draft-ietf-dnsop-resolver-priming-05.txt   draft-ietf-dnsop-resolver-priming-06.txt 
Network Working Group P. Koch Network Working Group P. Koch
Internet-Draft DENIC eG Internet-Draft DENIC eG
Intended status: Best Current Practice M. Larson Intended status: Best Current Practice M. Larson
Expires: September 10, 2015 Dyn, Inc. Expires: July 16, 2016 Dyn, Inc.
March 9, 2015 P. Hoffman
ICANN
January 13, 2016
Initializing a DNS Resolver with Priming Queries Initializing a DNS Resolver with Priming Queries
draft-ietf-dnsop-resolver-priming-05 draft-ietf-dnsop-resolver-priming-06
Abstract Abstract
This document describes the initial queries a DNS resolver is This document describes the queries a DNS resolver can emit to
supposed to emit in order to initialize its cache with both a current initialize its cache. The result is that the resolver gets both a
NS RRSet for the root zone and the necessary address information. current NS RRSet for the root zone and the necessary address
information for reaching the root servers.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2015. This Internet-Draft will expire on July 16, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
1. Introduction 1. Introduction
Domain Name System (DNS) resolvers need a starting point to resolve Recursive DNS resolvers need a starting point to resolve queries.
queries. [RFC1034], section 5.3.2, defines the SBELT structure in a [RFC1034] describes a common scenario for recursive resolvers: they
full resolver as: begin with an empty cache and some configuration for finding the
names and addresses of the DNS root servers. [RFC1034] describes
a "safety belt" structure of the same form as SLIST, which is that configuration as a list of servers that will authoritative
initialized from a configuration file, and lists servers which answers to queries about the root. This has become a common
should be used when the resolver doesn't have any local implementation choice for recursive resolvers, and is the topic of
information to guide name server selection. The match count will this document.
be -1 to indicate that no labels are known to match.
Section 5.3.3 of [RFC1034] adds
the usual choice is two of the root servers and two of the servers
for the host's domain
Today's practice generally seperates serving and resolving
functionalities, so the servers "for the host's domain" might no
longer be an appropriate choice, even if they were only intended to
resolve "local" names, especially since the SBELT structure does not
distinguish between local and global information. In addition, DNS
server implementations have for a long time been seeded with not only
two but an exhaustive list of the root servers' addresses. This list
is either supplied as a configuration file (root "hints", an excerpt
of the DNS root zone) or even compiled into the software.
The list of root name servers has been rather stable over the last
fifteen years. After the last four servers had been added and moved
to their final (network) destinations in 1997, there have been only
five address changes affecting the L (twice), J, B, and D servers.
Research is available for B [Mann2006] and J [BLKT2004], which shows
that several months or even years after the change had become
effective, traffic is still received on the old addresses.
Therefore, it is important that resolvers be able to cope with
change, even without relying upon configuration updates to be applied
by their operator.
Work by the ICANN SSAC and RSSAC committees, [SSAC016] and [SSAC017],
aiming at adding AAAA RRs for the root name servers' names, deals
with priming queries and so does a draft on DNSSEC Trust Anchor
maintenance [I-D.ietf-dnsop-dnssec-trust-anchor]. However, it turned
out that despite having been practiced for a long time, priming
queries have not yet been documented as an important resolver
feature.
The following sections cover parameters of both the priming query and This document describes the steps needed for this common
the response to be sent by a root name server. implementation choice. Note that this is not the only way to start a
recursive name server with an empty cache, but it is the only one
described in [RFC1034]. Some implementers have chosen other
directions, some of which work well and others of which fail
(sometimes disastrously) under different conditions.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
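Review bot: The rewritten second sentence of the Introduction is missing a verb: "a list of servers that will authoritative answers to queries about the root" should read "that will give authoritative answers". The new closing paragraph also says that other start-up methods "fail (sometimes disastrously) under different conditions" without naming a method or a condition; give one example or drop the parenthetical.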
2. Priming Queries
This document only deals with recursive name servers (recursive This document only deals with recursive name servers (recursive
resolvers, resolvers) for the IN CLASS. resolvers, resolvers) for the IN class.
2.1. Parameters of a Priming Query
A priming query SHOULD use a QNAME of "." and a QTYPE of NS. The
priming query MUST be sent over UDP (section 6.1.3.2 of [RFC1123]).
The UDP source port SHOULD be randomly selected [RFC5452]. The RD
bit MUST NOT be set.
The resolver SHOULD also use EDNS0 [RFC6891] and SHOULD announce and
handle a reassembly size of at least 1024 octets [RFC3226]. This is
to cover the size of a full priming response (see Section 3.3).
2.2. Repeating Priming Queries 2. Description of Priming
A resolver SHOULD NOT originate a priming query more often than once As described in this document, priming is the act of finding the list
per day (or whenever the resolver starts). It SHOULD adhere to the of root servers from a configuration that lists some or all of the
TTL values given in the priming response. To avoid amnesia, the purported IP addresses of some or all of those root servers. A
resolver MAY proactively re-prime before the old root NS RRSet recursive resolver starts with no information about the root servers,
expires from the cache, but only after 75 percent of the NS RRSet's and ends up with a list of their names and their addresses.
TTL (or of the A/AAAA RRSets' TTL, whichever is lower) have passed.
Should the priming query time out, the resolver SHOULD retry with a Priming is described in Sections 5.3.2 and 5.3.3 of [RFC1034]. The
different target address. scenario used in that description, that of a recursive server that is
also authoritative, is no longer as common.
2.3. Target Selection Currently, it is quite common for the configured list of IP addresses
for the root server to be mostly complete and correct. Note that
this list (at least initially) comes from the vendor or distributor
of the recursive server software.
A resolver MUST select the target for a priming query randomly from The list of root server operators and the domain name associated with
the list of addresses (IPv4 and IPv6) available in its SBELT each one has been stable since 1997. However, there are address
structure and it MUST ensure that all targets are selected with equal changes for the NS records for those root server operators, both for
probability even upon startup. For resending the priming query to a IPv4 and IPv6 addresses. However, research shows that after those
different server the random selection SHOULD also be used. addresses change, some resolvers never get the new addresses.
Therefore, it is important that resolvers be able to cope with
change, even without relying upon configuration updates to be applied
by their operator. This is the main reason that one needs to do
priming instead of just going from a configured list to get a full
and accurate list of root servers.
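Review bot: In the new Section 2, "research shows that after those addresses change, some resolvers never get the new addresses" has no citation, because this revision removes [Mann2006] and [BLKT2004] together with the Informative References section. Keep at least one of those references next to the claim. The same paragraph starts two consecutive sentences with "However"; the second one can be dropped.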
2.4. DNSSEC with Priming Queries 3. Priming Queries
The resolver SHOULD NOT set the DNSSEC OK [RFC4033] bit. A priming query is a DNS query that has a QNAME of "." and a QTYPE of
NS, and is sent to one of the addresses in the configuration for the
recursive resolver. The priming query MAY be sent over UDP or TCP.
If the query is sent over UDP, the source port SHOULD be randomly
selected (see [RFC5452]). The RD bit MAY be set to 0 or 1, although
the meaning of it being set to 1 is undefined for priming queries.
Discussion: Delegations in referral responses are not signed, so The recursive resolver SHOULD use EDNS0 [RFC6891] for priming queries
consequently the priming response is not validated, either. For that and SHOULD announce and handle a reassembly size of at least 1024
to work, the priming response would also have to be self-contained in octets [RFC3226]. Doing so allows responses that cover the size of a
that it would allow the resolver to not only validate the NS RRSet full priming response (see Section 4.2).
(with the root DNSKEY RRSet and the root NS RRSet's signature), but
also the A and AAAA RRSets. All this information cannot be
guaranteed to be either present at the root name servers or fit into
the priming reponse even with the largest feasible EDNS0 buffer size.
In fact, in today's Internet, with the root name servers' names under
"ROOT-SERVERS.NET.", this isn't even true for the top level domain
involved. So, even though a poisoned priming response could
drastically influence the resolver's operations, there is little a
DNSSEC enhanced priming response could achieve without the whole
validation chain. This would probably call for a different naming
scheme (see section 6.1 of [I-D.koch-dns-glue-clarifications]).
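Review bot: The new Section 3 relaxes two requirements at once without giving a reason: the transport changes from "MUST be sent over UDP" to "MAY be sent over UDP or TCP", and the RD bit changes from "MUST NOT be set" to "MAY be set to 0 or 1, although the meaning of it being set to 1 is undefined". Permitting a value whose meaning the document itself calls undefined invites divergent implementations; suggest recommending RD=0 (for example "SHOULD be set to 0"). Since the EDNS0 reassembly size applies to UDP only, the second paragraph should also say that its size advice is for priming queries sent over UDP.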
3. Priming Responses 3.1. Repeating Priming Queries
A root name server cannot distinguish a priming query from any other The recursive resolver SHOULD send a priming query only when it is
query for the root NS RRSet, except that QTYPE NS would not usually needed. This would be when the resolver starts with an empty cache,
be part of the DNS resolution process. and when one or more of the NS records for the root servers has
expired. The recursive resolver SHOULD expire the NS records of the
root servers according to the TTL values given in the priming
response.
3.1. Expected Properties of the Priming Response If a priming query does not get a response within 2 seconds, the
recursive resolver SHOULD retry with a different target address from
the configuration.
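Review bot: The new Section 3.1 removes the old limit of one priming query per day and adds a retry after 2 seconds, but sets no bound on how often a resolver may retry when every configured address times out. Suggest adding a back-off or a maximum retry rate. Also, "when one or more of the NS records for the root servers has expired" reads as if individual NS records expire separately; the removed text spoke of the root NS RRSet expiring from the cache, which is clearer.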
The priming response can be expected to have an RCODE of NOERROR and 3.2. Target Selection
the AA bit set. Also, there should be an NS RRSet in the answer
section (since the NS RRSet originates from the root zone), an empty
authority section (since the NS RRSet already appears in the answer
section) and an additional section with A and AAAA RRSets for the
root name servers pointed at by the NS RRSet. Resolver software
SHOULD NOT expect a fixed number of 13 NS RRs, since "internal" root
server setups in split DNS configurations might use a different
number of servers. Resolver software SHOULD warn the operator about
any change in the number or names of name servers or their addresses
compared to the SBELT information.
3.2. Use of the Priming Response In order to spread the load across all the root server operators, the
recursive resolver SHOULD select the target for a priming query
randomly from the list of addresses. The recursive resolver might
choose either IPv4 and IPv6 addresses based on its knowledge of
whether the server on which it is running has adequate transit on
either type of address.
A resolver MAY use the priming response as it would use any other Note that this recommended method is not the only way to choose from
data fed to its cache. However, it SHOULD NOT use the SBELT the list in a recursive resolver's configuration. Two other other
information directly in any responses it hands out. common methods include picking the first from the list, and
remembering which address in the list gave the fastest response
earlier and using that one. There are probably other methods in use
today. However, the random method listed above is the one that is
recommended for priming.
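Review bot: The new Section 3.2 weakens random target selection from "MUST select ... randomly" with equal probability to SHOULD, and no longer says how the retry target is chosen, although Section 3.1 tells the resolver to "retry with a different target address". State whether the retry is also picked at random, as the removed text did. Two wording fixes in the same hunk: "either IPv4 and IPv6 addresses" should be "either IPv4 or IPv6 addresses", and "Two other other common methods" has a doubled word.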
3.3. Completeness of the Response 3.3. DNSSEC with Priming Queries
Assuming an upper bound of thirteen root name servers and one address The resolver MAY set the DNSSEC OK [RFC4033] bit. At the time this
each for IPv4 and IPv6, the combined size of all the A and AAAA document is being published, there is little use to performing DNSSEC
RRSets is 13 * (16 + 28) == 572, independent of the naming scheme. validation on the priming query because the "root-servers.net" zone
Not even counting the NS RRSet, this value exceeds the original 512 is not signed, and so a man-in-the-middle attack on the priming query
octet payload limit. can result in malicious data in the responses. However, if the
"root-servers.net" zone is later signed, or if the root server
operators choose a different zone to identify themselves and that
zone is signed, having DNSSEC validation for the priming queries
might be valuable.
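Review bot: The new Section 3.3 changes the DNSSEC OK bit from "SHOULD NOT set" to "MAY set", but its rationale is harder to follow than the removed Discussion paragraph: the sentence joins "the "root-servers.net" zone is not signed" and "a man-in-the-middle attack on the priming query can result in malicious data in the responses" with "and so", which does not say which part of the response stays unprotected. The removed text explained that the A and AAAA RRSets would have to be validated as well as the NS RRSet; carrying that sentence over would make the point clear.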
For an EDNS response, a resolver SHOULD consider the address 4. Priming Responses
information found in the additional section complete for any
particular server that appears at all. In other words: if the
additional section only has an A RRSet for a server, the resolver
SHOULD assume that no AAAA RRSet exists. This is to avoid repeated
unnecessary queries for names of name servers that do not or do not
yet offer IPv6 service, or, in perspective, will have ceased IPv4
service.
If the resolver did not announce a reassembly size larger than 512 A priming query is a normal DNS query. Thus, a root name server
octets, this assumption is invalid. Simple re-issuing of the priming cannot distinguish a priming query from any other query for the root
query does not help with those root name servers that respond with a NS RRSet. Thus, the root server's response will also be a normal DNS
fixed order of addresses in the additional section. Instead the response.
resolver ought to issue direct queries for A and AAAA RRSets for the
remaining names. In today's environment these RRSets would be
authoritatively available from the root name servers.
4. Requirements for Root Name Servers and the Root Zone 4.1. Expected Properties of the Priming Response
The operational requirements for root name servers are described in The priming response is expected to have an RCODE of NOERROR, and to
[RFC2870]. This section specifies additional guidance for the have the AA bit set. Also, there should be an NS RRSet in the Answer
configuration of and software deployed at the root name servers. section (because the NS RRSet originates from the root zone), an
empty Authority section (because the NS RRSet already appears in the
answer section) and an Additional section with A and/or AAAA RRSets
for the root name servers pointed at by the NS RRSet.
All DNS root name servers need to be able to provide for all Resolver software SHOULD treat the response to the priming query as a
addresses of all root name servers. This can easily achieved by normal DNS response, just as it would use any other data fed to its
keeping all root name server names in a single zone and by making all cache. Resolver software SHOULD NOT expect exactly 13 NS RRs.
root name servers authoritative for that zone.
If the response packet does not provide for more than 512 octets due 4.2. Completeness of the Response
to lack of EDNS0 support, A RRSets SHOULD be given preference over
AAAA RRSets when filling the additional section.
[[Issue 1: EDNS0 is used as an indication of AAAA understanding on There are currently 13 root servers. Of those 13, all have one IPv4
the side of the client. What to do with payload sizes indicated by address, and 11 have an IPv6 address. The combined size of all the A
EDNS0 that are smaller than 1024, is open to discussion. At the time and AAAA RRSets is (13 * 16) + (11 * 32), or 560 bytes. Not even
of writing, some root name servers will fill the additional section counting the NS RRSet, this value exceeds the original 512 octet
with all available A RRSets, only adding some AAAA RRSets, when payload limit from [RFC1035].
queried over IPv4 without EDNS0. Other servers will deliver more
AAAA RRSets, therefore withholding some A RRSets completely
[RFC4472].]]
To ensure equal availability the A and AAAA RRSets for the root name For an EDNS response, a resolver SHOULD consider the address
servers' names SHOULD have identical TTL values at the authoritative information found in the Additional section complete for any
source. particular server that appears at all. Said another way: in an EDNS
response, if the additional section only has an A RRSet for a server,
the resolver SHOULD assume that no AAAA RRSet exists.
[[Issue 2: Do the TTLs for the root NS RRSet and address RRSets in It is important to note that if the recursive resolver did not
the root and the ROOT-SERVERS.NET. zones need to be aligned? In real announce a reassembly size larger than 512 octets, this assumption is
life responses, the address RRSet's TTL values vary by name server invalid. Re-issuing of the priming query does not help with those
implementation. Is this diversity we can live with? Should the root name servers that respond with a fixed order of addresses in the
authoritative source prevail? Is it therefore a protocol issue additional section. Instead, the recursive resolver needs to to
rather than an operational choice of parameters?]] issue direct queries for A and AAAA RRSets for the remaining names.
Currently, these RRSets would be authoritatively available from the
root name servers.
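Review bot: In the new Section 4.2 the size calculation "(13 * 16) + (11 * 32), or 560 bytes" counts 32 octets per AAAA record, while the text it replaces used 28 ("13 * (16 + 28) == 572"); the change in per-record size is not explained. With 28 octets the total would be 516, which still exceeds 512, so either keep 28 or say where the extra 4 octets come from. The same paragraph mixes "bytes" and "octet" in adjacent sentences, and the last paragraph has a doubled word in "needs to to issue".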
5. Security Considerations 5. Security Considerations
This document deals with priming a DNS resolver's cache. The usual Spoofing a response to a priming query can be used to redirect all of
DNS caveats apply. Use of DNSSEC with priming queries is discussed the queries originating from a victim recursive resolver to one or
in section 2.4. more servers for the attacker. Until the responses to priming
queries are protected with DNSSEC, there is no definitive way to
Spoofing a response to a priming query can be used to redirect all prevent such redirection.
queries originating from a victim resolver. Therefore, any
difference between the inital SBELT list and the priming response
SHOULD be brought to the operators' attention. There is also a
chance that the random target selection chooses the address of a
retired root name server. Operational measures to prevent reuse of
these addresses are out of the scope of this document.
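Review bot: The new Security Considerations text states that "there is no definitive way to prevent such redirection" while removing the one detection measure the old text had, that any difference between the initial list and the priming response "SHOULD be brought to the operators' attention" (the matching SHOULD in the old Section 3.1 is removed as well). Suggest keeping an operator warning or log entry for such differences, and pointing to Section 3.3 for the DNSSEC discussion, as the old text pointed to section 2.4. The remark that random selection may pick "the address of a retired root name server" is also dropped without replacement.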
6. IANA Considerations 6. IANA Considerations
This document does not propose any new IANA registry nor does it ask None.
for any allocation from an existing IANA registry.
However, this document deals with requirements for the root zone and
root server operations.
[[Issue3: related to issue 2 - any recommendation on the "." NS
RRSet TTL or the TTLs of the respective A and/or AAAA RRSets might go
here.]]
7. References
7.1. Normative References 7. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>.
[RFC1123] Braden, R., "Requirements for Internet Hosts - Application [RFC1035] Mockapetris, P., "Domain names - implementation and
and Support", STD 3, RFC 1123, October 1989. specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
message size requirements", RFC 3226, December 2001. message size requirements", RFC 3226, DOI 10.17487/
RFC3226, December 2001,
<http://www.rfc-editor.org/info/rfc3226>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005. 4033, DOI 10.17487/RFC4033, March 2005,
<http://www.rfc-editor.org/info/rfc4033>.
[RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More [RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More
Resilient against Forged Answers", RFC 5452, January 2009. Resilient against Forged Answers", RFC 5452, DOI 10.17487/
RFC5452, January 2009,
<http://www.rfc-editor.org/info/rfc5452>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891, April 2013. for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/
RFC6891, April 2013,
7.2. Informative References <http://www.rfc-editor.org/info/rfc6891>.
[BLKT2004]
Barber, P., Larson, M., Kosters, M., and P. Toscano, "Life
and Times of J-Root", NANOG 32, October 2004.
[I-D.ietf-dnsop-dnssec-trust-anchor]
Larson, M. and O. Gudmundsson, "DNSSEC Trust Anchor
Configuration and Maintenance", draft-ietf-dnsop-dnssec-
trust-anchor-04 (work in progress), October 2010.
[I-D.koch-dns-glue-clarifications]
Koch, P., "DNS Glue RR Survey and Terminology
Clarification", draft-koch-dns-glue-clarifications-04
(work in progress), July 2010.
[Mann2006]
Manning, B., "persistent queries and phantom nameservers",
WIDE/CAIDA Workshop , October 2006.
[RFC2870] Bush, R., Karrenberg, D., Kosters, M., and R. Plzak, "Root
Name Server Operational Requirements", BCP 40, RFC 2870,
June 2000.
[RFC4472] Durand, A., Ihren, J., and P. Savola, "Operational
Considerations and Issues with IPv6 DNS", RFC 4472, April
2006.
[RFC4697] Larson, M. and P. Barber, "Observed DNS Resolution
Misbehavior", BCP 123, RFC 4697, October 2006.
[SSAC016] ICANN Security and Stability Advisory Committee, "Testing
Firewalls for IPv6 and EDNS0 Support", SSAC 016, January
2007.
[SSAC017] ICANN Security and Stability Advisory Committee, "Testing
Recursive Name Servers for IPv6 and EDNS0 Support", SSAC
017, February 2007.
Appendix A. Document Revision History
This section is to be removed should the draft be published.
$Id: draft-ietf-dnsop-resolver-priming.xml,v 1.8 2015/03/09 20:22:52
pk Exp $
A.1. -05 WG Document
Revived. Minor edits for readability - Warren.
A.2. -04 WG Document
Revived. Updated EDNS0 reference. Minor edits for clarity.
A.3. -03 WG Document
Revived. Resolved most open issues [[]] as per previous WG
discussion. Minor edits on history and wording. All root servers
authoritative for ROOT-SERVERS.NET.
A.4. -02 WG Document
Revived. Changed use of DNSSEC OK in the priming query as per the WG
discussion.
A.5. -01 WG Document
Revived with minor edits. Open issues marked [[]].
A.6. -00 WG Document
Reposted as WG document with minor edits.
Added re-primimg proposal and A/AAAA TTL considerations.
A.7. Initial Document Appendix A. Acknowledgements
First draft This document is the product of the DNSOP WG and benefitted from the
reviews done there.
Authors' Addresses Authors' Addresses
Peter Koch Peter Koch
DENIC eG DENIC eG
Kaiserstrasse 75-77 Kaiserstrasse 75-77
Frankfurt 60329 Frankfurt 60329
DE DE
Phone: +49 69 27235 0 Phone: +49 69 27235 0
Email: pk@DENIC.DE Email: pk@DENIC.DE
Matt Larson Matt Larson
skipping to change at line 392 skipping to change at page 6, line 38
Phone: +49 69 27235 0 Phone: +49 69 27235 0
Email: pk@DENIC.DE Email: pk@DENIC.DE
Matt Larson Matt Larson
Dyn, Inc. Dyn, Inc.
150 Dow St 150 Dow St
Manchester, NH 03101 Manchester, NH 03101
USA USA
Email: mlarson@dyn.com Email: mlarson@dyn.com
Paul Hoffman
ICANN
Email: paul.hoffman@icann.org
 End of changes. 48 change blocks. 
276 lines changed or deleted 158 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/