draft-ietf-dnsext-obsolete-iquery-00.txt   draft-ietf-dnsext-obsolete-iquery-01.txt

-00:
DNSEXT Working Group                                  David C Lawrence
INTERNET-DRAFT                                                 Nominum
<draft-ietf-dnsext-obsolete-iquery-00.txt>
Updates: RFC 1035

-01:
DNSEXT Working Group                          David Lawrence (Nominum)
<draft-ietf-dnsext-obsolete-iquery-01.txt>                   June 2001
Updates: RFC 1035

Obsoleting IQUERY
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering

[skipping to change at page 1, line 34 (-00) / page 1, line 33 (-01)]

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org.

-00: This draft expires on August 22, 2001.
-01: This draft expires on December 20, 2001.
Copyright Notice

Copyright (C) The Internet Society (2001). All rights reserved.

Abstract

Based on a lack of working implementations of the IQUERY method
of performing inverse DNS lookups, and because an alternative
mechanism for doing inverse queries of address records has been

[skipping to change at page 2, line 28 (-00) / page 1, line 70 (-01)]

use, particularly for servers that are authoritative for millions
of names.

Response packets from these megaservers could be exceptionally
large, and easily run into megabyte sizes. For example, using
IQUERY to find every domain that is delegated to one of the
nameservers of a large ISP could return tens of thousands of
3-tuples in the question section. This could easily be used to
launch denial of service attacks.
-00:
Furthermore, many organizations would opt to disable IQUERY, if it
existed, because it could expose large blocks of names in their
zones, such as if many of those names have a common mail
exchanger.

-01:
Operators of servers that do support IQUERY in some form (such as
very old BIND 4 servers) generally opt to disable it. This is
largely due to bugs in insufficiently-exercised code, or concerns
about exposure of large blocks of names in their zones by probes
such as inverse MX queries.

-00:
IQUERY is also somewhat inherently crippled by being unable to tell
a requestor where it needs to go to get the information that was
requested. The answer is very specific to the single server that
was queried. This would undeniably be handy at times as a
diagnostic tool, but apparently not enough so that anyone's
bothered to implement it since it was described in 1987.

-01:
IQUERY is also somewhat inherently crippled by being unable to tell
a requestor where it needs to go to get the information that was
requested. The answer is very specific to the single server that
was queried. This is sometimes a handy diagnostic tool, but
apparently not enough so that server operators like to enable it,
or request implementation where it's lacking.
No known clients use IQUERY to provide any meaningful service. The
only common reverse mapping support on the Internet, mapping
address records to names, is provided through the use of PTR
records in the in-addr.arpa tree and has served the community well
for many years.

Based on all of these factors, this draft proposes that the IQUERY
operation for DNS servers be officially obsoleted.

[skipping to change at page 3, line 47 (-00) / page 1, line 143 (-01)]

DNSSEC is extremely difficult without on-the-fly digital signing.

5 - IANA Considerations:

The IQUERY opcode of 1 should be permanently retired, not to be
assigned to any future opcode.
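As an added example (not text or code from the draft), the following Python decodes the RFC 1035 header of a raw DNS message, recognises a request carrying the retired IQUERY opcode 1, and answers it with a header-only reply whose RCODE is 4 (NOTIMP, the "Not Implemented" code RFC 1035 defines), so that a retired opcode can neither be served nor turned into the oversized responses the draft describes. The sample packets are constructed here, and the refusal policy is this example's choice, not something the draft specifies.

```python
import struct

OPCODE_QUERY = 0    # standard query, RFC 1035 section 4.1.1
OPCODE_IQUERY = 1   # inverse query, the opcode this draft retires
RCODE_NOTIMP = 4    # RFC 1035: "does not support the requested kind of query"

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; flag bits QR(15) OPCODE(11-14) RCODE(0-3)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def is_iquery(msg: bytes) -> bool:
    """True for a request (QR=0) carrying the retired opcode 1."""
    h = parse_header(msg)
    return h["qr"] == 0 and h["opcode"] == OPCODE_IQUERY

def notimp_response(msg: bytes) -> bytes:
    """Header-only reply: same ID and opcode, QR=1, RCODE=NOTIMP, all counts 0.
    Nothing from the request is echoed, so the reply can never exceed the
    request's own 12-byte header and cannot amplify traffic to a spoofed source."""
    h = parse_header(msg)
    flags = (1 << 15) | (h["opcode"] << 11) | RCODE_NOTIMP
    return struct.pack("!6H", h["id"], flags, 0, 0, 0, 0)

def build_iquery(ident: int, addr: bytes) -> bytes:
    """Constructed sample IQUERY in the RFC 1035 section 6.4.2 shape: empty
    question section, one A RR in the answer section holding the address."""
    header = struct.pack("!6H", ident, OPCODE_IQUERY << 11, 0, 1, 0, 0)
    # owner name "." (ignored by IQUERY), TYPE A, CLASS IN, TTL 0, RDLENGTH 4
    return header + b"\x00" + struct.pack("!HHIH", 1, 1, 0, 4) + addr

def build_query(ident: int, qname: str) -> bytes:
    """Constructed sample standard query (opcode 0, RD set) for an A record."""
    header = struct.pack("!6H", ident, 1 << 8, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    iq = build_iquery(0x1234, bytes([10, 1, 0, 52]))
    print(is_iquery(iq), parse_header(notimp_response(iq)))
```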
6 - Acknowledgments:

Olafur Gudmundsson was the instigator for this action.

-01:
Matt Crawford contributed some improved wording to the Introduction.
References:

[RFC1035] P. Mockapetris, ``Domain Names - Implementation and
Specification'', STD 13, RFC 1035, November 1987.

-00:
Author's Address

David Lawrence
Nominum Inc.
950 Charter Street
Redwood City CA 94063
USA
+1.650.779.6042
<tale@nominum.com>

-01:
7 - Author's Address

David Lawrence
Nominum, Inc.
950 Charter St
Redwood City CA 94063
USA
Phone: +1.650.779.6042
EMail: tale@nominum.com
Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/