Network Working Group M. Andrews Internet-Draft ISC Intended status: BCP
July 11, 2008February 25, 2009 Expires: January 12,August 29, 2009 Locally-served DNS Zones draft-ietf-dnsop-default-local-zones-06draft-ietf-dnsop-default-local-zones-07 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claimsThis Internet-Draft is submitted to IETF in full conformance with the provisions of which heBCP 78 and BCP 79. This document may contain material from IETF Documents or she is aware have beenIETF Contributions published or willmade publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be disclosed,modified outside the IETF Standards Process, and anyderivative works of which he or she becomes aware willit may not be disclosed, in accordance with Section 6 of BCP 79.created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 12,August 29, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract Experience has shown that there are a number of DNS zones all iterative resolvers and recursive nameservers should, unless configured otherwise, automatically serve. RFC 4193 specifies that this should occur for D.F.IP6.ARPA. This document extends the practice to cover the IN-ADDR.ARPA zones for RFC 1918 address space and other well known zones with similar characteristics. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 3 2. Effects on sites using RFC 1918 addresses. . . . . . . . . . . 4 3. Changes to Iterative Resolver Behaviour. . . . . . . . . . . . 4 4. Lists Of Zones Covered . . . . . . . . . . . . . . . . . . . . 5 4.1. RFC 1918 Zones . . . . . . . . . . . . . . . . . . . . . . 5 4.2. RFC 3330 Zones . . . . . . . . . . . . . . . . . . . . . . 6 4.3. Local IPv6 Unicast Addresses . . . . . . . . . . . . . . . 6 4.4. IPv6 Locally Assigned Local Addresses . . . . . . . . . . 6 4.5. IPv6 Link Local Addresses . . . . . . . . . . . . . . . . 7 4.6. IPv6 Example Prefix . . . . . . . . . . . . . . . . . . . 7 5. Zones that are Out-Of-Scope . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 Appendix A. Change History [To Be Removed on Publication] . . . . 10 A.1. draft-ietf-dnsop-default-local-zones-06.txtdraft-ietf-dnsop-default-local-zones-07.txt . . . . . . . 10 A.2. draft-ietf-dnsop-default-local-zones-05.txtdraft-ietf-dnsop-default-local-zones-06.txt . . . . . . . 11 A.3. draft-ietf-dnsop-default-local-zones-04.txtdraft-ietf-dnsop-default-local-zones-05.txt . . . . . . . 11 A.4. draft-ietf-dnsop-default-local-zones-03.txtdraft-ietf-dnsop-default-local-zones-04.txt . . . . . . . 11 A.5. draft-ietf-dnsop-default-local-zones-02.txtdraft-ietf-dnsop-default-local-zones-03.txt . . . . . . . 11 A.6. draft-ietf-dnsop-default-local-zones-01.txtdraft-ietf-dnsop-default-local-zones-02.txt . . . . . . . 11 A.7. draft-ietf-dnsop-default-local-zones-00.txtdraft-ietf-dnsop-default-local-zones-01.txt . . . . . . . 11 A.8. draft-andrews-full-service-resolvers-03.txtdraft-ietf-dnsop-default-local-zones-00.txt . . . . . . . 11 A.9. draft-andrews-full-service-resolvers-03.txt . . . . . . . 12 A.10. draft-andrews-full-service-resolvers-02.txt . . . . . . . 12 Appendix B. Proposed Status [To Be Removed on Publication] . . . 12 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 Intellectual Property and Copyright Statements . . . . . . . . . . 131. Introduction Experience has shown that there are a number of DNS [RFC 1034] [RFC 1035] zones that all iterative resolvers and recursive nameservers SHOULD, unless intentionally configured otherwise, automatically serve. These zones include, but are not limited to, the IN-ADDR.ARPA zones for the address space allocated by [RFC 1918] and the IP6.ARPA zones for locally assigned unique local IPv6 addresses, [RFC 4193]. This recommendation is made because data has shown that significant leakage of queries for these name spaces is occurring, despite instructions to restrict them, and because it has therefore become necessary to deploy sacrificial name servers to protect the immediate parent name servers for these zones from excessive, unintentional, query load [AS112] [I-D.draft-ietf-dnsop-as112-ops] [I-D.draft-ietf-dnsop-as112-under-attack-help-help]. There is every expectation that the query load will continue to increase unless steps are taken as outlined here. Additionally, queries from clients behind badly configured firewalls that allow outgoing queries for these name spaces but drop the responses, put a significant load on the root servers (forward but