Network Working Group                                            P. Koch
Internet-Draft                                                  DENIC eG
Intended status: Best Current Practice                         M. Larson
Expires: September 10, 2015 July 16, 2016                                         Dyn, Inc.
                                                           March 9, 2015
                                                              P. Hoffman
                                                        January 13, 2016

            Initializing a DNS Resolver with Priming Queries


   This document describes the initial queries a DNS resolver is
   supposed to can emit in order to
   initialize its cache with cache.  The result is that the resolver gets both a
   current NS RRSet for the root zone and the necessary address information.
   information for reaching the root servers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 10, 2015. July 16, 2016.

Copyright Notice

   Copyright (c) 2015 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   Domain Name System (DNS)

   Recursive DNS resolvers need a starting point to resolve queries.  [RFC1034], section 5.3.2, defines the SBELT structure in a
   full resolver as:
   [RFC1034] describes a "safety belt" structure common scenario for recursive resolvers: they
   begin with an empty cache and some configuration for finding the
   names and addresses of the same form DNS root servers.  [RFC1034] describes
   that configuration as SLIST, which is
      initialized from a configuration file, and lists list of servers which
      should be used when the resolver doesn't have any local
      information to guide name server selection.  The match count will
      be -1 to indicate that no labels are known will authoritative
   answers to match.

   Section 5.3.3 of [RFC1034] adds queries about the usual root.  This has become a common
   implementation choice for recursive resolvers, and is two of the root servers and two topic of
   this document.

   This document describes the servers steps needed for this common
   implementation choice.  Note that this is not the host's domain

   Today's practice generally seperates serving and resolving
   functionalities, so the servers "for the host's domain" might no
   longer be an appropriate choice, even if they were only intended way to
   resolve "local" names, especially since the SBELT structure does not
   distinguish between local and global information.  In addition, DNS
   server implementations have for start a long time been seeded
   recursive name server with not only
   two but an exhaustive list of the root servers' addresses.  This list empty cache, but it is either supplied the only one
   described in [RFC1034].  Some implementers have chosen other
   directions, some of which work well and others of which fail
   (sometimes disastrously) under different conditions.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as a configuration file (root "hints", an excerpt described in [RFC2119].

   This document only deals with recursive name servers (recursive
   resolvers, resolvers) for the IN class.

2.  Description of Priming

   As described in this document, priming is the DNS root zone) or even compiled into act of finding the software.

   The list
   of root name servers has been rather stable over the last
   fifteen years.  After from a configuration that lists some or all of the last four servers had been added and moved
   to their final (network) destinations in 1997, there have
   purported IP addresses of some or all of those root servers.  A
   recursive resolver starts with no information about the root servers,
   and ends up with a list of their names and their addresses.

   Priming is described in Sections 5.3.2 and 5.3.3 of [RFC1034].  The
   scenario used in that description, that of a recursive server that is
   also authoritative, is no longer as common.

   Currently, it is quite common for the configured list of IP addresses
   for the root server to be mostly complete and correct.  Note that
   this list (at least initially) comes from the vendor or distributor
   of the recursive server software.

   The list of root server operators and the domain name associated with
   each one has been only
   five stable since 1997.  However, there are address
   changes affecting for the L (twice), J, B, and D servers.
   Research is available NS records for those root server operators, both for B [Mann2006]
   IPv4 and J [BLKT2004], which IPv6 addresses.  However, research shows that several months or even years after those
   addresses change, some resolvers never get the change had become
   effective, traffic is still received on the old new addresses.
   Therefore, it is important that resolvers be able to cope with
   change, even without relying upon configuration updates to be applied
   by their operator.

   Work by the ICANN SSAC and RSSAC committees, [SSAC016] and [SSAC017],
   aiming at adding AAAA RRs for  This is the root name servers' names, deals
   with priming queries and so does a draft on DNSSEC Trust Anchor
   maintenance [I-D.ietf-dnsop-dnssec-trust-anchor].  However, it turned
   out main reason that despite having been practiced for a long time, one needs to do
   queries have not yet been documented as an important resolver

   The following sections cover parameters instead of both the priming query and
   the response just going from a configured list to be sent by get a root name server.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Priming Queries

   This document only deals with recursive name servers (recursive
   resolvers, resolvers) for the IN CLASS.

