draft-ietf-dnsop-dns-tcp-requirements-05.txt   draft-ietf-dnsop-dns-tcp-requirements-06.txt 
Domain Name System Operations J. Kristoff Domain Name System Operations J. Kristoff
Internet-Draft DePaul University Internet-Draft DePaul University
Updates: 1123 (if approved) D. Wessels Updates: 1123 (if approved) D. Wessels
Intended status: Best Current Practice Verisign Intended status: Best Current Practice Verisign
Expires: May 4, 2020 November 1, 2019 Expires: November 7, 2020 May 6, 2020
DNS Transport over TCP - Operational Requirements DNS Transport over TCP - Operational Requirements
draft-ietf-dnsop-dns-tcp-requirements-05 draft-ietf-dnsop-dns-tcp-requirements-06
Abstract Abstract
This document encourages the practice of permitting DNS messages to This document encourages the practice of permitting DNS messages to
be carried over TCP on the Internet. This includes both DNS over be carried over TCP on the Internet. This includes both DNS over
unencrypted TCP, as well as over an encrypted TLS session. The unencrypted TCP, as well as over an encrypted TLS session. The
document also considers the consequences with this form of DNS document also considers the consequences with this form of DNS
communication and the potential operational issues that can arise communication and the potential operational issues that can arise
when this best common practice is not upheld. when this best common practice is not upheld.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 4, 2020. This Internet-Draft will expire on November 7, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 19 skipping to change at page 2, line 19
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Uneven Transport Usage and Preference . . . . . . . . . . 4 2.1. Uneven Transport Usage and Preference . . . . . . . . . . 4
2.2. Waiting for Large Messages and Reliability . . . . . . . 5 2.2. Waiting for Large Messages and Reliability . . . . . . . 5
2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4. Fragmentation and Truncation . . . . . . . . . . . . . . 6 2.4. Fragmentation and Truncation . . . . . . . . . . . . . . 6
2.5. "Only Zone Transfers Use TCP" . . . . . . . . . . . . . . 7 2.5. "Only Zone Transfers Use TCP" . . . . . . . . . . . . . . 7
3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 7 3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 7
4. Network and System Considerations . . . . . . . . . . . . . . 8 4. Network and System Considerations . . . . . . . . . . . . . . 8
4.1. Connection Admission . . . . . . . . . . . . . . . . . . 8 4.1. Connection Establishment and Admission . . . . . . . . . 8
4.2. Connection Management . . . . . . . . . . . . . . . . . . 9 4.2. Connection Management . . . . . . . . . . . . . . . . . . 9
4.3. Connection Termination . . . . . . . . . . . . . . . . . 10 4.3. Connection Termination . . . . . . . . . . . . . . . . . 10
4.4. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 11
5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 11 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 11
5.1. DNS Wedgie . . . . . . . . . . . . . . . . . . . . . . . 11 5.1. DNS Wedgie . . . . . . . . . . . . . . . . . . . . . . . 11
5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 11 5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 12
5.3. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 12
6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 12 6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 12
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 14 11.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Standards Related to DNS Transport over TCP . . . . 20 Appendix A. Standards Related to DNS Transport over TCP . . . . 20
A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND
SPECIFICATION . . . . . . . . . . . . . . . . . . . . . . 20 SPECIFICATION . . . . . . . . . . . . . . . . . . . . . . 20
A.2. IETF RFC 1536 - Common DNS Implementation Errors and A.2. IETF RFC 1536 - Common DNS Implementation Errors and
Suggested Fixes . . . . . . . . . . . . . . . . . . . . . 20 Suggested Fixes . . . . . . . . . . . . . . . . . . . . . 21
A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS . . . . 20 A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS . . . . 21
A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of
Zone Changes (DNS NOTIFY) . . . . . . . . . . . . . . . . 20 Zone Changes (DNS NOTIFY) . . . . . . . . . . . . . . . . 21
A.5. IETF RFC 2181 - Clarifications to the DNS Specification . 21 A.5. IETF RFC 2181 - Clarifications to the DNS Specification . 21
A.6. IETF RFC 2694 - DNS extensions to Network Address A.6. IETF RFC 2694 - DNS extensions to Network Address
Translators (DNS_ALG) . . . . . . . . . . . . . . . . . . 21 Translators (DNS_ALG) . . . . . . . . . . . . . . . . . . 21
A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC . . 21 A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC . . 21
A.8. IETF RFC 3326 - DNSSEC and IPv6 A6 aware server/resolver A.8. IETF RFC 3326 - DNSSEC and IPv6 A6 aware server/resolver
message size requirements . . . . . . . . . . . . . . . . 21 message size requirements . . . . . . . . . . . . . . . . 22
A.9. IETF RFC 4472 - Operational Considerations and Issues A.9. IETF RFC 4472 - Operational Considerations and Issues
with IPv6 DNS . . . . . . . . . . . . . . . . . . . . . . 21 with IPv6 DNS . . . . . . . . . . . . . . . . . . . . . . 22
A.10. IETF RFC 5452 - Measures for Making DNS More Resilient A.10. IETF RFC 5452 - Measures for Making DNS More Resilient
against Forged Answers . . . . . . . . . . . . . . . . . 22 against Forged Answers . . . . . . . . . . . . . . . . . 22
A.11. IETF RFC 5507 - Design Choices When Expanding the DNS . . 22 A.11. IETF RFC 5507 - Design Choices When Expanding the DNS . . 22
A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines . . . 22 A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines . . . 22
A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) . . . . 22 A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) . . . . 23
A.14. IETF RFC 5966 - DNS Transport over TCP - Implementation A.14. IETF RFC 5966 - DNS Transport over TCP - Implementation
Requirements . . . . . . . . . . . . . . . . . . . . . . 22 Requirements . . . . . . . . . . . . . . . . . . . . . . 23
A.15. IETF RFC 6304 - AS112 Nameserver Operations . . . . . . . 22 A.15. IETF RFC 6304 - AS112 Nameserver Operations . . . . . . . 23
A.16. IETF RFC 6762 - Multicast DNS . . . . . . . . . . . . . . 23 A.16. IETF RFC 6762 - Multicast DNS . . . . . . . . . . . . . . 23
A.17. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) . 23 A.17. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) . 23
A.18. IETF RFC 6950 - Architectural Considerations on A.18. IETF RFC 6950 - Architectural Considerations on
Application Features in the DNS . . . . . . . . . . . . . 23 Application Features in the DNS . . . . . . . . . . . . . 23
A.19. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 23 A.19. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 24
A.20. IETF RFC 7720 - DNS Root Name Service Protocol and A.20. IETF RFC 7720 - DNS Root Name Service Protocol and
Deployment Requirements . . . . . . . . . . . . . . . . . 23 Deployment Requirements . . . . . . . . . . . . . . . . . 24
A.21. IETF RFC 7766 - DNS Transport over TCP - Implementation A.21. IETF RFC 7766 - DNS Transport over TCP - Implementation
Requirements . . . . . . . . . . . . . . . . . . . . . . 23 Requirements . . . . . . . . . . . . . . . . . . . . . . 24
A.22. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option . . . 24 A.22. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option . . . 24
A.23. IETF RFC 7858 - Specification for DNS over Transport A.23. IETF RFC 7858 - Specification for DNS over Transport
Layer Security (TLS) . . . . . . . . . . . . . . . . . . 24 Layer Security (TLS) . . . . . . . . . . . . . . . . . . 24
A.24. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 24 A.24. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 24
A.25. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 24 A.25. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 25
A.26. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 24 A.26. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 25
A.27. IETF RFC 8094 - DNS over Datagram Transport Layer A.27. IETF RFC 8094 - DNS over Datagram Transport Layer
Security (DTLS) . . . . . . . . . . . . . . . . . . . . . 25 Security (DTLS) . . . . . . . . . . . . . . . . . . . . . 25
A.28. IETF RFC 8162 - Using Secure DNS to Associate A.28. IETF RFC 8162 - Using Secure DNS to Associate
Certificates with Domain Names for S/MIME . . . . . . . . 25 Certificates with Domain Names for S/MIME . . . . . . . . 25
A.29. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, A.29. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses,
Encoding, Characters, Matching, and Root Structure: Time Encoding, Characters, Matching, and Root Structure: Time
