draft-ietf-dnsop-edns-tcp-keepalive-01.txt   draft-ietf-dnsop-edns-tcp-keepalive-02.txt 
dnsop P. Wouters dnsop P. Wouters
Internet-Draft Red Hat Internet-Draft Red Hat
Intended status: Standards Track J. Abley Intended status: Standards Track J. Abley
Expires: April 30, 2015 Dyn, Inc. Expires: January 4, 2016 Dyn, Inc.
October 27, 2014 S. Dickinson
Sinodun
R. Bellis
ISC
July 3, 2015
The edns-tcp-keepalive EDNS0 Option The edns-tcp-keepalive EDNS0 Option
draft-ietf-dnsop-edns-tcp-keepalive-01 draft-ietf-dnsop-edns-tcp-keepalive-02
Abstract Abstract
DNS messages between clients and servers may be received over either DNS messages between clients and servers may be received over either
UDP or TCP. UDP transport involves keeping less state on a busy UDP or TCP. UDP transport involves keeping less state on a busy
server, but can cause truncation and retries over TCP. Additionally, server, but can cause truncation and retries over TCP. Additionally,
UDP can be exploited for reflection attacks. Using TCP would reduce UDP can be exploited for reflection attacks. Using TCP would reduce
retransmits and amplification. However, clients are currently retransmits and amplification. However, clients commonly use TCP
limited in their use of the TCP transport as RFC 5966 suggests only for fallback and servers typically use idle timeouts on the
closing idle TCP sessions "in the order of seconds", making use of order of seconds.
TCP only suitable for individual queries generated as a fallback
protocol for truncated UDP answers.
This document defines an EDNS0 option ("edns-tcp-keepalive") that This document defines an EDNS0 option ("edns-tcp-keepalive") that
allows DNS clients and servers to signal their respective readiness allows DNS servers to signal a variable idle timeout. This
to conduct multiple DNS transactions over individual TCP sessions. signalling facilitates a better balance of UDP and TCP transport
This signalling facilitates a better balance of UDP and TCP transport
between individual clients and servers, reducing the impact of between individual clients and servers, reducing the impact of
problems associated with UDP transport and allowing the state problems associated with UDP transport and allowing the state
associated with TCP transport to be managed effectively with minimal associated with TCP transport to be managed effectively with minimal
impact on the DNS transaction time. impact on the DNS transaction time.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 30, 2015. This Internet-Draft will expire on January 4, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4
3. The edns-tcp-keepalive Option . . . . . . . . . . . . . . . . 4 3. The edns-tcp-keepalive Option . . . . . . . . . . . . . . . . 4
3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Use by DNS Clients . . . . . . . . . . . . . . . . . . . 5 3.2. Use by DNS Clients . . . . . . . . . . . . . . . . . . . 5
3.2.1. Sending Queries . . . . . . . . . . . . . . . . . . . 5 3.2.1. Sending Queries . . . . . . . . . . . . . . . . . . . 5
3.2.2. Receiving Responses . . . . . . . . . . . . . . . . . 6 3.2.2. Receiving Responses . . . . . . . . . . . . . . . . . 5
3.3. Use by DNS Servers . . . . . . . . . . . . . . . . . . . 6 3.3. Use by DNS Servers . . . . . . . . . . . . . . . . . . . 6
3.3.1. Receiving Queries . . . . . . . . . . . . . . . . . . 6 3.3.1. Receiving Queries . . . . . . . . . . . . . . . . . . 6
3.3.2. Sending Responses . . . . . . . . . . . . . . . . . . 6 3.3.2. Sending Responses . . . . . . . . . . . . . . . . . . 6
3.4. TCP Session Management . . . . . . . . . . . . . . . . . 7 3.4. TCP Session Management . . . . . . . . . . . . . . . . . 6
3.5. Non-Clean Paths . . . . . . . . . . . . . . . . . . . . . 7 3.5. Non-Clean Paths . . . . . . . . . . . . . . . . . . . . . 7
3.6. Anycast Considerations . . . . . . . . . . . . . . . . . 7 3.6. Anycast Considerations . . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 4. Intermediary Considerations . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9
Appendix A. Editors' Notes . . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9
A.1. Venue . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Appendix A. Editors' Notes . . . . . . . . . . . . . . . . . . . 10
A.2. Abridged Change History . . . . . . . . . . . . . . . . . 9 A.1. Venue . . . . . . . . . . . . . . . . . . . . . . . . . . 10