2.1.  Parameters accurate list of a root servers.

3.  Priming Query Queries

   A priming query SHOULD use is a DNS query that has a QNAME of "." and a QTYPE of NS.
   NS, and is sent to one of the addresses in the configuration for the
   recursive resolver.  The priming query MUST MAY be sent over UDP (section of [RFC1123]).
   The UDP or TCP.
   If the query is sent over UDP, the source port SHOULD be randomly
   selected [RFC5452]. (see [RFC5452]).  The RD bit MUST NOT MAY be set. set to 0 or 1, although
   the meaning of it being set to 1 is undefined for priming queries.

   The recursive resolver SHOULD also use EDNS0 [RFC6891] for priming queries
   and SHOULD announce and handle a reassembly size of at least 1024
   octets [RFC3226].  This is
   to  Doing so allows responses that cover the size of a
   full priming response (see Section 3.3).

2.2. 4.2).

3.1.  Repeating Priming Queries


   The recursive resolver SHOULD NOT originate send a priming query only when it is
   needed.  This would be when the resolver starts with an empty cache,
   and when one or more often than once
   per day (or whenever of the NS records for the root servers has
   expired.  The recursive resolver starts).  It SHOULD adhere expire the NS records of the
   root servers according to the TTL values given in the priming
   response.  To avoid amnesia, the
   resolver MAY proactively re-prime before the old root NS RRSet
   expires from the cache, but only after 75 percent of the NS RRSet's
   TTL (or of the A/AAAA RRSets' TTL, whichever is lower) have passed.

   Should the

   If a priming query time out, does not get a response within 2 seconds, the
   recursive resolver SHOULD retry with a different target address.

2.3. address from
   the configuration.

3.2.  Target Selection


   In order to spread the load across all the root server operators, the
   recursive resolver MUST SHOULD select the target for a priming query
   randomly from the list of addresses.  The recursive resolver might
   choose either IPv4 and IPv6 addresses (IPv4 based on its knowledge of
   whether the server on which it is running has adequate transit on
   either type of address.

   Note that this recommended method is not the only way to choose from
   the list in a recursive resolver's configuration.  Two other other
   common methods include picking the first from the list, and IPv6) available
   remembering which address in its SBELT
   structure the list gave the fastest response
   earlier and it MUST ensure using that all targets one.  There are selected with equal
   probability even upon startup.  For resending the priming query to a
   different server probably other methods in use
   today.  However, the random selection SHOULD also be used.

2.4. method listed above is the one that is
   recommended for priming.

3.3.  DNSSEC with Priming Queries

   The resolver SHOULD NOT MAY set the DNSSEC OK [RFC4033] bit.

   Discussion: Delegations in referral responses are not signed, so
   consequently  At the priming response time this
   document is not validated, either.  For that being published, there is little use to work, performing DNSSEC
   validation on the priming response would also have to be self-contained in
   that it would allow query because the resolver to "" zone
   is not only validate the NS RRSet
   (with the root DNSKEY RRSet signed, and so a man-in-the-middle attack on the root NS RRSet's signature), but
   also priming query
   can result in malicious data in the A and AAAA RRSets.  All this information cannot be
   guaranteed to be either present at responses.  However, if the root name servers
   "" zone is later signed, or fit into
   the priming reponse even with the largest feasible EDNS0 buffer size.
   In fact, in today's Internet, with if the root name servers' names under
   "ROOT-SERVERS.NET.", this isn't even true for the top level domain
   involved.  So, even though server
   operators choose a poisoned priming response could
   drastically influence the resolver's operations, there different zone to identify themselves and that
   zone is little a signed, having DNSSEC enhanced priming response could achieve without the whole validation chain.  This would probably call for a different naming
   scheme (see section 6.1 of [I-D.koch-dns-glue-clarifications]).

3. the priming queries
   might be valuable.

4.  Priming Responses

   A priming query is a normal DNS query.  Thus, a root name server
   cannot distinguish a priming query from any other query for the root
   NS RRSet, except that QTYPE NS would not usually
   be part of RRSet.  Thus, the root server's response will also be a normal DNS resolution process.


