| < draft-ietf-dnsop-avoid-fragmentation-02.txt | draft-ietf-dnsop-avoid-fragmentation-03.txt > | |||
|---|---|---|---|---|
| Network Working Group K. Fujiwara | Network Working Group K. Fujiwara | |||
| Internet-Draft JPRS | Internet-Draft JPRS | |||
| Intended status: Best Current Practice P. Vixie | Intended status: Best Current Practice P. Vixie | |||
| Expires: March 19, 2021 Farsight | Expires: 27 May 2021 Farsight | |||
| September 15, 2020 | 23 November 2020 | |||
| Fragmentation Avoidance in DNS | Fragmentation Avoidance in DNS | |||
| draft-ietf-dnsop-avoid-fragmentation-02 | draft-ietf-dnsop-avoid-fragmentation-03 | |||
| Abstract | Abstract | |||
| EDNS0 enables a DNS server to send large responses using UDP and is | EDNS0 enables a DNS server to send large responses using UDP and is | |||
| widely deployed. Path MTU discovery remains widely undeployed due to | widely deployed. Path MTU discovery remains widely undeployed due to | |||
| security issues, and IP fragmentation has exposed weaknesses in | security issues, and IP fragmentation has exposed weaknesses in | |||
| application protocols. Currently, DNS is known to be the largest | application protocols. Currently, DNS is known to be the largest | |||
| user of IP fragmentation. It is possible to avoid IP fragmentation | user of IP fragmentation. It is possible to avoid IP fragmentation | |||
| in DNS by limiting response size where possible, and signaling the | in DNS by limiting response size where possible, and signaling the | |||
| need to upgrade from UDP to TCP transport where necessary. This | need to upgrade from UDP to TCP transport where necessary. This | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 19, 2021. | This Internet-Draft will expire on 27 May 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | license-info) in effect on the date of publication of this document. | |||
| publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
| carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. Code Components | |||
| to this document. Code Components extracted from this document must | extracted from this document must include Simplified BSD License text | |||
| include Simplified BSD License text as described in Section 4.e of | as described in Section 4.e of the Trust Legal Provisions and are | |||
| the Trust Legal Provisions and are provided without warranty as | provided without warranty as described in the Simplified BSD License. | |||
| described in the Simplified BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Proposal to avoid IP fragmentation in DNS . . . . . . . . . . 4 | 3. Proposal to avoid IP fragmentation in DNS . . . . . . . . . . 4 | |||
| 3.1. Recommendations for UDP requestors . . . . . . . . . . . 4 | 3.1. Recommendations for UDP responders . . . . . . . . . . . 4 | |||
| 3.2. Recommendations for UDP responders . . . . . . . . . . . 4 | 3.2. Recommendations for UDP requestors . . . . . . . . . . . 5 | |||
| 4. Maximum DNS/UDP payload size . . . . . . . . . . . . . . . . 5 | 4. Maximum DNS/UDP payload size . . . . . . . . . . . . . . . . 5 | |||
| 5. Incremental deployment . . . . . . . . . . . . . . . . . . . 6 | 5. Incremental deployment . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Request to zone operators and DNS server operators . . . . . 6 | 6. Request to zone operators and DNS server operators . . . . . 7 | |||
| 7. Considerations . . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Considerations . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7.1. Protocol compliance . . . . . . . . . . . . . . . . . . . 6 | 7.1. Protocol compliance . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 8 | 11.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||
| Appendix A. How to retrieve path MTU value to a destination from | Appendix A. How to retrieve path MTU value to a destination from | |||
| applications . . . . . . . . . . . . . . . . . . . . 9 | applications . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix B. Minimal-responses . . . . . . . . . . . . . . . . . 9 | Appendix B. Minimal-responses . . . . . . . . . . . . . . . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| DNS has EDNS0 [RFC6891] mechanism. It enables a DNS server to send | DNS has EDNS0 [RFC6891] mechanism. It enables a DNS server to send | |||