no reverse zones configured). They also cause operational load for the root server operators as they have to reply to enquiries about why the root servers are "attacking" these clients. Changing the default configuration will address all these issues for the zones listed in Section 4. [RFC 4193] recommends that queries for D.F.IP6.ARPA be handled locally. This document extends the recommendation to cover the IN- ADDR.ARPA zones for [RFC 1918] and other well known IN-ADDR.ARPA and IP6.ARPA zones for which queries should not appear on the public Internet. It is hoped that by doing this the number of sacrificial servers [AS112] will not have to be increased, and may in time be reduced. This recommendation should also help DNS responsiveness for sites which are using [RFC 1918] addresses but do not follow the last paragraph in Section 3 of [RFC 1918]. 1.1. Reserved Words The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119]. 2. Effects on sites using RFC 1918 addresses. For most sites using [RFC 1918] addresses, the changes here will have little or no detrimental effect. If the site does not already have the reverse tree populated the only effect will be that the name error responses will be generated locally rather than remotely. For sites that do have the reverse tree populated, most will either have a local copy of the zones or will be forwarding the queries to servers which have local copies of the zone. Therefore this recommendation will not be relevant. The most significant impact will be felt at sites that make use of delegations for [RFC 1918] addresses and have populated these zones. These sites will need to override the default configuration expressed in this document to allow resolution to continue. Typically, such sites will be fully disconnected from the Internet and have their own root servers for their own non-Internet DNS tree. 3. Changes to Iterative Resolver Behaviour. Unless configured otherwise, an iterative resolver will now return authoritatively (aa=1) name errors (RCODE=3) for queries within the zones in Section 4, with the obvious exception of queries for the zone name itself where SOA, NS and "no data" responses will be returned as appropriate to the query type. One common way to do this is to serve empty (SOA and NS only) zones. An implementation of this recommendation MUST provide a mechanism to disable this new behaviour, and SHOULD allow this decision on a zone by zone basis. If using empty zones one SHOULD NOT use the same NS and SOA records as used on the public Internet servers as that will make it harder to detect the origin of the responses and thus any leakage to the public Internet servers. This document recommends that the NS record defaults to the name of the zone and the SOA MNAME defaults to the name of the only NS RR's target. The SOA RNAME should default to "nobody.invalid." [RFC 2606]. Implementations SHOULD provide a mechanism to set these values. No address records need to be provided for the name server. Below is an example of a generic empty zone in master file format. It will produce a negative cache TTL of 3 hours. @ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800 @ 10800 IN NS @ The SOA RR is needed to support negative caching [RFC 2308] of name error responses and to point clients to the primary master for DNS dynamic updates. SOA values of particular importance are the MNAME, the SOA RR's TTL and the negTTL value. Both TTL values SHOULD match. The rest of the SOA timer values MAY be chosen arbitrarily since they are not intended to control any zone transfer activity. The NS RR is needed as some UPDATE [RFC 2136] clients use NS queries to discover the zone to be updated. Having no address records for the name server is expected to abort UPDATE processing in the client. 4. Lists Of Zones Covered The following subsections are intended to seed the IANA registry as requested in the IANA Considerations Section. The zone name is the entity to be registered. 