4.1.  Expected Properties of the Priming Response

   The priming response can be is expected to have an RCODE of NOERROR NOERROR, and to
   have the AA bit set.  Also, there should be an NS RRSet in the answer Answer
   section (since (because the NS RRSet originates from the root zone), an
   authority Authority section (since (because the NS RRSet already appears in the
   answer section) and an additional Additional section with A and and/or AAAA RRSets
   for the root name servers pointed at by the NS RRSet.

   Resolver software SHOULD NOT expect a fixed number of 13 NS RRs, since "internal" root
   server setups in split DNS configurations might use a different
   number of servers.  Resolver software SHOULD warn the operator about
   any change in treat the number or names of name servers or their addresses
   compared response to the SBELT information.

3.2.  Use of the Priming Response

   A resolver MAY use the priming response query as a
   normal DNS response, just as it would use any other data fed to its
   cache.  However, it  Resolver software SHOULD NOT use the SBELT
   information directly in any responses it hands out.

3.3. expect exactly 13 NS RRs.

4.2.  Completeness of the Response

   Assuming an upper bound of thirteen

   There are currently 13 root name servers and servers.  Of those 13, all have one address
   each for IPv4
   address, and IPv6, the 11 have an IPv6 address.  The combined size of all the A
   and AAAA RRSets is 13 (13 * (16 16) + 28) == 572, independent of the naming scheme. (11 * 32), or 560 bytes.  Not even
   counting the NS RRSet, this value exceeds the original 512 octet
   payload limit. limit from [RFC1035].

   For an EDNS response, a resolver SHOULD consider the address
   information found in the additional Additional section complete for any
   particular server that appears at all.  In other words:  Said another way: in an EDNS
   response, if the additional section only has an A RRSet for a server,
   the resolver SHOULD assume that no AAAA RRSet exists.  This

   It is important to avoid repeated
   unnecessary queries for names of name servers note that do not or do not
   yet offer IPv6 service, or, in perspective, will have ceased IPv4

   If if the recursive resolver did not
   announce a reassembly size larger than 512 octets, this assumption is
   invalid.  Simple re-issuing  Re-issuing of the priming query does not help with those
   root name servers that respond with a fixed order of addresses in the
   additional section.  Instead  Instead, the recursive resolver ought needs to to
   issue direct queries for A and AAAA RRSets for the remaining names.  In today's environment these RRSets would be
   authoritatively available from the root name servers.

4.  Requirements for Root Name Servers and the Root Zone

   The operational requirements for root name servers are described in
   [RFC2870].  This section specifies additional guidance for the
   configuration of and software deployed at the root name servers.

   All DNS root name servers need to be able to provide for all
   addresses of all root name servers.  This can easily achieved by
   keeping all root name server names in a single zone and by making all
   root name servers authoritative for that zone.

   If the response packet does not provide for more than 512 octets due
   to lack of EDNS0 support, A RRSets SHOULD be given preference over
   AAAA RRSets when filling the additional section.

   [[Issue 1: EDNS0 is used as an indication of AAAA understanding on
   the side of the client.  What to do with payload sizes indicated by
   EDNS0 that are smaller than 1024, is open to discussion.  At the time
   of writing, some root name servers will fill the additional section
   with all available A RRSets, only adding some AAAA RRSets, when
   queried over IPv4 without EDNS0.  Other servers will deliver more
   AAAA RRSets, therefore withholding some A RRSets completely

   To ensure equal availability the A and AAAA RRSets for the root name
   servers' names SHOULD have identical TTL values at the authoritative

   [[Issue 2: Do the TTLs for the root NS RRSet and address RRSets in
   the root and the ROOT-SERVERS.NET. zones need to
   Currently, these RRSets would be aligned?  In real
   life responses, authoritatively available from the address RRSet's TTL values vary by
   root name server
   implementation.  Is this diversity we can live with?  Should the
   authoritative source prevail?  Is it therefore a protocol issue
   rather than an operational choice of parameters?]] servers.

5.  Security Considerations

   This document deals with priming a DNS resolver's cache.  The usual
   DNS caveats apply.  Use of DNSSEC with priming queries is discussed
   in section 2.4.

   Spoofing a response to a priming query can be used to redirect all of
   the queries originating from a victim resolver.  Therefore, any
   difference between recursive resolver to one or
   more servers for the inital SBELT list and attacker.  Until the priming response
   SHOULD be brought responses to the operators' attention.  There priming
   queries are protected with DNSSEC, there is also a
   chance that the random target selection chooses the address of a
   retired root name server.  Operational measures no definitive way to
   prevent reuse of
   these addresses are out of the scope of this document. such redirection.

