rfcdiff: draft-ietf-dnsop-refuse-any-05.txt -> draft-ietf-dnsop-refuse-any-06.txt
(The text below is the -06 version of each region the diff shows; where the
-05 wording differed, it follows in brackets as [-05: ...]. Unchanged regions
are elided, as in the diff itself.)

Network Working Group                                          J. Abley
Internet-Draft                                                  Afilias
Updates: 1034, 1035 (if approved)                        O. Gudmundsson
Intended status: Standards Track                           M. Majkowski
Expires: September 6, 2018                               Cloudflare Inc.
                                                          March 5, 2018
[-05: Updates: 1035 (if approved)]

   Providing Minimal-Sized Responses to DNS Queries that have QTYPE=ANY
                     draft-ietf-dnsop-refuse-any-06
[-05: draft-ietf-dnsop-refuse-any-05]

Abstract

   The Domain Name System (DNS) specifies a query type (QTYPE) "ANY".
   The operator of an authoritative DNS server might choose not to
   respond to such queries for reasons of local policy, motivated by
   security, performance or other reasons.

   The DNS specification does not include specific guidance for the
   behaviour of DNS servers or clients in this situation.  This document

skipping to change at page 2, line 19

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Motivations for Use of ANY Queries  . . . . . . . . . . . . .   3
   3.  General Approach  . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Behaviour of DNS Responders . . . . . . . . . . . . . . . . .   4
     4.1.  Answer with a Subset of Available RRSets  . . . . . . . .   5
     4.2.  Answer with a Synthesised HINFO RRSet . . . . . . . . . .   5
     4.3.  Answer with Best Guess as to Intention  . . . . . . . . .   6
     4.4.  Behaviour with TCP Transport  . . . . . . . . . . . . . .   6
   5.  Behaviour of DNS Initiators . . . . . . . . . . . . . . . . .   6
   6.  HINFO Considerations  . . . . . . . . . . . . . . . . . . . .   6
   7.  Updates to RFC 1034 and RFC 1035  . . . . . . . . . . . . . .   7
   8.  Implementation Experience . . . . . . . . . . . . . . . . . .   7
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     12.1.  Normative References . . . . . . . . . . . . . . . . . .   8
     12.2.  Informative References . . . . . . . . . . . . . . . . .   9
     12.3.  URIs . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   Appendix A.  Editorial Notes  . . . . . . . . . . . . . . . . . .   9
     A.1.  Change History  . . . . . . . . . . . . . . . . . . . . .   9
       A.1.1.  draft-ietf-dnsop-refuse-any-06  . . . . . . . . . . .   9
       A.1.2.  draft-ietf-dnsop-refuse-any-05  . . . . . . . . . . .   9
       A.1.3.  draft-ietf-dnsop-refuse-any-04  . . . . . . . . . . .   9
       A.1.4.  draft-ietf-dnsop-refuse-any-03  . . . . . . . . . . .  10
       A.1.5.  draft-ietf-dnsop-refuse-any-02  . . . . . . . . . . .  10
       A.1.6.  draft-ietf-dnsop-refuse-any-01  . . . . . . . . . . .  10
       A.1.7.  draft-ietf-dnsop-refuse-any-00  . . . . . . . . . . .  10
       A.1.8.  draft-jabley-dnsop-refuse-any-01  . . . . . . . . . .  10
       A.1.9.  draft-jabley-dnsop-refuse-any-00  . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

[-05 table of contents: section 7 was titled "Updates to RFC 1035"; the
change history ran from A.1.1 (draft-ietf-dnsop-refuse-any-05) to A.1.8
(draft-jabley-dnsop-refuse-any-00); sections 4.3, 9 and 12.2 were listed one
page earlier, at pages 5, 7 and 8.]
1.  Introduction

   The Domain Name System (DNS) specifies a query type (QTYPE) "ANY".
   The operator of an authoritative DNS server might choose not to
   respond to such queries for reasons of local policy, motivated by
   security, performance or other reasons.

   The DNS specification [RFC1034] [RFC1035] does not include specific

skipping to change at page 3, line 17

   situation.  This document aims to provide such guidance.

1.1.  Terminology

   This document uses terminology specific to the Domain Name System
   (DNS), descriptions of which can be found in [RFC7719].

   In this document, "ANY Query" refers to a DNS meta-query with
   QTYPE=ANY.  An "ANY Response" is a response to such a query.

   In this document, "conventional ANY response" means an ANY response
   that is constructed in accordance with the algorithm documented in
   section 4.3.2 of [RFC1034] and specifically without implementing any
   of the mechanisms described in this document.
   [-05: this paragraph was not present.]

   In an exchange of DNS messages between two hosts, this document
   refers to the host sending a DNS request as the initiator, and the
   host sending a DNS response as the responder.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Motivations for Use of ANY Queries

skipping to change at page 5, line 8 (-05) / page 5, line 11 (-06)
   3.  Resolver can try to give out the most likely records the
       requester wants.  This is not always possible and the result
       might well be a large response.

   Except as described below in this section, the DNS responder MUST
   follow the standard algorithms when constructing a response.

4.1.  Answer with a Subset of Available RRSets

   A DNS responder which receives an ANY query MAY decline to provide a
   conventional ANY response, or MAY instead send a response with a
   single RRSet (or a larger subset of available RRSets) in the answer
   section.
   [-05: "... MAY decline to provide a conventional response, or MAY
   instead send a response with a single RRSet ..."]

   The RRSets returned in the answer section of the response MAY consist
   of a single RRSet owned by the name specified in the QNAME.  Where
   multiple RRSets exist, the responder SHOULD choose a small subset of
   those available to reduce the amplification potential of the
   response.

   If the zone is signed, appropriate RRSIG records MUST be included in
   the answer.

   Note that this mechanism does not provide any signalling to indicate
   to a client that an incomplete subset of the available RRSets has
   been returned.
   [-05: this paragraph was not present.]

4.2.  Answer with a Synthesised HINFO RRSet

   If there is no CNAME present at the owner name matching the QNAME,
   the resource record returned in the response MAY instead be
   synthesised, in which case a single HINFO resource record SHOULD be
   returned.  The CPU field of the HINFO RDATA SHOULD be set to RFCXXXX
   [note to RFC Editor, replace with RFC number assigned to this
   document].  The OS field of the HINFO RDATA SHOULD be set to the null
   string to minimize the size of the response.

skipping to change at page 6, line 11 (-05) / page 6, line 20 (-06)

   RRsets that are present.  This is not a guess but a heuristic that
   seems to work well in practice.  The main drawback is the size of the
   answer.

   As in the first one, if the zone is signed, RRSIG MUST be returned if
   the DO bit is set on the query.

4.4.  Behaviour with TCP Transport

   A DNS responder MAY behave differently when processing ANY queries
   received over different transport, e.g. by providing a conventional
   ANY response over TCP whilst using one of the other mechanisms
   specified in this document in the case where a query was received
   using UDP.
   [-05: "... e.g. by providing a conventional, full response over TCP
   whilst using ..."]

   Implementers SHOULD provide configuration options to allow operators
   to specify different behaviour over UDP and TCP.
5.  Behaviour of DNS Initiators

   A DNS initiator which sends a query with QTYPE=ANY and receives a
   response containing an HINFO resource record or a single RRset, as

skipping to change at page 7, line 5 (-05) / page 7, line 11 (-06)

   Authority-server operators who serve zones that rely upon
   conventional use of the HINFO RRTYPE SHOULD sensibly choose the
   "single RRset" method described in this document or select another
   type.

   The HINFO RRTYPE is believed to be rarely used in the DNS at the time
   of writing, based on observations made at recursive servers,
   authority servers and in passive DNS.
7.  Updates to RFC 1034 and RFC 1035
   [-05: "7.  Updates to RFC 1035"]

   This document extends the specification for processing ANY queries
   described in section 4.3.2 of [RFC1034].
   [-05: this paragraph was not present.]

   It is important to note that returning a subset of available RRSets
   when processing an ANY query is legitimate and consistent with
   [RFC1035]; it can be argued that ANY does not always mean ALL, as
   used in section 3.2.3 of [RFC1035].  The main difference here is that
   the TC bit SHOULD not be set on the response to indicate that this is
   not a complete answer.
   [-05: "... consistent with [RFC1035]; ANY does not mean ALL.  The
   main difference here is that ..."]
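   The responder behaviour of sections 4.1, 4.2 and 4.4 together with the
   TC-bit rule above, as an added example in Python (not code from the draft
   or its authors).  It models one zone node in memory instead of using a DNS
   library; the wire-size estimate, picking the smallest RRset as the subset,
   gating RRSIGs on the DO bit, and falling back to the CNAME RRset when HINFO
   synthesis is not permitted are assumptions of the example, as is the sample
   zone data.

```python
"""Model of the ANY-response modes in draft-ietf-dnsop-refuse-any.

Added example, not code from the draft or its authors.  Uses a toy
in-memory zone node; the size estimate, the "smallest RRset" subset rule
and the DO-bit gating of RRSIGs are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Placeholder taken from the draft: the RFC Editor replaces RFCXXXX with
# the RFC number assigned to the document.
HINFO_CPU = "RFCXXXX"
HINFO_OS = ""   # null string, to keep the synthesised record small


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    ttl: int
    rdata: tuple          # presentation-format strings, one per RR

    def wire_estimate(self) -> int:
        # Rough on-the-wire size: 12 bytes of fixed fields per RR
        # (compressed name, type, class, TTL, RDLENGTH) plus the RDATA.
        return sum(12 + len(r) for r in self.rdata)


@dataclass
class Node:
    """All RRsets owned by one name; RRSIGs keyed by the type they cover."""
    rrsets: Dict[str, RRset]
    rrsigs: Dict[str, RRset] = field(default_factory=dict)

    @property
    def signed(self) -> bool:
        return bool(self.rrsigs)


@dataclass
class AnyResponse:
    answer: List[RRset]
    tc: bool = False     # section 7: TC is not set for a reduced answer


def synthesised_hinfo(qname: str, ttl: int = 3600) -> RRset:
    """Section 4.2: one HINFO with CPU=RFCXXXX and an empty OS field."""
    return RRset(qname, "HINFO", ttl, (f'"{HINFO_CPU}" "{HINFO_OS}"',))


def _attach_rrsigs(chosen: List[RRset], node: Node, do_bit: bool) -> List[RRset]:
    # Sections 4.1/4.3: in a signed zone the RRSIGs covering the returned
    # RRsets go with them when the query carried DO=1 (assumed gating).
    if not (node.signed and do_bit):
        return list(chosen)
    out = list(chosen)
    for rr in chosen:
        sig = node.rrsigs.get(rr.rtype)
        if sig is not None:
            out.append(sig)
    return out


def build_any_response(node: Node, qname: str, transport: str,
                       udp_mode: str = "subset", do_bit: bool = True) -> AnyResponse:
    """Answer section for QTYPE=ANY at a name that exists.

    transport is "udp" or "tcp"; udp_mode is "conventional", "subset" or
    "hinfo", the per-transport choice section 4.4 asks operators to have.
    """
    if transport == "tcp" or udp_mode == "conventional":
        # Conventional ANY response: every RRset at the name (RFC 1034 4.3.2).
        chosen = list(node.rrsets.values())
    elif udp_mode == "subset":
        # Section 4.1: a single RRset, chosen to minimise amplification.
        chosen = [min(node.rrsets.values(), key=RRset.wire_estimate)]
    elif udp_mode == "hinfo":
        if "CNAME" in node.rrsets:
            # Section 4.2 permits synthesis only when no CNAME is present;
            # fall back to returning the CNAME RRset on its own.
            chosen = [node.rrsets["CNAME"]]
        else:
            # Signing a synthesised record is outside this example.
            return AnyResponse(answer=[synthesised_hinfo(qname)], tc=False)
    else:
        raise ValueError(f"unknown udp_mode {udp_mode!r}")
    return AnyResponse(answer=_attach_rrsigs(chosen, node, do_bit), tc=False)


def response_size(resp: AnyResponse) -> int:
    """Estimated answer-section size, for comparing the modes."""
    return sum(rr.wire_estimate() for rr in resp.answer)


# Constructed sample node for example.test (not real zone data).
EXAMPLE_NODE = Node(
    rrsets={
        "A":    RRset("example.test.", "A", 3600, ("192.0.2.1",)),
        "AAAA": RRset("example.test.", "AAAA", 3600, ("2001:db8::1",)),
        "MX":   RRset("example.test.", "MX", 3600,
                      ("10 mail1.example.test.", "20 mail2.example.test.")),
        "TXT":  RRset("example.test.", "TXT", 3600,
                      ('"v=spf1 include:_spf.example.test -all"',)),
    },
    rrsigs={t: RRset("example.test.", "RRSIG", 3600, (f"{t} 13 2 3600 <sig>",))
            for t in ("A", "AAAA", "MX", "TXT")},
)

if __name__ == "__main__":
    for transport, mode in (("tcp", "subset"), ("udp", "subset"), ("udp", "hinfo")):
        r = build_any_response(EXAMPLE_NODE, "example.test.", transport, mode)
        print(transport, mode, [rr.rtype for rr in r.answer], response_size(r))
```

   Run stand-alone, it prints the answer-section types and estimated size for
   the same name over TCP, over UDP in subset mode and over UDP in HINFO mode,
   which makes the reduction in amplification potential of the two UDP modes
   visible; in every mode the TC flag stays clear, matching section 7.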
   This document describes optional behaviour for both DNS initiators
   and responders, and implementation of the guidance provided by this
   document is OPTIONAL.

   RRSIG queries (i.e. queries with QTYPE=RRSIG) are similar to ANY
   queries in the sense that they have the potential to generate large
   responses as well as extra work for the responders that process them,

skipping to change at page 8, line 27 (-05) / page 8, line 37 (-06)

   | *    | 255   | A request for some or all     | [RFC1035][RFC6895] |
   |      |       | records the server has        | [This Document]    |
   |      |       | available                     |                    |
   +------+-------+-------------------------------+--------------------+
11.  Acknowledgements

   Evan Hunt and David Lawrence provided valuable observations and
   concrete suggestions.  Jeremy Laidman helped make the document
   better.  Tony Finch realized that this document was valuable and
   implemented it while under attack.  Richard Gibson identified areas
   where more detail and accuracy was useful.  A large number of other
   people also provided comments and suggestions; we thank them all for
   the feedback.
   [-05: "... implemented it while under attack.  A large number of
   people have provided comments and suggestions; we thank them all for
   the feedback."]

12.  References

12.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and

skipping to change at page 9, line 24 (-05) / page 9, line 36 (-06)

   [1] http://www.iana.org/assignments/dns-parameters/dns-
       parameters.xhtml#dns-parameters-4
Appendix A.  Editorial Notes

   This section (and sub-sections) to be removed prior to publication.

A.1.  Change History

A.1.1.  draft-ietf-dnsop-refuse-any-06

   Update RFC 1034 as well as RFC 1035; define the term "conventional
   ANY response"; soften and qualify ANY does not mean ALL; note that
   the subset mode response lacks signalling.
   [-05: this entry was not present; the entries below were numbered
   A.1.1 to A.1.8.]

A.1.2.  draft-ietf-dnsop-refuse-any-05

   Minor editorial changes.  Soften advice on RRSIG queries.  Version
   bump.

A.1.3.  draft-ietf-dnsop-refuse-any-04

   These are the changes requested during WGLC.  The title has been
   updated for readability.  The behavior section now contains a
   description of three different approaches in order of preference.
   Text added on behavior over TCP.  The document is clear in how it
   updates from RFC1035.  Minor adjustments for readability and remove
   redundancy.

A.1.4.  draft-ietf-dnsop-refuse-any-03

   Change section name to "Updates to RFC1034", few minor grammar
   changes suggested by Matthew Pounsett and Tony Finch.

   Text clarifications, reflecting experience, added implementation
   experience.

A.1.5.  draft-ietf-dnsop-refuse-any-02

   Added suggestion to call out RRSIG is optional when DO=0.

   Number of text suggestions from Jeremy Laidman.

A.1.6.  draft-ietf-dnsop-refuse-any-01

   Add IANA Considerations

A.1.7.  draft-ietf-dnsop-refuse-any-00

   Re-submitted with a different name following adoption at the dnsop WG
   meeting convened at IETF 94.

A.1.8.  draft-jabley-dnsop-refuse-any-01

   Make signing of RRSets in answers from signed zones mandatory.
   Document the option of returning an existing RRSet in place of a
   synthesised one.

A.1.9.  draft-jabley-dnsop-refuse-any-00

   Initial draft circulated for comment.

Authors' Addresses

   Joe Abley
   Afilias
   300-184 York Street
   London, ON  N6A 1B5
   Canada

End of changes.  22 change blocks.  30 lines changed or deleted,
53 lines changed or added.

This html diff was produced by rfcdiff 1.46.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/