A.2.1. draft-ietf-dnsop-edns-tcp-keepalive-01 . . . . . . . 9 A.2. Abridged Change History . . . . . . . . . . . . . . . . . 10
A.2.2. draft-ietf-dnsop-edns-tcp-keepalive-00 . . . . . . . 9 A.2.1. draft-ietf-dnsop-edns-tcp-keepalive-02 . . . . . . . 10
A.2.3. draft-wouters-edns-tcp-keepalive-01 . . . . . . . . . 9 A.2.2. draft-ietf-dnsop-edns-tcp-keepalive-01 . . . . . . . 11
A.2.4. draft-wouters-edns-tcp-keepalive-00 . . . . . . . . . 9 A.2.3. draft-ietf-dnsop-edns-tcp-keepalive-00 . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 A.2.4. draft-wouters-edns-tcp-keepalive-01 . . . . . . . . . 11
A.2.5. draft-wouters-edns-tcp-keepalive-00 . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
DNS messages between clients and servers may be received over either DNS messages between clients and servers may be received over either
UDP or TCP [RFC1035]. Historically, DNS clients used API's that only UDP or TCP [RFC1035]. Historically, DNS clients used API's that only
facilitated sending and receiving a single query over either UDP or facilitated sending and receiving a single query over either UDP or
TCP. New APIs and deployment of DNSSEC validating resolvers on hosts TCP. New APIs and deployment of DNSSEC validating resolvers on hosts
that in the past were using stub resolving only is increasing the DNS that in the past were using stub resolving only is increasing the DNS
client base that prefer using long lived TCP connections. Long-lived client base that prefer using long lived TCP connections. Long-lived
TCP connections can result in lower request latency than the case TCP connections can result in lower request latency than the case
where UDP transport is used and truncated responses are received, where UDP transport is used and truncated responses are received,
since clients that have fallen back to TCP transport in response to a since clients that have fallen back to TCP transport in response to a
truncated response typically only uses the TCP session for a single truncated response typically only uses the TCP session for a single
skipping to change at page 3, line 15 skipping to change at page 3, line 18
UDP or TCP [RFC1035]. Historically, DNS clients used API's that only UDP or TCP [RFC1035]. Historically, DNS clients used API's that only
facilitated sending and receiving a single query over either UDP or facilitated sending and receiving a single query over either UDP or
TCP. New APIs and deployment of DNSSEC validating resolvers on hosts TCP. New APIs and deployment of DNSSEC validating resolvers on hosts
that in the past were using stub resolving only is increasing the DNS that in the past were using stub resolving only is increasing the DNS
client base that prefer using long lived TCP connections. Long-lived client base that prefer using long lived TCP connections. Long-lived
TCP connections can result in lower request latency than the case TCP connections can result in lower request latency than the case
where UDP transport is used and truncated responses are received, where UDP transport is used and truncated responses are received,
since clients that have fallen back to TCP transport in response to a since clients that have fallen back to TCP transport in response to a
truncated response typically only uses the TCP session for a single truncated response typically only uses the TCP session for a single
(request, response) pair, continuing with UDP transport for (request, response) pair, continuing with UDP transport for
subsequent queries. subsequent queries. Clients wishing to use other stream-based
transport protocols for DNS would also benefit from the set-up
amortisation afforded by long lived connections.
UDP transport is stateless, and hence presents a much lower resource UDP transport is stateless, and hence presents a much lower resource
burden on a busy DNS server than TCP. An exchange of DNS messages burden on a busy DNS server than TCP. An exchange of DNS messages
over UDP can also be completed in a single round trip between over UDP can also be completed in a single round trip between
communicating hosts, resulting in optimally-short transaction times. communicating hosts, resulting in optimally-short transaction times.
UDP transport is not without its risks, however. UDP transport is not without its risks, however.