| large responses using UDP. EDNS0 is now widely deployed, and DNS | large responses using UDP. EDNS0 is now widely deployed, and DNS | |||
| (over UDP) is said to be the biggest user of IP fragmentation. | (over UDP) is said to be the biggest user of IP fragmentation. | |||
| However, "Fragmentation Considered Poisonous" [Herzberg2013] proposed | However, "Fragmentation Considered Poisonous" [Herzberg2013] proposed | |||
| effective off-path DNS cache poisoning attack vectors using IP | effective off-path DNS cache poisoning attack vectors using IP | |||
| fragmentation. "IP fragmentation attack on DNS" [Hlavacek2013] and | fragmentation. "IP fragmentation attack on DNS" [Hlavacek2013] and | |||
| skipping to change at page 3, line 38 ¶ | skipping to change at page 3, line 44 ¶ | |||
| that the size of the IP and TCP headers is known, as well as the far | that the size of the IP and TCP headers is known, as well as the far | |||
| end's MSS parameter and the interface or path MTU, so that the | end's MSS parameter and the interface or path MTU, so that the | |||
| segment size can be chosen so as to keep the each IP datagram below a | segment size can be chosen so as to keep the each IP datagram below a | |||
| target size. This takes advantage of the elasticity of TCP's | target size. This takes advantage of the elasticity of TCP's | |||
| packetizing process as to how much queued data will fit into the next | packetizing process as to how much queued data will fit into the next | |||
| segment. In contrast, DNS over UDP has little datagram size | segment. In contrast, DNS over UDP has little datagram size | |||
| elasticity and lacks insight into IP header and option size, and so | elasticity and lacks insight into IP header and option size, and so | |||
| must make more conservative estimates about available UDP payload | must make more conservative estimates about available UDP payload | |||
| space. | space. | |||
| This document proposes to avoid IP fragmentation in DNS/UDP. | This document proposes to set IP_DONTFRAG / IPV6_DONTFRAG in DNS/UDP | |||
| responses in order to avoid IP fragmentation, and describes how to | ||||
| avoid packet losses due to IP_DONTFRAG / IPV6_DONTFRAG. | ||||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| "Requestor" refers to the side that sends a request. "Responder" | "Requestor" refers to the side that sends a request. "Responder" | |||
| skipping to change at page 4, line 4 ¶ | skipping to change at page 4, line 16 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| "Requestor" refers to the side that sends a request. "Responder" | "Requestor" refers to the side that sends a request. "Responder" | |||
| refers to an authoritative, recursive resolver or other DNS component | refers to an authoritative, recursive resolver or other DNS component | |||
| that responds to questions. (Quoted from EDNS0 [RFC6891]) | that responds to questions. (Quoted from EDNS0 [RFC6891]) | |||
| "Path MTU" is the minimum link MTU of all the links in a path between | "Path MTU" is the minimum link MTU of all the links in a path between | |||
| a source node and a destination node. (Quoted from [RFC8201]) | a source node and a destination node. (Quoted from [RFC8201]) | |||
| "Path MTU discovery" is defined by [RFC1191], [RFC8201] and | "Path MTU discovery" is defined by [RFC1191], [RFC8201] and | |||
| [RFC8899]. | [RFC8899]. | |||
| Many of the specialized terms used in this document are defined in | Many of the specialized terms used in this document are defined in | |||
| DNS Terminology [RFC8499]. | DNS Terminology [RFC8499]. | |||
| 3. Proposal to avoid IP fragmentation in DNS | 3. Proposal to avoid IP fragmentation in DNS | |||
| The methods to avoid IP fragmentation in DNS are described below: | The methods to avoid IP fragmentation in DNS are described below: | |||
| 3.1. Recommendations for UDP requestors | 3.1. Recommendations for UDP responders | |||
