| < draft-fujiwara-dnsop-nsec-aggressiveuse-02.txt | draft-fujiwara-dnsop-nsec-aggressiveuse-03.txt > | |||
|---|---|---|---|---|
| Network Working Group K. Fujiwara | Network Working Group K. Fujiwara | |||
| Internet-Draft JPRS | Internet-Draft JPRS | |||
| Intended status: Informational A. Kato | Intended status: Informational A. Kato | |||
| Expires: April 21, 2016 Keio/WIDE | Expires: September 19, 2016 Keio/WIDE | |||
| October 19, 2015 | March 18, 2016 | |||
| Aggressive use of NSEC/NSEC3 | Aggressive use of NSEC/NSEC3 | |||
| draft-fujiwara-dnsop-nsec-aggressiveuse-02 | draft-fujiwara-dnsop-nsec-aggressiveuse-03 | |||
| Abstract | Abstract | |||
| While DNS highly depends on cache, its cache usage of non-existence | While DNS highly depends on cache, its cache usage of non-existence | |||
| information was limited to exact matching. This draft proposes the | information has been limited to exact matching. This draft proposes | |||
| aggressive use of a NSEC/NSEC3 resource record, which is able to | the aggressive use of a NSEC/NSEC3 resource record, which is able to | |||
| express non-existence of range of names authoritatively. With this | express non-existence of a range of names authoritatively. With this | |||
| proposal, shorter latency to many of negative responses is expected | proposal, it is expected that shorter latency to many of negative | |||
| as well as some level of mitigation of random sub-domain attacks | responses as well as some level of mitigation of random sub-domain | |||
| (referred to as "Water Torture" attacks). It is also expected that | attacks (referred to as "Water Torture" attacks). It is also | |||
| non-existent TLD queries to Root DNS servers will decrease. | expected that non-existent TLD queries to Root DNS servers will | |||
| decrease. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 21, 2016. | This Internet-Draft will expire on September 19, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Proposed Solution: Aggressive Negative Caching . . . . . . . 4 | 4. Proposed Solution . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Possible side effect . . . . . . . . . . . . . . . . . . . . 5 | 4.1. Aggressive Negative Caching . . . . . . . . . . . . . . . 4 | |||
| 6. The CD Bit . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.2. NSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Detecting random subdomain attacks . . . . . . . . . . . 6 | 4.3. NSEC3 . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. Additional proposals . . . . . . . . . . . . . . . . . . . . 6 | 4.4. NSEC3 Opt-Out . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7.1. Another option . . . . . . . . . . . . . . . . . . . . . 6 | 4.5. Wildcard . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7.2. Aggressive negative caching flag idea . . . . . . . . . . 6 | 4.6. Consideration on TTL . . . . . . . . . . . . . . . . . . 6 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. Additional Considerations . . . . . . . . . . . . . . . . . . 6 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 5.1. The CD Bit . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 10. Implementation Considerations . . . . . . . . . . . . . . . . 7 | 5.2. Detecting random subdomain attacks . . . . . . . . . . . 7 | |||
| 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Possible side effect . . . . . . . . . . . . . . . . . . . . 7 | |||
| 12. Change History . . . . . . . . . . . . . . . . . . . . . . . 7 | 7. Additional proposals . . . . . . . . . . . . . . . . . . . . 7 | |||
| 12.1. Version 01 . . . . . . . . . . . . . . . . . . . . . . . 8 | 7.1. Partial implementation . . . . . . . . . . . . . . . . . 7 | |||
| 12.2. Version 02 . . . . . . . . . . . . . . . . . . . . . . . 8 | 7.2. Aggressive negative caching without DNSSEC validation . . 8 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 7.3. Aggressive negative caching flag idea . . . . . . . . . . 8 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 8 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 9 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| Appendix A. Aggressive negative caching from RFC 5074 . . . . . 9 | 10. Implementation Status . . . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix B. Detailed implementation idea . . . . . . . . . . . . 10 | 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | 12. Change History . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 12.1. Version 01 . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
| 12.2. Version 02 . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
| 12.3. Version 03 . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 10 | ||||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 10 | ||||
| Appendix A. Aggressive negative caching from RFC 5074 . . . . . 11 | ||||
| Appendix B. Detailed implementation idea . . . . . . . . . . . . 11 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 1. Introduction | 1. Introduction | |||