4.1. RFC 1918 Zones The following zones correspond to the IPv4 address space reserved in [RFC 1918]. +----------------------+ | Zone | +----------------------+ | 10.IN-ADDR.ARPA | | 16.172.IN-ADDR.ARPA | | 17.172.IN-ADDR.ARPA | | 18.172.IN-ADDR.ARPA | | 19.172.IN-ADDR.ARPA | | 20.172.IN-ADDR.ARPA | | 21.172.IN-ADDR.ARPA | | 22.172.IN-ADDR.ARPA | | 23.172.IN-ADDR.ARPA | | 24.172.IN-ADDR.ARPA | | 25.172.IN-ADDR.ARPA | | 26.172.IN-ADDR.ARPA | | 27.172.IN-ADDR.ARPA | | 28.172.IN-ADDR.ARPA | | 29.172.IN-ADDR.ARPA | | 30.172.IN-ADDR.ARPA | | 31.172.IN-ADDR.ARPA | | 168.192.IN-ADDR.ARPA | +----------------------+ 4.2. RFC 3330 Zones The following zones correspond to those address ranges from [RFC 3330] that are not expected to appear as source or destination addresses on the public Internet and to not have a unique name to associate with. The recommendation to serve an empty zone 127.IN-ADDR.ARPA is not a attempt to discourage any practice to provide a PTR RR for 220.127.116.11.IN-ADDR.ARPA locally. In fact, a meaningful reverse mapping should exist, but the exact setup is out of the scope of this document. Similar logic applies to the reverse mapping for ::1 (Section 4.3). The recommendations made here simply assume no other coverage for these domains exists. +------------------------------+------------------------+ | Zone | Description | +------------------------------+------------------------+ | 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK | | 127.IN-ADDR.ARPA | IPv4 LOOP-BACK NETWORK | | 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL | | 2.0.192.IN-ADDR.ARPA | IPv4 TEST NET | | 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST | +------------------------------+------------------------+ 4.3. Local IPv6 Unicast Addresses The reverse mappings ([RFC 3596], Section 2.5 IP6.ARPA Domain) for the IPv6 Unspecified (::) and Loopback (::1) addresses ([RFC 4291], Sections 2.4, 2.5.2 and 2.5.3) are covered by these two zones: +-------------------------------------------+ | Zone | +-------------------------------------------+ | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ | | 0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA | | 18.104.22.168.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ | | 0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA | +-------------------------------------------+ Note: Line breaks and a escapes '\' have been inserted above for readability and to adhere to line width constraints. They are not parts of the zone names. 4.4. IPv6 Locally Assigned Local Addresses Section 4.4 of [RFC 4193] already required special treatment of: +--------------+ | Zone | +--------------+ | D.F.IP6.ARPA | +--------------+ 4.5. IPv6 Link Local Addresses IPv6 Link-Local Addresses as of [RFC 4291], Section 2.5.6 are covered by four distinct reverse DNS zones: +----------------+ | Zone | +----------------+ | 8.E.F.IP6.ARPA | | 9.E.F.IP6.ARPA | | A.E.F.IP6.ARPA | | B.E.F.IP6.ARPA | +----------------+ 4.6. IPv6 Example Prefix IPv6 example prefix [RFC 3849]. +--------------------------+ | Zone | +--------------------------+ | 8.B.D.0.1.0.0.2.IP6.ARPA | +--------------------------+ Note: 8.B.D.0.1.0.0.2.IP6.ARPA is not being used as a example here. 5. Zones that are Out-Of-Scope IPv6 site-local addresses, [RFC 4291] Sections 2.4 and 2.5.7, and IPv6 Non-Locally Assigned Local addresses [RFC 4193] are not covered here. It is expected that IPv6 site-local addresses will be self correcting as IPv6 implementations remove support for site-local addresses. However, sacrificial servers for C.E.F.IP6.ARPA through F.E.F.IP6.ARPA may still need to be deployed in the short term if the traffic becomes excessive. For IPv6 Non-Locally Assigned Local addresses (L = 0) [RFC 4193], there has been no decision made about whether the Regional Internet Registries (RIRs) will provide delegations in this space or not. If they don't, then C.F.IP6.ARPA will need to be added to the list in Section 4.4. If they do, then registries will need to take steps to ensure that name servers are provided for these addresses. This document also ignores IP6.INT. IP6.INT has been wound up with only legacy resolvers now generating reverse queries under IP6.INT [RFC 4159]. This document has also deliberately ignored names immediately under the root domain. While there is a subset of queries to the root name servers which could be addressed using the techniques described here (e.g. .local, .workgroup and IPv4 addresses), there is also a vast amount of traffic that requires a different strategy (e.g. lookups for unqualified hostnames, IPv6 addresses). 6. IANA Considerations This document requests that IANA establish a registry of zones which require this default behaviour. The initial contents of which are in Section 4. Implementors are encouraged to check this registry and adjust their implementations to reflect changes therein. This registry can be amended through "IETF Consensus" as per [RFC 2434]. IANA should co-ordinate with the RIRs to ensure that, as DNSSEC is deployed in the reverse tree, delegations for these zones are made in the manner described in Section 7. 