draft-ietf-dnsop-refuse-any-01.txt   draft-ietf-dnsop-refuse-any-02.txt 
Network Working Group J. Abley Network Working Group J. Abley
Internet-Draft Dyn, Inc. Internet-Draft Dyn, Inc.
Updates: 1035 (if approved) O. Gudmundsson Updates: 1035 (if approved) O. Gudmundsson
Intended status: Standards Track M. Majkowski Intended status: Standards Track M. Majkowski
Expires: October 8, 2016 CloudFlare Inc. Expires: January 22, 2017 CloudFlare Inc.
April 06, 2016 July 21, 2016
Providing Minimal-Sized Responses to DNS Queries with QTYPE=ANY Providing Minimal-Sized Responses to DNS Queries with QTYPE=ANY
draft-ietf-dnsop-refuse-any-01 draft-ietf-dnsop-refuse-any-02
Abstract Abstract
The Domain Name System (DNS) specifies a query type (QTYPE) "ANY". The Domain Name System (DNS) specifies a query type (QTYPE) "ANY".
The operator of an authoritative DNS server might choose not to The operator of an authoritative DNS server might choose not to
respond to such queries for reasons of local policy, motivated by respond to such queries for reasons of local policy, motivated by
security, performance or other reasons. security, performance or other reasons.
The DNS specification does not include specific guidance for the The DNS specification does not include specific guidance for the
behaviour of DNS servers or clients in this situation. This document behaviour of DNS servers or clients in this situation. This document
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 8, 2016. This Internet-Draft will expire on January 22, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
3. Motivations . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Motivations . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. General Approach . . . . . . . . . . . . . . . . . . . . . . 3 3. General Approach . . . . . . . . . . . . . . . . . . . . . . 4
5. Behaviour of DNS Responders . . . . . . . . . . . . . . . . . 4 4. Behaviour of DNS Responders . . . . . . . . . . . . . . . . . 4
6. Behaviour of DNS Initiators . . . . . . . . . . . . . . . . . 5 5. Behaviour of DNS Initiators . . . . . . . . . . . . . . . . . 5
7. HINFO Considerations . . . . . . . . . . . . . . . . . . . . 5 6. HINFO Considerations . . . . . . . . . . . . . . . . . . . . 5
8. Changes to RFC 1035 . . . . . . . . . . . . . . . . . . . . . 6 7. Changes to RFC 1035 . . . . . . . . . . . . . . . . . . . . . 6
9. Implementation experience . . . . . . . . . . . . . . . . . . 6 8. Implementation Experience . . . . . . . . . . . . . . . . . . 6
10. Security Considerations . . . . . . . . . . . . . . . . . . . 6 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
13.1. Normative References . . . . . . . . . . . . . . . . . . 7 12.1. Normative References . . . . . . . . . . . . . . . . . . 7
13.2. Informative References . . . . . . . . . . . . . . . . . 7 12.2. Informative References . . . . . . . . . . . . . . . . . 7
13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7 12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Editorial Notes . . . . . . . . . . . . . . . . . . 8 Appendix A. Editorial Notes . . . . . . . . . . . . . . . . . . 8
A.1. Change History . . . . . . . . . . . . . . . . . . . . . 8 A.1. Change History . . . . . . . . . . . . . . . . . . . . . 8
A.1.1. draft-ietf-dnsop-refuse-any-03 . . . . . . . . . . . 8 A.1.1. draft-ietf-dnsop-refuse-any-03 . . . . . . . . . . . 8
A.1.2. draft-ietf-dnsop-refuse-any-02 . . . . . . . . . . . 8 A.1.2. draft-ietf-dnsop-refuse-any-02 . . . . . . . . . . . 8
A.1.3. draft-ietf-dnsop-refuse-any-01 . . . . . . . . . . . 8 A.1.3. draft-ietf-dnsop-refuse-any-01 . . . . . . . . . . . 8
A.1.4. draft-ietf-dnsop-refuse-any-00 . . . . . . . . . . . 8 A.1.4. draft-ietf-dnsop-refuse-any-00 . . . . . . . . . . . 8
A.1.5. draft-jabley-dnsop-refuse-any-01 . . . . . . . . . . 8 A.1.5. draft-jabley-dnsop-refuse-any-01 . . . . . . . . . . 8
A.1.6. draft-jabley-dnsop-refuse-any-00 . . . . . . . . . . 8 A.1.6. draft-jabley-dnsop-refuse-any-00 . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Terminology 1. Introduction
The Domain Name System (DNS) specifies a query type (QTYPE) "ANY".
The operator of an authoritative DNS server might choose not to
respond to such queries for reasons of local policy, motivated by
security, performance or other reasons.
