dnsop J. Yao Internet-Draft N. Kong Intended status: Standards Track X. Li Expires: March 31, 2016 CNNIC September 28, 2015 Decreasing Fetch time of Root Data by Improving the Mechanism of Root Data Cacheing draft-yao-dnsop-root-cache-00 Abstract Many DNS recursive resolvers have long round trip times to the DNS root server. It has been an obstacle to increse the performance of DNS query. In order to decrease fetch time of DNS root data, this document proposes a new mechanism by improving the mechanism of root data cacheing. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 31, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Yao, et al. Expires March 31, 2016 [Page 1] Internet-Draft root-cache-solution September 2015 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Design Considerations . . . . . . . . . . . . . . . . . . . . 3 4. Mechanism for decreasing fetch time of DNS root data . . . . 4 5. System Requirements . . . . . . . . . . . . . . . . . . . . . 6 6. Requirement of the Root Data Cache . . . . . . . . . . . . . 7 7. Requirement and Operation of the Root Zone Analyzer . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 10. Change History . . . . . . . . . . . . . . . . . . . . . . . 9 10.1. draft-yao-dnsop-root-cache: Version 00 . . . . . . . . . 9 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 11.1. Normative References . . . . . . . . . . . . . . . . . . 9 11.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction Many DNS recursive resolvers have long round trip times to the DNS root server, which sometimes become the big burden to increase the DNS resolving performance. The document [Root-loopback] allows the new root zone server to be run on a loopback address to decrease access time to root servers, but it also points out " this design being described here is not considered a "best practice." This document provides a new method by improving the mechanism of root data cacheing. The cache provides an efficient way for DNS to efficiently improve its resolving performance. The resolver can eliminate network delay and name server load from most requests by answering them from its cache of prior results. Yao, et al. Expires March 31, 2016 [Page 2] Internet-Draft root-cache-solution September 2015 TTL is a time limit on how long an RR can be kept in a cache. Root zone data normally is kept stable except the SOA record which the root administrator may intentionaly change. Long TTLs can be used to maximize caching. Recursive resolvers currently send queries for all TLDs that are not in their caches to root servers. If there is a mechanism which can increase the valid time of root data in the cache without using the outdated root data information, it will help to decrease access time to root servers generally or help to decrease the fetch time of root data. When any RR is updated in a zone, there will have a new version of zone and have a different serial No. in SOA record. The root zone normally updates its data not frequently as other zones such as the TLD zone. The data for the root zone is usually long- lived. While TTLs can be used to dynamically adjust caching, and a zero TTL prohibits caching, the realities of root zone features suggest that these times should be on the order of days for the typical resolver. If a change can be anticipated, the TTL can be reduced prior to the change to minimize inconsistency during the change, and then increased back to its former value following the change. 2. Terminology The basic key words such as "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "MAY", and "MAYNOT" are to be interpreted as described in [RFC2119]. The basic DNS terms used in this specification are defined in the documents [RFC1034] and [RFC1035]. 3. Design Considerations The following features will be used to design the cache based mechanism to decrease fetch time of root data: o All resolvers have to connect the root servers for root data. The root data is a common one for all resolvers. o The TLD contents of the root zone is not changed frequently. o DNSSEC[RFC4033][RFC4034][RFC4035] protects the data origin authentication and data integrity. The goal of our design is that the cached root data can be valid as long as the expire value of the root SOA or longger while the data still remains fresh. The mechanism proposed by this dcoument will decrease fetch time of DNS root data efficently. Yao, et al. Expires March 31, 2016 [Page 3] Internet-Draft root-cache-solution September 2015 4. Mechanism for decreasing fetch time of DNS root data Local System | Foreign | +---------+ +----------+ | +--------+ | | references | |queries | | | |Root Data|-------------->| |---------|->| Root | | Cache | | Resolver | | | Name | | |<--------------| |<--------|--| Servers| | | cache ops | |responses| | | +---------+ +----------+ | +--------+ | | A | | | | V | | +----------+ | +--------+ | Root |-------- |->| IANA | | Zone | | |RootZone| | Analyzer |<------- |--| File | +----------+ | +--------+ Figure 1. The structure of root data caching mechanism The figure above shows the structure of root data caching mechanism. There will have a separated cache specially designed for root data called root data cache in the resolver. There will have a Root Zone Analyzer which will get the SOA record and zone file of root, and analyze the data. The design is shown in the figure above. The detailed function of the three components in the local system is shown below. 