignore queries for a AAAA RR,
   causing a delay to fall back to a query for an A RR.  This behavior
   may even cause a fatal timeout at the stub resolver.

   This can be seen by trying to ask for a AAAA RR of "ftp-mozilla.gftp-
   mozilla.netscape.com," which is an alias of ftp.mozilla.org, at



Morishita & Jinmei      Expires December 16, 2003               [Page 3]

Internet-Draft    Common Misbehavior against AAAA Queries      June 2003


   205.188.139.70.

   Again, these servers apparently ignore all queries except those for
   an A RR.

4.4 Return a Broken Response

   Some other type of authoritative servers return broken responses to
   AAAA queries.

   An example of such a response can be seen by querying for a AAAA RR
   of "www.gslb.mainichi.co.jp" at 210.173.172.2.  This authoritative
   server returns a response whose RR type is AAAA, but the length of
   the RDATA is 4 bytes.  The 4-byte data looks like the IPv4 address of
   the queried host name.  That is, the RR in the answer section would
   be described like this:

     www.gslb.mainichi.co.jp. 600 IN AAAA 210.158.208.73

   which is, of course, bogus (or at least meaningless).

   The same behavior can be found with the name vip.alt.ihp.sony.co.jp
   (which is an alias of www.sony.co.jp) at 210.139.255.204.

   BIND 8 caching servers transparently return the broken response (as
   well as cache it) to the stub resolver.  BIND 9 caching servers parse
   the response by themselves, and send a separate response with the
   RCODE being 2 (SERVFAIL).

   In the former case, many stub resolvers consider this as a fatal
   error, and do not fall back to querying for an A RR.  This is the
   case for the BIND resolver library and (reportedly) that implemented
   in Internet Explorer on Windows XP SP1.

   In the latter case, if the stub resolver retries the query for an A
   RR, it will get an appropriate response.

   There are reportedly other kinds of resolver implementations that can
   fall back to queries for an A RR even in the first case, but the
   authors actually do not know of such implementations.

4.5 Make a Delegation Loop

   Some authoritative servers constantly indicate a (loop) delegation
   for any queries except those for an A RR.

   For example, such a server would return a response to a query for a
   AAAA RR of "www.bad.example" as follows:



Morishita & Jinmei      Expires December 16, 2003               [Page 4]

Internet-Draft    Common Misbehavior against AAAA Queries      June 2003


    www.bad.example. IN NS ns.foo.bad.example.
    ns.foo.bad.example. IN A 10.0.0.1

   Then the caching server will ask 10.0.0.1 for a AAAA RR of
   "www.bad.example" and see the same answer.

   Caching servers interpret this as a lame delegation, and return a
   response with the RCODE being 2 (SERVFAIL) to the stub resolver.
   Furthermore, BIND 8 caching servers record the authoritative server
   as lame and will not use it for a certain period of time.  BIND 9
   caching servers relax the rule a little bit.  They basically try to
   avoid using the lame server, but still continue to try it as a last
   resort.

   With a BIND 8 caching server, even if the stub resolver falls back to
   querying for an A RR, the caching server will simply return a
   response with the RCODE being SERVFAIL, since all the servers are
   known to be "lame."

   This behavior was previously found by asking for a AAAA RR of
   "www.united.com" at 64.95.89.4, which has recently been fixed.

5. Security Considerations

   The CERT/CC pointed out that the response with NXDOMAIN described in
   Section 4.1 can be used for a denial of service attack [2].  The same
   argument applies to the cases of "broken responses" and "delegation
   loop" described in Section 4.4 and Section 4.5, respectively.

6. Acknowledgements

   Erik Nordmark encouraged the authors to publish this document as an
   Internet Draft.  Akira Kato and Paul Vixie reviewed a preliminary
   version of this draft.

Normative References

   [1]  Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
        1034, November 1987.

   [2]  The CERT Coordination Center, "Incorrect NXDOMAIN responses from
        AAAA queries could cause denial-of-service conditions", March
        2003, <http://www.kb.cert.org/vuls/id/714121>.








Morishita & Jinmei      Expires December 16, 2003               [Page 5]

Internet-Draft    Common Misbehavior against AAAA Queries      June 2003


Authors' Addresses

   MORISHITA Orange Yasuhiro
   Research and Development Department, Japan Registry Service Co.,Ltd.
   Fuundo Bldg 3F, 1-2 Kanda-Ogawamachi
   Chiyoda-ku, Tokyo  101-0052
   Japan

   EMail: yasuhiro@jprs.co.jp


   JINMEI Tatuya
   Corporate Research & Development Center, Toshiba Corporation
   1 Komukai Toshiba-cho, Saiwai-ku
   Kawasaki-shi, Kanagawa  212-8582
   Japan

   EMail: jinmei@isl.rdc.toshiba.co.jp

































Morishita & Jinmei      Expires December 16, 2003               [Page 6]

Internet-Draft    Common Misbehavior against AAAA Queries      June 2003


Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Morishita & Jinmei      Expires December 16, 2003               [Page 7]


Html markup produced by rfcmarkup 1.111, available from https://tools.ietf.org/tools/rfcmarkup/