A single-datagram exchange over UDP between two hosts can be A single-datagram exchange over UDP between two hosts can be
exploited to enable a reflection attack on a third party. Mitigation exploited to enable a reflection attack on a third party. Mitigation
of such attacks on authoritative-only servers is possible using an of such attacks on authoritative-only servers is possible using an
skipping to change at page 4, line 6 skipping to change at page 4, line 10
The overhead of the three-way TCP handshake for a single DNS The overhead of the three-way TCP handshake for a single DNS
transaction is substantial, increasing the transaction time for a transaction is substantial, increasing the transaction time for a
single (request, response) pair of DNS messages from 1 x RTT to 2 x single (request, response) pair of DNS messages from 1 x RTT to 2 x
RTT. There is no such overhead for a session that is already RTT. There is no such overhead for a session that is already
established, however, and the overall impact of the TCP setup established, however, and the overall impact of the TCP setup
handshake when the resulting session is used to exchange N DNS handshake when the resulting session is used to exchange N DNS
message pairs over a single session, (1 + N)/N, approaches unity as N message pairs over a single session, (1 + N)/N, approaches unity as N
increases. increases.
(It should perhaps be noted that the overhead for a DNS transaction (It should perhaps be noted that the overhead for a DNS transaction
over UDP truncacated due to RRL is 3x RTT, higher than the overhead over UDP truncated due to RRL is 3x RTT, higher than the overhead
imposed on the same transaction initiated over TCP.) imposed on the same transaction initiated over TCP.)
With increased deployment of DNSSEC and new RRtypes containing With increased deployment of DNSSEC and new RRtypes containing
application specific cryptographic material, there is an increase in application specific cryptographic material, there is an increase in
the prevalence of truncated responses received over UDP with fallback the prevalence of truncated responses received over UDP with fallback
to TCP. to TCP.
The use of TCP transport requires considerably more state to be The use of TCP transport requires considerably more state to be
retained on DNS servers. If a server is to perform adequately with a retained on DNS servers. If a server is to perform adequately with a
significant query load received over TCP, it must manage its significant query load received over TCP, it must manage its
available resources to ensure that all established TCP sessions are available resources to ensure that all established TCP sessions are
well-used, and that those which are unlikely to be used for the well-used, and those that remain idle for long periods are closed
exchange of multiple DNS messages are closed promptly. promptly.
This document proposes a signalling mechanism between DNS clients and This document proposes a signalling mechanism between DNS clients and
servers that provides a means to better balance the use of UDP and servers that provides a means to better balance the use of UDP and
TCP transport, reducing the impact of problems associated with UDP TCP transport, reducing the impact of problems associated with UDP
whilst constraining the impact of TCP on response times and server whilst constraining the impact of TCP on response times and server
resources to a manageable level. resources to a manageable level.
The reduced overhead of this extension adds up significantly when The reduced overhead of this extension adds up significantly when
combined with other edns extensions, such as [CHAIN-QUERY]. The combined with other edns extensions, such as [CHAIN-QUERY] and
combination of these two EDNS extensions make it possible for hosts [STARTTLS]. For example, the combination of these EDNS extensions
on high-latency mobile networks to natively perform DNSSEC make it possible for hosts on high-latency mobile networks to
validation. natively perform DNSSEC validation and encrypt queries.
2. Requirements Notation 2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. The edns-tcp-keepalive Option 3. The edns-tcp-keepalive Option
This document specifies a new EDNS0 [RFC6891] option, edns-tcp- This document specifies a new EDNS0 [RFC6891] option, edns-tcp-
keepalive, which can be used by DNS clients and servers to signal a keepalive, which can be used by DNS clients and servers to signal a
willingness to keep an (idle) TCP session open for a certain amount willingness to keep an idle TCP session open for a certain amount of
of time to conduct future DNS transactions. This specification does time to conduct future DNS transactions. This specification does not
not distinguish between different types of DNS client and server in distinguish between different types of DNS client and server in the
the use of this option. use of this option.
3.1. Option Format 3.1. Option Format
The edns-tcp-keepalive option is encoded as follows: The edns-tcp-keepalive option is encoded as follows:
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+ +-------------------------------+-------------------------------+
! OPTION-CODE ! OPTION-LENGTH ! ! OPTION-CODE ! OPTION-LENGTH !