1)Root Data Cache: It will cache the root TLD data information from the root name server queried by the resolver. It has three parameters, respectively, version No., fingerprint and refresh timer. Version No: The value is same to SOA serial No. of the current version of root zone. Fingerprint: The value is the digest value by the same digest operation ( MD5 [RFC 1321]) performed by the root zone analyzer to the root zone (excluding the SOA and its RRSIG) Refresh Timer: Yao, et al. Expires March 31, 2016 [Page 4] Internet-Draft root-cache-solution September 2015 The contents of the root data cache MUST be refreshed using the timer. That is that every RR will be assigned a refresh timer with the default value when it is put into the root data cache. The default timer value is the expire value from the root SOA record in [RFC1035]. The administrators may set their own timer value to RRs in the root data cache. 2)Resolver: When the resolver needs to query the TLD information in the root, it should check its cache (specified in RFC 1035) first. If it fails, it then should check the root data cache. If it can not find the answer queried, it then asks the question to root name servers. If it is a DNSSEC query to the root, the resolver should verify the response from the root with DNSSEC. If it passes the DNSSEC validation, the resolver should put these TLD RRs into the root data cache. If it is not a DNSSEC query, the resolver should send another query with the same question with DNSSEC to the root. If the response from the root passes the DNSSEC validation, the resolver should put the TLD data in the response into the root data cache. If these TLD RRs can not pass the DNSSEC validation, it should discard them without caching. The basic implication is that all sanity checks on any TLD RR should be performed before any of it is cached into the root data cache. When a resolver finds a set of RRs for some TLD name in a response from the root, and wants to cache the RRs into the root data cache, it should check its root data cache for already existing RRs. If there is one, the resolver should replace it with the new one. When several RRs of the same type are available for a TLD, the resolver should either cache them all or none at all. The resolver should not cache a possibly partial set of RRs. 3)Root Zone Analyzer: It will check the root SOA record and analyze the root zone data frequently. Currently, the root SOA is changed every day even if the contents of the root zone are unchanged. So in most cases, the difference between the new zone and old zone is that SOA record and its RRSIG have the new version while the other parts will be kept same. When the root zone analyzer finds that the root SOA is changed, it should download the root zone file. The root zone analyzer will perform the same digest operation (such as MD5), and compare the result to fingerprint of the root zone (excluding the SOA and its RRSIG) stored in the root data cache. If the SOA is changed and the fingerprint is not changed, the version No. will be changed to the new SOA serial No.. If both the SOA and the fingerprint are changed, the version No. must be changed to the new SOA serial No., and the fingerprint must be changed to the new digest value of the root zone (excluding the SOA and its RRSIG), and flush the root data cache. It means that all root data cache information may be outdated. The system should discard all data in the root data cache. Yao, et al. Expires March 31, 2016 [Page 5] Internet-Draft root-cache-solution September 2015 The detailed steps for using this system is shown below: step 1, When the resolver needs to query the TLD name information in the root, it should check its cache (specified in RFC 1035) first. If it finds the information, go to step 4; otherwise go to step 2. step 2, Check the root data cache for the TLD name information. If it finds the answer queried, go to step 4; otherwise go to step 3. step 3, Ask the question to the root name servers. If it finds the answer queried, go to step 5 and step 4 simultaneously; otherwise go to step 4. step 4, The resolver has the necessary information and followed the steps specified in RFC 1035. End. step 5, If it is a DNSSEC query to the root, the resolver should validate the response from the root with DNSSEC; if it passes the DNSSEC validation, the resolver should put these TLD RRs into the root data cache, and set the refresh timer with the default value for these RRs; if it does not pass the DNSSEC validation, these RRs will not be put into the root data cache; end. If it is not a DNSSEC query, go to step 6. step 6, The resolver should send another query with the same question with DNSSEC to the root. If the response from the root passes the DNSSEC validation, the resolver should put the TLD data in the response into the root data cache, and set the refresh timer with the default value for these RRs. If these TLD RRs can not pass the DNSSEC validation, it should discard them without caching. End. Note: The basic implication is that all sanity checks on any TLD RR should be performed before any of it is cached into the root data cache. 