The DNS specification [RFC1034] [RFC1035] does not include specific
guidance for the behaviour of DNS servers or clients in this
situation. This document aims to provide such guidance.
1.1. Terminology
This document uses terminology specific to the Domain Name System This document uses terminology specific to the Domain Name System
(DNS), descriptions of which can be found in [RFC7719]. (DNS), descriptions of which can be found in [RFC7719].
In this document, "ANY Query" refers to a DNS meta-query with In this document, "ANY Query" refers to a DNS meta-query with
QTYPE=ANY. An "ANY Response" is a response to such a query. QTYPE=ANY. An "ANY Response" is a response to such a query.
In an exchange of DNS messages between two hosts, this document In an exchange of DNS messages between two hosts, this document
refers to the host sending a DNS request as the initiator, and the refers to the host sending a DNS request as the initiator, and the
host sending a DNS response as the responder. host sending a DNS response as the responder.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Introduction 2. Motivations
The Domain Name System (DNS) specifies a query type (QTYPE) "ANY".
The operator of an authoritative DNS server might choose not to
respond to such queries for reasons of local policy, motivated by
security, performance or other reasons.
The DNS specification [RFC1034] [RFC1035] does not include specific
guidance for the behaviour of DNS servers or clients in this
situation. This document aims to provide such guidance.
3. Motivations
ANY queries are legitimately used for debugging and checking the ANY queries are legitimately used for debugging and checking the
state of a DNS server for a particular name. ANY queries are state of a DNS server for a particular name. ANY queries are
sometimes used as a attempt to reduce the number of queries needed to sometimes used as a attempt to reduce the number of queries needed to
get information, e.g. to obtain MX, A and AAAA RRSets for a mail get information, e.g. to obtain MX, A and AAAA RRSets for a mail
domain in a single query. Although there is no documented guidance domain in a single query. Although there is no documented guidance
available for this use case and some implementations have been available for this use case and some implementations have been
observed that appear not to function as perhaps their developers observed that appear not to function as perhaps their developers
expected. For any developer that assumes that ANY query will be sent expected. For any developer that assumes that ANY query will be sent
to authoritative server to fetch all RRSets, they need to include a to authoritative server to fetch all RRSets, they need to include a
skipping to change at page 3, line 48 skipping to change at page 4, line 5
ANY queries are sometimes used to help mine authoritative-only DNS ANY queries are sometimes used to help mine authoritative-only DNS
servers for zone data, since they are expected to return all RRSets servers for zone data, since they are expected to return all RRSets
for a particular query name. A DNS operator MAY prefer not to send for a particular query name. A DNS operator MAY prefer not to send
large ANY responses to reduce the potential for information leaks. large ANY responses to reduce the potential for information leaks.
Some authoritative-only DNS server implementations require additional Some authoritative-only DNS server implementations require additional
processing in order to send a conventional ANY response, and avoiding processing in order to send a conventional ANY response, and avoiding
that processing expense might be desirable. that processing expense might be desirable.
4. General Approach 3. General Approach
This proposal provides a mechanism for an authority server to signal This proposal provides a mechanism for an authority server to signal
that conventional ANY queries are not supported for a particular that conventional ANY queries are not supported for a particular
QNAME, and to do so in such a way that is both compatible with and QNAME, and to do so in such a way that is both compatible with and
triggers desirable behaviour by unmodified clients (e.g. DNS triggers desirable behaviour by unmodified clients (e.g. DNS
resolvers). resolvers).
Alternative proposals for dealing with ANY queries have been Alternative proposals for dealing with ANY queries have been
discussed. One approach proposed using a new RCODE to signal that an discussed. One approach proposed using a new RCODE to signal that an
authoritative server did not answer ANY queries in the standard way. authoritative server did not answer ANY queries in the standard way.
skipping to change at page 4, line 28 skipping to change at page 4, line 34
effectively suppressing repeat queries to the same or different effectively suppressing repeat queries to the same or different
authority servers. authority servers.
This proposal specifies two different modes of behaviour by DNS This proposal specifies two different modes of behaviour by DNS
responders, for names that exists. Operators/Implementers are free responders, for names that exists. Operators/Implementers are free
to choose whichever mechanism best suits their environment. to choose whichever mechanism best suits their environment.
1. A DNS responder can choose to select one or subset of RRSets at 1. A DNS responder can choose to select one or subset of RRSets at
the QNAME. the QNAME.
2. A DNS responder can return instead synthesised HINFO resource 2. A DNS responder can instead return a synthesised HINFO resource
record. See Section 7 for discussion of the use of HINFO. record. See Section 6 for discussion of the use of HINFO.