| While negative (non-existence) information of DNS caching mechanism | While negative (non-existence) information of DNS caching mechanism | |||
| has been known as DNS negative cache [RFC2308], it requires exact | has been known as DNS negative cache [RFC2308], it requires exact | |||
| matching in most cases. Assume that "example.com" zone doesn't have | matching in most cases. Assume that "example.com" zone doesn't have | |||
| names such as "a.example.com" and "b.example.com". When a full- | names such as "a.example.com" and "b.example.com". When a full- | |||
| service resolver receives a query "a.example.com" , it performs a DNS | service resolver receives a query "a.example.com" , it performs a DNS | |||
| resolution process, and eventually gets NXDOMAIN and stores it into | resolution process, and eventually gets NXDOMAIN and stores it into | |||
| its negative cache. When the full-service resolver receives another | its negative cache. When the full-service resolver receives another | |||
| skipping to change at page 3, line 10 ¶ | skipping to change at page 3, line 17 ¶ | |||
| will send a query to one of the authoritative servers of | will send a query to one of the authoritative servers of | |||
| "example.com". This was because the NXDOMAIN response just says | "example.com". This was because the NXDOMAIN response just says | |||
| there is no such name "a.example.com" and it doesn't tell anything | there is no such name "a.example.com" and it doesn't tell anything | |||
| for "b.example.com". | for "b.example.com". | |||
| Section 5 of [RFC2308] seems to show that negative answers should be | Section 5 of [RFC2308] seems to show that negative answers should be | |||
| cached only for the exact query name, and not (necessarily) for | cached only for the exact query name, and not (necessarily) for | |||
| anything below it. | anything below it. | |||
| Recently, DNSSEC [RFC4035] [RFC5155] has been practically deployed. | Recently, DNSSEC [RFC4035] [RFC5155] has been practically deployed. | |||
| Two types of resource record (NSEC and NSEC3) are used for authentic | Two types of resource record (NSEC and NSEC3) along with their RRSIG | |||
| non-existence. For a zone signed with NSEC, it may be possible to | records represent authentic non-existence. For a zone signed with | |||
| use the information carried in NSEC resource records to indicate that | NSEC, it would be possible to use the information carried in NSEC | |||
| the range of names where no valid name exists. Such use is | resource records to indicate that a range of names where no valid | |||
| discouraged by Section 4.5 of RFC 4035, however. | name exists. Such use is discouraged by Section 4.5 of RFC 4035, | |||
| however. | ||||
| This document proposes to make a minor change to RFC 4035 and the | This document proposes to make a minor change to RFC 4035 and a full- | |||
| full-service resolver can use NSEC/NSEC3 resource records | service resolver can use NSEC/NSEC3 resource records aggressively so | |||
| aggressively. | that the resolver responds with NXDOMAIN immediately if the name in | |||
| question falls into a range expressed by a NSEC/NSEC3 resource | ||||
| record. | ||||
| Aggressive Negative Caching was first proposed in Section 6 of DNSSEC | Aggressive Negative Caching was first proposed in Section 6 of DNSSEC | |||
| Lookaside Validation (DLV) [RFC5074] in order to find covering NSEC | Lookaside Validation (DLV) [RFC5074] in order to find covering NSEC | |||
| records efficiently. Unbound [UNBOUND] has aggressive negative | records efficiently. Unbound [UNBOUND] has aggressive negative | |||
| caching code in its DLV validator. Unbound TODO file contains "NSEC/ | caching code in its DLV validator. Unbound TODO file contains "NSEC/ | |||
| NSEC3 aggressive negative caching". | NSEC3 aggressive negative caching". | |||
| Section 3 of [I-D.vixie-dnsext-resimprove] ("Stopping Downward Cache | Section 3 of [I-D.vixie-dnsext-resimprove] ("Stopping Downward Cache | |||
| Search on NXDOMAIN") proposed another approach to use NXDOMAIN | Search on NXDOMAIN") proposed another approach to use NXDOMAIN | |||
| information effectively. | information effectively. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| Many of the specialized terms used in this specification are defined | Many of the specialized terms used in this specification are defined | |||
| in DNS Terminology [I-D.ietf-dnsop-dns-terminology]. | in DNS Terminology [RFC7719]. | |||
| 3. Problem Statement | 3. Problem Statement | |||
| Random sub-domain attacks (referred to as "Water Torture" attacks or | Random sub-domain attacks (referred to as "Water Torture" attacks or | |||
| NXDomain attacks) send many non-existent queries to full-service | NXDomain attacks) send many non-existent queries to full-service | |||
| resolvers. Their query names consist of random prefixes and a target | resolvers. Their query names consist of random prefixes and a target | |||
| domain name. The negative cache does not work well and target full- | domain name. The negative cache does not work well and target full- | |||