| o UDP requestors SHOULD send DNS responses with IP_DONTFRAG / | * UDP responders SHOULD send DNS responses with IP_DONTFRAG / | |||
| IPV6_DONTFRAG [RFC3542] options. | IPV6_DONTFRAG [RFC3542] options. | |||
| o UDP requestors MAY probe to discover the real MTU value per | * If the UDP responder detects immediate error that the UDP packet | |||
| cannot be sent beyond the path MTU size (EMSGSIZE), the UDP | ||||
| responder MAY recreate response packets fit in path MTU size, or | ||||
| TC bit set. | ||||
| * UDP responders MAY probe to discover the real MTU value per | ||||
| destination. If the path MTU discovery failed or is impossible, | destination. If the path MTU discovery failed or is impossible, | |||
| use the default path MTU described in Section 4. | use the default path MTU described in Section 4. | |||
| o UDP reqoestors SHOULD use the requestor's payload size to limit | * UDP responders SHOULD compose UDP responses that result in IP | |||
| the path MTU value minus the IP header length and UDP header | packets that do not exceed the path MTU to the requestor. Of | |||
| length. Of course, as in the conventional case, a specified value | course, as in the conventional case, a specified value (1220 or | |||
| (1220 or 1232) as the requestor's payload size may be used. | 1232) as the DNS packet size limit may be used. | |||
| o UDP requestors MAY drop fragmented DNS/UDP responses without IP | ||||
| reassembly to avoid cache poisoning attacks. | ||||
| o DNS responses may be dropped by IP fragmentation. Upon a timeout, | The cause and effect of the TC bit is unchanged from EDNS0 | |||
| UDP requestors may retry using TCP or UDP, per local policy. | [RFC6891]. | |||
| 3.2. Recommendations for UDP responders | 3.2. Recommendations for UDP requestors | |||
| o UDP responders SHOULD send DNS responses with IP_DONTFRAG / | * UDP requestors SHOULD send DNS responses with IP_DONTFRAG / | |||
| IPV6_DONTFRAG [RFC3542] options. | IPV6_DONTFRAG [RFC3542] options. | |||
| o UDP responders MAY probe to discover the real MTU value per | * UDP requestors MAY probe to discover the real MTU value per | |||
| destination. If the path MTU discovery failed or is impossible, | destination. If the path MTU discovery failed or is impossible, | |||
| use the default path MTU described in Section 4. | use the default path MTU described in Section 4. | |||
| o UDP responders SHOULD compose UDP responses that result in IP | * UDP reqoestors SHOULD use the requestor's payload size to limit | |||
| packets that do not exceed the path MTU to the requestor. Of | the path MTU value minus the IP header length and UDP header | |||
| course, as in the conventional case, a specified value (1220 or | length. Of course, as in the conventional case, a specified value | |||
| 1232) as the DNS packet size limit may be used. | (1220 or 1232) as the requestor's payload size may be used. | |||
| The cause and effect of the TC bit is unchanged from EDNS0 | * UDP requestors MAY drop fragmented DNS/UDP responses without IP | |||
| [RFC6891]. | reassembly to avoid cache poisoning attacks. | |||
| * DNS responses may be dropped by IP fragmentation. Upon a timeout, | ||||
| UDP requestors may retry using TCP or UDP, per local policy. | ||||
| 4. Maximum DNS/UDP payload size | 4. Maximum DNS/UDP payload size | |||
| Default path MTU value for IPv6 is XXXX. Default path MTU value for | Default path MTU value for IPv6 is XXXX. Default path MTU value for | |||
| IPv4 is XXXX. | IPv4 is XXXX. | |||
| Discussions under here will be deleted when the discussion is over. | Discussions under here will be deleted when the discussion is over. | |||
| There are many discussions for default path MTU values. | There are many discussions for default path MTU values. | |||
| o The minimum MTU for an IPv6 interface is 1280 octets (see | * The minimum MTU for an IPv6 interface is 1280 octets (see | |||
| Section 5 of [RFC8200]). Then, we can use it as default path MTU | Section 5 of [RFC8200]). Then, we can use it as default path MTU | |||
| value for IPv6. | value for IPv6. | |||
