draft-ietf-dnsop-resolver-priming-08.txt   draft-ietf-dnsop-resolver-priming-09.txt 
Network Working Group P. Koch Network Working Group P. Koch
Internet-Draft DENIC eG Internet-Draft DENIC eG
Intended status: Best Current Practice M. Larson Intended status: Best Current Practice M. Larson
Expires: February 27, 2017 P. Hoffman Expires: March 19, 2017 P. Hoffman
ICANN ICANN
August 26, 2016 September 15, 2016
Initializing a DNS Resolver with Priming Queries Initializing a DNS Resolver with Priming Queries
draft-ietf-dnsop-resolver-priming-08 draft-ietf-dnsop-resolver-priming-09
Abstract Abstract
This document describes the queries that a DNS resolver should emit This document describes the queries that a DNS resolver should emit
to initialize its cache. The result is that the resolver gets both a to initialize its cache. The result is that the resolver gets both a
current NS RRSet for the root zone and the necessary address current NS RRSet for the root zone and the necessary address
information for reaching the root servers. information for reaching the root servers.
Status of This Memo Status of This Memo
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 27, 2017. This Internet-Draft will expire on March 19, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 16 skipping to change at page 4, line 16
the list in a recursive resolver's configuration. Two other common the list in a recursive resolver's configuration. Two other common
methods include picking the first from the list, and remembering methods include picking the first from the list, and remembering
which address in the list gave the fastest response earlier and using which address in the list gave the fastest response earlier and using
that one. There are probably other methods in use today. However, that one. There are probably other methods in use today. However,
the random method listed above SHOULD be used for priming. the random method listed above SHOULD be used for priming.
3.3. DNSSEC with Priming Queries 3.3. DNSSEC with Priming Queries
The resolver MAY set the DNSSEC OK (DO) bit. At the time this The resolver MAY set the DNSSEC OK (DO) bit. At the time this
document is being published, there is little use to performing DNSSEC document is being published, there is little use to performing DNSSEC
validation on the priming query because the "root-servers.net" zone validation on the priming query. Currently all root name server
is not signed, and so a man-in-the-middle attack on the priming query names end in "root-servers.net" and the AAAA and A RRsets for the
can result in malicious data in the responses. However, if the root server names reside in the "root-servers.net" zone. All root
"root-servers.net" zone is later signed, or if the root servers are servers are also authoritative for this zone, allowing priming
named in a different zone and that zone is signed, having DNSSEC responses to include the appropriate root name server A and AAAA
validation for the priming queries might be valuable. RRsets. But because the "root-servers.net" zone is not currently
signed, these RRsets cannot be validated.
A man-in-the-middle attack on the priming query could direct a
resolver to a rogue root name server. Note, however, that a
validating resolver will not accept responses from rogue root name
servers if they are different from the real responses because the
resolver has a trust anchor for the root and the answers from the
root are signed. Thus, if there is a man-in-the-middle attack on the
priming query, the only result for a validating resolver will be a
denial of service, not the resolver's accepting the bad responses.
If the "root-servers.net" zone is later signed, or if the root
servers are named in a different zone and that zone is signed, having
DNSSEC validation for the priming queries might be valuable.
4. Priming Responses 4. Priming Responses
A priming query is a normal DNS query. Thus, a root name server A priming query is a normal DNS query. Thus, a root name server
cannot distinguish a priming query from any other query for the root cannot distinguish a priming query from any other query for the root
NS RRSet. Thus, the root server's response will also be a normal DNS NS RRSet. Thus, the root server's response will also be a normal DNS
response. response.
4.1. Expected Properties of the Priming Response 4.1. Expected Properties of the Priming Response
skipping to change at page 4, line 46 skipping to change at page 5, line 11
in the Answer section). There will also be an Additional section in the Answer section). There will also be an Additional section
with A and/or AAAA RRSets for the root name servers pointed at by the with A and/or AAAA RRSets for the root name servers pointed at by the
NS RRSet. NS RRSet.
Resolver software SHOULD treat the response to the priming query as a Resolver software SHOULD treat the response to the priming query as a
normal DNS response, just as it would use any other data fed to its normal DNS response, just as it would use any other data fed to its
cache. Resolver software SHOULD NOT expect exactly 13 NS RRs. cache. Resolver software SHOULD NOT expect exactly 13 NS RRs.
4.2. Completeness of the Response 4.2. Completeness of the Response
There are currently 13 root servers. Of those 13, all have one IPv4 There are currently 13 root servers. All have one IPv4 address, and
address, and 12 have an IPv6 address. The combined size of all the A 12 of the 13 have an IPv6 address. The combined size of all the A
and AAAA RRSets is 544 bytes. Not even counting the NS RRSet, this and AAAA RRSets is 544 bytes. Not even counting the NS RRSet, this
value exceeds the original 512 octet payload limit from [RFC1035]. value exceeds the original 512 octet payload limit from [RFC1035].
For an EDNS response when recursive resolver announced a reassembly
size larger than 512 octets, a resolver SHOULD consider the address
information found in the Additional section complete for any
particular server that appears at all. Said another way: in an EDNS
response, if the Additional section only has an A RRSet for a server,
the resolver can assume that no AAAA RRSet exists for that server.
This assumption is invalid if the announced reassembly size in the
resolver's query was smaller than 512 octets.
In the event of a response where the Additional section omits certain In the event of a response where the Additional section omits certain
root server address information, re-issuing of the priming query does root server address information, re-issuing of the priming query does
not help with those root name servers that respond with a fixed order not help with those root name servers that respond with a fixed order
of addresses in the Additional section. Instead, the recursive of addresses in the Additional section. Instead, the recursive
resolver needs to issue direct queries for A and AAAA RRSets for the resolver needs to issue direct queries for A and AAAA RRSets for the
remaining names. Currently, these RRSets would be authoritatively remaining names. Currently, these RRSets would be authoritatively
available from the root name servers. available from the root name servers.
5. Security Considerations 5. Security Considerations
skipping to change at page 5, line 33 skipping to change at page 5, line 38
more servers for the attacker. Until the responses to priming more servers for the attacker. Until the responses to priming
queries are protected with DNSSEC, there is no definitive way to queries are protected with DNSSEC, there is no definitive way to
prevent such redirection. prevent such redirection.
An on-path attacker who sees a priming query coming from a resolver An on-path attacker who sees a priming query coming from a resolver
can inject false answers before a root server can give correct can inject false answers before a root server can give correct
answers. If the attacker's answers are accepted, this can set up the answers. If the attacker's answers are accepted, this can set up the
ability to give further false answers for future queries to the ability to give further false answers for future queries to the
resolver. False answers for root servers are more dangerous than, resolver. False answers for root servers are more dangerous than,
say, false answers for TLDs, because the root is the highest node of say, false answers for TLDs, because the root is the highest node of
the DNS. the DNS. See Section 3.3 for more discussion.
In both of the scenarios above, a validating resolver will be able to In both of the scenarios above, a validating resolver will be able to
detect the attack if its chain of queries comes to a zone that is detect the attack if its chain of queries comes to a zone that is
signed, but not for those that are unsigned. signed, but not for those that are unsigned.
6. IANA Considerations 6. IANA Considerations
None. None.
7. Normative References 7. Normative References
 End of changes. 8 change blocks. 
22 lines changed or deleted 27 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/