| service resolvers result in sending queries to authoritative DNS | service resolvers result in sending queries to authoritative DNS | |||
| servers of the target domain name. | servers of the target domain name. | |||
| When number of queries is large, the full-service resolvers drop | When number of queries is large, the full-service resolvers drop | |||
| queries from both legitimate users and attackers as their outstanding | queries from both legitimate users and attackers as their outstanding | |||
| queues are filled up. | queues are filled up. | |||
| For example, BIND 9.10.2 [BIND9] full-service resolvers answer | For example, BIND 9.10.2 [BIND9] full-service resolvers answer | |||
| SERVFAIL and Unbound 1.5.2 full-service resolvers drop most of | SERVFAIL and Unbound 1.5.2 full-service resolvers drop most of | |||
| queries under 10,000 queries per second attack. | queries under 10,000 queries per second attack. | |||
| The countermeasures implemented at this moment are rate limiting and | The countermeasures implemented at this moment are rate limiting and | |||
| disabling name resolution of target domain names. | disabling name resolution of target domain names in ad-hoc manner. | |||
| 4. Proposed Solution: Aggressive Negative Caching | 4. Proposed Solution | |||
| 4.1. Aggressive Negative Caching | ||||
| If the target domain names are DNSSEC signed, aggressive use of NSEC/ | If the target domain names are DNSSEC signed, aggressive use of NSEC/ | |||
| NSEC3 resource records mitigates the problem. | NSEC3 resource records mitigates the problem. | |||
| Section 4.5 of [RFC4035] shows that "In theory, a resolver could use | Section 4.5 of [RFC4035] shows that "In theory, a resolver could use | |||
| wildcards or NSEC RRs to generate positive and negative responses | wildcards or NSEC RRs to generate positive and negative responses | |||
| (respectively) until the TTL or signatures on the records in question | (respectively) until the TTL or signatures on the records in question | |||
| expire. However, it seems prudent for resolvers to avoid blocking | expire. However, it seems prudent for resolvers to avoid blocking | |||
| new authoritative data or synthesizing new data on their own. | new authoritative data or synthesizing new data on their own. | |||
| Resolvers that follow this recommendation will have a more consistent | Resolvers that follow this recommendation will have a more consistent | |||
| skipping to change at page 4, line 40 ¶ | skipping to change at page 5, line 7 ¶ | |||
| | NSEC/NSEC3 resource records to generate negative responses | | | NSEC/NSEC3 resource records to generate negative responses | | |||
| | until their effective TTLs or signatures on the records | | | until their effective TTLs or signatures on the records | | |||
| | in question expire. | | | in question expire. | | |||
| +--------------------------------------------------------------+ | +--------------------------------------------------------------+ | |||
| If the full-service resolver's cache have enough information to | If the full-service resolver's cache have enough information to | |||
| validate the query, the full-service resolver MAY use NSEC/NSEC3/ | validate the query, the full-service resolver MAY use NSEC/NSEC3/ | |||
| wildcard records aggressively. Otherwise, the full-service resolver | wildcard records aggressively. Otherwise, the full-service resolver | |||
| MUST fall back to send the query to the authoritative DNS servers. | MUST fall back to send the query to the authoritative DNS servers. | |||
| Necessary information to validate are wildcards which match the query | Necessary information to validate are matching/covering NSEC/NSEC3 of | |||
| name, covering NSEC/NSEC3 of the wildcards, and covering NSEC/NSEC3 | the wildcards which may match the query name, matching/covering NSEC/ | |||
| of (parts of) the query name. | NSEC3 of non-terminals which derive from the query name and matching/ | |||
| covering NSEC/NSEC3 of the query name. | ||||
| If the zone has a wildcard and it is in the full-service resolver's | If the query name has the matching NSEC/NSEC3 RR and it shows the | |||
| cache, the full-service resolver MAY generate positive responses | query type does not exist, the full-service resolver is possible to | |||
| based on the information associated with the wildcard in the cache. | respond with NODATA (empty) answer. | |||
| This approach is effective for DNSSEC signed zones with NSEC or | 4.2. NSEC | |||
| NSEC3, except zones with NSEC3 Opt-Out. To identify signing types of | ||||
| the zone, validating resolvers need to build special cache of NSEC | ||||
| and NSEC3 resource records for each signer domain name. When a query | ||||
| name is not in the cache, find closest enclosing NS RRset in the | ||||
| cache. The owner of this NS RRset may be the longest signer domain | ||||
| name of the query name. If the NSEC/NSEC3 cache of the signer domain | ||||
| name is empty, the aggressive negative caching is not possible. | ||||