| o Most of the Internet and especially the inner core has an MTU of | * Most of the Internet and especially the inner core has an MTU of | |||
| at least 1500 octets. An operator of a full resolver would be | at least 1500 octets. An operator of a full resolver would be | |||
| well advised to measure their path MTU to several authority name | well advised to measure their path MTU to several authority name | |||
| servers and to a random sample of their expected stub resolver | servers and to a random sample of their expected stub resolver | |||
| client networks, to find the upper boundary on IP/UDP packet size | client networks, to find the upper boundary on IP/UDP packet size | |||
| in the average case. This limit should not be exceeded by most | in the average case. This limit should not be exceeded by most | |||
| messages received or transmitted by a full resolver, or else | messages received or transmitted by a full resolver, or else | |||
| fallback to TCP will occur too often. An operator of | fallback to TCP will occur too often. An operator of | |||
| authoritative servers would also be well advised to measure their | authoritative servers would also be well advised to measure their | |||
| path MTU to several full-service resolvers. The Linux tool | path MTU to several full-service resolvers. The Linux tool | |||
| "tracepath" can be used to measure the path MTU to well known | "tracepath" can be used to measure the path MTU to well known | |||
| authority name servers such as [a-m].root-servers.net or [a- | authority name servers such as [a-m].root-servers.net or [a- | |||
| m].gtld-servers.net. If the reported path MTU is for example no | m].gtld-servers.net. If the reported path MTU is for example no | |||
| smaller than 1460, then the maximum DNS/UDP payload would be 1432 | smaller than 1460, then the maximum DNS/UDP payload would be 1432 | |||
| for IP4 (which is 1460 - IP4 header(20) - UDP header(8)) and 1412 | for IP4 (which is 1460 - IP4 header(20) - UDP header(8)) and 1412 | |||
| for IP6 (which is 1460 - IP6 header(40) - UDP header(8)). To | for IP6 (which is 1460 - IP6 header(40) - UDP header(8)). To | |||
| allow for possible IP options and distant tunnel overhead, a | allow for possible IP options and distant tunnel overhead, a | |||
| useful default for maximum DNS/UDP payload size would be 1400. | useful default for maximum DNS/UDP payload size would be 1400. | |||
| o [RFC4035] defines that "A security-aware name server MUST support | * [RFC4035] defines that "A security-aware name server MUST support | |||
| the EDNS0 message size extension, MUST support a message size of | the EDNS0 message size extension, MUST support a message size of | |||
| at least 1220 octets". Then, the smallest number of the maximum | at least 1220 octets". Then, the smallest number of the maximum | |||
| DNS/UDP payload size is 1220. | DNS/UDP payload size is 1220. | |||
| o DNS flag day 2020 proposed 1232 as an EDNS buffer size. | * In order to avoid IP fragmentation, [DNSFlagDay2020] proposed that | |||
| [DNSFlagDay2020] By the above reasoning, this proposal is either | the UDP requestors set the requestor's payload size to 1232, and | |||
| too small or too large. | the UDP responders compose UDP responses fit in 1232 octets. The | |||
| size 1232 is based on an MTU of 1280, which is required by the | ||||
| IPv6 specification [RFC8200], minus 48 octets for the IPv6 and UDP | ||||
| headers. | ||||
| It is considered that these arguments are diverted from IPv6 | By the above reasoning, this proposal is either too small or too | |||
| values because most IPv4 links have path MTU values larger than or | large. | |||
| equal to the minimum MTU value of IPv6. | ||||
| 5. Incremental deployment | 5. Incremental deployment | |||
| The proposed method supports incremental deployment. | The proposed method supports incremental deployment. | |||
| When a full-service resolver implements the proposed method, its stub | When a full-service resolver implements the proposed method, its stub | |||