for Another Look? . . . . . . . . . . . . . . . . . . . . 25 for Another Look? . . . . . . . . . . . . . . . . . . . . 26
A.30. IETF RFC 8467 - Padding Policies for Extension Mechanisms A.30. IETF RFC 8467 - Padding Policies for Extension Mechanisms
for DNS (EDNS(0)) . . . . . . . . . . . . . . . . . . . . 25 for DNS (EDNS(0)) . . . . . . . . . . . . . . . . . . . . 26
A.31. IETF RFC 8483 - Yeti DNS Testbed . . . . . . . . . . . . 25 A.31. IETF RFC 8483 - Yeti DNS Testbed . . . . . . . . . . . . 26
A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) . . . . . . 25 A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) . . . . . . 26
A.33. IETF RFC 8490 - DNS Stateful Operations . . . . . . . . . 26 A.33. IETF RFC 8490 - DNS Stateful Operations . . . . . . . . . 26
A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service
Providers . . . . . . . . . . . . . . . . . . . . . . . . 26 Providers . . . . . . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction 1. Introduction
DNS messages may be delivered using UDP or TCP communications. While DNS messages may be delivered using UDP or TCP communications. While
most DNS transactions are carried over UDP, some operators have been most DNS transactions are carried over UDP, some operators have been
led to believe that any DNS over TCP traffic is unwanted or led to believe that any DNS over TCP traffic is unwanted or
unnecessary for general DNS operation. When DNS over TCP has been unnecessary for general DNS operation. When DNS over TCP has been
restricted, a variety of communication failures and debugging restricted, a variety of communication failures and debugging
challenges often arise. As DNS and new naming system features have challenges often arise. As DNS and new naming system features have
evolved, TCP as a transport has become increasingly important for the evolved, TCP as a transport has become increasingly important for the
correct and safe operation of an Internet DNS. Reflecting modern correct and safe operation of an Internet DNS. Reflecting modern
usage, the DNS standards were recently updated to declare support for usage, the DNS standards were recently updated to declare support for
TCP is now a required part of the DNS implementation TCP is now a required part of the DNS implementation specifications
specifications.[RFC7766] This document is the formal requirements [RFC7766]. This document is the formal requirements equivalent for
equivalent for the operational community, encouraging system the operational community, encouraging system administrators, network
administrators, network engineers, and security staff to ensure DNS engineers, and security staff to ensure DNS over TCP communications
over TCP communications support is on par with DNS over UDP support is on par with DNS over UDP communications.
communications.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Background 2. Background
The curious state of disagreement in operational best practices and The curious state of disagreement in operational best practices and
skipping to change at page 5, line 25 skipping to change at page 5, line 21
"[...] it is also clear that some new DNS record types defined in "[...] it is also clear that some new DNS record types defined in
the future will contain information exceeding the 512 byte limit the future will contain information exceeding the 512 byte limit
that applies to UDP, and hence will require TCP. that applies to UDP, and hence will require TCP.
At least two new, widely anticipated developments were set to elevate At least two new, widely anticipated developments were set to elevate
the need for DNS over TCP transactions. The first was dynamic the need for DNS over TCP transactions. The first was dynamic
updates defined in [RFC2136] and the second was the set of extensions updates defined in [RFC2136] and the second was the set of extensions
collectively known as DNSSEC originally specified in [RFC2541]. The collectively known as DNSSEC originally specified in [RFC2541]. The
former suggested "requestors who require an accurate response code former suggested "requestors who require an accurate response code
must use TCP", while the later warned "[...] larger keys increase the must use TCP," while the latter warned "... larger keys increase the
size of KEY and SIG RRs. This increases the chance of DNS UDP packet size of KEY and SIG RRs. This increases the chance of DNS UDP packet
overflow and the possible necessity for using higher overhead TCP in overflow and the possible necessity for using higher overhead TCP in
responses." responses."
Yet defying some expectations, DNS over TCP remained little used in Yet, defying some expectations, DNS over TCP remained little-used in
real traffic across the Internet. Dynamic updates saw little real traffic across the Internet around this time. Dynamic updates
deployment between autonomous networks. Around the time DNSSEC was saw little deployment between autonomous networks. Around the time
first defined, another new feature helped solidify UDP transport DNSSEC was first defined, another new feature helped solidify UDP
dominance for message transactions. transport dominance for message transactions.
2.3. EDNS0 2.3. EDNS0
In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0) In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0)
in [RFC2671] (superseded in 2013 by an update in [RFC6891]). This in [RFC2671] (superseded in 2013 by an update in [RFC6891]). This
document standardized a way for communicating DNS nodes to perform document standardized a way for communicating DNS nodes to perform
rudimentary capabilities negotiation. One such capability written rudimentary capabilities negotiation. One such capability written
into the base specification and present in every ENDS0 compatible into the base specification and present in every EDNS0-compatible
message is the value of the maximum UDP payload size the sender can message is the value of the maximum UDP payload size the sender can
support. This unsigned 16-bit field specifies in bytes the maximum support. This unsigned 16-bit field specifies, in bytes, the maximum
(possibly fragmented) DNS message size a node is capable of (possibly fragmented) DNS message size a node is capable of
receiving. In practice, typical values are a subset of the 512 to receiving. In practice, typical values are a subset of the 512- to
4096 byte range. EDNS0 became widely deployed over the next several 4096-byte range. EDNS0 became widely deployed over the next several
years and numerous surveys have shown many systems currently support years and numerous surveys ([CASTRO2010], [NETALYZR]) have shown many
larger UDP MTUs [CASTRO2010], [NETALYZR] with EDNS0. systems currently support larger UDP MTUs with EDNS0.
The natural effect of EDNS0 deployment meant DNS messages larger than The natural effect of EDNS0 deployment meant DNS messages larger than
512 bytes would be less reliant on TCP than they might otherwise have 512 bytes would be less reliant on TCP than they might otherwise have
been. While a non-negligible population of DNS systems lacked EDNS0 been. While a non-negligible population of DNS systems lacked EDNS0
or fall back to TCP when necessary, DNS over TCP transactions or fell back to TCP when necessary, DNS over TCP transactions
remained a very small fraction of overall DNS traffic [VERISIGN]. remained a very small fraction of overall DNS traffic [VERISIGN].
2.4. Fragmentation and Truncation 2.4. Fragmentation and Truncation
Although EDNS0 provides a way for endpoints to signal support for DNS Although EDNS0 provides a way for endpoints to signal support for DNS
messages exceeding 512 bytes, the realities of a diverse and messages exceeding 512 bytes, the realities of a diverse and
inconsistently deployed Internet may result in some large messages inconsistently deployed Internet may result in some large messages
being unable to reach their destination. Any IP datagram whose size being unable to reach their destination. Any IP datagram whose size
exceeds the MTU of a link it transits will be fragmented and then exceeds the MTU of a link it transits will be fragmented and then
reassembled by the receiving host. Unfortunately, it is not uncommon reassembled by the receiving host. Unfortunately, it is not uncommon
skipping to change at page 6, line 46 skipping to change at page 6, line 43
prepared to retry queries with different EDNS0 maximum message size prepared to retry queries with different EDNS0 maximum message size
values. Administrators of BIND are likely to be familiar with seeing values. Administrators of BIND are likely to be familiar with seeing
"success resolving ... after reducing the advertised EDNS0 UDP packet "success resolving ... after reducing the advertised EDNS0 UDP packet
size to 512 octets" messages in their system logs. size to 512 octets" messages in their system logs.