| Otherwise, there is at least one NSEC or NSEC3 resource records. The | ||||
| record shows the signing type. If the resource record is NSEC3 and | ||||
| with Opt-Out, the aggressive negative caching is not possible. | ||||
| When the query name has a matching NSEC resource records in the cache | A full-service resolver implementation SHOULD support aggressive use | |||
| and there is no wildcard in the zone which the query name matches | of NSEC and enable it by default. It SHOULD provide a configuration | |||
| with, the full-service resolver is allowed to respond with NXDOMAIN | knob to disable aggressive use of NSEC. | |||
| error immediately. | ||||
| The validating resolver need to check the existence of matching | ||||
| wildcards which derive from the query name, covering NSEC RRs of the | ||||
| matching wildcards and covering NSEC RR of the query name. | ||||
| If the full-service resolver's cache contains covering NSEC RRs of | ||||
| matching wildcards and the covering NSEC RR of the query name, the | ||||
| full-service resolver is possible to respond with NXDOMAIN error | ||||
| immediately. | ||||
| 4.3. NSEC3 | ||||
| NSEC3 aggressive negative caching is more difficult. If the zone is | NSEC3 aggressive negative caching is more difficult. If the zone is | |||
| signed with NSEC3, the validating resolver need to check the | signed with NSEC3, the validating resolver need to check the | |||
| existence of each label from the query name. If a label is not exist | existence of non-terminals and wildcards which derive from query | |||
| in the zone, and there is no matching wildcard in the zone, the full- | names. | |||
| service resolver is allowed to respond with NXDOMAIN error | ||||
| immediately. | If the full-service resolver's cache contains covering NSEC3 RRs of | |||
| matching wildcards, the covering NSEC3 RRs of the non-terminals and | ||||
| the covering NSEC3 RR of the query name, the full-service resolver is | ||||
| possible to respond with NXDOMAIN error immediately. | ||||
| If the validating resolver proves the non-exisence of the non- | ||||
| terminal domain name of the query name, the query name does not | ||||
| exist. | ||||
| To identify signing types of the zone, validating resolvers need to | ||||
| build separated cache of NSEC and NSEC3 resource records for each | ||||
| signer domain name. | ||||
| When a query name is not in the regular cache, find closest enclosing | ||||
| NS RRset in the regular cache. The owner of the closest enclosing NS | ||||
| RRset may be the longest signer domain name of the query name. If | ||||
| there is no entry in the NSEC/NSEC3 cache of the signer domain name, | ||||
| aggressive negative caching is not possible at this moment. | ||||
| Otherwise, there is at least one NSEC or NSEC3 resource records. The | ||||
| record shows the signing type. | ||||
| A full-service resolver implementation MAY support aggressive use of | ||||
| NSEC3. It SHOULD provide a configuration knob to disable aggressive | ||||
| use NSEC3 in this case. | ||||
| 4.4. NSEC3 Opt-Out | ||||
| If the zone is signed with NSEC3 and with Opt-Out flag set to 1, the | ||||
| aggressive negative caching is not possible at the zone. | ||||
| 4.5. Wildcard | ||||
| Even if a wildcard is cached, it is necessary to send a query to an | ||||
| authoritative server to ensure that the name in question doesn't | ||||
| exist as long as the name is not in the negative cache. | ||||
| When aggressive use is enabled, regardless of description of | ||||
| Section 4.5 of [RFC4035], it is possible to send a positive response | ||||
| immediately when the name in question matches a NSEC/NSEC3 RRs in the | ||||
| negative cache. | ||||
| 4.6. Consideration on TTL | ||||
| This function needs care on the TTL value of negative information | This function needs care on the TTL value of negative information | |||
| because newly added domain names cannot be used while the negative | because newly added domain names cannot be used while the negative | |||
| information is effective. RFC 2308 states the maximum number of | information is effective. RFC 2308 states the maximum number of | |||
| negative cache TTL value is 10800 (3 hours). So the full-service | negative cache TTL value is 10800 (3 hours). So the full-service | |||
| resolver SHOULD limit the maximum effective TTL value of negative | resolver SHOULD limit the maximum effective TTL value of negative | |||
| responses (NSEC/NSEC3 RRs) to 10800 (3 hours). It is reasonably | responses (NSEC/NSEC3 RRs) to 10800 (3 hours). It is reasonably | |||
| small but still effective for the purpose of this document as it can | small but still effective for the purpose of this document as it can | |||
| eliminate significant amount of DNS attacks with randomly generated | eliminate significant amount of DNS attacks with randomly generated | |||
| names. | names. | |||
| The same discussion is also applicable to wildcards. If a query name | 5. Additional Considerations | |||
