rfcdiff of draft-ietf-dnsop-no-response-issue-18.txt against draft-ietf-dnsop-no-response-issue-19.txt. Text that is identical in both versions is shown once; where the versions differ, the -18 lines are prefixed "-18:" and the -19 lines "-19:".
Network Working Group                                         M. Andrews
Internet-Draft                                                 R. Bellis
Intended status: Best Current Practice                               ISC
-18: Expires: September 23, 2020                          March 22, 2020
-19: Expires: October 7, 2020                              April 5, 2020

     A Common Operational Problem in DNS Servers - Failure To Communicate
-18:                draft-ietf-dnsop-no-response-issue-18
-19:                draft-ietf-dnsop-no-response-issue-19

Abstract

   The DNS is a query / response protocol. Failing to respond to
   queries, or responding incorrectly, causes both immediate operational
   problems and long term problems with protocol development.

   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or else respond incorrectly.
   This document also suggests procedures for zone operators to apply to
   [skipping to change at page 1, line 40]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-18:   This Internet-Draft will expire on September 23, 2020.
-19:   This Internet-Draft will expire on October 7, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   [skipping to change at page 2, line 31]

       3.1.5.  TCP Queries . . . . . . . . . . . . . . . . . . . . .   6
     3.2.  EDNS Queries  . . . . . . . . . . . . . . . . . . . . . .   6
       3.2.1.  EDNS Queries - Version Independent  . . . . . . . . .   7
       3.2.2.  EDNS Queries - Version Specific . . . . . . . . . . .   7
       3.2.3.  EDNS Options  . . . . . . . . . . . . . . . . . . . .   7
       3.2.4.  EDNS Flags  . . . . . . . . . . . . . . . . . . . . .   7
       3.2.5.  Truncated EDNS Responses  . . . . . . . . . . . . . .   8
       3.2.6.  DO=1 Handling . . . . . . . . . . . . . . . . . . . .   8
       3.2.7.  EDNS over TCP . . . . . . . . . . . . . . . . . . . .   8
   4.  Firewalls and Load Balancers  . . . . . . . . . . . . . . . .   8
-18:   5.  Scrubbing Services  . . . . . . . . . . . . . . . . . . . . .   9
-19:   5.  Packet Scrubbing Services . . . . . . . . . . . . . . . . . .   9
   6.  Whole Answer Caches . . . . . . . . . . . . . . . . . . . . .  10
   7.  Response Code Selection . . . . . . . . . . . . . . . . . . .  10
   8.  Testing . . . . . . . . . . . . . . . . . . . . . . . . . . .  11
     8.1.  Testing - Basic DNS . . . . . . . . . . . . . . . . . . .  11
       8.1.1.  Is The Server Configured For The Zone?  . . . . . . .  11
       8.1.2.  Testing Unknown Types . . . . . . . . . . . . . . . .  12
       8.1.3.  Testing Header Bits . . . . . . . . . . . . . . . . .  13
       8.1.4.  Testing Unknown Opcodes . . . . . . . . . . . . . . .  15
       8.1.5.  Testing TCP . . . . . . . . . . . . . . . . . . . . .  15
     8.2.  Testing - Extended DNS  . . . . . . . . . . . . . . . . .  16
   [skipping to change at page 7, line 35]

3.2.2.  EDNS Queries - Version Specific

   Some servers respond correctly to EDNS version 0 queries but fail to
   respond to EDNS queries with version numbers that are higher than
   zero. Servers should respond with BADVERS to EDNS queries with
   version numbers that they do not support.

-18:   Some servers respond correctly to EDNS version 0 queries but fail to
-18:   set QR=1 when responding to EDNS versions they do not support. Such
-18:   answers responses may be discarded as invalid (as QR is not 1) or
-18:   treated as requests (when the source port of the original request was
-18:   port 53).
-19:   Some servers respond correctly to EDNS version 0 queries but fail to
-19:   set QR=1 when responding to EDNS versions they do not support. Such
-19:   responses may be discarded as invalid (as QR is not 1) or treated as
-19:   requests (when the source port of the original request was port 53).

3.2.3.  EDNS Options

   Some servers fail to respond to EDNS queries with EDNS options set.
   The original EDNS specification left this behaviour undefined
   [RFC2671], but the correct behaviour was clarified in [RFC6891].
   Unknown EDNS options are supposed to be ignored by the server.
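The two behaviours that sections 3.2.2 and 3.2.3 ask for (BADVERS with QR=1 for an unsupported EDNS version; unknown options ignored rather than fatal) are easy to state and easy to get subtly wrong in wire format, since the extended RCODE is split between the header and the OPT TTL. The following is an added example, not code from the draft or from any server implementation: a minimal model responder plus the checks a compliance test would make on its reply. The sample queries, the `SUPPORTED_EDNS_VERSION` constant and the `KNOWN_OPTIONS` set (only COOKIE, code 10) are constructed for the model; option code 65001 used below is simply a value from the experimental range standing in for an option the server has never heard of.

```python
"""Model of the EDNS behaviour described in sections 3.2.2 and 3.2.3 (RFC 6891):
a responder that answers an unsupported EDNS version with BADVERS and QR=1,
and ignores EDNS options it does not understand. Added example; the responder,
the check function and the constructed sample queries are not part of the
draft or of any named server implementation."""
import struct

OPT_TYPE = 41                 # OPT pseudo-RR type (RFC 6891)
BADVERS = 16                  # extended RCODE 16 (RFC 6891 section 6.1.3)
SUPPORTED_EDNS_VERSION = 0    # the only version this model implements (assumption)
KNOWN_OPTIONS = {10}          # 10 = COOKIE (RFC 7873); anything else is "unknown" here


def encode_name(name):
    """Wire-format owner name, uncompressed: <len><label>... 0x00."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, edns_version=0, options=(), qid=0x1234):
    """Constructed EDNS query: header (RD=1), one question, one OPT RR."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    rdata = b"".join(struct.pack(">HH", code, len(data)) + data for code, data in options)
    ttl = edns_version << 16      # OPT TTL: ext-rcode(8) | version(8) | DO+Z(16)
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, ttl, len(rdata)) + rdata
    return header + question + opt


def parse_message(msg):
    """Minimal parser for the messages this model exchanges: header, one
    question, no answer/authority RRs, root-owned additional RRs (the OPT)."""
    qid, flags, _qd, _an, _ns, ar = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    while msg[pos] != 0:          # skip the (uncompressed) QNAME labels
        pos += msg[pos] + 1
    pos += 1 + 4                  # terminator + QTYPE + QCLASS
    question = msg[12:pos]
    opt = None
    for _ in range(ar):
        if msg[pos] != 0:
            raise ValueError("model only handles root-owned additional RRs")
        pos += 1
        rtype, _udp, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == OPT_TYPE:
            opts, p = [], 0
            while p + 4 <= len(rdata):
                code, ln = struct.unpack(">HH", rdata[p:p + 4])
                opts.append((code, rdata[p + 4:p + 4 + ln]))
                p += 4 + ln
            opt = {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                   "do": bool(ttl & 0x8000), "options": opts}
    return qid, flags, question, opt


def respond(query):
    """Model authoritative responder. Always sets QR=1; an EDNS version it
    does not support gets BADVERS; unknown options are silently dropped,
    known ones are echoed (a real server would fill in their payload)."""
    qid, flags, question, opt = parse_message(query)
    rflags = 0x8000 | (flags & 0x0100)              # QR=1, RD copied from query
    ext_rcode, echoed = 0, b""
    if opt is not None and opt["version"] > SUPPORTED_EDNS_VERSION:
        ext_rcode = BADVERS
    elif opt is not None:
        echoed = b"".join(struct.pack(">HH", c, len(d)) + d
                          for c, d in opt["options"] if c in KNOWN_OPTIONS)
    arcount = 1 if opt is not None else 0
    resp = struct.pack(">HHHHHH", qid, rflags | (ext_rcode & 0x0F), 1, 0, 0, arcount)
    resp += question
    if opt is not None:
        # upper 8 bits of the 12-bit RCODE travel in the OPT TTL; the version
        # echoed back is the highest one the responder supports
        ttl = ((ext_rcode >> 4) << 24) | (SUPPORTED_EDNS_VERSION << 16)
        ttl |= 0x8000 if opt["do"] else 0
        resp += b"\x00" + struct.pack(">HHIH", OPT_TYPE, 1232, ttl, len(echoed)) + echoed
    return resp


def check_response(query, response):
    """What a client (or a compliance test) verifies on the reply."""
    qid, flags, _question, opt = parse_message(response)
    return {
        "id_matches": qid == struct.unpack(">H", query[:2])[0],
        "qr": bool(flags & 0x8000),
        "rcode": (flags & 0x0F) | ((opt["ext_rcode"] << 4) if opt else 0),
        "edns_version": opt["version"] if opt else None,
        "option_codes": [c for c, _ in opt["options"]] if opt else [],
    }


if __name__ == "__main__":
    q = build_query("example.com.", edns_version=1)   # constructed version-1 probe
    print(check_response(q, respond(q)))              # rcode 16 (BADVERS), qr True
```

The `check_response` dictionary is exactly what a "failure to communicate" test cares about: a reply that never arrives, arrives with QR=0, or carries a header RCODE of 0 with no OPT RR all fail the version-1 probe, while the option probe must come back NOERROR with the unknown option simply absent.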
3.2.4.  EDNS Flags
   [skipping to change at page 9, line 45]

   design.

   However, there may be times when a nameserver mishandles messages
   with a particular flag, EDNS option, EDNS version field, opcode, type
   or class field or combination thereof to the point where the
   integrity of the nameserver is compromised. Firewalls should offer
   the ability to selectively reject messages using an appropriately
   constructed response based on all these fields while awaiting a fix
   from the nameserver vendor.

-18: 5.  Scrubbing Services
-19: 5.  Packet Scrubbing Services

-18:   Scrubbing services can affect the externally visible behaviour of a
-18:   nameserver in a similar way to firewalls. If an operator uses a
-18:   scrubbing service, they should check that legitimate queries are not
-18:   being blocked.
-18:
-18:   Scrubbing services, unlike firewalls, are also turned on and off in
-18:   response to denial of service attacks. One needs to take care when
-18:   choosing a scrubbing service.
-18:
-18:   Ideally, Operators should run these tests against a scrubbing service
-18:   to ensure that these tests are not seen as attack vectors.

-19:   Packet scrubbing services are used to filter out undesired traffic,
-19:   including but not limited to, denial of service traffic. This is
-19:   often done using heuristic analysis of the traffic.
-19:
-19:   Packet scrubbing services can affect the externally visible behaviour
-19:   of a nameserver in a similar way to firewalls. If an operator uses a
-19:   packet scrubbing service, they should check that legitimate queries
-19:   are not being blocked.
-19:
-19:   Packet scrubbing services, unlike firewalls, are also turned on and
-19:   off in response to denial of service attacks. One needs to take care
-19:   when choosing a scrubbing service.
-19:
-19:   Ideally, Operators should run these tests against a packet scrubbing
-19:   service to ensure that these tests are not seen as attack vectors.

6.  Whole Answer Caches

   Whole answer caches take a previously constructed answer and return
   it to a subsequent query for the same question. However, they can
   return the wrong response if they do not take all of the relevant
   attributes of the query into account.

   In addition to the standard tuple of <qname,qtype,qclass> a non-
   exhaustive set of attributes that must be considered include: RD, AD,
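The attribute list in this excerpt is cut off after RD and AD, but the failure mode section 6 describes can be shown concretely with a small model. The following is an added example, not code from the draft: a whole-answer cache is run over the same question asked with different attributes, once keyed on `<qname,qtype,qclass>` alone and once on the fuller key, and the replies are compared with what the backend would have said. Everything here is constructed for the model; the attributes beyond RD and AD that go into `full_key` (CD, DO, EDNS version, EDNS options) are this example's own assumption about what else must be part of the key, and the `backend` function is a stand-in for a real authoritative server, not any particular implementation.

```python
"""Model of the whole-answer cache failure described in section 6: an answer
cached under <qname,qtype,qclass> alone is replayed to later queries whose
other attributes differ, so those clients receive the wrong response. Added
example; the backend, both cache keyings and the sample queries are
constructed here and are not part of the draft. The attributes beyond RD and
AD in full_key are this model's assumption of what else belongs in the key."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Query:
    qname: str
    qtype: str
    qclass: str = "IN"
    rd: bool = False
    ad: bool = False
    cd: bool = False
    do: bool = False
    edns_version: Optional[int] = 0            # None means no OPT RR at all
    options: Tuple[Tuple[str, str], ...] = ()  # e.g. (("ECS", "192.0.2.0/24"),)


def backend(q):
    """Constructed authoritative answer whose content depends on the query's
    attributes, as a real server's does."""
    if q.edns_version not in (None, 0):
        # unsupported EDNS version: BADVERS, no answer section
        return {"rcode": "BADVERS", "rrs": (), "rrsig": False, "rd": q.rd, "ad": False}
    scope = next((v for k, v in q.options if k == "ECS"), None)
    return {
        "rcode": "NOERROR",
        "rrs": ("www.example. A 192.0.2.1",),   # constructed RRset
        "rrsig": q.do,                          # signatures only when DO=1
        "rd": q.rd,                             # RD is copied from the query
        "ad": q.ad and q.do and not q.cd,       # AD only if requested and validated
        "ecs_scope": scope,                     # echoed client-subnet scope, if any
    }


def naive_key(q):
    """The keying the draft warns about: the question tuple only."""
    return (q.qname, q.qtype, q.qclass)


def full_key(q):
    """Question tuple plus the attributes that change the answer (assumed set)."""
    return (q.qname, q.qtype, q.qclass, q.rd, q.ad, q.cd, q.do, q.edns_version, q.options)


class WholeAnswerCache:
    """Stores one complete response per key and replays it on a key hit."""
    def __init__(self, keyfn):
        self.keyfn, self.store, self.hits = keyfn, {}, 0

    def lookup(self, q):
        k = self.keyfn(q)
        if k in self.store:
            self.hits += 1
        else:
            self.store[k] = backend(q)
        return self.store[k]


def wrong_answers(keyfn, queries):
    """Serve the queries in order through a fresh cache and return those
    whose cached reply differs from what the backend itself would say."""
    cache = WholeAnswerCache(keyfn)
    return [q for q in queries if cache.lookup(q) != backend(q)]


# constructed sample traffic: the same question with differing attributes
SAMPLE_QUERIES = (
    Query("www.example.", "A"),                                   # plain query, cached first
    Query("www.example.", "A", do=True),                          # wants RRSIGs
    Query("www.example.", "A", rd=True),                          # RD set
    Query("www.example.", "A", edns_version=1),                   # should get BADVERS
    Query("www.example.", "A", options=(("ECS", "192.0.2.0/24"),)),
)

if __name__ == "__main__":
    print(len(wrong_answers(naive_key, SAMPLE_QUERIES)), "wrong replies with naive key")
    print(len(wrong_answers(full_key, SAMPLE_QUERIES)), "wrong replies with full key")
```

With the naive key every query after the first is answered from the first client's reply: the DO=1 client gets no signatures, the RD=1 client sees RD cleared, the version-1 probe gets NOERROR instead of BADVERS, and the client-subnet option is silently ignored. Each of those is one of the "responding incorrectly" cases the draft's tests are designed to catch, and each disappears once the key carries the attributes that shaped the answer.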
   [skipping to change at page 24, line 10]

   have unanticipated side effects. For example, other parts of the DNS
   tree may depend on names below the removed zone cut, and the parent
   operator may find themselves responsible for causing new DNS failures
   to occur.

10.  Security Considerations

   Testing protocol compliance can potentially result in false reports
   of attempts to break services from Intrusion Detection Services and
   firewalls. All of the tests are well-formed (though not necessarily
-18:   common) DNS queries. None the tests listed above should cause any
-19:   common) DNS queries. None of the tests listed above should cause any
   harm to a protocol-compliant server.

   Relaxing firewall settings to ensure EDNS compliance could
   potentially expose a critical implementation flaw in the nameserver.
   Nameservers should be tested for conformance before relaxing firewall
   settings.

   When removing delegations for non-compliant servers there can be a
   knock on effect on other zones that require these zones to be
   operational for the nameservers addresses to be resolved.
End of changes. 10 change blocks. 18 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/