Often, reducing the EDNS0 UDP packet size leads to a successful Often, reducing the EDNS0 UDP packet size leads to a successful
response. That is, the necessary data fits within the smaller response. That is, the necessary data fits within the smaller
message size. However, when the data does not fit, the server sets message size. However, when the data does not fit, the server sets
the truncated flag in its response, indicating the client should the truncated flag in its response, indicating the client should
retry over TCP to receive the whole response. This is undesirable retry over TCP to receive the whole response. This is undesirable
from the client's point of view because it adds more latency, and from the client's point of view because it adds more latency and
potentially undesirable from the server's point of view due to the potentially undesirable from the server's point of view due to the
increased resource requirements of TCP. increased resource requirements of TCP.
The issues around fragmentation, truncation, and TCP are driving The issues around fragmentation, truncation, and TCP are driving
certain implementation and policy decisions in the DNS. Notably, certain implementation and policy decisions in the DNS. Notably,
Cloudflare implemented what it calls "DNSSEC black lies" [CLOUDFLARE] Cloudflare implemented what it calls "DNSSEC black lies" [CLOUDFLARE]
and uses ECDSA algorithms, such that their signed responses fit and uses ECDSA algorithms, such that their signed responses fit
easily in 512 bytes. The KSK Rollover design team [DESIGNTEAM] spent easily in 512 bytes. The KSK Rollover design team [DESIGNTEAM] spent
a lot of time thinking and worrying about response sizes. There is a lot of time thinking and worrying about response sizes. There is
growing sentiment in the DNSSEC community that RSA key sizes beyond growing sentiment in the DNSSEC community that RSA key sizes beyond
2048-bits are impractical and that critical infrastructure zones 2048-bits are impractical and that critical infrastructure zones
should transition to elliptic curve algorithms to keep response sizes should transition to elliptic curve algorithms to keep response sizes
manageable. manageable.
More recently, renewed security concerns about fragmented DNS More recently, renewed security concerns about fragmented DNS
messages [AVOID_FRAGS], [FRAG_POISON] are leading implementors to messages ([AVOID_FRAGS], [FRAG_POISON]) are leading implementors to
consider lower default EDNS0 UDP payload size values, for both consider lower default EDNS0 UDP payload size values for both
queriers and responders. queriers and responders.
2.5. "Only Zone Transfers Use TCP" 2.5. "Only Zone Transfers Use TCP"
Today, the majority of the DNS community expects, or at least has a Today, the majority of the DNS community expects, or at least has a
desire, to see DNS over TCP transactions occur without interference. desire, to see DNS over TCP transactions occur without interference.
However there has also been a long held belief by some operators, However there has also been a long-held belief by some operators,
particularly for security-related reasons, that DNS over TCP services particularly for security-related reasons, that DNS over TCP services
should be purposely limited or not provided at all [CHES94], should be purposely limited or not provided at all [CHES94],
[DJBDNS]. A popular meme has also held the imagination of some that [DJBDNS]. A popular meme has also held the imagination of some: that
DNS over TCP is only ever used for zone transfers and is generally DNS over TCP is only ever used for zone transfers and is generally
unnecessary otherwise, with filtering all DNS over TCP traffic even unnecessary otherwise, with filtering all DNS over TCP traffic even
described as a best practice. described as a best practice.
The position on restricting DNS over TCP had some justification given The position on restricting DNS over TCP had some justification given
that historic implementations of DNS nameservers provided very little that historic implementations of DNS nameservers provided very little
in the way of TCP connection management (for example see in the way of TCP connection management (for example see
Section 6.1.2 of [RFC7766] for more details). However modern Section 6.1.2 of [RFC7766] for more details). However modern
standards and implementations are nearing parity with the more standards and implementations are nearing parity with the more
sophisticated TCP management techniques employed by, for example, sophisticated TCP management techniques employed by, for example,
skipping to change at page 8, line 23 skipping to change at page 8, line 20
queries so that they do not prevent large responses from a TCP- queries so that they do not prevent large responses from a TCP-
capable server from reaching its TCP-capable clients. capable server from reaching its TCP-capable clients.
Regarding the choice of limiting the resources a server devotes to Regarding the choice of limiting the resources a server devotes to
queries, Section 6.1.3.2 in [RFC1123] also says: queries, Section 6.1.3.2 in [RFC1123] also says:
"A name server MAY limit the resources it devotes to TCP queries, "A name server MAY limit the resources it devotes to TCP queries,
but it SHOULD NOT refuse to service a TCP query just because it but it SHOULD NOT refuse to service a TCP query just because it
would have succeeded with UDP." would have succeeded with UDP."
This requirement is hereby updated: A name server MAY limit the the This requirement is hereby updated: A name server MAY limit the
resources it devotes to queries, but it MUST NOT refuse to service a resources it devotes to queries, but it MUST NOT refuse to service a
query just because it would have succeeded with another transport query just because it would have succeeded with another transport
protocol. protocol.
Filtering of DNS over TCP is considered harmful in the general case. Filtering of DNS over TCP is considered harmful in the general case.
DNS resolver and server operators MUST suport and provide DNS service DNS resolver and server operators MUST support and provide DNS
over both UDP and TCP transports. Likewise, network operators MUST service over both UDP and TCP transports. Likewise, network
allow DNS service over both UDP and TCP transports. It is operators MUST allow DNS service over both UDP and TCP transports.
acknowledged that DNS over TCP service can pose operational It is acknowledged that DNS over TCP service can pose operational
challenges that are not present when running DNS over UDP alone, and challenges that are not present when running DNS over UDP alone, and
vice-versa. However, it is the aim of this document to argue that vice-versa. However, it is the aim of this document to argue that
the potential damage incurred by prohibiting DNS over TCP service is the potential damage incurred by prohibiting DNS over TCP service is
more detrimental to the continued utility and success of the DNS than more detrimental to the continued utility and success of the DNS than
when its usage is allowed. when its usage is allowed.
4. Network and System Considerations 4. Network and System Considerations
This section describes measures that systems and applications can This section describes measures that systems and applications can
take to optimize performance over TCP and to protect themselves from take to optimize performance over TCP and to protect themselves from
TCP-based resource exhaustion and attacks. TCP-based resource exhaustion and attacks.
4.1. Connection Admission 4.1. Connection Establishment and Admission
Resolvers and other DNS clients should be aware that some servers
might not be reachable over TCP. For this reason, clients MAY want
to track and limit the number of TCP connections and connection
attempts to a single server. Additionally, DNS clients MAY want to
enforce a short timeout on unestablished connections, rather than
rely on the host operating system's TCP connection timeout, which is
often around 60-120 seconds.
The SYN flooding attack is a denial-of-service method affecting hosts The SYN flooding attack is a denial-of-service method affecting hosts
that run TCP server processes [RFC4987]. This attack can be very that run TCP server processes [RFC4987]. This attack can be very
effective if not mitigated. One of the most effective mitigation effective if not mitigated. One of the most effective mitigation
techniques is SYN cookies, which allows the server to avoid techniques is SYN cookies, which allows the server to avoid
allocating any state until the successful completion of the three-way allocating any state until the successful completion of the three-way
handshake. handshake.
Services not intended for use by the public Internet, such as most Services not intended for use by the public Internet, such as most
recursive name servers, SHOULD be protected with access controls. recursive name servers, SHOULD be protected with access controls.