| is covered by a NSEC or a NSEC3 resource record in the cache and | ||||
| there is a covering wildcard, the full-service resolver MAY use | ||||
| wildcards to generate positive responses while wildcard and NSEC/ | ||||
| NSEC3 resource records in the cache are effective. | ||||
| 5. Possible side effect | ||||
| Aggressive use of NSEC/NSEC3 resource records may decrease queries to | ||||
| Root DNS servers. | ||||
| People may generate many typos in TLD, and they will result in | ||||
| unnecessary DNS queries. Some implementations leak non-existent TLD | ||||
| queries whose second level domain are different each other. Well | ||||
| observed TLDs are ".local" and ".belkin". With this proposal, it is | ||||
| possible to return NXDOMAIN immediately to such queries without | ||||
| further DNS recursive resolution process. It may reduces round trip | ||||
| time, as well as reduces the DNS queries to corresponding | ||||
| authoritative servers, including Root DNS servers. | ||||
| 6. The CD Bit | 5.1. The CD Bit | |||
| The CD bit disables signature validation. It is one of the basic | The CD bit disables signature validation. It is one of the basic | |||
| functions of DNSSEC protocol and it SHOULD NOT be changed. However, | functions of DNSSEC protocol and it SHOULD NOT be changed. However, | |||
| attackers may set the CD bit to their attack queries and the | attackers may set the CD bit to their attack queries and the | |||
| aggressive negative caching will be of no use. | aggressive negative caching will be of no use. | |||
| Ignoring the CD bit function may break the DNSSEC protocol. | Ignoring the CD bit function may break the DNSSEC protocol. | |||
| This draft proposes that the CD bit may be ignored to support | This draft proposes that the CD bit may be ignored to support | |||
| aggressive negative caching when the full-service resolver is under | aggressive negative caching when the full-service resolver is under | |||
| attacks with CD bit set. | attacks with CD bit set. | |||
| 6.1. Detecting random subdomain attacks | 5.2. Detecting random subdomain attacks | |||
| Full-service resolvers should detect conditions under random | Full-service resolvers should detect conditions under random | |||
| subdomain attacks. When they are under attacks, their outstanding | subdomain attacks. When they are under attacks, their outstanding | |||
| queries increase. If there are some destination addresses whose | queries increase. If there are some destination addresses whose | |||
| outstanding queries are many, they may contain attack target domain | outstanding queries are many, they may contain attack target domain | |||
| names. Existing countermeasures may implement attack detection. | names. Existing countermeasures may implement attack detection. | |||
| 6. Possible side effect | ||||
| Aggressive use of NSEC/NSEC3 resource records may decrease queries to | ||||
| Root DNS servers. | ||||
| People may generate many typos in TLD, and they will result in | ||||
| unnecessary DNS queries. Some implementations leak non-existent TLD | ||||
| queries whose second level domain are different each other. Well | ||||
| observed TLDs are ".local" and ".belkin". With this proposal, it is | ||||
| possible to return NXDOMAIN immediately to such queries without | ||||
| further DNS recursive resolution process. It may reduces round trip | ||||
| time, as well as reduces the DNS queries to corresponding | ||||
| authoritative servers, including Root DNS servers. | ||||
| 7. Additional proposals | 7. Additional proposals | |||
| There are additional proposals to the aggressive negative caching. | There are additional proposals to the aggressive negative caching. | |||
| 7.1. Another option | 7.1. Partial implementation | |||
| The proposed technique is applicable to zones where there is a NSEC | It is possible to implement aggressive negative caching partially. | |||
| record to each owner name in the zone even without DNSSEC signed. | ||||
| And it is also applicable to full-service resolvers without DNSSEC | ||||
| validation. Full-service resolvers can set DNSSEC OK bit in query | ||||
| packets and they will cache NSEC/NSEC3 resource records. They can | ||||
| apply aggressive use of NSEC/NSEC3 resource records without DNSSEC | ||||
| validation. | ||||
| It is highly recommended to sign the zone, of course, and it is | DLV aggressive negative caching [RFC5074] is an implementation of | |||
| recommended to apply DNSSEC validation of NSEC record prior to cache | NSEC aggressive negative caching which targets DLV domain names. | |||
| it in the negative cache. | ||||
| 7.2. Aggressive negative caching flag idea | NSEC only aggressive negative caching is easier to implement NSEC/ | |||
| NSEC3 aggressive negative caching (full implantation) because NSEC3 | ||||
| handling is hard to implement. | ||||
| Root only aggressive negative caching is possible. It uses NSEC and | ||||
| RRSIG resource records whose signer domain name is root. | ||||
| An implementation without detecting attacks is possible. It cannot | ||||