+-------------------------------+-------------------------------+ +-------------------------------+-------------------------------+
| TIMEOUT | | TIMEOUT |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
where: where:
OPTION-CODE: the EDNS0 option code assigned to edns-tcp-keepalive, OPTION-CODE: the EDNS0 option code assigned to edns-tcp-keepalive,
[TBD] [TBD]
OPTION-LENGTH: the value 2; OPTION-LENGTH: the value 0 if the TIMEOUT is omitted, the value 2
if it is present;
TIMEOUT: a timeout value for the TCP connection, specified in TIMEOUT: an idle timeout value for the TCP connection, specified in
seconds, encoded in network byte order. units of 100 milliseconds, encoded in network byte order.
3.2. Use by DNS Clients 3.2. Use by DNS Clients
3.2.1. Sending Queries 3.2.1. Sending Queries
DNS clients MAY include the edns-tcp-keepalive option in queries sent DNS clients MUST NOT include the edns-tcp-keepalive option in queries
using UDP transport to signal their general ability to use individual sent using UDP transport.
TCP sessions for multiple DNS transactions with a particular server.
DNS clients MAY include the edns-tcp-keepalive option in the first DNS clients MAY include the edns-tcp-keepalive option in the first
query sent to a server using TCP transport to signal their desire query sent to a server using TCP transport to signal their desire to
that that specific TCP session be used for multiple DNS transactions. keep the connection open when idle.
Clients MAY specify a TIMEOUT value that is representative of the
minimum expected time an individual TCP session should remain
established for it to be used by multiple DNS transactions.
In the case where there are multiple candidate servers available to
service a particular transaction, clients MAY include data associated
with all servers when computing a TIMEOUT value to be signalled to
any one of those servers.
If the client has insufficient data to be able to provide a Clients MUST specify a OPTION-LENGTH of 0 and omit the TIMEOUT value.
meaningful estimate, the TIMEOUT value MUST be set to zero.
3.2.2. Receiving Responses 3.2.2. Receiving Responses
A DNS client that receives a response using UDP transport that A DNS client that receives a response using UDP transport that
includes the edns-tcp-keepalive option MAY record the presence of the includes the edns-tcp-keepalive option MUST ignore the option.
option and the associated TIMEOUT value, and use that information as
part of its server selection algorithm in the case where multiple
candidate servers are available to service a particular query.
A DNS client that receives a response using TCP transport that A DNS client that receives a response using TCP transport that
includes the edns-tcp-keepalive option MAY keep the existing TCP includes the edns-tcp-keepalive option MAY keep the existing TCP
session open. session open when it is idle. It SHOULD honour the timeout and
initiate close of the connection before the timeout expires.
A DNS client that receives a response that includes the edns-tcp- A DNS client that receives a response that includes the edns-tcp-
keepalive option with a TIMEOUT value of 0 is allowed to keep the TCP keepalive option with a TIMEOUT value of 0 should send no more
connection open indefinately. queries on that connection and initiate closing the connection as
soon as it has received all outstanding responses.
A DNS client that sent a query containing the edns-keepalive-option
but receives a response that does not contain the edns-keepalive-
option should assume the server does not support keepalive and behave
following the guidance in [DRAFT-5966bis]. This holds true even if a
previous edns-keepalive-option exchange occurred on the existing TCP
connection.
3.3. Use by DNS Servers 3.3. Use by DNS Servers
3.3.1. Receiving Queries 3.3.1. Receiving Queries
A DNS server that receives a query using UDP transport that includes A DNS server that receives a query using UDP transport that includes
the edns-tcp-keepalive option MAY record the presence of the option the edns-tcp-keepalive option MUST ignore the option.
for statistical purposes, but should not otherwise modify its usual
behaviour in sending a response.
A DNS server that receives a query using TCP transport that includes A DNS server that receives a query using TCP transport that includes
the edns-tcp-keepalive option SHOULD extend the timeout normally the edns-tcp-keepalive option MAY modify the local idle timeout
associated with TCP sessions if resources permit, using the TIMEOUT associated with that TCP session if resources permit.
value supplied by the client as a guide.
