wdiff draft-wkumari-dnsop-multiple-responses-02.txt draft-wkumari-dnsop-multiple-responses-03.txt

dnsop W. Kumari
Internet-Draft Google
Intended status: Standards Track Z. Yan
Expires: July 8, December 28, 2016 CNNIC
W. Hardaker
Parsons, Inc.
January 05,
June 26, 2016

Returning multiple extra answers in DNS responses.
draft-wkumari-dnsop-multiple-responses-02
draft-wkumari-dnsop-multiple-responses-03

Abstract

This document (re)introduces the ability to provide multiple answers
in a DNS response.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 8, December 28, 2016.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Returning multiple answers . . . . . . . . . . . . . . . . . 3 4
5. Additional records pseudo-RR The EXTRA Resource Record . . . . . . . . . . . . . . . . 5 . . 4
5.1. File Format . . . . . . . . . . . . . . . . . . . . . . . 5
5.2. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 5
6. Signaling support . . . . . . . . . . . . . . . . . . . . . . 6
7. Stub-Resolver Considerations . . . . . . . . . . . . . . . . 6
8. Use of Additional information . . . . . . . . . . . . . . . . 6
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
10. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
12.1. Normative References . . . . . . . . . . . . . . . . . . 7
12.2. Informative References . . . . . . . . . . . . . . . . . 8 7
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8

1. Introduction

Often the

In many cases a name being resolved in the DNS provides information about the reason
behind why the name is being resolved, allowing resolved. This may allow the
authoritative nameserver to predict what other answers the client a recursive
resolver will soon query for. By providing multiple answers in the
response, the authoritative name server operator can ensure that the assist a caching
recursive server resolver in pre-populating its cache before a stub resolver
or other client asks for the subsequent queries. Apart from
decreasing the latency for end users [RFC6555], this also decreases
the total number of queries that the client is
using has all recursive resolver needs to send
and the answers in its cache. autorative server needs to answer.

For example, the domain name server operator administrator of Example Widgets, Inc
(example.com) knows that the example.com web page at www.example.com contains
various other resources, including some images (served from
images.example.com), some Cascading Style Sheets (served from
css.example.com) and some JavaScript (data.example.com). A client (served from data.example.com).
An application attempting to resolve www.example.com is very likely
to be a web browser rendering the page and so will likely also need to also
resolve all of
the other names to obtain these other resources. additional names as well. Providing all of
these answers in response to a query for www.example.com allows the
recursive server resolver to populate pre-populate its cache and have all of the these answers
available immediately when the a stub resolver or other DNS client asks
for them.

Other examples where this technique is may be useful include SMTP (including
the (by
including mail server address addresses, SPF and DKIM records when serving
the MX record), SRV (providing (by providing the target information in addition
to the SRV response) and TLSA
(providing (by providing any TLSA records
associated with a name). This same technique can also be used to
include both the IPv4 (A) and IPv6 (AAAA) addresses for any singular
address query.

This technique, described in this document, is purely an optimization - by providing all of other,
and enables a zone publisher to distribute other related answers that
the client is likely to need along with the an answer that
they requested, users to the original
request. Users get a better experience, iterative servers recursive resolvers need to perform
send less queries, authoritative servers have to answer fewer
queries, etc.

1.1. Requirements notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

2. Background

The existing DNS specifications [RFC1034] allow for additional supplemental
information to be included in the "additional" section of the DNS
response, but in order to defeat cache poisoning attacks most
implementations either ignore or don't trust additional information (other than for "glue"). records they
didn't ask for. For some more background, see [Ref.Bellovin], [RFC1034], [Ref.Bellovin] and
[RFC2181].

Not trusting the information in the additional section was necessary
because
since there was no way to authenticate it. If you queried a resolver queries for
www.example.com and got back received answers for www.invalid.com you couldn't as well, it
is impossible for a non-validating resolver to tell if these were
actually from invalid.com or if an attacker was trying to get push bad
information for invalid.com into your the resolver's cache. In a world of
ubiquitous DNSSEC deployment [Ed note: By the time this document is
published, there *will* be ubiquitous DNSSEC :-) ] the
iterative server ], a validating
resolver can validate the information validate, authenticate and trust it. the records in the
additional information.

3. Terminology

Additional records Additional records are records that the
authoritative nameserver has included in the Additional section.

EXTRTA Resource Record The EXTRA resource record (defined below)
carries a list fo additional records to send.

Primary query A Primary query (or primary question) is a QNAME that
the name server operator would like to return additional answers
for.

