draft-ietf-dnsop-resolver-priming-11.txt   rfc8109.txt 
Network Working Group P. Koch Internet Engineering Task Force (IETF) P. Koch
Internet-Draft DENIC eG Request for Comments: 8109 DENIC eG
Intended status: Best Current Practice M. Larson BCP: 209 M. Larson
Expires: June 27, 2017 P. Hoffman Category: Best Current Practice P. Hoffman
ICANN ISSN: 2070-1721 ICANN
December 24, 2016 March 2017
Initializing a DNS Resolver with Priming Queries Initializing a DNS Resolver with Priming Queries
draft-ietf-dnsop-resolver-priming-11
Abstract Abstract
This document describes the queries that a DNS resolver should emit This document describes the queries that a DNS resolver should emit
to initialize its cache. The result is that the resolver gets both a to initialize its cache. The result is that the resolver gets both a
current NS RRSet for the root zone and the necessary address current NS Resource Record Set (RRset) for the root zone and the
information for reaching the root servers. necessary address information for reaching the root servers.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This memo documents an Internet Best Current Practice.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
BCPs is available in Section 2 of RFC 7841.
This Internet-Draft will expire on June 27, 2017. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8109.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................2
2. Description of Priming ..........................................3
3. Priming Queries .................................................3
3.1. Repeating Priming Queries ..................................4
3.2. Target Selection ...........................................4
3.3. DNSSEC with Priming Queries ................................4
4. Priming Responses ...............................................5
4.1. Expected Properties of the Priming Response ................5
4.2. Completeness of the Response ...............................5
5. Security Considerations .........................................6
6. IANA Considerations .............................................6
7. Normative References ............................................6
Acknowledgements ...................................................7
Authors' Addresses .................................................7
1. Introduction 1. Introduction
Recursive DNS resolvers need a starting point to resolve queries. Recursive DNS resolvers need a starting point to resolve queries.
[RFC1034] describes a common scenario for recursive resolvers: they [RFC1034] describes a common scenario for recursive resolvers: they
begin with an empty cache and some configuration for finding the begin with an empty cache and some configuration for finding the
names and addresses of the DNS root servers. [RFC1034] describes names and addresses of the DNS root servers. [RFC1034] describes
that configuration as a list of servers that will give authoritative that configuration as a list of servers that will give authoritative
answers to queries about the root. This has become a common answers to queries about the root. This has become a common
implementation choice for recursive resolvers, and is the topic of implementation choice for recursive resolvers, and is the topic of
this document. this document.
skipping to change at page 3, line 23 skipping to change at page 3, line 40
priming instead of just going from a configured list to get a full priming instead of just going from a configured list to get a full
and accurate list of root servers. and accurate list of root servers.
3. Priming Queries 3. Priming Queries
A priming query is a DNS query used to get the root server A priming query is a DNS query used to get the root server
information in a resolver. It has a QNAME of "." and a QTYPE of NS, information in a resolver. It has a QNAME of "." and a QTYPE of NS,
and is sent to one of the addresses in the configuration for the and is sent to one of the addresses in the configuration for the
recursive resolver. The priming query can be sent over either UDP or recursive resolver. The priming query can be sent over either UDP or
TCP. If the query is sent over UDP, the source port SHOULD be TCP. If the query is sent over UDP, the source port SHOULD be
randomly selected (see [RFC5452]). The RD bit MAY be set to 0 or 1, randomly selected (see [RFC5452]). The Recursion Desired (RD) bit
although the meaning of it being set to 1 is undefined for priming MAY be set to 0 or 1, although the meaning of it being set to 1 is
queries. undefined for priming queries.
The recursive resolver SHOULD use EDNS0 [RFC6891] for priming queries The recursive resolver SHOULD use EDNS(0) [RFC6891] for priming
and SHOULD announce and handle a reassembly size of at least 1024 queries and SHOULD announce and handle a reassembly size of at least
octets [RFC3226]. Doing so allows responses that cover the size of a 1024 octets [RFC3226]. Doing so allows responses that cover the size
full priming response (see Section 4.2) for the current set of root of a full priming response (see Section 4.2) for the current set of
servers. See Section 3.3 for discussion of setting the DNSSEC OK root servers. See Section 3.3 for discussion of setting the DNSSEC
(DO) bit (defined in [RFC4033]). OK (DO) bit (defined in [RFC4033]).
3.1. Repeating Priming Queries 3.1. Repeating Priming Queries
The recursive resolver SHOULD send a priming query only when it is The recursive resolver SHOULD send a priming query only when it is
needed, such as when the resolver starts with an empty cache and when needed, such as when the resolver starts with an empty cache and when
the NS RRset for the root zone has expired. Because the NS records the NS RRset for the root zone has expired. Because the NS records
for the root are not special, the recursive resolver expires those NS for the root are not special, the recursive resolver expires those NS
records according to their TTL values. (Note that a recursive records according to their TTL values. (Note that a recursive
resolver MAY pre-fetch the NS RRset before it expires.) resolver MAY pre-fetch the NS RRset before it expires.)