Ideally these controls are placed in the network, well before before Ideally these controls are placed in the network, well before before
any unwanted TCP packets can reach the DNS server host or any unwanted TCP packets can reach the DNS server host or
application. If this is not possible, the controls can be placed in application. If this is not possible, the controls can be placed in
the application itself. In some situations (e.g. attacks) it may be the application itself. In some situations (e.g. attacks) it may be
necessary to deploy access controls for DNS services that should necessary to deploy access controls for DNS services that should
otherwise be globally reachable. otherwise be globally reachable.
The FreeBSD operating system has an "accept filter" feature that The FreeBSD, OpenBSD, and NetBSD operating systems have an "accept
postpones delivery of TCP connections to applications until a filter" feature ([accept_filter]) that postpones delivery of TCP
complete, valid request has been received. The dns_accf(9) filter connections to applications until a complete, valid request has been
ensures that a valid DNS message is received. If not, the bogus received. The dns_accf(9) filter ensures that a valid DNS message is
connection never reaches the application. Applications must be coded received. If not, the bogus connection never reaches the
and configured to make use of this filter. application. Applications must be coded and configured to make use
of this filter.
Per [RFC7766], applications and administrators are advised to Per [RFC7766], applications and administrators are advised to
remember that TCP MAY be used before sending any UDP queries. remember that TCP MAY be used before sending any UDP queries.
Networks and applications MUST NOT be configured to refuse TCP Networks and applications MUST NOT be configured to refuse TCP
queries that were not preceded by a UDP query. queries that were not preceded by a UDP query.
TCP Fast Open [RFC7413] (TFO) allows TCP clients to shorten the TCP Fast Open [RFC7413] (TFO) allows TCP clients to shorten the
handshake for subsequent connections to the same server. TFO saves handshake for subsequent connections to the same server. TFO saves
one round-trip time in the connection setup. DNS servers SHOULD one round-trip time in the connection setup. DNS servers SHOULD
enable TFO when possible. Furthermore, DNS servers clustered behind enable TFO when possible. Furthermore, DNS servers clustered behind
a single service address (e.g., anycast or load-balancing), SHOULD a single service address (e.g., anycast or load-balancing), SHOULD
use the same TFO server key on all instances. use the same TFO server key on all instances.
DNS clients MAY also enable TFO when possible. Currently, on some DNS clients MAY also enable TFO when possible. Currently, on some
operating systems it is not implemented or disabled by default. operating systems it is not implemented or disabled by default.
[WIKIPEDIA_TFO] describes applications and operating systems that [WIKIPEDIA_TFO] describes applications and operating systems that
support TFO. support TFO.
4.2. Connection Management 4.2. Connection Management
Since host memory for TCP state is a finite resource, DNS servers Since host memory for TCP state is a finite resource, DNS clients and
MUST actively manage their connections. Applications that do not servers MUST actively manage their connections. Applications that do
actively manage their connections can encounter resource exhaustion not actively manage their connections can encounter resource
leading to denial of service. For DNS, as in other protocols, there exhaustion leading to denial of service. For DNS, as in other
is a tradeoff between keeping connections open for potential future protocols, there is a tradeoff between keeping connections open for
use and the need to free up resources for new connections that will potential future use and the need to free up resources for new
arrive. connections that will arrive.
DNS server software SHOULD provide a configurable limit on the total DNS server software SHOULD provide a configurable limit on the total
number of established TCP connections. If the limit is reached, the number of established TCP connections. If the limit is reached, the
application is expected to either close existing (idle) connections application is expected to either close existing (idle) connections
or refuse new connections. Operators SHOULD ensure the limit is or refuse new connections. Operators SHOULD ensure the limit is
configured appropriately for their particular situation. configured appropriately for their particular situation.
DNS server software MAY provide a configurable limit on the number of DNS server software MAY provide a configurable limit on the number of
established connections per source IP address or subnet. This can be established connections per source IP address or subnet. This can be
used to ensure that a single or small set of users can not consume used to ensure that a single or small set of users can not consume
all TCP resources and deny service to other users. Operators SHOULD all TCP resources and deny service to other users. Operators SHOULD
ensure this limit is configured appropriately, based on their number ensure this limit is configured appropriately, based on their number
of diversity of users. of diversity of users.
DNS server software SHOULD provide a configurable timeout for idle DNS server software SHOULD provide a configurable timeout for idle
TCP connections. For very busy name servers this might be set to a TCP connections. For very busy name servers this might be set to a
low value, such as a few seconds. For less busy servers it might be low value, such as a few seconds. For less busy servers it might be
set to a higher value, such as tens of seconds. DNS clients and set to a higher value, such as tens of seconds. DNS clients and
servers SHOULD signal their timeout values using the edns-tcp- servers SHOULD signal their timeout values using the edns-tcp-
keepalive option.[RFC7828] keepalive option [RFC7828].
DNS server software MAY provide a configurable limit on the number of DNS server software MAY provide a configurable limit on the number of
transactions per TCP connection. This document does not offer advice transactions per TCP connection. This document does not offer advice
on particular values for such a limit. on particular values for such a limit.
Similarly, DNS server software MAY provide a configurable limit on Similarly, DNS server software MAY provide a configurable limit on
the total duration of a TCP connection. This document does not offer the total duration of a TCP connection. This document does not offer
advice on particular values for such a limit. advice on particular values for such a limit.
Since clients may not be aware of server-imposed limits, clients Since clients may not be aware of server-imposed limits, clients
skipping to change at page 11, line 5 skipping to change at page 11, line 9
On systems where large numbers of sockets in TIME_WAIT are observed, On systems where large numbers of sockets in TIME_WAIT are observed,
it may be beneficial to tune the local TCP parameters. For example, it may be beneficial to tune the local TCP parameters. For example,
the Linux kernel provides a number of "sysctl" parameters related to the Linux kernel provides a number of "sysctl" parameters related to
TIME_WAIT, such as net.ipv4.tcp_fin_timeout, net.ipv4.tcp_tw_recycle, TIME_WAIT, such as net.ipv4.tcp_fin_timeout, net.ipv4.tcp_tw_recycle,
and net.ipv4.tcp_tw_reuse. In extreme cases, implementors and and net.ipv4.tcp_tw_reuse. In extreme cases, implementors and
operators of very busy servers may find it necessary to utilize the operators of very busy servers may find it necessary to utilize the
SO_LINGER socket option ([Stevens] Section 7.5) with a value of zero SO_LINGER socket option ([Stevens] Section 7.5) with a value of zero
so that the server doesn't accumulate TIME_WAIT sockets. so that the server doesn't accumulate TIME_WAIT sockets.
4.4. DNS-over-TLS
DNS messages may be sent over TLS to provide privacy between stubs
and recursive resolvers. [RFC7858] is a standards track document
describing how this works. Although DNS-over-TLS utilizes TCP port
853 instead of port 53, this document applies equally well to DNS-
over-TLS. Note, however, DNS-over-TLS is currently only defined
between stubs and recursives.
The use of TLS places even stronger operational burdens on DNS
clients and servers. Cryptographic functions for authentication and
encryption require additional processing. Unoptimized connection
setup takes two additional round-trips compared to TCP, but can be
reduced with Fast TLS connection resumption [RFC5077] and TLS False
Start [RFC7918].
5. DNS over TCP Filtering Risks 5. DNS over TCP Filtering Risks
Networks that filter DNS over TCP risk losing access to significant Networks that filter DNS over TCP risk losing access to significant
or important pieces of the DNS name space. For a variety of reasons or important pieces of the DNS namespace. For a variety of reasons a
a DNS answer may require a DNS over TCP query. This may include DNS answer may require a DNS over TCP query. This may include large
large message sizes, lack of EDNS0 support, DDoS mitigation message sizes, lack of EDNS0 support, DDoS mitigation techniques, or
techniques, or perhaps some future capability that is as yet perhaps some future capability that is as yet unforeseen will also
unforeseen will also demand TCP transport. demand TCP transport.