Supporting DNSSEC information Supporting DNSSEC information is the
DNSSEC RRSIGs that prove the authenticity of the Additional
records.

Stub Resolver The term "Stub Resolver" is used in this document to
refer to the most common instance of a DNS client sending DNS
requests to a Recursive Resolver. However, other DNS clients are
not excluded from these usages and where we write "Stub Resolver"
you may read it as "Stub Resolver or other DNS client".

4. Returning multiple answers

The authoritative nameserver should include as many of the instructed
Additional
additional records identified by the Extra Resource Record and
Supporting DNSSEC information as will fit in the response packet.
These additional records (and Supporting DNSSEC information) are
appended to the additional section of the response.

In order to include Additional additional records in a response, certain these
conditions need to be met. [Ed note: Some discussion on each rule is
below] met:

1. Additional records MUST only be included when the primary name
and each additional record are signed using DNSSEC "valid".

2. Additional records MUST only be served over TCP connections, or
when DNS Cookies [ToDo: Ref] are in use. This is to mitigate
Denial of Service reflection attacks.[1]

3. Additional records SHOULD be contained within the same zone as
the primary name[2], or MAY be additionally be contained within a
child zone for which the name server Name Server is
authoritative for,
assuming all DNSSEC validation records required to validate the
child(ren) are included as well. Note that for the DS record, zone, and NS
and glue the records for a child zone may to be returned even when no
other additional data for the child will be included.

4. The are
DNSSEC signed.

2. The supporting DNSSEC information necessary to perform validation
on the records must be included. I.E., the RRSIGs required to
validate the Additional record information must MUST be included.

3. The authoritative nameserver Authoritative Name Server SHOULD include as many of the
additional records as will fit in the response. Each Additional
record MUST have its matching Supporting information. Additional
records MUST SHOULD be inserted in the order specified in the
Additional records list.

6. Operators

4. Zone administrators SHOULD only include Additional answers records identified in the
EXTRA Resource Records that they expect a client to actually need. [3]

[Ed note 1: The above MAY be troll bait. I'm not really sure if this
is a good idea or not - moving folk towards TCP is probably a good
idea, and this is somewhat of an optional record type. Then again,
special handing (TCP only) for a record would be unusual. Additional
records could cause responses to become really large, but there are
already enough large records that can be used for reflection attacks
that we can just give up on the whole "keep responses as small as
possible" ship. ]

[Ed note 2: This is poorly worded. I mumbled about bailiwick,
subdomains, etc but nothing I could come up with was better. Also,
is this rule actually needed? I *think* it would be bad for .com
servers to be able to include Additional records for
www.foo.bar.baz.example.com, but perhaps <handwave>public-suffix-
list?! This rule also makes it easier to decide what all DNSSEC
information is required.]

[Ed note 3: This is not enforceable. ]

5. Additional records pseudo-RR The EXTRA Resource Record

To allow the authoritative nameserver operator a zone content administrator to configure instruct the name server with the
which additional records to serve when it receives a query to a
label, we introduce the Additional EXTRA Resource Record (RR). These additional
records are appended to the additional section (note that the EXTRA
RR itself is not appended). The EXTRA resource record MAY still be
queried for directly (e.g for debugging), in which case the record
itself is returned.

5.1. File Format

The format of the Additional Extra RR is:

label ADD EXTRA "label,type; label,type; label,type; ..."

For example, if the operator of example.com would like to also return
A record answers for images.example.com, css.html.example.com and
both an A and AAAA for data.example.com when queried for
www.example.com he
www.example.com, they would enter:

www ADD create the following record:

www.example.com. EXTRA "images,A; css.html,A; css,A; data,A; data,AAA;"

The entries in the ADD EXRTA list are ordered. An authoritative
nameserver SHOULD insert the records in the order listed when filling
the response packet. This is to allow the operator to express a
preference in case all the records to will not fit. fit in the response. The
TTL of the records added to the Additional section are MUST be the
same as if queried directly.

In some cases the operator a zone content administrator might not know what all
additional records clients need. For example, the owner of
www.example.com may have outsourced his DNS operations to a third
party. DNS operators administrators may be able to mine their query logs, and
see that, in a large majority of cases, a recursive server asks for
foo.example.com and then very soon after asks for bar.example.com,
and so may decide to optimize this by opportunistically returning bar
when queried for foo. This functionality could also be included in
the authoritative name server software itself, but discussions of
these re are outside the scope of this document.

5.2. Wire Format

The wire format of the Additional EXTRA RR is the same as the wire format for a
TXT RR:

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/ TXT-DATA /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Where TXT-DATA is one or more charter-strings. <character-string>s.

