rfcdiff: draft-ietf-dnsop-no-response-issue-07.txt vs draft-ietf-dnsop-no-response-issue-08.txt
(text common to both drafts is shown once; where they differ, both readings are given as -07 / -08)

Network Working Group                                          M. Andrews
Internet-Draft                                                        ISC
Intended status: Best Current Practice    -07: March 2, 2017 / -08: March 3, 2017
Expires:                                  -07: September 3, 2017 / -08: September 4, 2017

      A Common Operational Problem in DNS Servers - Failure To Respond.
      draft-ietf-dnsop-no-response-issue-07 / draft-ietf-dnsop-no-response-issue-08

Abstract

   The DNS is a query / response protocol.  Failure to respond or to
   respond correctly to queries causes both immediate operational
   problems and long term problems with protocol development.

   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or else respond incorrectly.
   This document also suggests procedures for TLD and other zone

   [skipping to change at page 1, line 40]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 3, 2017 (-07) /
   September 4, 2017 (-08).

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 2, line 23]
   (Table of contents as in -08.  -07 lacks Section 8.2.7 "Testing
   Truncated Responses", so its Sections 8.2.7 - 8.2.9 are -08's
   Sections 8.2.8 - 8.2.10; the remaining differences are page numbers.)

   1.  Introduction
   2.  Consequences
   3.  Common queries kinds that result in non responses.
     3.1.  Basic DNS Queries
       3.1.1.  Zone Existence
       3.1.2.  Unknown / Unsupported Type Queries
       3.1.3.  DNS Flags
       3.1.4.  Unknown DNS opcodes
       3.1.5.  Recursive Queries
       3.1.6.  TCP Queries
     3.2.  EDNS Queries
       3.2.1.  EDNS Queries - Version Independent
       3.2.2.  EDNS Queries - Version Specific
       3.2.3.  EDNS Options
       3.2.4.  EDNS Flags
       3.2.5.  Truncated EDNS Responses
       3.2.6.  DNSSEC
       3.2.7.  EDNS over TCP
   4.  Firewalls and Load Balancers
   5.  Scrubbing Services
   6.  Whole Answer Caches

   [skipping to change at page 3, line 5]

     8.2.  Testing - Extended DNS
       8.2.1.  Testing Minimal EDNS
       8.2.2.  Testing EDNS Version Negotiation
       8.2.3.  Testing Unknown EDNS Options
       8.2.4.  Testing Unknown EDNS Flags
       8.2.5.  Testing EDNS Version Negotiation With Unknown EDNS Flags
       8.2.6.  Testing EDNS Version Negotiation With Unknown EDNS Options
       8.2.7.  Testing Truncated Responses (new in -08)
       8.2.8.  Testing DNSSEC Queries (8.2.7 in -07)
       8.2.9.  Testing EDNS Version Negotiation With DNSSEC (8.2.8 in -07)
       8.2.10. Testing With Multiple Defined EDNS Options (8.2.9 in -07)
     8.3.  When EDNS Is Not Supported
   9.  Remediation
   10. Security Considerations
   11. IANA Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Author's Address
1.  Introduction

   The DNS [RFC1034], [RFC1035] is a query / response protocol.  Failure
   to respond to queries or to respond incorrectly causes both immediate
   operational problems and long term problems with protocol
   development.

   Failure to respond to a query is indistinguishable from a packet loss

   [skipping to change at page 20, line 5]
      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: an OPT record to be present in the additional section
      expect: OPT=100 to NOT be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present
      expect: flag: ad to NOT be present

   +noednsneg disables EDNS version negotiation in DiG.
8.2.7.  Testing Truncated Responses (new in -08)

   Ask for the DNSKEY records of the zone the server is nominally
   configured to serve.  This query is made with no DNS flag bits set.
   EDNS version 0 is used without any EDNS options.  The only EDNS flag
   set is DO.  The EDNS UDP buffer size is set to 512.  The intention of
   this query is to elicit a truncated response from the server, since
   most signed DNSKEY responses are bigger than 512 bytes.

   We expect a response with the rcode set to NOERROR and the AA and QR
   bits set.  AD may be set in the response if the server supports
   DNSSEC, otherwise it should be clear.  TC and RA may also be set
   [RFC1034].  We expect an OPT record to be present in the response.
   There should be no EDNS flags other than DO present in the response.
   The EDNS version field should be zero and there should be no EDNS
   options present [RFC6891].

   If TC is not set (the whole answer fit within 512 bytes) this test
   cannot confirm whether the server correctly adds the OPT record to
   truncated responses; it only exercises the untruncated path.

      dig +norec +dnssec +bufsize=512 +ignore dnskey $zone @$server

      expect: NOERROR
      expect: OPT record with version set to 0

   +ignore makes DiG accept a truncated UDP response instead of retrying
   the query over TCP, so the truncated UDP response itself can be
   inspected.
8.2.8.  Testing DNSSEC Queries (8.2.7 in -07)

   Ask for the SOA record of the zone the server is nominally configured
   to serve.  This query is made with no DNS flag bits set.  EDNS
   version 0 is used without any EDNS options.  The only EDNS flag set
   is DO.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response, AD may be set in the response if the server
   supports DNSSEC otherwise it should be clear.  RA may also be set
   [skipping to change at page 20, line 36 (-07) / page 21, line 20 (-08)]

      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: DO=1 to be present if an RRSIG is in the response
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

   DO=1 should be present if RRSIGs are returned as they indicate that
   the server supports DNSSEC.  Servers that support DNSSEC are supposed
   to copy the DO bit from the request to the response as per [RFC3225].
8.2.9.  Testing EDNS Version Negotiation With DNSSEC (8.2.8 in -07)

   Ask for the SOA record of the zone the server is nominally configured
   to serve.  This query is made with no DNS flag bits set.  EDNS
   version 1 is used without any EDNS options.  The only EDNS flag set
   is DO.

   We expect the SOA record for the zone to NOT be returned in the
   answer section, the rcode set to BADVERS, and only the QR bit and
   possibly the RA bit to be set [RFC1034].  We expect an OPT record
   to be returned.  There should be no EDNS flags other than DO present
   [skipping to change at page 21, line 20 (-07) / page 22, line 5 (-08)]

      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: an OPT record to be present in the additional section
      expect: DO=1 to be present if the EDNS version 0 DNSSEC query test
              returned DO=1
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present

   +noednsneg disables EDNS version negotiation in DiG.
8.2.10.  Testing With Multiple Defined EDNS Options (8.2.9 in -07)

   Ask for the SOA record of the zone the server is nominally configured
   to serve.  This query is made with no DNS flag bits set.  EDNS
   version 0 is used.  A number of defined EDNS options are present
   (NSID [RFC5001], DNS COOKIE [RFC7873], EDNS Client Subnet [RFC7871]
   and EDNS Expire [RFC7314]).

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response, RA may also be set [RFC1034].  We expect an OPT
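   The following is an added example, not part of the draft and not ISC
   tooling: a wire-level version of the four tests in Sections 8.2.7 -
   8.2.10 that builds the query DiG would send (no DNS flag bits, EDNS
   version 0 or 1, DO set, buffer size 512 for the truncation test, the
   four defined options for 8.2.10), parses the reply including the
   extended rcode carried in the OPT record, and reports which of the
   "expect:" lines the reply violates.  It uses only the Python standard
   library.  The zone "example.", the server address in the comment, the
   all-zero client cookie and the 192.0.2.0/24 client-subnet value are
   placeholders, and the replies it checks offline are constructed, not
   captured from any server.

```python
"""Wire-level form of the tests in Sections 8.2.7 - 8.2.10.  Added example,
not the draft's or ISC's tooling: it builds the query dig would send, parses
the reply and lists the 'expect:' lines the reply violates.  Standard library
only; zone/server names are placeholders, the replies at the end are constructed."""
import socket
import struct

NSID, ECS, EXPIRE, COOKIE = 3, 8, 9, 10            # IANA EDNS option codes
TYPE = {"SOA": 6, "OPT": 41, "RRSIG": 46, "DNSKEY": 48}
RCODE = {0: "NOERROR", 16: "BADVERS"}
QR, AA, TC = 0x8000, 0x0400, 0x0200                # DNS header flag bits

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_message(qname, qtype, flags=0, answers=(), edns=True, version=0,
                  do=True, bufsize=4096, options=(), ext_rcode=0, qid=0x1234):
    """flags=0 is a query with no DNS flag bits set; answers/ext_rcode only serve to construct replies."""
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    for rtype, rdata in answers:
        msg += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if edns:                                        # RFC 6891 OPT pseudo-RR in the additional section
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
        ttl = (ext_rcode << 24) | (version << 16) | (0x8000 if do else 0)
        msg += b"\x00" + struct.pack("!HHIH", TYPE["OPT"], bufsize, ttl, len(rdata)) + rdata
    return msg

def skip_name(wire, off):
    while wire[off]:
        if wire[off] >= 0xC0:                       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + wire[off]
    return off + 1

def parse(wire):
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    r, off = {"flags": flags, "rcode": flags & 0xF, "answer": [], "opt": None}, 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4
    for section, n in (("answer", an), ("auth", ns), ("add", ar)):
        for _ in range(n):
            off = skip_name(wire, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            rdata, off = wire[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if section == "answer":
                r["answer"].append(rtype)
            elif rtype == TYPE["OPT"]:              # class = UDP size, TTL = ext-rcode|version|flags
                opts, o = [], 0
                while o + 4 <= rdlen:
                    code, ln = struct.unpack("!HH", rdata[o:o + 4])
                    opts.append((code, rdata[o + 4:o + 4 + ln])); o += 4 + ln
                r["rcode"] |= (ttl >> 24) << 4      # BADVERS (16) is ext-rcode 1 over rcode 0
                r["opt"] = {"bufsize": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000),
                            "other_flags": ttl & 0x7FFF, "options": opts}
    return r

def check(resp, status, aa, answer=None, no_answer=None, do=None, no_options=False):
    """Violated 'expect:' lines ([] = pass).  do=None: DO=1 is required only
    when the reply carries an RRSIG, the rule given under Section 8.2.8."""
    opt, got = resp["opt"], RCODE.get(resp["rcode"], str(resp["rcode"]))
    want_do = (TYPE["RRSIG"] in resp["answer"]) if do is None else do
    rules = [(got == status, f"status: {status} (got {got})"),
             (resp["flags"] & QR, "flag: qr to be present"),
             (bool(resp["flags"] & AA) == aa, "flag: aa to " + ("be present" if aa else "NOT be present")),
             (not answer or TYPE[answer] in resp["answer"], f"{answer} record to be present in the answer section"),
             (not no_answer or TYPE[no_answer] not in resp["answer"], f"{no_answer} record to NOT be present"),
             (opt is not None, "an OPT record to be present in the additional section")]
    if opt:
        rules += [(opt["version"] == 0, "EDNS Version 0 in response"),
                  (not opt["other_flags"], "no EDNS flags other than DO"),
                  (opt["do"] or not want_do, "DO=1 to be present"),
                  (not no_options or not opt["options"], "no EDNS options in response")]
    return [msg for ok, msg in rules if not ok]

def queries(zone):
    """The four queries keyed by section; the dig options they correspond to are noted."""
    return {"8.2.7": build_message(zone, "DNSKEY", bufsize=512),        # +dnssec +bufsize=512 +ignore
            "8.2.8": build_message(zone, "SOA"),                        # +dnssec
            "8.2.9": build_message(zone, "SOA", version=1),             # +dnssec +edns=1 +noednsneg
            "8.2.10": build_message(zone, "SOA", do=False, options=[    # NSID, COOKIE, ECS, EXPIRE
                (NSID, b""), (COOKIE, bytes(8)),                        # placeholder client cookie
                (ECS, b"\x00\x01\x18\x00\xc0\x00\x02"), (EXPIRE, b"")])}  # 192.0.2.0/24, scope 0

EXPECT = {"8.2.7": dict(status="NOERROR", aa=True, no_options=True),
          "8.2.8": dict(status="NOERROR", aa=True, answer="SOA", no_options=True),
          "8.2.9": dict(status="BADVERS", aa=False, no_answer="SOA", no_options=True),
          "8.2.10": dict(status="NOERROR", aa=True, answer="SOA")}

def evaluate(section, resp, v0_do=None):
    """v0_do: the DO result of 8.2.8, which 8.2.9 expects to be repeated in the BADVERS reply."""
    bad = check(resp, do=v0_do if section == "8.2.9" else None, **EXPECT[section])
    if section == "8.2.7" and not resp["flags"] & TC:   # whole answer fit in 512 bytes
        bad.append("inconclusive: TC not set, OPT-on-truncation not exercised")
    return bad

def ask(server, wire, timeout=3.0):
    """One UDP exchange; as with dig +ignore, a TC reply is returned rather than retried over TCP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        return parse(s.recv(4096))

def sample_replies(z="example."):
    """Constructed replies from a well-behaved server, so the checks can run offline."""
    return {"8.2.7": build_message(z, "DNSKEY", flags=QR | AA | TC),   # truncated, OPT still present
            "8.2.8": build_message(z, "SOA", flags=QR | AA, answers=[(TYPE["SOA"], b"\x00"), (TYPE["RRSIG"], b"\x00")]),
            "8.2.9": build_message(z, "SOA", flags=QR, ext_rcode=1),    # BADVERS, no answer, no AA
            "8.2.10": build_message(z, "SOA", flags=QR | AA, do=False, answers=[(TYPE["SOA"], b"\x00")],
                                    options=[(NSID, b"ns1")])}

if __name__ == "__main__":              # live run: evaluate("8.2.7", ask("192.0.2.1", queries("example.")["8.2.7"]))
    for section, reply in sample_replies().items():
        print(section, evaluate(section, parse(reply), v0_do=True) or "ok")
```

   Run as-is it checks the constructed replies; against a real server,
   replace each sample reply with ask(server, queries(zone)[section]),
   running 8.2.8 before 8.2.9 so the DO result of the version 0 query can
   be passed as v0_do.  evaluate() returns an empty list when every
   "expect:" line holds; for 8.2.7 it also reports the case the draft
   warns about, a reply without TC, as inconclusive rather than as a pass.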
   End of changes.  9 change blocks; 17 lines changed or deleted, 42 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/