For example, [RFC7901] describes a latency-avoiding technique that For example, [RFC7901] describes a latency-avoiding technique that
sends extra data in DNS responses. This makes responses larger and sends extra data in DNS responses. This makes responses larger and
potentially increases the risk of DDoS reflection attacks. The potentially increases the effectiveness of DDoS reflection attacks.
specification mandates the use of TCP or DNS Cookies.[RFC7873] The specification mandates the use of TCP or DNS Cookies [RFC7873].
Even if any or all particular answers have consistently been returned Even if any or all particular answers have consistently been returned
successfully with UDP in the past, this continued behavior cannot be successfully with UDP in the past, this continued behavior cannot be
guaranteed when DNS messages are exchanged between autonomous guaranteed when DNS messages are exchanged between autonomous
systems. Therefore, filtering of DNS over TCP is considered harmful systems. Therefore, filtering of DNS over TCP is considered harmful
and contrary to the safe and successful operation of the Internet. and contrary to the safe and successful operation of the Internet.
This section enumerates some of the known risks known at the time of This section enumerates some of the known risks known at the time of
this writing when networks filter DNS over TCP. this writing when networks filter DNS over TCP.
5.1. DNS Wedgie 5.1. DNS Wedgie
Networks that filter DNS over TCP may inadvertently cause problems Networks that filter DNS over TCP may inadvertently cause problems
for third party resolvers as experienced by [TOYAMA]. If for for third-party resolvers as experienced by [TOYAMA]. If, for
instance a resolver receives a truncated answer from a server, but instance, a resolver receives a truncated answer from a server, but
when the resolver resends the query using TCP and the TCP response when the resolver resends the query using TCP and the TCP response
never arrives, not only will a complete answer be unavailable, but never arrives, not only will a complete answer be unavailable, but
the resolver will incur the full extent of TCP retransmissions and the resolver will incur the full extent of TCP retransmissions and
time outs. This situation might place extreme strain on resolver timeouts. This situation might place extreme strain on resolver
resources. If the number and frequency of these truncated answers resources. If the number and frequency of these truncated answers
are sufficiently high, the steady-state of lost resources as a result are sufficiently high, the steady-state of lost resources as a result
is a "DNS wedgie". A DNS wedgie is generally not easily or is a "DNS wedgie." A DNS wedgie is generally not easily or
completely mitigated by the affected DNS resolver operator. completely mitigated by the affected DNS resolver operator.
5.2. DNS Root Zone KSK Rollover 5.2. DNS Root Zone KSK Rollover
The plans for deploying a new root zone DNSSEC KSK highlighted a The plans for deploying a new root zone DNSSEC KSK highlighted a
potential problem in retrieving the keys.[LEWIS] During some phases potential problem in retrieving the root zone key set [LEWIS].
of the KSK rollover process, root zone DNSKEY reponses were larger During some phases of the KSK rollover process, root zone DNSKEY
than 1280 bytes, the IPv6 minimum MTU for links carrying IPv6 responses were larger than 1280 bytes, the IPv6 minimum MTU for links
traffic.[RFC2460] There was some concern that any DNS server unable carrying IPv6 traffic [RFC2460]. There was some concern that any DNS
to receive large DNS messages over UDP, or any DNS message over TCP, server unable to receive large DNS messages over UDP, or any DNS
would experience disruption while performing DNSSEC validation. message over TCP, would experience disruption while performing DNSSEC
validation.
However, during the year-long posponment of the KSK rollover there However, during the year-long postponement of the KSK rollover there
were no reported problems that could be attributed to the 1414 octet were no reported problems that could be attributed to the 1414 octet
DNSKEY response when both the old and new keys were publised in the DNSKEY response when both the old and new keys were published in the
zone. Additionaly, there were no reported problems during the two zone. Additionally, there were no reported problems during the two
month period when the old key was published as revoked and the DNSKEY month period when the old key was published as revoked and the DNSKEY
response was 1425 octets in size.[ROLL_YOUR_ROOT] response was 1425 octets in size [ROLL_YOUR_ROOT].
5.3. DNS-over-TLS
DNS messages may be sent over TLS to provide privacy between stubs
and recursive resolvers. [RFC7858] is a standards track document
describing how this works. Although it utilizes TCP port 853 instead
of port 53, this document applies equally well to DNS-over-TLS.
Note, however, DNS-over-TLS is currently only defined between stubs
and recursives.
The use of TLS places even stronger operational burdens on DNS
clients and servers. Cryptographic functions for authentication and
encryption require additional processing. Unoptimized connection
setup takes two additional round-trips compared to TCP, but can be
reduced with Fast TLS connection resumption [RFC5077] and TLS False
Start [RFC7918].
6. Logging and Monitoring 6. Logging and Monitoring
Developers of applications that log or monitor DNS are advised to not Developers of applications that log or monitor DNS SHOULD NOT ignore
ignore TCP because it is rarely used or because it is hard to TCP due to the perception that it is rarely used or is hard to
process. Operators are advised to ensure that their monitoring and process. Operators SHOULD ensure that their monitoring and logging
logging applications properly capture DNS message over TCP. applications properly capture DNS message over TCP. Otherwise,
Otherwise, attacks, exfiltration attempts, and normal traffic may go attacks, exfiltration attempts, and normal traffic may go undetected.
undetected.
DNS messages over TCP are in no way guaranteed to arrive in single DNS messages over TCP are in no way guaranteed to arrive in single
segments. In fact, a clever attacker may attempt to hide certain segments. In fact, a clever attacker might attempt to hide certain
messages by forcing them over very small TCP segments. Applications messages by forcing them over very small TCP segments. Applications
that capture network packets (e.g., with libpcap) should be prepared that capture network packets (e.g., with libpcap [libpcap]) SHOULD be
to implement and perform full TCP segment reassembly. dnscap prepared to implement and perform full TCP segment reassembly.
[dnscap] is an open-source example of a DNS logging program that dnscap [dnscap] is an open-source example of a DNS logging program
implements TCP reassembly. that implements TCP reassembly.
Developers should also keep in mind connection reuse, pipelining, and Developers SHOULD also keep in mind connection reuse, query
out-of-order responses when building and testing DNS monitoring pipelining, and out-of-order responses when building and testing DNS
applications. monitoring applications.
As an alternative to packet capture, some DNS server software
supports dnstap [dnstap] as an integrated monitoring protocol
intended to facilitate wide-scale DNS monitoring.
7. Acknowledgments 7. Acknowledgments
This document was initially motivated by feedback from students who This document was initially motivated by feedback from students who
pointed out that they were hearing contradictory information about pointed out that they were hearing contradictory information about
filtering DNS over TCP messages. Thanks in particular to a teaching filtering DNS over TCP messages. Thanks in particular to a teaching
colleague, JPL, who perhaps unknowingly encouraged the initial colleague, JPL, who perhaps unknowingly encouraged the initial
research into the differences of what the community has historically research into the differences between what the community has
said and did. Thanks to all the NANOG 63 attendees who provided historically said and did. Thanks to all the NANOG 63 attendees who
feedback to an early talk on this subject. provided feedback to an early talk on this subject.