| resolvers (clients) and the authority server network will no longer | resolvers (clients) and the authority server network will no longer | |||
| observe IP fragmentation or reassembly from that server, and will | observe IP fragmentation or reassembly from that server, and will | |||
| fall back to TCP when necessary. | fall back to TCP when necessary. | |||
| skipping to change at page 6, line 25 ¶ | skipping to change at page 7, line 11 ¶ | |||
| service resolvers (clients) will no longer observe IP fragmentation | service resolvers (clients) will no longer observe IP fragmentation | |||
| or reassembly from that server, and will fall back to TCP when | or reassembly from that server, and will fall back to TCP when | |||
| necessary. | necessary. | |||
| 6. Request to zone operators and DNS server operators | 6. Request to zone operators and DNS server operators | |||
| Large DNS responses are the result of zone configuration. Zone | Large DNS responses are the result of zone configuration. Zone | |||
| operators SHOULD seek configurations resulting in small responses. | operators SHOULD seek configurations resulting in small responses. | |||
| For example, | For example, | |||
| o Use smaller number of name servers (13 may be too large) | * Use smaller number of name servers (13 may be too large) | |||
| o Use smaller number of A/AAAA RRs for a domain name | * Use smaller number of A/AAAA RRs for a domain name | |||
| o Use 'minimal-responses' configuration: Some implementations have | * Use 'minimal-responses' configuration: Some implementations have | |||
| 'minimal responses' configuration that causes DNS servers to make | 'minimal responses' configuration that causes DNS servers to make | |||
| response packets smaller, containing only mandatory and required | response packets smaller, containing only mandatory and required | |||
| data (Appendix B). | data (Appendix B). | |||
| o Use smaller signature / public key size algorithm for DNSSEC. | * Use smaller signature / public key size algorithm for DNSSEC. | |||
| Notably, the signature size of ECDSA or EdDSA is smaller than RSA. | Notably, the signature size of ECDSA or EdDSA is smaller than RSA. | |||
| 7. Considerations | 7. Considerations | |||
| 7.1. Protocol compliance | 7.1. Protocol compliance | |||
| In prior research ([Fujiwara2018] and dns-operations mailing list | In prior research ([Fujiwara2018] and dns-operations mailing list | |||
| discussions), there are some authoritative servers that ignore EDNS0 | discussions), there are some authoritative servers that ignore EDNS0 | |||
| requestor's UDP payload size, and return large UDP responses. | requestor's UDP payload size, and return large UDP responses. | |||
| skipping to change at page 7, line 29 ¶ | skipping to change at page 8, line 14 ¶ | |||
| [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, | [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, | |||
| DOI 10.17487/RFC1191, November 1990, | DOI 10.17487/RFC1191, November 1990, | |||
| <https://www.rfc-editor.org/info/rfc1191>. | <https://www.rfc-editor.org/info/rfc1191>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, | ||||
| "Advanced Sockets Application Program Interface (API) for | ||||
| IPv6", RFC 3542, DOI 10.17487/RFC3542, May 2003, | ||||
| <https://www.rfc-editor.org/info/rfc3542>. | ||||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Protocol Modifications for the DNS Security | Rose, "Protocol Modifications for the DNS Security | |||
| Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4035>. | <https://www.rfc-editor.org/info/rfc4035>. | |||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <https://www.rfc-editor.org/info/rfc5155>. | <https://www.rfc-editor.org/info/rfc5155>. | |||
| [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | |||
| for DNS (EDNS(0))", STD 75, RFC 6891, | for DNS (EDNS(0))", STD 75, RFC 6891, | |||
| DOI 10.17487/RFC6891, April 2013, | DOI 10.17487/RFC6891, April 2013, | |||
| <https://www.rfc-editor.org/info/rfc6891>. | <https://www.rfc-editor.org/info/rfc6891>. | |||
| [RFC7739] Gont, F., "Security Implications of Predictable Fragment | ||||