3.3.2. Sending Responses 3.3.2. Sending Responses
DNS servers MAY include the edns-tcp-keepalive option in responses DNS servers MAY include the edns-tcp-keepalive option in responses
sent using UDP transport to signal their general ability to use sent using TCP transport to signal their expected idle timeout on a
individual TCP sessions for multiple DNS transactions with a connection. Servers MUST specify the TIMEOUT value that is currently
particular server. The TIMEOUT value should be indicative of what a associated with the TCP session. It is reasonable for this value to
client might expect if it was to open a TCP session with the server change according to local resource constraints or in consideration of
and receive a response with the edns-tcp-keepalive option present. intermediary behaviour (for example TCP middleboxes or NATs). The
The DNS server MAY omit including the edns-tcp-keepalive option if it DNS server SHOULD send a edns-tcp-keepalive option with a timeout of
is running too low on resources to service more TCP keepalive 0 if it deems its local resources are too low to service more TCP
sessions. keepalive sessions.
DNS servers MAY include the edns-tcp-keepalive option in responses
sent using TCP transport to signal their ability to use that specific
session to exchange multiple DNS transactions. Servers MUST specify
the TIMEOUT value that is currently associated with the TCP session.
It is reasonable for this value to change according to local resource
constraints. The DNS server MAY omit including the edns-tcp-
keepalive option if it deems its local resources are too low to
service more TCP keepalive sessions.
3.4. TCP Session Management 3.4. TCP Session Management
Both DNS clients and servers are subject to resource constraints Both DNS clients and servers are subject to resource constraints
which will limit the extent to which TCP sessions can persist. which will limit the extent to which TCP sessions can persist.
Effective limits for the number of active sessions that can be Effective limits for the number of active sessions that can be
maintained on individual clients and servers should be established, maintained on individual clients and servers should be established,
either as configuration options or by interrogation of process limits either as configuration options or by interrogation of process limits
imposed by the operating system. imposed by the operating system. Servers that implement keepalive
should also engage in TCP connection management by recycling existing
connections when appropriate, closing connections gracefully and
managing request queues to enable fair use.
In the event that there is greater demand for TCP sessions than can In the event that there is greater demand for TCP sessions than can
be accommodated, servers may reduce the TIMEOUT value signalled in be accommodated, servers may reduce the TIMEOUT value signalled in
successive DNS messages to avoid abrupt termination of a session. successive DNS messages to minimise idle time on existing sessions.
This allows, for example, clients with other candidate servers to
query to establish new TCP sessions with different servers in This also allows, for example, clients with other candidate servers
to query to establish new TCP sessions with different servers in
expectation that an existing session is likely to be closed, or to expectation that an existing session is likely to be closed, or to
fall back to UDP. fall back to UDP.
Based on TCP session resources servers may signal a TIMEOUT value of
0 to request clients to close connections as soon as possible. This
is useful when server resources become very low or a denial-of-
service attack is detected and further maximises the shifting of
TIME_WAIT state to well-behaved clients.
However it should be noted that RCF6891 states:
Lack of presence of an OPT record in a request MUST be taken as an
indication that the requestor does not implement any part of this
specification and that the responder MUST NOT include an OPT
record in its response.
Since servers must be faithful to this specification even on a
persistent TCP connection it means that (following the initial
exchange of timeouts) a server may not be presented with the
opportunity to signal a change in the idle timeout associated with a
connection if the client does not send any further requests
containing EDNS0 OPT RRs. This limitation makes persistent
connection handling via an initial idle timeout signal more
attractive than a mechanism that establishes default persistence and
then uses a connection close signal (in a similar manner to HTTP 1.1
[RFC7320]).
DNS clients and servers MAY close a TCP session at any time in order DNS clients and servers MAY close a TCP session at any time in order
to manage local resource constraints. The algorithm by which clients to manage local resource constraints. The algorithm by which clients
and servers rank active TCP sessions in order to determine which to and servers rank active TCP sessions in order to determine which to
close is not specified in this document. close is not specified in this document.