The Additional Extra RR has RR type TBD [RFC Editor: insert the IANA assigned
value and delete this note]

6. Signaling support

Iterative nameservers

Recursive Resolvers (or other DNS clients) that support Additional EXTRA records
MAY signal this by setting the OPT record's PL ("plus") EXTRA bit (bit NN [TBD:
assigned by IANA] in the EDNS0 extension header to 1.

7. Stub-Resolver Considerations

No modifications need to be made to stub-resolvers to get the
predominate benefit of this protocol, since the majority of the speed
gain will take place between the validating recursive resolver and
the authoritative name server. However, stub resolvers may wish choose to
support this technique, and / or may query directly for the Additional EXTRA RR
if it wants to pre-query for data that will likely be needed in the
process of supporting its application.

8. Use of Additional information

When receiving Additional information, an iterative server additional records in the additional section, a
resolver follows certain rules:

1. Additional records MUST be validated before being used.

2. Additional records SHOULD be annotated in the cache as having
been received as Additional records.

3. Additional records SHOULD have lower priority in the cache than
answers received because they were requested. This is to help
evict Additional records from the cache first, and first (to help stop prevent
cache filling attacks. attacks).

4. Iterative servers Recursive resolvers MAY choose to ignore Additional records for
any reason, including CPU or cache space concerns, phase of the
moon, etc. It may choose to only accept all, some or none of the
Additional records.

9. IANA Considerations

This document contains the following IANA assignment requirements:

1. The PL EXTRA bit discussed in Section 6 needs to be allocated.

10. Security Considerations

Additional records will make DNS responses even larger than they are
currently, leading to more large larger records that can be used for in DNS
reflection attacks. We One could mitigate this by only serving these
responses to EXTRA requests over TCP. TCP or when using Cookies [RFC5395],
although there is no easy way to signal this to a client other than
through the use of the truncate bit.

A malicious authoritative server could include a large number of
Additional
extra records (and associated DNSSEC information) and attempt to DoS
the recursive by making it do lots of DNSSEC validation. I don't
view However,
this as is not considered a very serious threat (CPU realistic threat; CPU for validation is
cheap compared to bandwidth), but we mitigate this bandwidth. This can be mitigated by allowing the
iterative
recursive resolver to ignore Additional records whenever it wants.

By requiring considers
itself under attack or its CPU resources are otherwise over-
committed.

This specification requires that the ALL all of the Additional records
are signed, and all necessary DNSSEC information for validation be
included we to avoid cache poisoning (I hope :-)) attacks.

11. Acknowledgements

The authors wish to thank some folk.

12. References

12.1. Normative References

[Ref.Bellovin]
Bellovin, S., "Using the Domain Name System for System
Break-Ins", 1995,
<https://www.cs.columbia.edu/~smb/papers/dnshack.pdf>.

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
<http://www.rfc-editor.org/info/rfc2181>.

[RFC5395] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", RFC 5395, DOI 10.17487/RFC5395, November
2008, <http://www.rfc-editor.org/info/rfc5395>.

12.2. Informative References

[I-D.ietf-sidr-iana-objects]
Manderson, T., Vegoda, L., and S. Kent, "RPKI Objects
issued by IANA", draft-ietf-sidr-iana-objects-03 (work in
progress),

[RFC6555] Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with
Dual-Stack Hosts", RFC 6555, DOI 10.17487/RFC6555, April
2012, <http://www.rfc-editor.org/info/rfc6555>.

[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2011. 2016,
<http://www.rfc-editor.org/info/rfc7873>.

Appendix A. Changes / Author Notes.

[RFC Editor: Please remove this section before publication ]

From -00 to -01.

o Nothing changed in the template!

From -02 to -3:

Sat down and rewrote and cleaned up large sections of text.

Changed name of RR from Additional to EXTRA (the term "Additional"
is overloaded in general)

Clarified that stub resolvers and other clients MAY use this
specification.

Attempted to clarify that the individual RRs are added to the
response, not the EXTRA record itself. The EXTRA RR can be
queried directly.

Authors' Addresses

Warren Kumari
Google
1600 Amphitheatre Parkway
Mountain View, CA 94043
US

Email: warren@kumari.net

Zhiwei Yan
CNNIC
No.4 South 4th Street, Zhongguancun
Beijing 100190
P. R. China

Email: yanzhiwei@cnnic.cn
Wes Hardaker
Parsons, Inc.
P.O. Box 382
Davis, CA 95617
US

Email: ietf@hardakers.net