5. System Requirements In order to implement the mechanism described in this document: o The system MUST be able to validate DNSSEC resource records. o The system MUST have an up-to-date copy of the DNS root key. o Only root TLD data from root zone should be cached. The requirement above is to be sure that authoritative data in the root data cache MUST be identical to the same data in the root zone Yao, et al. Expires March 31, 2016 [Page 6] Internet-Draft root-cache-solution September 2015 for the DNS. It is possible to change the unsigned data in the root data cache, but that operation MUST not be allowed. 6. Requirement of the Root Data Cache Root cached data will be discarded by a timeout mechanism with refresh timer value or by the root data anlayzer when the data of the root zone is changed. The requirements to run the root data cache are shown below: o Inside the root data cache, refresh timers for cached root data conceptually "count down", while TTL in the RR will be kept in the constant value. o When the RRs are exported from root data cache, the refresh timer will be removed and the TTL in RR will start to "count down". o Every RR will be assigned a refresh timer with the default value when it is put into the root data cache. o The root data cache should discard old RRs whose timer has expired. The resolver may make the queries to several different root name servers to answer a particular user query. Since all the root servers serve the same root data, it will not impact the data accurance. 7. Requirement and Operation of the Root Zone Analyzer The resolver expects to cache root data which it receives in responses from the root since it is useful in answering future client requests. However, there are several types of data which should not be cached: o any data not from the root o a possibly partial set of the RRs of the same type for a particular TLD name o TLD data that does not pass the DNSSEC validation o Any TLD data from the root data cache itself The system should periodically checks to make sure that its root data cache are up to date. It MUST discard the cached root data if the data is outdated. The steps to run the Root Zone Analyzer are shown below: Yao, et al. Expires March 31, 2016 [Page 7] Internet-Draft root-cache-solution September 2015 step 1, Get the SOA value from the root name server query, set root data cache's version No. = serial of SOA; refresh timer value = expire value of SOA. step 2, Get the full root zone, and do the same digest operation ( such as MD5 [RFC 1321]) to the root zone data excluding the SOA and its RRSIG. Set the root data cache fingerprint = the digest value. step 3, Check the SOA record from the root name server, and compare the serail of the SOA with the version No. of root data cache. If the value is same, wait for fixed time (the suggested time is the refresh value of SOA of the root zone or every 15 minutes) and go to step 3; If the value is not same, go to step 4. step 4, Notify that the root data cache should stop response to the resolver temporarily and give a message to the resolver that no answer has been found for the question. Get the full root zone, and do the same digest operation ( MD5 [RFC 1321]) to the whole root zone data excluding the SOA and its RRSIG. Compare the digest value with the fingerprint of root data cache. If the value is same, set root data cache's version No. = current serial of SOA; if the RRs of root SOA and its RRSIG are in the root data cache, they should be updated to the new one; notify that the root data cache should start response to the resolver immediately and go to step 3. If the value is not same, the system MUST discard all data in the root data cache, notify that the root data cache should start response to the resolver immediately and go to step 1. 8. IANA Considerations This document requires no action from the IANA. 9. Security Considerations A DNS cache may become poisoned when unauthorized RRs are inserted into it. A non-DNSSEC query may suffer from this problem in the same way as any resolver that does not do DNSSEC validation on responses from a remote root server. The resolver with a DNSSEC query will know how to deal with it. DDOS attackers may aim to the root data cache. They may query random invalid root TLD. In our current design, the root data cache will not cache any negative answers from the root. Yao, et al. Expires March 31, 2016 [Page 8] Internet-Draft root-cache-solution September 2015 10. Change History RFC Editor: Please remove this section. 10.1. draft-yao-dnsop-root-cache: Version 00 o Decreasing fetch time of Root Data by Improving the Mechanism of Root Data Cacheing 11. References 11.1. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, . [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, . [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, DOI 10.17487/RFC1321, April 1992, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, . [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, . [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, . Yao, et al. Expires March 31, 2016 [Page 9] Internet-Draft root-cache-solution September 2015 11.2. Informative References [Root-loopback] Kumari, W. and P. Hoffman, "Decreasing Access Time to Root Servers by Running One on Loopback", May 2015, . Authors' Addresses Jiankang Yao CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3007 Email: yaojk@cnnic.cn Ning Kong CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3147 Email: nkong@cnnic.cn Xiaodong Li CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3020 Email: xl@cnnic.cn Yao, et al. Expires March 31, 2016 [Page 10]