3.5. Non-Clean Paths 3.5. Non-Clean Paths
Many paths between DNS clients and servers suffer from poor hygiene, Many paths between DNS clients and servers suffer from poor hygiene,
limiting the free flow of DNS messages that include particular EDNS0 limiting the free flow of DNS messages that include particular EDNS0
options, or messages that exceed a particular size. A fallback options, or messages that exceed a particular size. A fallback
strategy similar to that described in [RFC6891] section 6.2.2 SHOULD strategy similar to that described in [RFC6891] section 6.2.2 SHOULD
be employed to avoid persistent interference due to non-clean paths. be employed to avoid persistent interference due to non-clean paths.
3.6. Anycast Considerations 3.6. Anycast Considerations
DNS servers of various types are commonly deployed using anycast DNS servers of various types are commonly deployed using anycast
[RFC4786]. [RFC4786].
Successive DNS transactions between a client and server using UDP
transport may involve responses generated by different anycast nodes,
and the use of anycast in the implementation of a DNS server is
effectively undetectable by the client. The edns-tcp-keepalive
option SHOULD NOT be included in responses using UDP transport from
servers provisioned using anycast unless all anycast server nodes are
capable of processing the edns-tcp-keepalive option.
Changes in network topology between clients and anycast servers may Changes in network topology between clients and anycast servers may
cause disruption to TCP sessions making use of edns-tcp-keepalive cause disruption to TCP sessions making use of edns-tcp-keepalive
more often than with TCP sessions that omit it, since the TCP more often than with TCP sessions that omit it, since the TCP
sessions are expected to be longer-lived. Anycast servers MAY make sessions are expected to be longer-lived. Anycast servers MAY make
use of TCP multipath [RFC6824] to anchor the server side of the TCP use of TCP multipath [RFC6824] to anchor the server side of the TCP
connection to an unambiguously-unicast address in order to avoid connection to an unambiguously-unicast address in order to avoid
disruption due to topology changes. disruption due to topology changes.
4. Security Considerations 4. Intermediary Considerations
It is RECOMMENDED that DNS intermediaries which terminate TCP
connections implement keepalive. Should a non-keepalive-aware
intermediary sit between a client and server that both support
keepalive a potential side effect will be an increased frequency of
the proxy closing idle client connections.
5. Security Considerations
The edns-tcp-keep-alive option can potentially be abused to request The edns-tcp-keep-alive option can potentially be abused to request
large numbers of sessions in a quick burst. When a Nameserver large numbers of sessions in a quick burst. When a Nameserver
detects abusive behaviour, it SHOULD immediately close the TCP detects abusive behaviour, it SHOULD immediately close the TCP
connection and free all buffers used. connection and free all buffers used.
Readers are advised to familiarise themselves with the security
considerations outlined in [DRAFT-5966bis]
This section needs more work. As usual. This section needs more work. As usual.
5. IANA Considerations 6. IANA Considerations
The IANA is directed to assign an EDNS0 option code for the edns-tcp- The IANA is directed to assign an EDNS0 option code for the edns-tcp-
keepalive option from the DNS EDNS0 Option Codes (OPT) registry as keepalive option from the DNS EDNS0 Option Codes (OPT) registry as
follows: follows:
+-------+--------------------+----------+-----------------+ +-------+--------------------+----------+-----------------+
| Value | Name | Status | Reference | | Value | Name | Status | Reference |
+-------+--------------------+----------+-----------------+ +-------+--------------------+----------+-----------------+
| [TBA] | edns-tcp-keepalive | Optional | [This document] | | [TBA] | edns-tcp-keepalive | Optional | [This document] |
+-------+--------------------+----------+-----------------+ +-------+--------------------+----------+-----------------+
6. Acknowledgements 7. Acknowledgements
The authors acknowledge the contributions of Ray Bellis, Jinmei
TATUYA and Mark Andrews.
7. References The authors acknowledge the contributions of Jinmei TATUYA and Mark
Andrews.
7.1. Normative References 8. References
[CHAIN-QUERY] 8.1. Normative References
Wouters, P., "chain Query requests in DNS", draft-ietf-
dnsop-edns-chain-query (work in progress), October 2014.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005. 4033, March 2005.
skipping to change at page 9, line 22 skipping to change at page 9, line 32
[RFC5966] Bellis, R., "DNS Transport over TCP - Implementation [RFC5966] Bellis, R., "DNS Transport over TCP - Implementation
Requirements", RFC 5966, August 2010. Requirements", RFC 5966, August 2010.