The following individuals provided an array of feedback to help The following individuals provided an array of feedback to help
improve this document: Piet Barber, Sara Dickinson, Bob Harold, improve this document: Piet Barber, Sara Dickinson, Bob Harold,
Tatuya Jinmei, and Paul Hoffman. The authors are also indebted to Tatuya Jinmei, and Paul Hoffman, Puneet Sood, Richard Wilhelm. The
the contributions stemming from discussion in the tcpm working group authors are also indebted to the contributions stemming from
meeting at IETF 104. Any remaining errors or imperfections are the discussion in the tcpm working group meeting at IETF 104. Any
sole responsibility of the document authors. remaining errors or imperfections are the sole responsibility of the
document authors.
8. IANA Considerations 8. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
9. Security Considerations 9. Security Considerations
Ironically, returning truncated DNS over UDP answers in order to Ironically, returning truncated DNS over UDP answers in order to
induce a client query to switch to DNS over TCP has become a common induce a client query to switch to DNS over TCP has become a common
response to source address spoofed, DNS denial-of-service attacks response to source address spoofed, DNS denial-of-service attacks
[RRL]. Historically, operators have been wary of TCP-based attacks, [RRL]. Historically, operators have been wary of TCP-based attacks,
but in recent years, UDP-based flooding attacks have proven to be the but in recent years, UDP-based flooding attacks have proven to be the
most common protocol attack on the DNS. Nevertheless, a high rate of most common protocol attack on the DNS. Nevertheless, a high rate of
short-lived DNS transactions over TCP may pose challenges. While short-lived DNS transactions over TCP may pose challenges. While
many operators have provided DNS over TCP service for many years many operators have provided DNS over TCP service for many years
without duress, past experience is no guarantee of future success. without duress, past experience is no guarantee of future success.
DNS over TCP is not unlike many other Internet TCP services. TCP DNS over TCP is not unlike many other Internet TCP services. TCP
threats and many mitigation strategies have been well documented in a threats and many mitigation strategies have been well-documented in a
series of documents such as [RFC4953], [RFC4987], [RFC5927], and series of documents such as [RFC4953], [RFC4987], [RFC5927], and
[RFC5961]. [RFC5961].
10. Privacy Considerations 10. Privacy Considerations
Since DNS over both UDP and TCP use the same underlying message Since DNS over both UDP and TCP use the same underlying message
format, the use of one transport instead of the other does change the format, the use of one transport instead of the other does change the
privacy characteristics of the message content (i.e., the name being privacy characteristics of the message content (i.e., the name being
queried). DNS over TLS or DTLS is the recommended way to achieve DNS queried). DNS over TLS or DTLS is the recommended way to achieve DNS
privacy. privacy.
skipping to change at page 14, line 16 skipping to change at page 14, line 25
11.1. Normative References 11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
11.2. Informative References 11.2. Informative References
[accept_filter]
FreeBSD, "FreeBSD accept_filter(9)", May 2018,
<https://www.freebsd.org/cgi/man.cgi?query=accept_filter>.
[AVOID_FRAGS] [AVOID_FRAGS]
Fujiwara, K., "It's time to consider avoiding IP Fujiwara, K., "It's time to consider avoiding IP
fragmentation in the DNS", Jul 2019, fragmentation in the DNS", Jul 2019,
<https://blog.apnic.net/2019/07/12/its-time-to-consider- <https://blog.apnic.net/2019/07/12/its-time-to-consider-
avoiding-ip-fragmentation-in-the-dns/>. avoiding-ip-fragmentation-in-the-dns/>.
[CASTRO2010] [CASTRO2010]
Castro, S., Zhang, M., John, W., Wessels, D., and k. Castro, S., Zhang, M., John, W., Wessels, D., and k.
claffy, "Understanding and preparing for DNS evolution", claffy, "Understanding and preparing for DNS evolution",
2010. 2010.
skipping to change at page 14, line 46 skipping to change at page 15, line 11
Design Team Report, "Root Zone KSK Rollover Plan", Design Team Report, "Root Zone KSK Rollover Plan",
December 2015, <https://www.iana.org/reports/2016/root- December 2015, <https://www.iana.org/reports/2016/root-
ksk-rollover-design-20160307.pdf>. ksk-rollover-design-20160307.pdf>.
[DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002, [DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002,
<https://cr.yp.to/djbdns/tcp.html#why>. <https://cr.yp.to/djbdns/tcp.html#why>.
[dnscap] DNS-OARC, "DNSCAP", May 2018, [dnscap] DNS-OARC, "DNSCAP", May 2018,
<https://www.dns-oarc.net/tools/dnscap>. <https://www.dns-oarc.net/tools/dnscap>.
[dnstap] Edmonds, R. and P. Vixie, "dnstap", May 2018,
<https://dnstap.info>.
[FRAG_POISON] [FRAG_POISON]
Herzberg, A. and H. Shulman, "Fragmentation Considered Herzberg, A. and H. Shulman, "Fragmentation Considered
Poisonous", May 2012, Poisonous", May 2012,
<https://u.cs.biu.ac.il/~herzbea/security/13-03-frag.pdf>. <https://u.cs.biu.ac.il/~herzbea/security/13-03-frag.pdf>.
[HUSTON] Huston, G., "Dealing with IPv6 fragmentation in the DNS", [HUSTON] Huston, G., "Dealing with IPv6 fragmentation in the DNS",
August 2017, <https://blog.apnic.net/2017/08/22/dealing- August 2017, <https://blog.apnic.net/2017/08/22/dealing-
ipv6-fragmentation-dns/>. ipv6-fragmentation-dns/>.
[LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74 Budapest, [LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74 Budapest,
Hungary, May 2017, <https://ripe74.ripe.net/ Hungary, May 2017, <https://ripe74.ripe.net/
presentations/25-RIPE74-lewis-submission.pdf>. presentations/25-RIPE74-lewis-submission.pdf>.
[libpcap] Tcpdump/Libpcap, "Tcpdump and Libpcap", May 2018,
<https://www.tcpdump.org>.
[NETALYZR] [NETALYZR]
Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson, Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson,
"Netalyzr: Illuminating The Edge Network", 2010. "Netalyzr: Illuminating The Edge Network", 2010.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
skipping to change at page 20, line 21 skipping to change at page 20, line 42
Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los
Angeles, 2014. Angeles, 2014.
[WIKIPEDIA_TFO] [WIKIPEDIA_TFO]
Wikipedia, "TCP Fast Open", May 2018, Wikipedia, "TCP Fast Open", May 2018,
<https://en.wikipedia.org/wiki/TCP_Fast_Open>. <https://en.wikipedia.org/wiki/TCP_Fast_Open>.
Appendix A. Standards Related to DNS Transport over TCP Appendix A. Standards Related to DNS Transport over TCP
This section enumerates all known IETF RFC documents that are This section enumerates all known IETF RFC documents that are
currently of status standard, informational, best common practice or currently of status standard, informational, best common practice, or
experimental and either implicitly or explicitly make assumptions or experimental and either implicitly or explicitly make assumptions or
statements about the use of TCP as a transport for the DNS germane to statements about the use of TCP as a transport for the DNS germane to
this document. this document.
A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
The internet standard [RFC1035] is the base DNS specification that The internet standard [RFC1035] is the base DNS specification that
explicitly defines support for DNS over TCP. explicitly defines support for DNS over TCP.
A.2. IETF RFC 1536 - Common DNS Implementation Errors and Suggested A.2. IETF RFC 1536 - Common DNS Implementation Errors and Suggested
skipping to change at page 20, line 49 skipping to change at page 21, line 23
A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS
The [RFC1995] standards track document documents the use of TCP as The [RFC1995] standards track document documents the use of TCP as
the fallback transport when IXFR responses do not fit into a single the fallback transport when IXFR responses do not fit into a single
UDP response. As with AXFR, IXFR messages are typically delivered UDP response. As with AXFR, IXFR messages are typically delivered
over TCP by default in practice. over TCP by default in practice.