| ignore the CD bit and the effectiveness may be limited. | ||||
| 7.2. Aggressive negative caching without DNSSEC validation | ||||
| Aggressive negative caching may be applicable to full-service | ||||
| resolvers without DNSSEC validation. They can set DNSSEC OK bit in | ||||
| query packets to obtain corresponding NSEC/NSEC3 resource records. | ||||
| While the full-service resolvers SHOULD validate the NSEC/NSEC3 | ||||
| resource records, they MAY use the records to respond NXDOMAIN error | ||||
| immediately without DNSSEC validation. | ||||
| However, it is highly recommended to apply DNSSEC validation. | ||||
| 7.3. Aggressive negative caching flag idea | ||||
| Authoritative DNS servers that dynamically generate NSEC records | Authoritative DNS servers that dynamically generate NSEC records | |||
| normally generate minimally covering NSEC Records [RFC4470]. | normally generate minimally covering NSEC Records [RFC4470]. | |||
| Aggressive negative caching does not work with minimally covering | Aggressive negative caching does not work with minimally covering | |||
| NSEC records. DNS operators don't want zone walking and zone | NSEC records. Most of DNS operators don't want zone enumeration and | |||
| information leaks. They prefer NSEC resource records with narrow | zone information leaks. They prefer NSEC resource records with | |||
| ranges. When there is a flag that show a full-service resolver | narrow ranges. When there is a flag that show a full-service | |||
| support the aggressive negative caching and a query have the | resolver support the aggressive negative caching and a query have the | |||
| aggressive negative caching flag, authoritative DNS servers can | aggressive negative caching flag, authoritative DNS servers can | |||
| generate NSEC resource records with wider range under random | generate NSEC resource records with wider range under random | |||
| subdomain attacks. | subdomain attacks. | |||
| However, changing range of minimally covering NSEC Records may be | However, changing range of minimally covering NSEC Records may be | |||
| implemented by detecting attacks. Authoritative DNS servers can | implemented by detecting attacks. Authoritative DNS servers can | |||
| answer any range of minimally covering NSEC Records. | answer any range of minimally covering NSEC Records. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| skipping to change at page 7, line 31 ¶ | skipping to change at page 9, line 5 ¶ | |||
| It is also suggested to limit the maximum TTL value of NSEC resource | It is also suggested to limit the maximum TTL value of NSEC resource | |||
| records in the negative cache to, for example, 10800 seconds (3hrs), | records in the negative cache to, for example, 10800 seconds (3hrs), | |||
| to mitigate the issue. Implementations which comply with this | to mitigate the issue. Implementations which comply with this | |||
| proposal is suggested to have a configurable maximum value of NSEC | proposal is suggested to have a configurable maximum value of NSEC | |||
| RRs in the negative cache. | RRs in the negative cache. | |||
| Aggressive use of NSEC/NSEC3 resource records without DNSSEC | Aggressive use of NSEC/NSEC3 resource records without DNSSEC | |||
| validation may cause security problems. | validation may cause security problems. | |||
| 10. Implementation Considerations | 10. Implementation Status | |||
| Unbound has aggressive negative caching code in its DLV validator. | Unbound has aggressive negative caching code in its DLV validator. | |||
| The author implemented NSEC aggressive caching using Unbound and its | The author implemented NSEC aggressive caching using Unbound and its | |||
| DLV validator code. | DLV validator code. | |||
| 11. Acknowledgments | 11. Acknowledgments | |||
| The authors gratefully acknowledge DLV [RFC5074] author Samuel Weiler | The authors gratefully acknowledge DLV [RFC5074] author Samuel Weiler | |||
| and Unbound developers. Olafur Gudmundsson and Pieter Lexis proposed | and Unbound developers. Olafur Gudmundsson and Pieter Lexis proposed | |||
| aggressive negative caching flag idea. Valuable comments were | aggressive negative caching flag idea. Valuable comments were | |||
| skipping to change at page 8, line 21 ¶ | skipping to change at page 9, line 40 ¶ | |||
| o Added detailed algorithms. | o Added detailed algorithms. | |||
| 12.2. Version 02 | 12.2. Version 02 | |||
| o Added reference to [I-D.vixie-dnsext-resimprove] | o Added reference to [I-D.vixie-dnsext-resimprove] | |||
| o Added considerations for the CD bit | o Added considerations for the CD bit | |||
| o Updated detailed algorithms. | o Updated detailed algorithms. | |||
| o Moved Aggressive Negative Caching Flag idea into Another Option. | o Moved Aggressive Negative Caching Flag idea into Additional | |||
| Proposals | ||||
| 12.3. Version 03 | ||||
| o Added "Partial implementation" | ||||
| o Section 4,5,6 reorganized for better representation | ||||
| o Added NODATA answer in Section 4 | ||||