6.  IANA Considerations

   This document does not propose any new IANA registry nor does it ask
   for any allocation from an existing IANA registry.

   However, this document deals with requirements for the root zone and
   root server operations.

   [[Issue3: related to issue 2 - any recommendation on the "."  NS
   RRSet TTL or the TTLs of the respective A and/or AAAA RRSets might go


7.  References

7.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

   [RFC1123]  Braden, R., "Requirements for Internet Hosts 1987,

   [RFC1035]  Mockapetris, P., "Domain names - Application implementation and Support",
              specification", STD 3, 13, RFC 1123, October 1989. 1035, DOI 10.17487/RFC1035,
              November 1987, <>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
              RFC2119, March 1997. 1997,

   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
              message size requirements", RFC 3226, DOI 10.17487/
              RFC3226, December 2001. 2001,

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements", RFC
              4033, DOI 10.17487/RFC4033, March 2005. 2005,

   [RFC5452]  Hubert, A. and R. van Mook, "Measures for Making DNS More
              Resilient against Forged Answers", RFC 5452, DOI 10.17487/
              RFC5452, January 2009. 2009,

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/
              RFC6891, April 2013.

7.2.  Informative References

              Barber, P., Larson, M., Kosters, M., and P. Toscano, "Life
              and Times of J-Root", NANOG 32, October 2004.

              Larson, M. and O. Gudmundsson, "DNSSEC Trust Anchor
              Configuration and Maintenance", draft-ietf-dnsop-dnssec-
              trust-anchor-04 (work in progress), October 2010.

              Koch, P., "DNS Glue RR Survey and Terminology
              Clarification", draft-koch-dns-glue-clarifications-04
              (work in progress), July 2010.

              Manning, B., "persistent queries and phantom nameservers",
              WIDE/CAIDA Workshop , October 2006.

   [RFC2870]  Bush, R., Karrenberg, D., Kosters, M., and R. Plzak, "Root
              Name Server Operational Requirements", BCP 40, RFC 2870,
              June 2000.

   [RFC4472]  Durand, A., Ihren, J., and P. Savola, "Operational
              Considerations and Issues with IPv6 DNS", RFC 4472, April

   [RFC4697]  Larson, M. and P. Barber, "Observed DNS Resolution
              Misbehavior", BCP 123, RFC 4697, October 2006.

   [SSAC016]  ICANN Security and Stability Advisory Committee, "Testing
              Firewalls for IPv6 and EDNS0 Support", SSAC 016, January

   [SSAC017]  ICANN Security and Stability Advisory Committee, "Testing
              Recursive Name Servers for IPv6 and EDNS0 Support", SSAC
              017, February 2007. 2013,

Appendix A.  Document Revision History  Acknowledgements

   This section document is to be removed should the draft be published.

   $Id: draft-ietf-dnsop-resolver-priming.xml,v 1.8 2015/03/09 20:22:52
   pk Exp $

A.1.  -05 WG Document

   Revived.  Minor edits for readability - Warren.

A.2.  -04 WG Document

   Revived.  Updated EDNS0 reference.  Minor edits for clarity.

A.3.  -03 WG Document

   Revived.  Resolved most open issues [[]] as per previous WG
   discussion.  Minor edits on history and wording.  All root servers
   authoritative for ROOT-SERVERS.NET.

A.4.  -02 WG Document

   Revived.  Changed use product of DNSSEC OK in the priming query as per the DNSOP WG

A.5.  -01 WG Document

   Revived with minor edits.  Open issues marked [[]].

A.6.  -00 WG Document

   Reposted as WG document with minor edits.

   Added re-primimg proposal and A/AAAA TTL considerations.

A.7.  Initial Document

   First draft benefitted from the
   reviews done there.

Authors' Addresses

   Peter Koch
   Kaiserstrasse 75-77
   Frankfurt  60329

   Phone: +49 69 27235 0
   Email: pk@DENIC.DE

   Matt Larson
   Dyn, Inc.
   150 Dow St
   Manchester, NH  03101


   Paul Hoffman