draft-andrews-dns-no-response-issue-14.txt vs. draft-andrews-dns-no-response-issue-15.txt

(rfcdiff side-by-side output. The -15 text is reproduced below; -14 differs only in its
intended status (Informational), its dates (November 10, 2015; expires May 13, 2016),
an Abstract and Introduction that do not yet mention incorrect responses, the missing
scope paragraph in the Abstract, the missing "expect: flag: aa" lines in the tests, and
page numbers in the Table of Contents.)

Network Working Group                                         M. Andrews
Internet-Draft                                                       ISC
Intended status: Best Current Practice                 November 11, 2015
Expires: May 14, 2016

     A Common Operational Problem in DNS Servers - Failure To Respond.
                 draft-andrews-dns-no-response-issue-15
Abstract

   The DNS is a query / response protocol.  Failure to respond or to
   respond correctly to queries causes both immediate operational
   problems and long term problems with protocol development.

   This document identifies a number of common classes of queries that
   some servers fail to respond to or respond incorrectly to.  This
   document also suggests procedures for TLD and other similar zone
   operators to apply to help reduce / eliminate the problem.

   The document does not look at the DNS data itself, just the structure
   of the responses.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 14, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 2, line 20]
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Common queries class that result in non responses.  . . . . .   3
     2.1.  EDNS Queries - Version Independent  . . . . . . . . . . .   3
     2.2.  EDNS Queries - Version Specific . . . . . . . . . . . . .   4
     2.3.  EDNS Options  . . . . . . . . . . . . . . . . . . . . . .   4
     2.4.  EDNS Flags  . . . . . . . . . . . . . . . . . . . . . . .   4
     2.5.  DNS Flags . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.6.  Unknown / Unsupported Type Queries  . . . . . . . . . . .   5
     2.7.  Unknown DNS opcodes . . . . . . . . . . . . . . . . . . .   5
     2.8.  TCP Queries . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Remediating . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Firewalls and Load Balancers  . . . . . . . . . . . . . . . .   7
   5.  Scrubbing Services  . . . . . . . . . . . . . . . . . . . . .   8
   6.  Whole Answer Caches . . . . . . . . . . . . . . . . . . . . .   8
   7.  Response Code Selection . . . . . . . . . . . . . . . . . . .   9
   8.  Testing . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  14
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
   11. Normative References  . . . . . . . . . . . . . . . . . . . .  14
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  15
1.  Introduction

   The DNS [RFC1034], [RFC1035] is a query / response protocol.  Failure
   to respond to queries or to respond incorrectly causes both immediate
   operational problems and long term problems with protocol
   development.

   Failure to respond to a query is indistinguishable from a packet loss
   without doing an analysis of query response patterns, and results in
   unnecessary additional queries being made by DNS clients and
   unnecessary delays being introduced to the resolution process.

   Due to the inability to distinguish between packet loss and
   nameservers dropping EDNS [RFC6891] queries, packet loss is sometimes
   misclassified as lack of EDNS support, which can lead to DNSSEC
   validation failures.

   [skipping to change at page 9, line 50]
   This first set of tests covers basic DNS server behaviour, and all
   servers should pass these tests.

   Verify the server is configured for the zone:

      dig +noedns +noad +norec soa $zone @$server

      expect: status: NOERROR
      expect: SOA record
      expect: flag: aa to be present

   Check that TCP queries work:

      dig +noedns +noad +norec +tcp soa $zone @$server

      expect: status: NOERROR
      expect: SOA record
      expect: flag: aa to be present

   Check that queries for an unknown type work:

      dig +noedns +noad +norec type1000 $zone @$server

      expect: status: NOERROR
      expect: an empty answer section.
      expect: flag: aa to be present

   Check that queries with CD=1 work:

      dig +noedns +noad +norec +cd soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: flag: aa to be present

   Check that queries with AD=1 work:

      dig +noedns +norec +ad soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: flag: aa to be present

   Check that queries with the last unassigned DNS header flag work:

      dig +noedns +noad +norec +zflag soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: MBZ to not be in the response
      expect: flag: aa to be present

   MBZ (Must Be Zero) presence indicates the flag bit has been copied.

   Check that new opcodes are handled:

      dig +noedns +noad +opcode=15 +norec soa $zone @$server

      expect: status: NOTIMP
      expect: SOA record to not be present
      expect: flag: aa to NOT be present
   The next set of tests covers various aspects of EDNS behaviour.  If
   any of these tests succeed, then all of them should succeed.  There
   are servers that support EDNS but fail to handle plain EDNS queries
   correctly, so a plain EDNS query is not a good indicator of lack of
   EDNS support.

   Check that plain EDNS queries work:

      dig +nocookie +edns=0 +noad +norec soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: OPT record to be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

   +nocookie disables sending an EDNS COOKIE option, which is on by
   default.

   Check that EDNS version 1 queries work (EDNS supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec soa $zone @$server

      expect: status: BADVERS
      expect: SOA record to not be present
      expect: OPT record to be present
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present

   (Only EDNS Version 0 is currently defined, so the response should
   always be a 0 version.  This will change when EDNS version 1 is
   defined.)

   Check that EDNS queries with an unknown option work (EDNS supported):

      dig +nocookie +edns=0 +noad +norec +ednsopt=100 soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: OPT record to be present
      expect: OPT=100 to not be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

   Check that EDNS queries with unknown flags work (EDNS supported):

      dig +nocookie +edns=0 +noad +norec +ednsflags=0x40 soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: OPT record to be present
      expect: MBZ not to be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

   MBZ (Must Be Zero) presence indicates the flag bit has been copied.

   Check that EDNS version 1 queries with unknown flags work (EDNS
   supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec +ednsflags=0x40 soa \
          $zone @$server

      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: OPT record to be present
      expect: MBZ not to be present
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present

   +noednsneg disables EDNS version negotiation in DiG; MBZ (Must Be
   Zero) presence indicates the flag bit has been copied.

   Check that EDNS version 1 queries with unknown options work (EDNS
   supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec +ednsopt=100 soa \
          $zone @$server

      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: OPT record to be present
      expect: OPT=100 to NOT be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

   +noednsneg disables EDNS version negotiation in DiG.

   Check that DNSSEC queries work (EDNS supported):

      dig +nocookie +edns=0 +noad +norec +dnssec soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: OPT record to be present
      expect: DO=1 to be present if a RRSIG is in the response
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

   DO=1 should be present if RRSIGs are returned, as they indicate that
   the server supports DNSSEC.  Servers that support DNSSEC are supposed
   to copy the DO bit from the request to the response as per [RFC3225].

   Check that EDNS version 1 DNSSEC queries work (EDNS supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec +dnssec soa \
          $zone @$server

      expect: status: BADVERS
      expect: SOA record to not be present
      expect: OPT record to be present
      expect: DO=1 to be present if the EDNS version 0 DNSSEC query test
              returned DO=1
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present

   +noednsneg disables EDNS version negotiation in DiG.

   Check that EDNS queries with multiple defined EDNS options work:

      dig +edns=0 +noad +norec +cookie +nsid +expire +subnet=0.0.0.0/0 \
          soa $zone @$server

      expect: status: NOERROR
      expect: SOA record to be present
      expect: OPT record to be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

   If EDNS is not supported by the nameserver, we expect a response to
   all the above queries.  That response may be a FORMERR or NOTIMP
   error response, or the OPT record may just be ignored.

   It is advisable to run all the above tests in parallel so as to
   minimise the delays due to multiple timeouts when the servers do not
   respond.

   The above tests use dig from BIND 9.11.0 which is still in
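   The draft lists each probe as a dig command followed by a set of
   "expect:" lines.  The script below, an added example that is not part
   of the draft or of BIND, turns those expectations into shell checks
   over dig's text output: the parsing helpers extract status, header
   flags, the echoed MBZ marker, the OPT pseudosection and the EDNS
   version, the expect_* functions combine them exactly as the draft's
   test list does, and run_live_checks fires the probes in parallel as
   the draft advises.  The three SAMPLE_* responses are constructed here
   (not captured from any real server) so the checks can be exercised
   offline; the layout dig uses for an unknown EDNS option ("; OPT=100:")
   is an assumption noted in the code.

```shell
#!/bin/sh
# Added example, not part of the draft: score dig output against the
# draft's "expect:" lists.  $zone and $server are only used by
# run_live_checks; the SAMPLE_* responses are constructed for offline use.

# ---- parsing helpers: $1 is the full text output of one dig run ----
dig_status()      { printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'; }
dig_flags()       { printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'; }
dig_has_flag()    { dig_flags "$1" | tr ' ' '\n' | grep -qx "$2"; }   # $2: aa, qr, ...
dig_answers()     { printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'; }
dig_has_mbz()     { printf '%s\n' "$1" | grep -q 'MBZ:'; }            # a reserved bit was echoed
dig_has_opt()     { printf '%s\n' "$1" | grep -q '^;; OPT PSEUDOSECTION:'; }
dig_edns_ver()    { printf '%s\n' "$1" | sed -n 's/^; EDNS: version: \([0-9]*\),.*/\1/p'; }
dig_edns_do()     { printf '%s\n' "$1" | sed -n 's/^; EDNS: version: [0-9]*, flags:\([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx do; }
dig_has_ednsopt() { printf '%s\n' "$1" | grep -q "^; OPT=$2:"; }      # assumed dig layout for unknown options
dig_has_rr()      { printf '%s\n' "$1" | grep -Eq "^[^;].*[[:space:]]IN[[:space:]]+$2[[:space:]]"; }  # RR of type $2

# ---- expectation sets taken from the draft's test list ----
# NOERROR, SOA present, aa set, nothing reserved echoed back.
expect_aa_soa() {
  [ "$(dig_status "$1")" = NOERROR ] && dig_has_rr "$1" SOA \
    && dig_has_flag "$1" aa && ! dig_has_mbz "$1"
}
# Same over EDNS: an OPT record carrying version 0 must come back too.
expect_edns0_aa_soa() {
  expect_aa_soa "$1" && dig_has_opt "$1" && [ "$(dig_edns_ver "$1")" = 0 ]
}
# Unknown query type: NOERROR with an empty answer section and aa set.
expect_aa_empty() {
  [ "$(dig_status "$1")" = NOERROR ] && [ "$(dig_answers "$1")" = 0 ] && dig_has_flag "$1" aa
}
# EDNS version 1 probe: BADVERS, no SOA, OPT with version 0, aa clear, no echoed MBZ.
expect_badvers() {
  [ "$(dig_status "$1")" = BADVERS ] && ! dig_has_rr "$1" SOA && dig_has_opt "$1" \
    && [ "$(dig_edns_ver "$1")" = 0 ] && ! dig_has_flag "$1" aa && ! dig_has_mbz "$1"
}
# Unknown opcode: NOTIMP, no SOA, aa clear.
expect_notimp() {
  [ "$(dig_status "$1")" = NOTIMP ] && ! dig_has_rr "$1" SOA && ! dig_has_flag "$1" aa
}

# ---- live probes: one dig per test, run in parallel as the draft advises ----
probe() {   # probe <expect_fn> <dig args...>; a timeout leaves every check false
  fn=$1; shift
  out=$(dig +time=3 +tries=1 "$@" 2>&1)
  if "$fn" "$out"; then echo "PASS: dig $*"; else echo "FAIL: dig $*"; fi
}
run_live_checks() {   # $1 zone, $2 server
  probe expect_aa_soa       +noedns +noad +norec soa "$1" "@$2" &
  probe expect_aa_soa       +noedns +noad +norec +tcp soa "$1" "@$2" &
  probe expect_aa_empty     +noedns +noad +norec type1000 "$1" "@$2" &
  probe expect_aa_soa       +noedns +noad +norec +cd soa "$1" "@$2" &
  probe expect_aa_soa       +noedns +norec +ad soa "$1" "@$2" &
  probe expect_aa_soa       +noedns +noad +norec +zflag soa "$1" "@$2" &
  probe expect_notimp       +noedns +noad +opcode=15 +norec soa "$1" "@$2" &
  probe expect_edns0_aa_soa +nocookie +edns=0 +noad +norec soa "$1" "@$2" &
  probe expect_badvers      +nocookie +edns=1 +noednsneg +noad +norec soa "$1" "@$2" &
  probe expect_edns0_aa_soa +nocookie +edns=0 +noad +norec +ednsflags=0x40 soa "$1" "@$2" &
  wait
}

# ---- constructed sample responses (not captured from any real server) ----
SAMPLE_OK=$(cat <<'EOF'
; <<>> DiG 9.11.0 <<>> +nocookie +edns=0 +noad +norec soa example.test @192.0.2.53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.test.                  IN      SOA

;; ANSWER SECTION:
example.test.  3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2015111100 7200 900 1209600 3600
EOF
)
# Correct handling of an EDNS version 1 query.
SAMPLE_BADVERS=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 4712
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.test.                  IN      SOA
EOF
)
# A broken server: BADVERS, but aa set and the unknown EDNS flag echoed back.
SAMPLE_BROKEN=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 4713
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0040; udp: 4096
EOF
)

# Usage: sh dns-probe.sh <zone> <server>
[ $# -eq 2 ] && run_live_checks "$1" "$2" || :
```

   A server that never answers makes dig print only a timeout message,
   so dig_status yields nothing and every expectation fails, which is
   the "no response" case the draft is about; a FORMERR or NOTIMP to an
   EDNS query fails expect_edns0_aa_soa but still proves the server is
   answering, which is what distinguishes it from packet loss.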
End of changes.  26 change blocks.  17 lines changed or deleted, 36 lines changed or added.

This html diff was produced by rfcdiff 1.42.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/