| o Trivial updates | ||||
| o Updated pseudo code | ||||
| 13. References | 13. References | |||
| 13.1. Normative References | 13.1. Normative References | |||
| [I-D.ietf-dnsop-dns-terminology] | ||||
| Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | ||||
| Terminology", draft-ietf-dnsop-dns-terminology-05 (work in | ||||
| progress), September 2015. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | |||
| RFC2119, March 1997, | RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | |||
| NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | |||
| <http://www.rfc-editor.org/info/rfc2308>. | <http://www.rfc-editor.org/info/rfc2308>. | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| skipping to change at page 9, line 14 ¶ | skipping to change at page 10, line 38 ¶ | |||
| [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074, | [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074, | |||
| DOI 10.17487/RFC5074, November 2007, | DOI 10.17487/RFC5074, November 2007, | |||
| <http://www.rfc-editor.org/info/rfc5074>. | <http://www.rfc-editor.org/info/rfc5074>. | |||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <http://www.rfc-editor.org/info/rfc5155>. | <http://www.rfc-editor.org/info/rfc5155>. | |||
| [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
| for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/ | Terminology", RFC 7719, DOI 10.17487/RFC7719, December | |||
| RFC6891, April 2013, | 2015, <http://www.rfc-editor.org/info/rfc7719>. | |||
| <http://www.rfc-editor.org/info/rfc6891>. | ||||
| 13.2. Informative References | 13.2. Informative References | |||
| [BIND9] Internet Systems Consortium, Inc., "Name Server Software", | [BIND9] Internet Systems Consortium, Inc., "Name Server Software", | |||
| 2000, <https://www.isc.org/downloads/bind/>. | 2000, <https://www.isc.org/downloads/bind/>. | |||
| [I-D.vixie-dnsext-resimprove] | [I-D.vixie-dnsext-resimprove] | |||
| Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS | Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS | |||
| Resolvers for Resiliency, Robustness, and Responsiveness", | Resolvers for Resiliency, Robustness, and Responsiveness", | |||
| draft-vixie-dnsext-resimprove-00 (work in progress), June | draft-vixie-dnsext-resimprove-00 (work in progress), June | |||
| skipping to change at page 10, line 33 ¶ | skipping to change at page 12, line 9 ¶ | |||
| If errors happen in aggressive negative caching algorithm, resolvers | If errors happen in aggressive negative caching algorithm, resolvers | |||
| MUST fall back to resolve the query as usual. "Resolve the query as | MUST fall back to resolve the query as usual. "Resolve the query as | |||
| usual" means that the full-resolver resolve the query in Recursive- | usual" means that the full-resolver resolve the query in Recursive- | |||
| mode as if the full-service resolver does not implement aggressive | mode as if the full-service resolver does not implement aggressive | |||
| negative caching. | negative caching. | |||
| To implement aggressive negative caching, resolver algorithm near | To implement aggressive negative caching, resolver algorithm near | |||
| cache lookup will be changed as follows: | cache lookup will be changed as follows: | |||
| QNAME = the query name; | QNAME = the query name; | |||
| if (QNAME name entry exists in the cache) { | QTYPE = the query type; | |||
| if ({QNAME,QTYPE} entry exists in the cache) { | ||||
| // the resolver responds the RRSet from the cache | ||||
| resolve the query as usual; | resolve the query as usual; | |||
| // if RRSet (query name and query type) exists in the cache, | } | |||
| // the resolver responds the RRSet from the cache | ||||
| // Otherwise, the resolver needs to iterate the query. | // if NSEC* exists, QTYPE existence is proved by type bitmap | |||
| if (matching NSEC/NSEC3 of QNAME exists in the cache) { | ||||
| if (QTYPE exists in type bitmap of NSEC/NSEC3 of QNAME) { | ||||
| // the entry exists, however, it is not in the cache. | ||||
| // need to iterate QNAME/QTYPE. | ||||
| resolve the query as usual; | ||||
| } else { | ||||
| // QNAME exists, QTYPE does not exist. | ||||
| the resolver can generate NODATA response; | ||||
| } | ||||
| } | } | |||
| // Find closest enclosing NS RRset in the cache. | // Find closest enclosing NS RRset in the cache. | |||
| // The owner of this NS RRset will be a suffix of the QNAME | // The owner of this NS RRset will be a suffix of the QNAME | |||
| // - the longest suffix of any NS RRset in the cache. | // - the longest suffix of any NS RRset in the cache. | |||
| SIGNER = closest enclosing NS RRSet of QNAME in the cache; | SIGNER = closest enclosing NS RRSet of QNAME in the cache; | |||
| // Check the SOA RR of the SIGNER | // Check the SOA RR of the SIGNER | |||
| if (SOA RR of SIGNER does not exist in the cache | if (SOA RR of SIGNER does not exist in the cache | |||
| or SIGNER zone is not signed or not validated) { | or SIGNER zone is not signed or not validated) { | |||