If a priming query does not get a response, the recursive resolver If a priming query does not get a response, the recursive resolver
needs to retry the query with a different target address from the needs to retry the query with a different target address from the
configuration. configuration.
3.2. Target Selection 3.2. Target Selection
In order to spread the load across all the root server domain names, In order to spread the load across all the root server domain names,
the recursive resolver SHOULD select the target for a priming query the recursive resolver SHOULD select the target for a priming query
randomly from the list of addresses. The recursive resolver might randomly from the list of addresses. The recursive resolver might
choose either IPv4 and IPv6 addresses based on its knowledge of choose either IPv4 or IPv6 addresses based on its knowledge of
whether the system on which it is running has adequate connectivity whether the system on which it is running has adequate connectivity
on either type of address. on either type of address.
Note that this recommended method is not the only way to choose from Note that this recommended method is not the only way to choose from
the list in a recursive resolver's configuration. Two other common the list in a recursive resolver's configuration. Two other common
methods include picking the first from the list, and remembering methods include picking the first from the list, and remembering
which address in the list gave the fastest response earlier and using which address in the list gave the fastest response earlier and using
that one. There are probably other methods in use today. However, that one. There are probably other methods in use today. However,
the random method listed above SHOULD be used for priming. the random method listed above SHOULD be used for priming.
3.3. DNSSEC with Priming Queries 3.3. DNSSEC with Priming Queries
The resolver MAY set the DNSSEC OK (DO) bit. At the time this The resolver MAY set the DNSSEC OK (DO) bit. At the time of
document is being published, there is little use to performing DNSSEC publication, there is little use to performing DNSSEC validation on
validation on the priming query. Currently all root name server the priming query. Currently, all root name server names end in
names end in "root-servers.net" and the AAAA and A RRsets for the "root-servers.net" and the AAAA and A RRsets for the root server
root server names reside in the "root-servers.net" zone. All root names reside in the "root-servers.net" zone. All root servers are
servers are also authoritative for this zone, allowing priming also authoritative for this zone, allowing priming responses to
responses to include the appropriate root name server A and AAAA include the appropriate root name server A and AAAA RRsets. But,
RRsets. But because the "root-servers.net" zone is not currently because the "root-servers.net" zone is not currently signed, these
signed, these RRsets cannot be validated. RRsets cannot be validated.
A man-in-the-middle attack on the priming query could direct a A man-in-the-middle attack on the priming query could direct a
resolver to a rogue root name server. Note, however, that a resolver to a rogue root name server. Note, however, that a
validating resolver will not accept responses from rogue root name validating resolver will not accept responses from rogue root name
servers if they are different from the real responses because the servers if they are different from the real responses because the
resolver has a trust anchor for the root and the answers from the resolver has a trust anchor for the root and the answers from the
root are signed. Thus, if there is a man-in-the-middle attack on the root are signed. Thus, if there is a man-in-the-middle attack on the
priming query, the only result for a validating resolver will be a priming query, the only result for a validating resolver will be a
denial of service, not the resolver's accepting the bad responses. denial of service, not the resolver's accepting the bad responses.
If the "root-servers.net" zone is later signed, or if the root If the "root-servers.net" zone is later signed, or if the root
servers are named in a different zone and that zone is signed, having servers are named in a different zone and that zone is signed, having
DNSSEC validation for the priming queries might be valuable. DNSSEC validation for the priming queries might be valuable.
4. Priming Responses 4. Priming Responses
A priming query is a normal DNS query. Thus, a root name server A priming query is a normal DNS query. Thus, a root name server
cannot distinguish a priming query from any other query for the root cannot distinguish a priming query from any other query for the root
NS RRSet. Thus, the root server's response will also be a normal DNS NS RRset. Thus, the root server's response will also be a normal DNS
response. response.
4.1. Expected Properties of the Priming Response 4.1. Expected Properties of the Priming Response
The priming response is expected to have an RCODE of NOERROR, and to The priming response is expected to have an RCODE of NOERROR, and to
have the AA bit set. Also, it is expected to have an NS RRSet in the have the Authoritative Answer (AA) bit set. Also, it is expected to
Answer section (because the NS RRSet originates from the root zone), have an NS RRset in the Answer section (because the NS RRset
and an empty Authority section (because the NS RRSet already appears originates from the root zone), and an empty Authority section
in the Answer section). There will also be an Additional section (because the NS RRset already appears in the Answer section). There
with A and/or AAAA RRSets for the root name servers pointed at by the will also be an Additional section with A and/or AAAA RRsets for the
NS RRSet. root name servers pointed at by the NS RRset.
