draft-ietf-dnsop-resolver-priming-03.txt   draft-ietf-dnsop-resolver-priming-04.txt 
Network Working Group P. Koch Network Working Group P. Koch
Internet-Draft DENIC eG Internet-Draft DENIC eG
Intended status: Best Current Practice M. Larson Intended status: Best Current Practice M. Larson
Expires: January 16, 2014 Dyn, Inc. Expires: August 18, 2014 Dyn, Inc.
July 15, 2013 February 14, 2014
Initializing a DNS Resolver with Priming Queries Initializing a DNS Resolver with Priming Queries
draft-ietf-dnsop-resolver-priming-03 draft-ietf-dnsop-resolver-priming-04
Abstract Abstract
This document describes the initial queries a DNS resolver is This document describes the initial queries a DNS resolver is
supposed to emit to initialize its cache with a current NS RRSet for supposed to emit to initialize its cache with a current NS RRSet for
the root zone as well as the necessary address information. the root zone as well as the necessary address information.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 16, 2014. This Internet-Draft will expire on August 18, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 21 skipping to change at page 3, line 21
This document only deals with recursive name servers (recursive This document only deals with recursive name servers (recursive
resolvers, resolvers) for the IN CLASS. resolvers, resolvers) for the IN CLASS.
2.1. Parameters of a Priming Query 2.1. Parameters of a Priming Query
A priming query SHOULD use a QNAME of "." and a QTYPE of NS. The A priming query SHOULD use a QNAME of "." and a QTYPE of NS. The
priming query MUST be sent over UDP (section 6.1.3.2 of [RFC1123]). priming query MUST be sent over UDP (section 6.1.3.2 of [RFC1123]).
The UDP source port SHOULD be randomly selected [RFC5452]. The RD The UDP source port SHOULD be randomly selected [RFC5452]. The RD
bit MUST NOT be set. bit MUST NOT be set.
The resolver SHOULD also use EDNS0 [RFC2671] and announce and handle The resolver SHOULD also use EDNS0 [RFC6891] and SHOULD announce and
a reassembly size of at least 1024 octets [RFC3226]. This is to handle a reassembly size of at least 1024 octets [RFC3226]. This is
cover the size of a full priming response (see Section 3.3). to cover the size of a full priming response (see Section 3.3).
2.2. Repeating Priming Queries 2.2. Repeating Priming Queries
A resolver SHOULD NOT originate a priming query more often than once A resolver SHOULD NOT originate a priming query more often than once
per day (or whenever it starts). It SHOULD adhere to the TTL values per day (or whenever the resolver starts). It SHOULD adhere to the
given in the priming response. To avoid amnesia, the resolver MAY TTL values given in the priming response. To avoid amnesia, the
proactively re-prime before the old root NS RRSet expires from the resolver MAY proactively re-prime before the old root NS RRSet
cache, but only after 75 percent of the NS RRSet's TTL (or of the A/ expires from the cache, but only after 75 percent of the NS RRSet's
AAAA RRSets' TTL, whichever is lower) have passed. TTL (or of the A/AAAA RRSets' TTL, whichever is lower) have passed.
Should the priming query time out, the resolver SHOULD retry with a Should the priming query time out, the resolver SHOULD retry with a
different target address. different target address.
2.3. Target Selection 2.3. Target Selection
A resolver MUST select the target for a priming query randomly from A resolver MUST select the target for a priming query randomly from
the list of addresses (IPv4 and IPv6) available in its SBELT the list of addresses (IPv4 and IPv6) available in its SBELT
structure and it MUST ensure that all targets are selected with equal structure and it MUST ensure that all targets are selected with equal
probability even upon startup. For resending the priming query to a probability even upon startup. For resending the priming query to a
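Review bot: In 2.2 the revised text still leaves the interaction between the once-per-day limit and the TTL rules undefined. "SHOULD NOT originate a priming query more often than once per day" sits beside "SHOULD adhere to the TTL values" and the MAY re-prime after 75 percent of the TTL, so a root NS or address TTL shorter than a day puts the three statements in conflict, and it is unclear whether a retry after a timeout counts against the daily limit. Suggest stating which rule takes precedence and exempting timeout retries explicitly. In 2.1 the second SHOULD added in -04 ("SHOULD also use EDNS0 [RFC6891] and SHOULD announce and handle a reassembly size of at least 1024 octets") reads as independent of the first, although a size can only be announced when EDNS0 is used; "and, when it does, SHOULD announce" would make the dependency explicit. Also, "75 percent of the NS RRSet's TTL ... have passed" should read "has passed".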
skipping to change at page 5, line 12 skipping to change at page 5, line 12
For an EDNS response, a resolver SHOULD consider the address For an EDNS response, a resolver SHOULD consider the address
information found in the additional section complete for any information found in the additional section complete for any
particular server that appears at all. In other words: if the particular server that appears at all. In other words: if the
additional section only has an A RRSet for a server, the resolver additional section only has an A RRSet for a server, the resolver
SHOULD assume that no AAAA RRSet exists. This is to avoid repeated SHOULD assume that no AAAA RRSet exists. This is to avoid repeated
unnecessary queries for names of name servers that do not or not yet unnecessary queries for names of name servers that do not or not yet
offer IPv6 service, or, in perspective, will have ceased IPv4 offer IPv6 service, or, in perspective, will have ceased IPv4
service. service.
If the resolver did not announce a reassembly size larger than 512 If the resolver did not announce a reassembly size larger than 512
octets, this assumption is invalid. Simple re-issueing of the octets, this assumption is invalid. Simple re-issuing of the priming
priming query does not help with those root name servers that respond query does not help with those root name servers that respond with a
with a fixed order of addresses in the additional section. Instead fixed order of addresses in the additional section. Instead the
the resolver ought to issue direct queries for A and AAAA RRSets for resolver ought to issue direct queries for A and AAAA RRSets for the
the remaining names. In today's environment these RRSets would be remaining names. In today's environment these RRSets would be
authoritatively available from the root name servers. authoritatively available from the root name servers.
4. Requirements for Root Name Servers and the Root Zone 4. Requirements for Root Name Servers and the Root Zone
The operational requirements for root name servers are described in The operational requirements for root name servers are described in
[RFC2870]. This section specifies additional guidance for the [RFC2870]. This section specifies additional guidance for the
configuration of and software deployed at the root name servers. configuration of and software deployed at the root name servers.
All DNS root name servers need to be able to provide for all All DNS root name servers need to be able to provide for all
addresses of all root name servers. This can easily achieved by addresses of all root name servers. This can easily achieved by
making all root name servers authoritative for the zone containing keeping all root name server names in a single zone and by making all
the servers' names. root name servers authoritative for that zone.
If the response packet does not provide for more than 512 octets due If the response packet does not provide for more than 512 octets due
to lack of EDNS0 support, A RRSets SHOULD be given preference over to lack of EDNS0 support, A RRSets SHOULD be given preference over
AAAA RRSets when filling the additional section. AAAA RRSets when filling the additional section.
[[EDNS0 is used as an indication of AAAA understanding on the side of [[Issue 1: EDNS0 is used as an indication of AAAA understanding on
the client. What to do with small payload sizes indicated by EDNS0 the side of the client. What to do with payload sizes indicated by
is open to discussion. At the time of writing, some root name EDNS0 that are smaller than 1024, is open to discussion. At the time
servers will fill the additional section with all available A RRSets, of writing, some root name servers will fill the additional section
only adding some AAAA RRSets, when queried over IPv4 without EDNS0. with all available A RRSets, only adding some AAAA RRSets, when
Other servers will deliver more AAAA RRSets, therefore withholding queried over IPv4 without EDNS0. Other servers will deliver more
some A RRSets completely [RFC4472].]] AAAA RRSets, therefore withholding some A RRSets completely
[RFC4472].]]
To ensure equal availability the A and AAAA RRSets for the rot name To ensure equal availability the A and AAAA RRSets for the root name
servers' names SHOULD have identical TTL values at the authoritative servers' names SHOULD have identical TTL values at the authoritative
source. source.
[[Do the TTLs for the root NS RRSet and address RRSets in the root [[Issue 2: Do the TTLs for the root NS RRSet and address RRSets in
and the ROOT-SERVERS.NET. zones need to be aligned? In real life the root and the ROOT-SERVERS.NET. zones need to be aligned? In real
responses, the address RRSet's TTL values vary by name server life responses, the address RRSet's TTL values vary by name server
implementation.]] implementation. Is this diversity we can live with? Should the
authoritative source prevail? Is it therefore a protocol issue
rather than an operational choice of parameters?]]
5. Security Considerations 5. Security Considerations
This document deals with priming a DNS resolver's cache. The usual This document deals with priming a DNS resolver's cache. The usual
DNS caveats apply. Use of DNSSEC with priming queries is discussed DNS caveats apply. Use of DNSSEC with priming queries is discussed
in section 2.4. in section 2.4.
Spoofing a response to a priming query can be used to redirect all Spoofing a response to a priming query can be used to redirect all
queries originating from a victim resolver, therefore any difference queries originating from a victim resolver, therefore any difference
between the inital SBELT list and the priming response SHOULD be between the inital SBELT list and the priming response SHOULD be
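Review bot: The rewritten paragraph in section 4 states its requirement without an RFC 2119 keyword ("need to be able to provide for all addresses of all root name servers") while the paragraphs after it use SHOULD, so it is unclear whether the single-zone arrangement is normative. Suggest either a keyword or a sentence saying this is operational guidance. The same paragraph still reads "This can easily achieved" (missing "be") in -04. In Issue 1 the comma in "smaller than 1024, is open to discussion" should be dropped, and in section 5 "inital" remains uncorrected although this revision fixed "rot" and "re-issueing".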
skipping to change at page 6, line 27 skipping to change at page 6, line 34
out of the scope of this document. out of the scope of this document.
6. IANA Considerations 6. IANA Considerations
This document does not propose any new IANA registry nor does it ask This document does not propose any new IANA registry nor does it ask
for any allocation from an existing IANA registry. for any allocation from an existing IANA registry.
However, this document deals with requirements for the root zone and However, this document deals with requirements for the root zone and
root server operations. root server operations.
[[Any recommendation on the "." NS RRSet TTL or the TTLs of the [[Issue3: related to issue 2 - any recommendation on the "." NS
respective A and/or AAAA RRSets would go here.]] RRSet TTL or the TTLs of the respective A and/or AAAA RRSets might go
here.]]
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1123] Braden, R., "Requirements for Internet Hosts - Application [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
and Support", STD 3, RFC 1123, October 1989. and Support", STD 3, RFC 1123, October 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
2671, August 1999.
[RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
message size requirements", RFC 3226, December 2001. message size requirements", RFC 3226, December 2001.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005. 4033, March 2005.
[RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More [RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More
Resilient against Forged Answers", RFC 5452, January 2009. Resilient against Forged Answers", RFC 5452, January 2009.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891, April 2013.
7.2. Informative References 7.2. Informative References
[BLKT2004] [BLKT2004]
Barber, P., Larson, M., Kosters, M., and P. Toscano, "Life Barber, P., Larson, M., Kosters, M., and P. Toscano, "Life
and Times of J-Root", NANOG 32, October 2004. and Times of J-Root", NANOG 32, October 2004.
[I-D.ietf-dnsop-dnssec-trust-anchor] [I-D.ietf-dnsop-dnssec-trust-anchor]
Larson, M. and O. Gudmundsson, "DNSSEC Trust Anchor Larson, M. and O. Gudmundsson, "DNSSEC Trust Anchor
Configuration and Maintenance", draft-ietf-dnsop-dnssec- Configuration and Maintenance", draft-ietf-dnsop-dnssec-
trust-anchor-04 (work in progress), October 2010. trust-anchor-04 (work in progress), October 2010.
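Review bot: The label in the IANA section is written "Issue3:" while the other two open items are "Issue 1:" and "Issue 2:"; use one form so the open issues can be found consistently. The change from "would go here" to "might go here" also leaves it unclear whether a TTL recommendation is still planned for this section; if that depends on the outcome of Issue 2, say so in a sentence instead of leaving it to the label.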
skipping to change at page 7, line 36 skipping to change at page 7, line 43
WIDE/CAIDA Workshop , October 2006. WIDE/CAIDA Workshop , October 2006.
[RFC2870] Bush, R., Karrenberg, D., Kosters, M., and R. Plzak, "Root [RFC2870] Bush, R., Karrenberg, D., Kosters, M., and R. Plzak, "Root
Name Server Operational Requirements", BCP 40, RFC 2870, Name Server Operational Requirements", BCP 40, RFC 2870,
June 2000. June 2000.
[RFC4472] Durand, A., Ihren, J., and P. Savola, "Operational [RFC4472] Durand, A., Ihren, J., and P. Savola, "Operational
Considerations and Issues with IPv6 DNS", RFC 4472, April Considerations and Issues with IPv6 DNS", RFC 4472, April
2006. 2006.
[RFC4697] Larson, M. and P. Barber, "Observed DNS Resolution
Misbehavior", BCP 123, RFC 4697, October 2006.
[SSAC016] ICANN Security and Stability Advisory Committee, "Testing [SSAC016] ICANN Security and Stability Advisory Committee, "Testing
Firewalls for IPv6 and EDNS0 Support", SSAC 016, January Firewalls for IPv6 and EDNS0 Support", SSAC 016, January
2007. 2007.
[SSAC017] ICANN Security and Stability Advisory Committee, "Testing [SSAC017] ICANN Security and Stability Advisory Committee, "Testing
Recursive Name Servers for IPv6 and EDNS0 Support", SSAC Recursive Name Servers for IPv6 and EDNS0 Support", SSAC
017, February 2007. 017, February 2007.
Appendix A. Document Revision History Appendix A. Document Revision History
This section is to be removed should the draft be published. This section is to be removed should the draft be published.
$Id: draft-ietf-dnsop-resolver-priming.xml,v 1.6 2013/07/15 17:35:18 $Id: draft-ietf-dnsop-resolver-priming.xml,v 1.7 2014/02/14 23:27:23
pk Exp $ pk Exp $
A.1. -03 WG Document A.1. -04 WG Document
Revived. Updated EDNS0 reference. Minor edits for clarity.
A.2. -03 WG Document
Revived. Resolved most open issues [[]] as per previous WG Revived. Resolved most open issues [[]] as per previous WG
discussion. Minor edits on history and wording. All root servers discussion. Minor edits on history and wording. All root servers
authoritative for ROOT-SERVERS.NET. authoritative for ROOT-SERVERS.NET.
A.2. -02 WG Document A.3. -02 WG Document
Revived. Changed use of DNSSEC OK in the priming query as per the WG Revived. Changed use of DNSSEC OK in the priming query as per the WG
discussion. discussion.
A.3. -01 WG Document A.4. -01 WG Document
Revived with minor edits. Open issues marked [[]]. Revived with minor edits. Open issues marked [[]].
A.4. -00 WG Document A.5. -00 WG Document
Reposted as WG document with minor edits. Reposted as WG document with minor edits.
Added re-primimg proposal and A/AAAA TTL considerations. Added re-primimg proposal and A/AAAA TTL considerations.
A.5. Initial Document A.6. Initial Document
First draft First draft
Authors' Addresses Authors' Addresses
Peter Koch Peter Koch
DENIC eG DENIC eG
Kaiserstrasse 75-77 Kaiserstrasse 75-77
Frankfurt 60329 Frankfurt 60329
DE DE
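Review bot: The revision history entry for -04 ("Updated EDNS0 reference. Minor edits for clarity.") does not cover everything this revision changes: the open issues gain numbers, Issue 2 gains three new questions, and [RFC4697] is added to the informative references. Suggest listing those changes, and checking that [RFC4697] is cited in the body, since none of the changed text shown in this diff refers to it. "re-primimg" in the -00 entry is still misspelled.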
 End of changes. 21 change blocks. 
43 lines changed or deleted 55 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/