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple "TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, January 2013. Addresses", RFC 6824, January 2013.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891, April 2013. for DNS (EDNS(0))", STD 75, RFC 6891, April 2013.
7.2. Informative References [RFC7320] Nottingham, M., "URI Design and Ownership", BCP 190, RFC
7320, July 2014.
8.2. Informative References
[CHAIN-QUERY]
Wouters, P., "Chain Query requests in DNS", draft-ietf-
dnsop-edns-chain-query (work in progress), October 2014.
[DRAFT-5966bis]
Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
D. Wessels, "DNS Transport over TCP - Implementation
Requirements", draft-ietf-dnsop-5966bis-02 (work in
progress), July 2015.
[RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting [RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting
(DNS RRL)", ISC-TN 2012-1-Draft1, April 2012. (DNS RRL)", ISC-TN 2012-1-Draft1, April 2012.
[STARTTLS]
Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "TLS for DNS: Initiation and Performance
Considerations", draft-ietf-dprive-start-tls-for-dns-02
(work in progress), May 2015.
Appendix A. Editors' Notes Appendix A. Editors' Notes
A.1. Venue A.1. Venue
An appropriate venue for discussion of this document is An appropriate venue for discussion of this document is
dnsop@ietf.org. dnsop@ietf.org.
A.2. Abridged Change History A.2. Abridged Change History
A.2.1. draft-ietf-dnsop-edns-tcp-keepalive-01 A.2.1. draft-ietf-dnsop-edns-tcp-keepalive-02
Changed timeout value to idle timeout and re-phrased document around
this.
Changed units of timeout to 100ms to allow values less than 1 second.
Change specification to remove use of the option over UDP. This is
potentially confusing, could cause issues with ALG's and adds only
limited value.
Changed semantics so the client no longer sends a timeout. The
client timeout is of limited value as servers should be managing
connections based on their view of their resources, not on client
requests as this is open to abuse. Additionally this identifies
cases were the option is simply being reflected back.
Changed semantics for the meaning of a server sending a timeout of 0.
The maximum timeout value of 6553.5s (~1.8h) is already large and a
distinct 'connection close'-like signal is potentially more useful.
Added more detail on server side requirements when supporting
keepalive in terms of resource and connection management.
Added discussion of EDNS0 per-message limitation and implications of
this.
Added reference to STARTTLS draft and RFC7320.
A.2.2. draft-ietf-dnsop-edns-tcp-keepalive-01
Version bump with no changes Version bump with no changes
A.2.2. draft-ietf-dnsop-edns-tcp-keepalive-00 A.2.3. draft-ietf-dnsop-edns-tcp-keepalive-00
Clarifications, working group adoption. Clarifications, working group adoption.
A.2.3. draft-wouters-edns-tcp-keepalive-01 A.2.4. draft-wouters-edns-tcp-keepalive-01
Also allow clients to specify KEEPALIVE timeout values, clarify Also allow clients to specify KEEPALIVE timeout values, clarify
motivation of document. motivation of document.
A.2.4. draft-wouters-edns-tcp-keepalive-00 A.2.5. draft-wouters-edns-tcp-keepalive-00
Initial draft. Initial draft.
Authors' Addresses Authors' Addresses
Paul Wouters Paul Wouters
Red Hat Red Hat
Email: pwouters@redhat.com Email: pwouters@redhat.com
Joe Abley Joe Abley
Dyn, Inc. Dyn, Inc.
470 Moore Street 470 Moore Street
London, ON N6C 2C2 London, ON N6C 2C2
Canada Canada
Phone: +1 519 670 9327 Phone: +1 519 670 9327
Email: jabley@dyn.com Email: jabley@dyn.com
Sara Dickinson
Sinodun Internet Technologies
Magdalen Centre
Oxford Science Park
Oxford OX4 4GA
UK
Email: sara@sinodun.com
URI: http://sinodun.com
Ray Bellis
Internet Systems Consortium, Inc
950 Charter Street
Redwood City CA 94063
USA
Phone: +1 650 423 1200
Email: ray@isc.org
URI: http://www.isc.org
 End of changes. 45 change blocks. 
119 lines changed or deleted 184 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/