A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY) Changes (DNS NOTIFY)
The [RFC1996] standards track document suggests a zone master may The [RFC1996] standards track document suggests a master server may
decide to issue NOTIFY messages over TCP. In practice NOTIFY decide to issue NOTIFY messages over TCP. In practice, NOTIFY
messages are generally sent over UDP, but this specification leaves messages are generally sent over UDP, but this specification leaves
open the possibility that the choice of transport protocol is up to open the possibility that the choice of transport protocol is up to
the master, and therefore a slave ought to be able to operate over the master server, and therefore a slave server ought to be able to
both UDP and TCP. operate over both UDP and TCP.
A.5. IETF RFC 2181 - Clarifications to the DNS Specification A.5. IETF RFC 2181 - Clarifications to the DNS Specification
The [RFC2181] standards track document includes clarifying text on The [RFC2181] standards track document includes clarifying text on
how a client should react to the TC flag set on responses. It is how a client should react to the TC bit set on responses. It is
advised the the response should be discarded and the query resent advised that the response should be discarded and the query resent
using TCP. using TCP.
A.6. IETF RFC 2694 - DNS extensions to Network Address Translators A.6. IETF RFC 2694 - DNS extensions to Network Address Translators
(DNS_ALG) (DNS_ALG)
The informational document [RFC2694] enumerates considerations for The informational document [RFC2694] enumerates considerations for
network address translation (NAT) middle boxes to properly handle DNS network address translation (NAT) devices to properly handle DNS
traffic. This document is noteworthy in its suggestion that DNS over traffic. This document is noteworthy in its suggestion that
TCP is "[t]ypically" used for zone transfer requests, further "[t]ypically, TCP is used for AXFR requests," as further evidence
evidence that helps explain why DNS over TCP may often have been that helps explain why DNS over TCP may often have been treated very
treated very differently than DNS over UDP in operational networks. differently than DNS over UDP in operational networks.
A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC
The [RFC3225] standards track document makes statements indicating The [RFC3225] standards track document makes statements indicating
DNS over TCP is "detrimental" as a result of increased traffic, DNS over TCP is "detrimental" as a result of increased traffic,
latency, and server load. This document is a companion to the next latency, and server load. This document is a companion to the next
document in the RFC series expressing the requirement for EDNS0 document in the RFC series expressing the requirement for EDNS0
support for DNSSEC. support for DNSSEC.
A.8. IETF RFC 3326 - DNSSEC and IPv6 A6 aware server/resolver message A.8. IETF RFC 3326 - DNSSEC and IPv6 A6 aware server/resolver message
size requirements size requirements
The [RFC3226] standards track document, although updated by later Although updated by later DNSSEC RFCs, the standards track document
DNSSEC strongly argued in favor of UDP messages over TCP largely for [RFC3226] strongly argued in favor of UDP messages over TCP largely
performance reasons. The document declares EDNS0 a requirement for for performance reasons. The document declares EDNS0 a requirement
DNSSEC servers and advocated packet fragmentation may be preferable for DNSSEC servers and advocated packet fragmentation may be
to TCP in certain situations preferable to TCP in certain situations.
A.9. IETF RFC 4472 - Operational Considerations and Issues with IPv6 A.9. IETF RFC 4472 - Operational Considerations and Issues with IPv6
DNS DNS
This informational document [RFC4472] notes that IPv6 data may This informational document [RFC4472] notes that IPv6 data may
increase DNS responses beyond what would fit in a UDP message. increase DNS responses beyond what would fit in a UDP message.
Particularly noteworthy, perhaps less common today then when this Particularly noteworthy, perhaps less common today then when this
document was written, refers to implementations that truncate data document was written, it refers to implementations that truncate data
without setting the TC bit to encourge the client to resend the query without setting the TC bit to encourage the client to resend the
using TCP. query using TCP.
A.10. IETF RFC 5452 - Measures for Making DNS More Resilient against A.10. IETF RFC 5452 - Measures for Making DNS More Resilient against
Forged Answers Forged Answers
This informational document [RFC5452] arose as public DNS systems This informational document [RFC5452] arose as public DNS systems
began to experience widespread abuse from spoofed queries, resulting began to experience widespread abuse from spoofed queries, resulting
in amplification and reflection attacks against unwitting victims. in amplification and reflection attacks against unwitting victims.
One of the leading justifications for supporting DNS over TCP to One of the leading justifications for supporting DNS over TCP to
thwart these attacks is briefly described in this document's 9.3 thwart these attacks is briefly described in this document's 9.3
Spoof Detection and Countermeasure section. Spoof Detection and Countermeasure section.
skipping to change at page 23, line 9 skipping to change at page 23, line 30
A.15. IETF RFC 6304 - AS112 Nameserver Operations A.15. IETF RFC 6304 - AS112 Nameserver Operations
[RFC6304] is an informational document enumerating the requirements [RFC6304] is an informational document enumerating the requirements
for operation of AS112 project DNS servers. New AS112 nodes are for operation of AS112 project DNS servers. New AS112 nodes are
tested for their ability to provide service on both UDP and TCP tested for their ability to provide service on both UDP and TCP
transports, with the implication that TCP service is an expected part transports, with the implication that TCP service is an expected part
of normal operations. of normal operations.
A.16. IETF RFC 6762 - Multicast DNS A.16. IETF RFC 6762 - Multicast DNS
In this standards track document [RFC6762] the TC bit is deemed to In this standards track document [RFC6762], the TC bit is deemed to
have essentially the same meaning as described in the original DNS have essentially the same meaning as described in the original DNS
specifications. That is, if a response with the TCP bit set is specifications. That is, if a response with the TCP bit set is
receiver "[...] the querier SHOULD reissue its query using TCP in received, "[...] the querier SHOULD reissue its query using TCP in
order to receive the larger response." order to receive the larger response."
A.17. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) A.17. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0))
This standards track document [RFC6891] helped slow the use and need This standards track document [RFC6891] helped slow the use of and
for DNS over TCP messages. This document highlights concerns over need for DNS over TCP messages. This document highlights concerns
server load and scalability in widespread use of DNS over TCP. over server load and scalability in widespread use of DNS over TCP.
A.18. IETF RFC 6950 - Architectural Considerations on Application A.18. IETF RFC 6950 - Architectural Considerations on Application
Features in the DNS Features in the DNS
An informational document [RFC6950] that draws attention to large An informational document [RFC6950] that draws attention to large
data in the DNS. TCP is referenced in the context as a common data in the DNS. TCP is referenced in the context as a common
fallback mechnanism and counter to some spoofing attacks. fallback mechanism and counter to some spoofing attacks.
A.19. IETF RFC 7477 - Child-to-Parent Synchronization in DNS A.19. IETF RFC 7477 - Child-to-Parent Synchronization in DNS
This standards track document [RFC7477] specifies a RRType and This standards track document [RFC7477] specifies a RRType and
protocol to signal and synchronize NS, A, and AAAA resource record protocol to signal and synchronize NS, A, and AAAA resource record
changes from a child to parent zone. Since this protocol may require changes from a child to parent zone. Since this protocol may require
multiple requests and responses, it recommends utilizing DNS over TCP multiple requests and responses, it recommends utilizing DNS over TCP
to ensure the conversation takes place between a consistent pair of to ensure the conversation takes place between a consistent pair of
end nodes. end nodes.
A.20. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment A.20. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment
Requirements Requirements
This best current practice[RFC7720] declares root name service "MUST This best current practice [RFC7720] declares root name service "MUST
support UDP [RFC768] and TCP [RFC793] transport of DNS queries and support UDP [RFC768] and TCP [RFC793] transport of DNS queries and
responses." responses."