Resolver software SHOULD treat the response to the priming query as a Resolver software SHOULD treat the response to the priming query as a
normal DNS response, just as it would use any other data fed to its normal DNS response, just as it would use any other data fed to its
cache. Resolver software SHOULD NOT expect exactly 13 NS RRs because cache. Resolver software SHOULD NOT expect exactly 13 NS RRs
historically some root servers have returned fewer. because, historically, some root servers have returned fewer.
4.2. Completeness of the Response 4.2. Completeness of the Response
There are currently 13 root servers. All have one IPv4 address and There are currently 13 root servers. All have one IPv4 address and
one IPv6 address. Not even counting the NS RRSet, the combined size one IPv6 address. Not even counting the NS RRset, the combined size
of all the A and AAAA RRSets exceeds the original 512 octet payload of all the A and AAAA RRsets exceeds the original 512-octet payload
limit from [RFC1035]. limit from [RFC1035].
In the event of a response where the Additional section omits certain In the event of a response where the Additional section omits certain
root server address information, re-issuing of the priming query does root server address information, re-issuing of the priming query does
not help with those root name servers that respond with a fixed order not help with those root name servers that respond with a fixed order
of addresses in the Additional section. Instead, the recursive of addresses in the Additional section. Instead, the recursive
resolver needs to issue direct queries for A and AAAA RRSets for the resolver needs to issue direct queries for A and AAAA RRsets for the
remaining names. Currently, these RRSets would be authoritatively remaining names. Currently, these RRsets would be authoritatively
available from the root name servers. available from the root name servers.
5. Security Considerations 5. Security Considerations
Spoofing a response to a priming query can be used to redirect all of Spoofing a response to a priming query can be used to redirect all of
the queries originating from a victim recursive resolver to one or the queries originating from a victim recursive resolver to one or
more servers for the attacker. Until the responses to priming more servers for the attacker. Until the responses to priming
queries are protected with DNSSEC, there is no definitive way to queries are protected with DNSSEC, there is no definitive way to
prevent such redirection. prevent such redirection.
An on-path attacker who sees a priming query coming from a resolver An on-path attacker who sees a priming query coming from a resolver
can inject false answers before a root server can give correct can inject false answers before a root server can give correct
answers. If the attacker's answers are accepted, this can set up the answers. If the attacker's answers are accepted, this can set up the
ability to give further false answers for future queries to the ability to give further false answers for future queries to the
resolver. False answers for root servers are more dangerous than, resolver. False answers for root servers are more dangerous than,
say, false answers for TLDs, because the root is the highest node of say, false answers for Top-Level Domains (TLDs), because the root is
the DNS. See Section 3.3 for more discussion. the highest node of the DNS. See Section 3.3 for more discussion.
In both of the scenarios above, a validating resolver will be able to In both of the scenarios above, a validating resolver will be able to
detect the attack if its chain of queries comes to a zone that is detect the attack if its chain of queries comes to a zone that is
signed, but not for those that are unsigned. signed, but not for those that are unsigned.
6. IANA Considerations 6. IANA Considerations
None. This document does not require any IANA actions.
7. Normative References 7. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034,
<http://www.rfc-editor.org/info/rfc1034>. November 1987, <http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware
message size requirements", RFC 3226, server/resolver message size requirements", RFC 3226,
DOI 10.17487/RFC3226, December 2001, DOI 10.17487/RFC3226, December 2001,
<http://www.rfc-editor.org/info/rfc3226>. <http://www.rfc-editor.org/info/rfc3226>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005, RFC 4033, DOI 10.17487/RFC4033, March 2005,
<http://www.rfc-editor.org/info/rfc4033>. <http://www.rfc-editor.org/info/rfc4033>.
[RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More [RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More
Resilient against Forged Answers", RFC 5452, Resilient against Forged Answers", RFC 5452,
DOI 10.17487/RFC5452, January 2009, DOI 10.17487/RFC5452, January 2009,
<http://www.rfc-editor.org/info/rfc5452>. <http://www.rfc-editor.org/info/rfc5452>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891, for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013, DOI 10.17487/RFC6891, April 2013,
<http://www.rfc-editor.org/info/rfc6891>. <http://www.rfc-editor.org/info/rfc6891>.
Appendix A. Acknowledgements Acknowledgements
This document is the product of the DNSOP WG and benefitted from the This document is the product of the DNSOP WG and benefitted from the
reviews done there. reviews done there.
Authors' Addresses Authors' Addresses
Peter Koch Peter Koch
DENIC eG DENIC eG
Kaiserstrasse 75-77 Kaiserstrasse 75-77
Frankfurt 60329 Frankfurt 60329
DE Germany
Phone: +49 69 27235 0 Phone: +49 69 27235 0
Email: pk@DENIC.DE Email: pk@DENIC.DE
Matt Larson Matt Larson
ICANN ICANN
Email: matt.larson@icann.org Email: matt.larson@icann.org
Paul Hoffman Paul Hoffman
 End of changes. 28 change blocks. 
85 lines changed or deleted 98 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/