5. Behaviour of DNS Responders 4. Behaviour of DNS Responders
A DNS responder which receives an ANY query MAY decline to provide a A DNS responder which receives an ANY query MAY decline to provide a
conventional response, and MAY instead send a response with a single conventional response, and MAY instead send a response with a single
RRSet in the answer section. RRSet in the answer section.
The RRSet returned in the answer section of the response MAY be a The RRSet returned in the answer section of the response MAY be a
single RRSet owned by the name specified in the QNAME. Where single RRSet owned by the name specified in the QNAME. Where
multiple RRSets exist, the responder SHOULD choose a small one(s) to multiple RRSets exist, the responder SHOULD choose a small one(s) to
reduce its amplification potential. reduce its amplification potential.
skipping to change at page 5, line 13 skipping to change at page 5, line 18
of the DNS responder to be large enough to suppress frequent of the DNS responder to be large enough to suppress frequent
subsequent ANY queries from the same initiator with the same QNAME, subsequent ANY queries from the same initiator with the same QNAME,
understanding that a TTL that is too long might make policy changes understanding that a TTL that is too long might make policy changes
relating to ANY queries difficult to change in the future. The relating to ANY queries difficult to change in the future. The
specific value used is hence a familiar balance when choosing TTL for specific value used is hence a familiar balance when choosing TTL for
any RR in any zone, and be specified according to local policy. any RR in any zone, and be specified according to local policy.
If the DNS query includes DO=1 and the QNAME corresponds to a zone If the DNS query includes DO=1 and the QNAME corresponds to a zone
that is known by the responder to be signed, a valid RRSIG for the that is known by the responder to be signed, a valid RRSIG for the
RRSets in the answer (or authority if answer is empty) section MUST RRSets in the answer (or authority if answer is empty) section MUST
be returned. In case DO=0 RRSIG SHOULD be omitted. be returned. In the case of DO=0, the RRSIG SHOULD be omitted.
Except as described in this section, the DNS responder MUST follow Except as described in this section, the DNS responder MUST follow
the standard algorithms when constructing a response. the standard algorithms when constructing a response.
6. Behaviour of DNS Initiators 5. Behaviour of DNS Initiators
A DNS initiator which sends a query with QTYPE=ANY and receives a A DNS initiator which sends a query with QTYPE=ANY and receives a
response containing an HINFO, as described in Section 5, MAY cache response containing an HINFO resource record, as described in
the HINFO response in the normal way. Such cached HINFO resource Section 4, MAY cache the HINFO response in the normal way. Such
records SHOULD be retained in the cache following normal caching cached HINFO resource records SHOULD be retained in the cache
semantics, as it would with any other response received from a DNS following normal caching semantics, as it would with any other
responder. response received from a DNS responder.
A DNS initiator MAY suppress queries with QTYPE=ANY in the event that A DNS initiator MAY suppress queries with QTYPE=ANY in the event that
the local cache contains a matching HINFO resource record with the local cache contains a matching HINFO resource record with
RDATA.CPU field, as described in Section 5. RDATA.CPU field, as described in Section 4.
7. HINFO Considerations 6. HINFO Considerations
In the case where a zone that contains HINFO RRSets is served from an In the case where a zone that contains HINFO RRSets is served from an
authority server that does not provide conventional ANY responses, it authority server that does not provide conventional ANY responses, it
is possible that the HINFO RRSet in an ANY response, once cached by is possible that the HINFO RRSet in an ANY response, once cached by
the initiator, might suppress subsequent queries from the same the initiator, might suppress subsequent queries from the same
initiator with QTYPE=HINFO. The use of HINFO in this proposal would initiator with QTYPE=HINFO. The use of HINFO in this proposal would
hence have effectively mask the HINFO RRSet present in the zone. hence have effectively mask the HINFO RRSet present in the zone.
Authority-server operators who serve zones that rely upon Authority-server operators who serve zones that rely upon
conventional use of the HINFO RRTYPE MAY sensibly choose not to conventional use of the HINFO RRTYPE MAY sensibly choose not to
deploy the mechanism described in this document or select other type. deploy the mechanism described in this document or select other type.
The HINFO RRTYPE is believed to be rarely used in the DNS at the time The HINFO RRTYPE is believed to be rarely used in the DNS at the time
of writing, based on observations made both at recursive servers and of writing, based on observations made both at recursive servers and
authority servers. authority servers.
8. Changes to RFC 1035 7. Changes to RFC 1035
It is important to note that returning a subset of available RRSets It is important to note that returning a subset of available RRSets
when processing an ANY query is legitimate and consistent with when processing an ANY query is legitimate and consistent with
[RFC1035]; ANY does not mean ALL. [RFC1035]; ANY does not mean ALL.