A.21. IETF RFC 7766 - DNS Transport over TCP - Implementation A.21. IETF RFC 7766 - DNS Transport over TCP - Implementation
Requirements Requirements
The standards track document [RFC7766] might be considered the direct The standards track document [RFC7766] might be considered the direct
ancestor of this operational requirements document. The ancestor of this operational requirements document. The
implementation requirements document codifies mandatory support for implementation requirements document codifies mandatory support for
DNS over TCP in compliant DNS software. DNS over TCP in compliant DNS software.
skipping to change at page 24, line 18 skipping to change at page 24, line 42
negotiate an idle timeout value for long-lived DNS over TCP negotiate an idle timeout value for long-lived DNS over TCP
connections. Consequently, this document is only applicable and connections. Consequently, this document is only applicable and
relevant to DNS over TCP sessions and between implementations that relevant to DNS over TCP sessions and between implementations that
support this option. support this option.
A.23. IETF RFC 7858 - Specification for DNS over Transport Layer A.23. IETF RFC 7858 - Specification for DNS over Transport Layer
Security (TLS) Security (TLS)
This standards track document [RFC7858] defines a method for putting This standards track document [RFC7858] defines a method for putting
DNS messages into a TCP-based encrypted channel using TLS. This DNS messages into a TCP-based encrypted channel using TLS. This
specification is noteworthy for explicitly targetting the stub-to- specification is noteworthy for explicitly targeting the stub-to-
recursive traffic, but does not preclude its application from recursive traffic, but does not preclude its application from
recursive-to-authoritative traffic. recursive-to-authoritative traffic.
A.24. IETF RFC 7873 - Domain Name System (DNS) Cookies A.24. IETF RFC 7873 - Domain Name System (DNS) Cookies
This standards track document [RFC7873] describes an EDNS0 option to This standards track document [RFC7873] describes an EDNS0 option to
provide additional protection against query and answer forgery. This provide additional protection against query and answer forgery. This
specification mentions DNS over TCP as a reasonable fallback specification mentions DNS over TCP as a reasonable fallback
mechanism when DNS Cookies are not available. The specification does mechanism when DNS Cookies are not available. The specification does
make mention of DNS over TCP processing in two specific situations. make mention of DNS over TCP processing in two specific situations.
skipping to change at page 24, line 42 skipping to change at page 25, line 18
the request and respond accordingly. In another, when a client the request and respond accordingly. In another, when a client
receives a BADCOOKIE reply using a fresh server cookie, the client receives a BADCOOKIE reply using a fresh server cookie, the client
should retry using TCP as the transport. should retry using TCP as the transport.
A.25. IETF RFC 7901 - CHAIN Query Requests in DNS A.25. IETF RFC 7901 - CHAIN Query Requests in DNS
This experimental specification [RFC7901] describes an EDNS0 option This experimental specification [RFC7901] describes an EDNS0 option
that can be used by a security-aware validating resolver to request that can be used by a security-aware validating resolver to request
and obtain a complete DNSSEC validation path for any single query. and obtain a complete DNSSEC validation path for any single query.
This document requires the use of DNS over TCP or a source IP address This document requires the use of DNS over TCP or a source IP address
verified transport mechanism such as EDNS-COOKIE.[RFC7873] verified transport mechanism such as EDNS-COOKIE [RFC7873].
A.26. IETF RFC 8027 - DNSSEC Roadblock Avoidance A.26. IETF RFC 8027 - DNSSEC Roadblock Avoidance
This document [RFC8027] details observed problems with DNSSEC This document [RFC8027] details observed problems with DNSSEC
deployment and mitigation techniques. Network traffic blocking and deployment and mitigation techniques. Network traffic blocking and
restrictions, including DNS over TCP messages, are highlighted as one restrictions, including DNS over TCP messages, are highlighted as one
reason for DNSSEC deployment issues. While this document suggests reason for DNSSEC deployment issues. While this document suggests
these sorts of problems are due to "non-compliant infrastructure" and these sorts of problems are due to "non-compliant infrastructure" and
is of type BCP, the scope of the document is limited to detection and is of type BCP, the scope of the document is limited to detection and
mitigation techniques to avoid so-called DNSSEC roadblocks. mitigation techniques to avoid so-called DNSSEC roadblocks.
A.27. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS) A.27. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)
This experimental specification [RFC8094] details a protocol that This experimental specification [RFC8094] details a protocol that
uses a datagram transport (UDP), but stipulates that "DNS clients and uses a datagram transport (UDP), but stipulates that "DNS clients and
servers that implement DNS over DTLS MUST also implement DNS over TLS servers that implement DNS over DTLS MUST also implement DNS over TLS
in order to provide privacy for clients that desire Strict Privacy in order to provide privacy for clients that desire Strict Privacy
[...]". This requirement implies DNS over TCP must be supported in [...]." This requirement implies DNS over TCP must be supported in
case the message size is larger than the path MTU. case the message size is larger than the path MTU.
A.28. IETF RFC 8162 - Using Secure DNS to Associate Certificates with A.28. IETF RFC 8162 - Using Secure DNS to Associate Certificates with
Domain Names for S/MIME Domain Names for S/MIME
This experimental specification [RFC8162] describes a technique to This experimental specification [RFC8162] describes a technique to
authenticate user X.509 certificates in an S/MIME system via the DNS. authenticate user X.509 certificates in an S/MIME system via the DNS.
The document points out that the new experimental resource record The document points out that the new experimental resource record
types are expected to carry large payloads, resulting in the types are expected to carry large payloads, resulting in the
suggestion that "applications SHOULD use TCP -- not UDP -- to perform suggestion that "applications SHOULD use TCP -- not UDP -- to perform
skipping to change at page 25, line 50 skipping to change at page 26, line 31
This informational document [RFC8483] describes a testbed environment This informational document [RFC8483] describes a testbed environment
that highlights some DNS over TCP behaviors, including issues that highlights some DNS over TCP behaviors, including issues
involving packet fragmentation and operational requirements for TCP involving packet fragmentation and operational requirements for TCP
stream assembly in order to conduct DNS measurement and analysis. stream assembly in order to conduct DNS measurement and analysis.
A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH)
This standards track document [RFC8484] defines a protocol for This standards track document [RFC8484] defines a protocol for
sending DNS queries and responses over HTTPS. This specification sending DNS queries and responses over HTTPS. This specification
assumes TLS and TCP for the underlying security and transport layers assumes TLS and TCP for the underlying security and transport layers,
respectively. Self-described as a a technique that more closely respectively. Self-described as a a technique that more closely
resembles a tunneling mechanism, DoH nevertheless likely implies DNS resembles a tunneling mechanism, DoH nevertheless likely implies DNS
over TCP in some sense if not directly. over TCP in some sense, if not directly.
A.33. IETF RFC 8490 - DNS Stateful Operations A.33. IETF RFC 8490 - DNS Stateful Operations
This standards track document [RFC8490] updates the base protocol This standards track document [RFC8490] updates the base protocol
specification with a new OPCODE to help manage stateful operations in specification with a new OPCODE to help manage stateful operations in
persistent sessions such as those that might be used by DNS over TCP. persistent sessions, such as those that might be used by DNS over
TCP.
A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service
Providers Providers
This informational document [RFC8501] identifies potential This informational document [RFC8501] identifies potential
operational challenges with Dynamic DNS including denial-of-service operational challenges with Dynamic DNS including denial-of-service
threats. The document suggests TCP may provide some advantages, but threats. The document suggests TCP may provide some advantages, but
that updating hosts would need to be explicitly configured to use TCP that updating hosts would need to be explicitly configured to use TCP
instead of UDP. instead of UDP.
 End of changes. 76 change blocks. 
162 lines changed or deleted 186 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/