| skipping to change at page 11, line 4 ¶ | skipping to change at page 12, line 40 ¶ | |||
| SIGNER = closest enclosing NS RRSet of QNAME in the cache; | SIGNER = closest enclosing NS RRSet of QNAME in the cache; | |||
| // Check the SOA RR of the SIGNER | // Check the SOA RR of the SIGNER | |||
| if (SOA RR of SIGNER does not exist in the cache | if (SOA RR of SIGNER does not exist in the cache | |||
| or SIGNER zone is not signed or not validated) { | or SIGNER zone is not signed or not validated) { | |||
| Resolve the query as usual; | Resolve the query as usual; | |||
| } | } | |||
| if (SIGNER zone does not have NSEC_TABLE) { | if (SIGNER zone does not have NSEC_TABLE) { | |||
| Resolve the query as usual; | Resolve the query as usual; | |||
| } | } | |||
| if (SIGNER zone is signed with NSEC) { | if (SIGNER zone is signed with NSEC) { // NSEC mode | |||
| // NSEC mode | ||||
| if (covering NSEC RR of QNAME at SIGNER zone | // Check the non-existence of QNAME | |||
| doesn't exist in the cache) { | CoveringNSEC = Find the covering NSEC of QNAME; | |||
| if (Covering NSEC doesn't exist in the cache) { | ||||
| Resolve the query as usual. | Resolve the query as usual. | |||
| } | } | |||
| TEST = Find the closest encloser domain name of QNAME and | // Select the longest existing name of QNAME from covering NSEC | |||
| the covering NSEC RR of QNAME | LongestExistName = common part of both owner name and | |||
| next domain name of CoveringNSEC; | ||||
| if (*.TEST name entry exists in the cache) { | if (*.LongestExistName entry exists in the cache) { | |||
| the resolver can generate positive response | the resolver can generate positive response | |||
| // synthesize the wildcard *.TEST | // synthesize the wildcard *.TEST | |||
| } | } | |||
| if covering NSEC RR of "*.TEST" at SIGNER zone exists | if covering NSEC RR of "*.LongestExistName" at SIGNER zone exists | |||
| in the cache { | in the cache { | |||
| the resolver can generate negative response; | the resolver can generate negative response; | |||
| } | } | |||
| // Lack of information | //*.LongestExistName may exist. cannot generate negative response | |||
| Resolve the query as usual. | ||||
| } else | } else | |||
| if (SIGNER zone is signed with NSEC3 and does not use Opt-Out) { | if (SIGNER zone is signed with NSEC3 and does not use Opt-Out) { | |||
| // NSEC3 mode | // NSEC3 mode | |||
| TEST = SIGNER; | TEST = SIGNER; | |||
| while (TEST != QNAME) { | while (TEST != QNAME) { | |||
| // if any error happens in this loop, break this loop | // if any error happens in this loop, break this loop | |||
| UPPER = TEST; | UPPER = TEST; | |||
| add a label from the QNAME to the start of TEST; | add a label from the QNAME to the start of TEST; | |||
| // TEST = label.UPPER | // TEST = label.UPPER | |||
| if (TEST name entry exist in the cache) { | if (TEST name entry exist in the cache | |||
| || matching NSEC3 of TEST exist in the cache) { | ||||
| // TEST exist | ||||
| continue; // need to check rest of QNAME | continue; // need to check rest of QNAME | |||
| } | } | |||
| if (covering NSEC3 of TEST exist in the cache) { | if (covering NSEC3 of TEST exist in the cache) { | |||
| // (non-)terminal name TEST does not exist | // (non-)terminal name TEST does not exist | |||
| if (*.UPPER name entry exist in the cache) { | if (*.UPPER name entry exist in the cache) { | |||
| // TEST does not exist and *.UPPER exist | // TEST does not exist and *.UPPER exist | |||
| the resolver can generate positive response; | the resolver can generate positive response; | |||
| } else | } else | |||
| if (covering NSEC3 of *.UPPER exist in the cache) { | if (covering NSEC3 of *.UPPER exist in the cache) { | |||
| // TEST does not exist and *.UPPER does not exist | // TEST does not exist and *.UPPER does not exist | |||
| the resolver can generate negative response; | the resolver can generate negative response; | |||
| } | } | |||
| break; // Lack of information | break; // Lack of information (No *.UPPER information) | |||
| } else | ||||
| if (NSEC3 of TEST does not exist in the cache) { | ||||
| break; // Lack of information | ||||
| } | } | |||
| // TEST label exist, then need to check rest of QNAME | break; // Lack of information (No TEST information) | |||
| } | } | |||
| // Lack of information, need to resolve the query as usual | // no matching/covering NSEC3 of QNAME information | |||
| Resolve the query as usual | ||||
| } | } | |||
| Resolve the query as usual | ||||
| Authors' Addresses | Authors' Addresses | |||
| Kazunori Fujiwara | Kazunori Fujiwara | |||
| Japan Registry Services Co., Ltd. | Japan Registry Services Co., Ltd. | |||
| Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda | Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda | |||
| Chiyoda-ku, Tokyo 101-0065 | Chiyoda-ku, Tokyo 101-0065 | |||
| Japan | Japan | |||
| Phone: +81 3 5215 8451 | Phone: +81 3 5215 8451 | |||
| End of changes. 42 change blocks. | ||||
| 140 lines changed or deleted | 225 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||