draft-ietf-dnsop-no-response-issue-13.txt   draft-ietf-dnsop-no-response-issue-14.txt 
Network Working Group M. Andrews Network Working Group M. Andrews
Internet-Draft R. Bellis Internet-Draft R. Bellis
Intended status: Best Current Practice ISC Intended status: Best Current Practice ISC
Expires: August 29, 2019 February 25, 2019 Expires: May 7, 2020 November 4, 2019
A Common Operational Problem in DNS Servers - Failure To Communicate. A Common Operational Problem in DNS Servers - Failure To Communicate.
draft-ietf-dnsop-no-response-issue-13 draft-ietf-dnsop-no-response-issue-14
Abstract Abstract
The DNS is a query / response protocol. Failing to respond to The DNS is a query / response protocol. Failing to respond to
queries, or responding incorrectly, causes both immediate operational queries, or responding incorrectly, causes both immediate operational
problems and long term problems with protocol development. problems and long term problems with protocol development.
This document identifies a number of common kinds of queries to which This document identifies a number of common kinds of queries to which
some servers either fail to respond or else respond incorrectly. some servers either fail to respond or else respond incorrectly.
This document also suggests procedures for TLD and other zone This document also suggests procedures for zone operators to apply to
operators to apply to mitigate the problem. identify and remediate the problem.
The document does not look at the DNS data itself, just the structure The document does not look at the DNS data itself, just the structure
of the responses. of the responses.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 29, 2019. This Internet-Draft will expire on May 7, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Consequences . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Consequences . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Common queries kinds that result in no or bad responses. . . 5 3. Common kinds of queries that result in no or bad responses. . 5
3.1. Basic DNS Queries . . . . . . . . . . . . . . . . . . . . 5 3.1. Basic DNS Queries . . . . . . . . . . . . . . . . . . . . 5
3.1.1. Zone Existence . . . . . . . . . . . . . . . . . . . 5 3.1.1. Zone Existence . . . . . . . . . . . . . . . . . . . 5
3.1.2. Unknown / Unsupported Type Queries . . . . . . . . . 5 3.1.2. Unknown / Unsupported Type Queries . . . . . . . . . 5
3.1.3. DNS Flags . . . . . . . . . . . . . . . . . . . . . . 6 3.1.3. DNS Flags . . . . . . . . . . . . . . . . . . . . . . 6
3.1.4. Unknown DNS opcodes . . . . . . . . . . . . . . . . . 6 3.1.4. Unknown DNS opcodes . . . . . . . . . . . . . . . . . 6
3.1.5. TCP Queries . . . . . . . . . . . . . . . . . . . . . 6 3.1.5. TCP Queries . . . . . . . . . . . . . . . . . . . . . 6
3.2. EDNS Queries . . . . . . . . . . . . . . . . . . . . . . 6 3.2. EDNS Queries . . . . . . . . . . . . . . . . . . . . . . 6
3.2.1. EDNS Queries - Version Independent . . . . . . . . . 7 3.2.1. EDNS Queries - Version Independent . . . . . . . . . 7
3.2.2. EDNS Queries - Version Specific . . . . . . . . . . . 7 3.2.2. EDNS Queries - Version Specific . . . . . . . . . . . 7
3.2.3. EDNS Options . . . . . . . . . . . . . . . . . . . . 7 3.2.3. EDNS Options . . . . . . . . . . . . . . . . . . . . 7
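Review bot: the renamed entry for section 3 in the table of contents ("Common kinds of queries that result in no or bad responses.") still ends with a full stop, which no other ToC entry on this page does; suggest dropping the trailing period here and in the matching section 3 heading. The rest of the front-matter change is consistent: the new expiry date (May 7, 2020) is six months after the new document date (November 4, 2019), and the abstract's "identify and remediate" matches the document's stated approach of actively seeking out broken implementations.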
skipping to change at page 5, line 29 skipping to change at page 5, line 29
measures are not put in place to remove non compliant servers from measures are not put in place to remove non compliant servers from
the ecosystem. Working around issues due to non-compliance with RFCs the ecosystem. Working around issues due to non-compliance with RFCs
is not sustainable. is not sustainable.
Most (if not all) of these consequences could have been avoided if Most (if not all) of these consequences could have been avoided if
action had been taken to remove non-compliant servers as soon as action had been taken to remove non-compliant servers as soon as
people were aware of them, i.e. to actively seek out broken people were aware of them, i.e. to actively seek out broken
implementations and servers and inform their developers and operators implementations and servers and inform their developers and operators
that they need to fix their servers. that they need to fix their servers.
3. Common queries kinds that result in no or bad responses. 3. Common kinds of queries that result in no or bad responses.
This section is broken down into Basic DNS requests and EDNS This section is broken down into Basic DNS requests and EDNS
requests. requests.
3.1. Basic DNS Queries 3.1. Basic DNS Queries
3.1.1. Zone Existence 3.1.1. Zone Existence
Initially, to test existence of the zone, an SOA query should be Initially, to test existence of the zone, an SOA query should be
made. If the SOA record is not returned but some other response is made. If the SOA record is not returned but some other response is
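Review bot: the heading rename in this block is fine, but the unchanged context just above it is inconsistent in spelling the key term: "non compliant servers" in the first paragraph versus "non-compliant servers" two sentences later. Suggest standardising on the hyphenated form "non-compliant" throughout, since it is the form used in the rest of the document.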
skipping to change at page 12, line 35 skipping to change at page 12, line 35
expect: flag: aa to be present expect: flag: aa to be present
expect: flag: rd to NOT be present expect: flag: rd to NOT be present
expect: flag: ad to NOT be present expect: flag: ad to NOT be present
expect: the OPT record to NOT be present expect: the OPT record to NOT be present
8.1.3. Testing Header Bits 8.1.3. Testing Header Bits
8.1.3.1. Testing CD=1 Queries 8.1.3.1. Testing CD=1 Queries
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with only the CD DNS flag bit set and all other DNS bits clear and with only the CD DNS flag bit set, all other DNS bits clear, and
without EDNS. without EDNS.
We expect the SOA record for the zone to be returned in the answer We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be section with the rcode set to NOERROR and the AA and QR bits to be
set in the response. We do not expect an OPT record to be returned. set in the response. We do not expect an OPT record to be returned.
If the server supports DNSSEC, CD should be set in the response If the server supports DNSSEC, CD should be set in the response
[RFC4035] otherwise CD should be clear [RFC1034]. [RFC4035] otherwise CD should be clear [RFC1034].
Check that queries with CD=1 work: Check that queries with CD=1 work:
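Review bot: the comma edit in the query description is correct, but the expectation paragraph for this CD=1 test omits the "RA may also be set [RFC1034]" qualification that the later EDNS tests (8.2.3, 8.2.6) include after "AA and QR bits to be set in the response"; a tester comparing an actual response against this text would otherwise flag an RA=1 answer as a mismatch. Suggest adding the same "RA may also be set [RFC1034]" clause here for consistency.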
skipping to change at page 17, line 25 skipping to change at page 17, line 25
+noednsneg has been set as dig supports EDNS version negotiation and +noednsneg has been set as dig supports EDNS version negotiation and
we want to see only the response to the initial EDNS version 1 query. we want to see only the response to the initial EDNS version 1 query.
8.2.3. Testing Unknown EDNS Options 8.2.3. Testing Unknown EDNS Options
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 0 is used without any EDNS with no DNS flag bits set. EDNS version 0 is used without any EDNS
flags. An EDNS option is present with a value that has not yet been flags. An EDNS option is present with a value that has not yet been
assigned by IANA. We have picked an unassigned code of 100 for the assigned by IANA. We have picked an unassigned code of 100 for the
example below. Any unassigned EDNS option code could have be choose example below. Any unassigned EDNS option code could have been
for this test. choose for this test.
We expect the SOA record for the zone to be returned in the answer We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be section with the rcode set to NOERROR and the AA and QR bits to be
set in the response; RA may also be set [RFC1034]. We expect an OPT set in the response; RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the record to be returned. There should be no EDNS flags present in the
response. The EDNS version field should be 0 as EDNS versions other response. The EDNS version field should be 0 as EDNS versions other
than 0 are yet to be specified and there should be no EDNS options than 0 are yet to be specified and there should be no EDNS options
present as unknown EDNS options are supposed to be ignored by the present as unknown EDNS options are supposed to be ignored by the
server [RFC6891] Section 6.1.2. server [RFC6891] Section 6.1.2.
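Review bot: the grammar fix in this block is incomplete: "Any unassigned EDNS option code could have been choose for this test." is still wrong, since "choose" should be the past participle. Suggest "Any unassigned EDNS option code could have been chosen for this test.", which also matches the wording that the same change set introduces in 8.2.6.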
skipping to change at page 19, line 24 skipping to change at page 19, line 24
expect: MBZ not to be present expect: MBZ not to be present
expect: EDNS Version 0 in response expect: EDNS Version 0 in response
expect: flag: aa to NOT be present expect: flag: aa to NOT be present
expect: flag: ad to NOT be present expect: flag: ad to NOT be present
8.2.6. Testing EDNS Version Negotiation With Unknown EDNS Options 8.2.6. Testing EDNS Version Negotiation With Unknown EDNS Options
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 1 is used. An unknown EDNS with no DNS flag bits set. EDNS version 1 is used. An unknown EDNS
option is present. We have picked an unassigned code of 100 for the option is present. We have picked an unassigned code of 100 for the
example below. Any unassigned EDNS option code could be chosen for example below. Any unassigned EDNS option code could have been
this test. chosen for this test.
We expect the SOA record for the zone to NOT be returned in the We expect the SOA record for the zone to NOT be returned in the
answer section with the extended rcode set to BADVERS and the QR bit answer section with the extended rcode set to BADVERS and the QR bit
to be set in the response; RA may also be set [RFC1034]. We expect to be set in the response; RA may also be set [RFC1034]. We expect
an OPT record to be returned. There should be no EDNS flags present an OPT record to be returned. There should be no EDNS flags present
in the response. The EDNS version field should be 0 as EDNS versions in the response. The EDNS version field should be 0 as EDNS versions
other than 0 are yet to be specified and there should be no EDNS other than 0 are yet to be specified and there should be no EDNS
options present [RFC6891]. options present [RFC6891].
Check that EDNS version 1 queries with unknown options work (EDNS Check that EDNS version 1 queries with unknown options work (EDNS
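Review bot: the "could have been chosen" edit reads correctly, but the first expectation sentence in this block is ambiguous as written: "We expect the SOA record for the zone to NOT be returned in the answer section with the extended rcode set to BADVERS and the QR bit to be set in the response" can be read as "not returned with rcode BADVERS". Suggest splitting it: "We expect the SOA record for the zone NOT to be returned in the answer section. We expect the extended rcode to be set to BADVERS and the QR bit to be set in the response; RA may also be set [RFC1034]."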
End of changes. 9 change blocks. 12 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/