| draft-ietf-dnsop-as112-dname-00.txt | draft-ietf-dnsop-as112-dname-01.txt | |||
|---|---|---|---|---|
| Network Working Group J. Abley | Network Working Group J. Abley | |||
| Internet-Draft Dyn, Inc. | Internet-Draft Dyn, Inc. | |||
| Updates: 6304 (if approved) B. Dickson | Updates: 6304 (if approved) B. Dickson | |||
| Intended status: Informational Verisign Labs | Intended status: Informational Verisign Labs | |||
| Expires: May 9, 2014 W. Kumari | Expires: August 18, 2014 W. Kumari | |||
| G. Michaelson | G. Michaelson | |||
| APNIC | APNIC | |||
| November 5, 2013 | February 14, 2014 | |||
| AS112 Redirection using DNAME | AS112 Redirection using DNAME | |||
| draft-ietf-dnsop-as112-dname-00 | draft-ietf-dnsop-as112-dname-01 | |||
| Abstract | Abstract | |||
| Many sites connected to the Internet make use of IPv4 addresses that | Many sites connected to the Internet make use of IPv4 addresses that | |||
| are not globally unique. Examples are the addresses designated in | are not globally unique. Examples are the addresses designated in | |||
| RFC 1918 for private use within individual sites. | RFC 1918 for private use within individual sites. | |||
| Devices in such environments may occasionally originate Domain Name | Devices in such environments may occasionally originate Domain Name | |||
| System (DNS) queries (so-called "reverse lookups") corresponding to | System (DNS) queries (so-called "reverse lookups") corresponding to | |||
| those private-use addresses. Since the addresses concerned have only | those private-use addresses. Since the addresses concerned have only | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 9, 2014. | This Internet-Draft will expire on August 18, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 3, line 28 ¶ | skipping to change at page 3, line 28 ¶ | |||
| 8.2. Hosting of AS112.ARPA . . . . . . . . . . . . . . . . . . 12 | 8.2. Hosting of AS112.ARPA . . . . . . . . . . . . . . . . . . 12 | |||
| 8.3. Delegation of AS112.ARPA . . . . . . . . . . . . . . . . . 13 | 8.3. Delegation of AS112.ARPA . . . . . . . . . . . . . . . . . 13 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . . 16 | 11.1. Normative References . . . . . . . . . . . . . . . . . . . 16 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . . 16 | 11.2. Informative References . . . . . . . . . . . . . . . . . . 16 | |||
| Appendix A. Assessing Support for DNAME in the Real World . . . . 17 | Appendix A. Assessing Support for DNAME in the Real World . . . . 17 | |||
| A.1. Methodology . . . . . . . . . . . . . . . . . . . . . . . 17 | A.1. Methodology . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| A.2. Results . . . . . . . . . . . . . . . . . . . . . . . . . 19 | A.2. Results . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| Appendix B. Updates to RFC6304 . . . . . . . . . . . . . . . . . 20 | Appendix B. Editorial Notes . . . . . . . . . . . . . . . . . . . 20 | |||
| B.1. Changes to Section 2.1, Zones . . . . . . . . . . . . . . 20 | B.1. Change History . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| B.2. Changes to Section 2.2, Nameservers . . . . . . . . . . . 20 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| B.3. Changes to Section 3.4, Routing Software . . . . . . . . . 20 | ||||
| B.4. Changes to Section 3.5, DNS Software . . . . . . . . . . . 20 | ||||
| B.5. Changes to Section 3.6, Testing a Newly Installed Node . . 20 | ||||
| B.6. Changes to Section 6, On the Future of AS112 Nodes . . . . 20 | ||||
| B.7. Changes to Section 8, Security Considerations . . . . . . 21 | ||||
| B.8. Changes to Appendix A, History . . . . . . . . . . . . . . 21 | ||||
| Appendix C. Editorial Notes . . . . . . . . . . . . . . . . . . . 22 | ||||
| C.1. Change History . . . . . . . . . . . . . . . . . . . . . . 22 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 | ||||
| 1. Introduction | 1. Introduction | |||
| The AS112 project is described in detail in [RFC6304]. | The AS112 project is described in detail in [RFC6304]. | |||
| The AS112 nameservers (PRISONER.IANA.ORG, BLACKHOLE-1.IANA.ORG and | The AS112 nameservers (PRISONER.IANA.ORG, BLACKHOLE-1.IANA.ORG and | |||
| BLACKHOLE-2.IANA.ORG) are required to answer authoritatively for each | BLACKHOLE-2.IANA.ORG) are required to answer authoritatively for each | |||
| and every zone that is delegated to them. | and every zone that is delegated to them. | |||
| If a zone is delegated to AS112 nameservers without those nameservers | If a zone is delegated to AS112 nameservers without those nameservers | |||
| skipping to change at page 4, line 27 ¶ | skipping to change at page 4, line 27 ¶ | |||
| known as a "lame delegation". | known as a "lame delegation". | |||
| AS112 nameserver operators are only loosely-coordinated, and hence | AS112 nameserver operators are only loosely-coordinated, and hence | |||
| adding support for a new zone (or, correspondingly, removing support | adding support for a new zone (or, correspondingly, removing support | |||
| for a zone that is no longer delegated to the AS112 nameservers) is | for a zone that is no longer delegated to the AS112 nameservers) is | |||
| difficult to accomplish with accuracy; testing AS112 nameservers | difficult to accomplish with accuracy; testing AS112 nameservers | |||
| remotely to see whether they are configured to answer authoritatively | remotely to see whether they are configured to answer authoritatively | |||
| for a particular zone is similarly challenging since AS112 nodes are | for a particular zone is similarly challenging since AS112 nodes are | |||
| distributed using anycast [RFC4786]. | distributed using anycast [RFC4786]. | |||
| This document proposes that instead of delegating individual zones to | This document proposes a more flexibl approach for sinking queries on | |||
| AS112 nameservers, DNAME [RFC6672] redirection be used instead. This | AS112 infrastructure that can be deployed alongside unmodified, | |||
| approach has the advantage that query traffic for arbitrary parts of | existing AS112 nodes. Instead of delegating additional zones | |||
| the namespace can be directed to AS112 servers without those servers | directly to AS112 nameservers, DNAME [RFC6672] redirection is used | |||
| having to be reconfigured every time a zone is added or removed. | instead. This approach has the advantage that query traffic for | |||
| arbitrary parts of the namespace can be directed to AS112 servers | ||||
| without those servers having to be reconfigured every time a zone is | ||||
| added or removed. | ||||
| 2. Design Overview | 2. Design Overview | |||
| A new zone, EMPTY.AS112.ARPA, is delegated to a single nameserver | A new zone, EMPTY.AS112.ARPA, is delegated to a single nameserver | |||
| BLACKHOLE.AS112.ARPA (IPv4 address TBAv4-1, IPv6 address TBAv6-1). | BLACKHOLE.AS112.ARPA (IPv4 address TBAv4-1, IPv6 address TBAv6-1). | |||
| The IPv4 address TBAv4-1 has been assigned by the IANA such that the | The IPv4 address TBAv4-1 has been assigned by the IANA such that the | |||
| address is coverable by a single IPv4 /24 prefix, and that no other | address is coverable by a single IPv4 /24 prefix, and that no other | |||
| address covered by that prefix is in use. The IPv6 address TBAv6-1 | address covered by that prefix is in use. The IPv6 address TBAv6-1 | |||
| has been similarly assigned such that no other address within a | has been similarly assigned such that no other address within a | |||
| covering /48 is in use. This addressing plan accommodates the | covering /48 is in use. This addressing plan accommodates the | |||
| anycast distribution of the BLACKHOLE.AS112.ARPA service using a | anycast distribution of the BLACKHOLE.AS112.ARPA service using a | |||
| single IPv4 service prefix and a single IPv6 service prefix. See | single IPv4 service prefix and a single IPv6 service prefix. See | |||
| [RFC4786] for more discussion of anycast service distribution; see | [RFC4786] for more discussion of anycast service distribution; see | |||
| Section 8 for the specific requests this document makes of the IANA. | Section 8 for the specific requests this document makes of the IANA. | |||
| Some or all of the existing AS112 nodes should be extended to support | Some or all of the existing AS112 nodes should be extended to support | |||
| these new nameserver addresses, and to host the EMPTY.AS112.ARPA | these new nameserver addresses, and to host the EMPTY.AS112.ARPA | |||
| zone. See Section 3.1 for guidance to AS112 server operators. | zone. See [I-D.jabley-dnsop-rfc6304bis] for revised guidance to | |||
| AS112 server operators. | ||||
| Each part of the DNS namespace for which it is desirable to sink | Each part of the DNS namespace for which it is desirable to sink | |||
| queries at AS112 nameservers should be redirected to the | queries at AS112 nameservers should be redirected to the | |||
| EMPTY.AS112.ARPA zone using DNAME [RFC6672]. See Section 3.2 for | EMPTY.AS112.ARPA zone using DNAME [RFC6672]. See Section 3.2 for | |||
| guidance to zone administrators. | guidance to zone administrators. | |||
| 3. AS112 Operations | 3. AS112 Operations | |||
| 3.1. Extensions to Support DNAME Redirection | 3.1. Extensions to Support DNAME Redirection | |||
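Review bot: the rewritten opening paragraph of the Introduction (right column) introduces a spelling error, "a more flexibl approach", which should read "a more flexible approach"; since the -01 change history claims that egregious spelling mistakes were fixed, this one should be corrected before the next revision. The same paragraph also now says the mechanism "can be deployed alongside unmodified, existing AS112 nodes", while Section 2 still says some or all existing nodes "should be extended"; a short clause making clear that extension is optional per node (as Section 3.1 already states) would reconcile the two.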
| skipping to change at page 6, line 27 ¶ | skipping to change at page 6, line 27 ¶ | |||
| It is only necessary for a single AS112 server operator to implement | It is only necessary for a single AS112 server operator to implement | |||
| these extensions for this mechanism to function as intended. It is | these extensions for this mechanism to function as intended. It is | |||
| beneficial if many more than one AS112 server operators make these | beneficial if many more than one AS112 server operators make these | |||
| changes, however, since that provides for greater distribution and | changes, however, since that provides for greater distribution and | |||
| capacity for the nameservers serving the EMPTY.AS112.ARPA zone. It | capacity for the nameservers serving the EMPTY.AS112.ARPA zone. It | |||
| is not necessary for all AS112 server operators to make these changes | is not necessary for all AS112 server operators to make these changes | |||
| for the mechanism to be viable. | for the mechanism to be viable. | |||
| Detailed instructions for the implementation of these extensions is | Detailed instructions for the implementation of these extensions is | |||
| included in Appendix B. | included in [I-D.jabley-dnsop-rfc6304bis]. | |||
| 3.2. Redirection of Query Traffic to AS112 Servers | 3.2. Redirection of Query Traffic to AS112 Servers | |||
| Once the EMPTY.AS112.ARPA zone has been deployed using the | Once the EMPTY.AS112.ARPA zone has been deployed using the | |||
| nameservers described in Section 3.1, redirections may be installed | nameservers described in Section 3.1, redirections may be installed | |||
| in the DNS namespace for queries that are intended to be answered by | in the DNS namespace for queries that are intended to be answered by | |||
| the AS112 infrastructure. | the AS112 infrastructure. | |||
| For example, reverse queries corresponding to TEST-NET-1 | For example, reverse queries corresponding to TEST-NET-1 | |||
| (192.0.2.0/24) [RFC5737] could be redirected to AS112 nameservers by | (192.0.2.0/24) [RFC5737] could be redirected to AS112 nameservers by | |||
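Review bot: "Detailed instructions for the implementation of these extensions is included in [I-D.jabley-dnsop-rfc6304bis]" keeps the subject-verb disagreement from -00; it should read "instructions ... are included". Now that the detailed instructions live in a separate draft, Section 3.1 would also benefit from one sentence saying what an operator needs from that draft (the new nameserver addresses, the new prefixes and the EMPTY.AS112.ARPA zone contents), so the reader of this document knows what they are being sent to look up.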
| skipping to change at page 12, line 51 ¶ | skipping to change at page 13, line 22 ¶ | |||
| 1209600 ; expire | 1209600 ; expire | |||
| 3600 ) ; negative cache TTL | 3600 ) ; negative cache TTL | |||
| NS A.IANA-SERVERS.NET. | NS A.IANA-SERVERS.NET. | |||
| NS B.IANA-SERVERS.NET. | NS B.IANA-SERVERS.NET. | |||
| NS C.IANA-SERVERS.NET. | NS C.IANA-SERVERS.NET. | |||
| BLACKHOLE A TBAv4-1 | BLACKHOLE A TBAv4-1 | |||
| AAAA TBAv6-1 | AAAA TBAv6-1 | |||
| HOSTNAME NS BLACKHOLE | ||||
| EMPTY NS BLACKHOLE | EMPTY NS BLACKHOLE | |||
| Figure 2 | Figure 2 | |||
| 8.3. Delegation of AS112.ARPA | 8.3. Delegation of AS112.ARPA | |||
| Once the AS112.ARPA zone is being hosted in production, the IANA is | Once the AS112.ARPA zone is being hosted in production, the IANA is | |||
| requested to arrange delegation from the ARPA zone according to | requested to arrange delegation from the ARPA zone according to | |||
| normal IANA procedure for ARPA zone management, to the nameservers | normal IANA procedure for ARPA zone management, to the nameservers | |||
| used in carrying out the direction in Section 8.2. The following | used in carrying out the direction in Section 8.2. The following | |||
| metadata is suggested for the delegation, but may be changed by the | metadata is suggested for the delegation, but may be changed by the | |||
| IANA if required: | IANA if required: | |||
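Review bot: the added row "HOSTNAME NS BLACKHOLE" in Figure 2 delegates HOSTNAME.AS112.ARPA to BLACKHOLE.AS112.ARPA, but the visible text (Section 2 and Section 8.3) only ever describes EMPTY.AS112.ARPA as a zone AS112 nodes must host. Unless HOSTNAME.AS112.ARPA is also added to the list of zones operators answer authoritatively for (now deferred to [I-D.jabley-dnsop-rfc6304bis]) and its purpose is explained in Section 8, the new delegation is exactly the lame delegation the Introduction warns about; suggest a sentence in Section 2 describing the zone and adding it to the hosting requirements.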
| skipping to change at page 16, line 9 ¶ | skipping to change at page 16, line 9 ¶ | |||
| [RFC6304]. | [RFC6304]. | |||
| 10. Acknowledgements | 10. Acknowledgements | |||
| Your name here, etc. | Your name here, etc. | |||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [I-D.jabley-dnsop-rfc6304bis] | ||||
| Abley, J. and W. Maton, "AS112 Nameserver Operations", | ||||
| draft-jabley-dnsop-rfc6304bis-00 (work in progress), | ||||
| February 2014. | ||||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
| specification", STD 13, RFC 1035, November 1987. | specification", STD 13, RFC 1035, November 1987. | |||
| [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | |||
| NCACHE)", RFC 2308, March 1998. | NCACHE)", RFC 2308, March 1998. | |||
| [RFC6304] Abley, J. and W. Maton, "AS112 Nameserver Operations", | [RFC6304] Abley, J. and W. Maton, "AS112 Nameserver Operations", | |||
| RFC 6304, July 2011. | RFC 6304, July 2011. | |||
| [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the | [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the | |||
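Review bot: [I-D.jabley-dnsop-rfc6304bis] is listed under Normative References while still a work in progress, and Sections 2 and 3.1 now depend on it for all operator guidance, so this document cannot be acted on until that draft is published. The -00 text in Appendix B said the two documents were intended for joint publication; with Appendix B removed that intent should be restated (in the Introduction or as a note to the RFC Editor) so the dependency is explicit. Minor: the Acknowledgements placeholder "Your name here, etc." survives into -01.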
| skipping to change at page 20, line 5 ¶ | skipping to change at page 20, line 5 ¶ | |||
| resolvers that fail to resolve a domain name that contains a DNAME | resolvers that fail to resolve a domain name that contains a DNAME | |||
| redirection. However the failure rate of slightly lower than 3% for | redirection. However the failure rate of slightly lower than 3% for | |||
| the control URL indicates that the failure rate for the DNAME | the control URL indicates that the failure rate for the DNAME | |||
| construct lies within the bounds of error within the experimental | construct lies within the bounds of error within the experimental | |||
| framework. We conclude that there is no evidence of a consistent | framework. We conclude that there is no evidence of a consistent | |||
| failure on the part of deployed DNS resolvers to correctly resolve a | failure on the part of deployed DNS resolvers to correctly resolve a | |||
| DNAME construct. | DNAME construct. | |||
| This experiment was conducted by Geoff Huston and George Michaelson. | This experiment was conducted by Geoff Huston and George Michaelson. | |||
| Appendix B. Updates to RFC6304 | Appendix B. Editorial Notes | |||
| The following changes are required to [RFC6304] to provide support | ||||
| for AS112 redirection. It is proposed that a successor document to | ||||
| [RFC6304] be prepared for joint publication with this document in the | ||||
| interests of providing clear advice to prospective new AS112 | ||||
| operators. The following sub-sections are hence provided mainly only | ||||
| to describe the scope of the changes required for 6304bis, and are | ||||
| not intended for publication in this document. References to this | ||||
| section in this document should ultimately be replaced with | ||||
| references to 6304bis. | ||||
| B.1. Changes to Section 2.1, Zones | ||||
| The list of zones that the AS112 nameserver should answer | ||||
| authoritatively for is extended to include EMPTY.AS112.ARPA. | ||||
| B.2. Changes to Section 2.2, Nameservers | ||||
| The nameserver BLACKHOLE.AS112.ARPA (IPv4 address TBAv4-1, IPv6 | ||||
| address TBAv6-1) is added to the list of nameserver addresses that | ||||
| the AS112 node should support. The IPv4 prefix TBAv4/24 and the IPv6 | ||||
| prefix TBAv6/48 are added as new prefixes to be originated. | ||||
| B.3. Changes to Section 3.4, Routing Software | ||||
| The sample configuration provided in this section is extended to | ||||
| accommodate the IPv4 and IPv6 service prefixes associated with AS112 | ||||
| redirection, TBAv4/24 and TBAv6/48, respectively. | ||||
| B.4. Changes to Section 3.5, DNS Software | ||||
| The sample configuration provided in this section is extended to | ||||
| accommodate the TBAv4-1 and TBAv6-1 addresses and the | ||||
| EMPTY.AS112.ARPA zone. The contents of the EMPTY.AS112.ARPA zone | ||||
| should be specified (nameservers differ from that included as | ||||
| "db.empty"). | ||||
| B.5. Changes to Section 3.6, Testing a Newly Installed Node | ||||
| Testing should be extended to test for correct hosting of the | ||||
| EMPTY.AS112.ARPA zone. | ||||
| B.6. Changes to Section 6, On the Future of AS112 Nodes | ||||
| A reference to this document should be included. | ||||
| B.7. Changes to Section 8, Security Considerations | ||||
| Mention should be made that AS112 redirection, as specified in this | ||||
| document, supports DNSSEC in the sense that the DNAME records which | ||||
| signal the redirection can be signed. | ||||
| B.8. Changes to Appendix A, History | ||||
| A reference to this document should be included. | ||||
| Appendix C. Editorial Notes | ||||
| This section (and sub-sections) to be removed prior to publication. | This section (and sub-sections) to be removed prior to publication. | |||
| C.1. Change History | B.1. Change History | |||
| 00 Initial write-up of Brian's idea, circulated for the purposes of | 00 Initial write-up of Brian's idea, circulated for the purposes of | |||
| entertainment. | entertainment. | |||
| 01 Some particularly egregious spelling mistakes fixed. Warren | 01 Some particularly egregious spelling mistakes fixed. Warren | |||
| Kumari and George Michaelson added as co-authors. Intended status | Kumari and George Michaelson added as co-authors. Intended status | |||
| changed to informational. Appendix on DNAME testing added, | changed to informational. Appendix on DNAME testing added, | |||
| describing an experiment conducted by Geoff Huston and George | describing an experiment conducted by Geoff Huston and George | |||
| Michaelson. | Michaelson. | |||
| 00 Adopted by dnsop in IETF88, Vancouver; resubmitted as | 00 Adopted by dnsop in IETF88, Vancouver; resubmitted as | |||
| draft-ietf-dnsop-as112-dname. Changed contact info for Brian. | draft-ietf-dnsop-as112-dname. Changed contact info for Brian. | |||
| 01 Minor updates following submission of | ||||
| [I-D.jabley-dnsop-rfc6304bis]. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Joe Abley | Joe Abley | |||
| Dyn, Inc. | Dyn, Inc. | |||
| 470 Moore Street | 470 Moore Street | |||
| London, ON N6C 2C2 | London, ON N6C 2C2 | |||
| Canada | Canada | |||
| Phone: +1 519 670 9327 | Phone: +1 519 670 9327 | |||
| Email: jabley@dyn.com | Email: jabley@dyn.com | |||
| Brian Dickson | Brian Dickson | |||
| Verisign Labs | Verisign Labs | |||
| 12061 Bluemont Way | 12061 Bluemont Way | |||
| Reston, VA 20190 | Reston, VA 20190 | |||
| USA | ||||
| Email: bdickson@verisign.com | Email: bdickson@verisign.com | |||
| Warren Kumari | Warren Kumari | |||
| 1600 Amphitheatre Parkway | 1600 Amphitheatre Parkway | |||
| Mountain View, CA 94043 | Mountain View, CA 94043 | |||
| USA | ||||
| Email: warren@kumari.net | Email: warren@kumari.net | |||
| George Michaelson | George Michaelson | |||
| APNIC | APNIC | |||
| Email: ggm@apnic.net | Email: ggm@apnic.net | |||
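Review bot: removing Appendix B drops the only statement visible in this diff that AS112 redirection supports DNSSEC because the DNAME records signalling the redirection can be signed (old B.7); Section 9 (Security Considerations) is not shown here, so confirm that point now appears there or in [I-D.jabley-dnsop-rfc6304bis] rather than being lost with the appendix. Two smaller points: the change history now carries two entries each labelled 00 and 01 (individual submission and post-adoption), so labelling the earlier pair with the pre-adoption draft name would remove the ambiguity; and the "USA" lines in the Dickson and Kumari addresses appear on only one side of the diff, which looks unintentional.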
| End of changes. 17 change blocks. | ||||
| 83 lines changed or deleted | 34 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||