This document describes optional behaviour for both DNS initiators This document describes optional behaviour for both DNS initiators
and responders, and implementation of the guidance provided by this and responders, and implementation of the guidance provided by this
document is OPTIONAL. document is OPTIONAL.
9. Implementation experience 8. Implementation Experience
In October 2015 CloudFlare Authoritative Nameserver implementation In October 2015 CloudFlare Authoritative Nameserver implementation
implemented the HINFO response. Few minor problems have been implemented the HINFO response. Few minor problems have been
reported and worked out. NSD has for a while implemented a sub-set reported and worked out. NSD has for a while implemented a sub-set
response. A Bind user implemented this draft suggestion of returning response. A Bind user implemented this draft suggestion of returning
only single RRset during an attack. only single RRset during an attack.
10. Security Considerations 9. Security Considerations
Queries with QTYPE=ANY are frequently observed as part of reflection Queries with QTYPE=ANY are frequently observed as part of reflection
attacks, since a relatively small query can be used to elicit a large attacks, since a relatively small query can be used to elicit a large
response; this is a desirable characteristic if the goal is to response; this is a desirable characteristic if the goal is to
maximize the amplification potential of a DNS server as part of a maximize the amplification potential of a DNS server as part of a
volumetric attack. The ability of a DNS operator to suppress such volumetric attack. The ability of a DNS operator to suppress such
responses on a particular server makes that server a less useful responses on a particular server makes that server a less useful
amplifier. amplifier.
The optional behaviour described in this document to reduce the size The optional behaviour described in this document to reduce the size
of responses to queries with QTYPE=ANY is compatible with the use of of responses to queries with QTYPE=ANY is compatible with the use of
DNSSEC by both initiator and responder. DNSSEC by both initiator and responder.
11. IANA Considerations 10. IANA Considerations
The IANA is requested to update the Resource Record (RR) TYPEs The IANA is requested to update the Resource Record (RR) TYPEs
Registry [1] entry as follows: Registry [1] entry as follows:
+------+-------+-------------------------------+--------------------+ +------+-------+-------------------------------+--------------------+
| Type | Value | Meaning | Reference | | Type | Value | Meaning | Reference |
+------+-------+-------------------------------+--------------------+ +------+-------+-------------------------------+--------------------+
| * | 255 | A request for some or all | [RFC1035][RFC6895] | | * | 255 | A request for some or all | [RFC1035][RFC6895] |
| | | records the server has | [This Document] | | | | records the server has | [This Document] |
| | | available | | | | | available | |
+------+-------+-------------------------------+--------------------+ +------+-------+-------------------------------+--------------------+
12. Acknowledgements 11. Acknowledgements
Evan Hunt and David Lawrence provided valuable observations and Evan Hunt and David Lawrence provided valuable observations and
concrete suggestions. Jeremy Laidman helped make the document concrete suggestions. Jeremy Laidman helped make the document
better. Tony Finch realized that this document was valuable and better. Tony Finch realized that this document was valuable and
implemented it while under attack. A large number of people have implemented it while under attack. A large number of people have
provided comments and suggestions we thank them all for the feedback. provided comments and suggestions we thank them all for the feedback.
13. References 12. References
13.1. Normative References 12.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
13.2. Informative References 12.2. Informative References
[RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive
Nameservers in Reflector Attacks", BCP 140, RFC 5358, DOI Nameservers in Reflector Attacks", BCP 140, RFC 5358, DOI
10.17487/RFC5358, October 2008, 10.17487/RFC5358, October 2008,
<http://www.rfc-editor.org/info/rfc5358>. <http://www.rfc-editor.org/info/rfc5358>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <http://www.rfc-editor.org/info/rfc6895>. April 2013, <http://www.rfc-editor.org/info/rfc6895>.
[RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", RFC 7719, DOI 10.17487/RFC7719, December Terminology", RFC 7719, DOI 10.17487/RFC7719, December
2015, <http://www.rfc-editor.org/info/rfc7719>. 2015, <http://www.rfc-editor.org/info/rfc7719>.
13.3. URIs 12.3. URIs
[1] http://www.iana.org/assignments/dns-parameters/dns- [1] http://www.iana.org/assignments/dns-parameters/dns-
parameters.xhtml#dns-parameters-4 parameters.xhtml#dns-parameters-4
Appendix A. Editorial Notes Appendix A. Editorial Notes
This section (and sub-sections) to be removed prior to publication. This section (and sub-sections) to be removed prior to publication.
A.1. Change History A.1. Change History
 End of changes. 23 change blocks. 
55 lines changed or deleted 55 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/