7. Security Considerations During the initial deployment phase, particularly where [RFC 1918] addresses are in use, there may be some clients that unexpectedly receive a name error rather than a PTR record. This may cause some service disruption until their recursive name server(s) have been re- configured. As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA namespaces, the zones listed above will need to be delegated as insecure delegations, or be within insecure zones. This will allow DNSSEC validation to succeed for queries in these spaces despite not being answered from the delegated servers. It is recommended that sites actively using these namespaces secure them using DNSSEC [RFC 4035] by publishing and using DNSSEC trust anchors. This will protect the clients from accidental import of unsigned responses from the Internet. 8. Acknowledgements This work was supported by the US National Science Foundation (research grant SCI-0427144) and DNS-OARC. 9. References 9.1. Normative References [RFC 1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", STD 13, RFC 1034, November 1987. [RFC 1035] Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION", STD 13, RFC 1035, November 1987. [RFC 1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996. [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC 2136] Vixie, P., Thomson, A., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997. [RFC 2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2398, March 1998. [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. [RFC 2606] Eastlake, D. and A. Panitz, "Reserved Top Level DNS Names", BCP 32, RFC 2606, June 1999. [RFC 3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS Extensions to Support IPv6", RFC 3596, October 2003. [RFC 4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. [RFC 4159] Huston, G., "Deprecation of "ip6.int"", BCP 109, RFC 4159, August 2005. [RFC 4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, October 2005. [RFC 4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. 9.2. Informative References [AS112] "AS112 Project", <http://www.as112.net/>. [I-D.draft-ietf-dnsop-as112-ops] Abley, J. and W. Maton, "AS112 Nameserver Operations", draft-ietf-dnsop-as112-ops-00 (work in progress), February 2007. [I-D.draft-ietf-dnsop-as112-under-attack-help-help] Abley, J. and W. Maton, "I'm Being Attacked by PRISONER.IANA.ORG!", draft-ietf-dnsop-as112-under-attack-help-help-00 (work in progress), February 2007. [RFC 3330] "Special-Use IPv4 Addresses", RFC 3330, September 2002. [RFC 3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix Reserved for Documentation", RFC 3849, July 2004. Appendix A. Change History [To Be Removed on Publication] A.1. draft-ietf-dnsop-default-local-zones-07.txt none, expiry prevention A.2. draft-ietf-dnsop-default-local-zones-06.txt add IPv6 example prefix A.2.A.3. draft-ietf-dnsop-default-local-zones-05.txt none, expiry prevention A.3.A.4. draft-ietf-dnsop-default-local-zones-04.txt Centrally Assigned Local addresses -> Non-Locally Assigned Local address A.4.A.5. draft-ietf-dnsop-default-local-zones-03.txt expanded section 4 descriptions Added references [RFC 2136], [RFC 3596], [I-D.draft-ietf-dnsop-as112-ops] and [I-D.draft-ietf-dnsop-as112-under-attack-help-help]. Revised language. A.5.A.6. draft-ietf-dnsop-default-local-zones-02.txt RNAME now "nobody.invalid." Revised language. A.6.A.7. draft-ietf-dnsop-default-local-zones-01.txt Revised impact description. Updated to reflect change in IP6.INT status. A.7.A.8. draft-ietf-dnsop-default-local-zones-00.txt Adopted by DNSOP. "Author's Note" re-titled "Zones that are Out-Of-Scope" Add note that these zone are expected to seed the IANA registry. Title changed. A.8.A.9. draft-andrews-full-service-resolvers-03.txt Added "Proposed Status". A.9.A.10. draft-andrews-full-service-resolvers-02.txt Added 0.IN-ADDR.ARPA. Appendix B. Proposed Status [To Be Removed on Publication] This Internet-Draft is being submitted for eventual publication as an RFC with a proposed status of Best Current Practice. Author's Address Mark P. Andrews Internet Systems Consortium 950 Charter Street Redwood City, CA 94063 US Email: Mark_Andrews@isc.org Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org.