| Identification Values", RFC 7739, DOI 10.17487/RFC7739, | ||||
| February 2016, <https://www.rfc-editor.org/info/rfc7739>. | ||||
| [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage | [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage | |||
| Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, | Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, | |||
| March 2017, <https://www.rfc-editor.org/info/rfc8085>. | March 2017, <https://www.rfc-editor.org/info/rfc8085>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", STD 86, RFC 8200, | (IPv6) Specification", STD 86, RFC 8200, | |||
| skipping to change at page 8, line 27 ¶ | skipping to change at page 9, line 5 ¶ | |||
| [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., | [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., | |||
| "Path MTU Discovery for IP version 6", STD 87, RFC 8201, | "Path MTU Discovery for IP version 6", STD 87, RFC 8201, | |||
| DOI 10.17487/RFC8201, July 2017, | DOI 10.17487/RFC8201, July 2017, | |||
| <https://www.rfc-editor.org/info/rfc8201>. | <https://www.rfc-editor.org/info/rfc8201>. | |||
| [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
| Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | |||
| January 2019, <https://www.rfc-editor.org/info/rfc8499>. | January 2019, <https://www.rfc-editor.org/info/rfc8499>. | |||
| [RFC8899] Fairhurst, G., Jones, T., Tuexen, M., Ruengeler, I., and | [RFC8899] Fairhurst, G., Jones, T., Tüxen, M., Rüngeler, I., and T. | |||
| T. Voelker, "Packetization Layer Path MTU Discovery for | Völker, "Packetization Layer Path MTU Discovery for | |||
| Datagram Transports", RFC 8899, DOI 10.17487/RFC8899, | Datagram Transports", RFC 8899, DOI 10.17487/RFC8899, | |||
| September 2020, <https://www.rfc-editor.org/info/rfc8899>. | September 2020, <https://www.rfc-editor.org/info/rfc8899>. | |||
| [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, B., Troan, O., | [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., | |||
| and F. Gont, "IP Fragmentation Considered Fragile", | and F. Gont, "IP Fragmentation Considered Fragile", | |||
| BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020, | BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020, | |||
| <https://www.rfc-editor.org/info/rfc8900>. | <https://www.rfc-editor.org/info/rfc8900>. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [Brandt2018] | [Brandt2018] | |||
| Brandt, M., Dai, T., Klein, A., Shulman, H., and M. | Brandt, M., Dai, T., Klein, A., Shulman, H., and M. | |||
| Waidner, "Domain Validation++ For MitM-Resilient PKI", | Waidner, "Domain Validation++ For MitM-Resilient PKI", | |||
| Proceedings of the 2018 ACM SIGSAC Conference on Computer | Proceedings of the 2018 ACM SIGSAC Conference on Computer | |||
| skipping to change at page 9, line 15 ¶ | skipping to change at page 9, line 40 ¶ | |||
| [Herzberg2013] | [Herzberg2013] | |||
| Herzberg, A. and H. Shulman, "Fragmentation Considered | Herzberg, A. and H. Shulman, "Fragmentation Considered | |||
| Poisonous", IEEE Conference on Communications and Network | Poisonous", IEEE Conference on Communications and Network | |||
| Security , 2013. | Security , 2013. | |||
| [Hlavacek2013] | [Hlavacek2013] | |||
| Hlavacek, T., "IP fragmentation attack on DNS", RIPE 67 | Hlavacek, T., "IP fragmentation attack on DNS", RIPE 67 | |||
| Meeting , 2013, <https://ripe67.ripe.net/ | Meeting , 2013, <https://ripe67.ripe.net/ | |||
| presentations/240-ipfragattack.pdf>. | presentations/240-ipfragattack.pdf>. | |||
| [RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, | ||||
| "Advanced Sockets Application Program Interface (API) for | ||||
| IPv6", RFC 3542, DOI 10.17487/RFC3542, May 2003, | ||||
| <https://www.rfc-editor.org/info/rfc3542>. | ||||
| [RFC7739] Gont, F., "Security Implications of Predictable Fragment | ||||
| Identification Values", RFC 7739, DOI 10.17487/RFC7739, | ||||
| February 2016, <https://www.rfc-editor.org/info/rfc7739>. | ||||
| Appendix A. How to retrieve path MTU value to a destination from | Appendix A. How to retrieve path MTU value to a destination from | |||
| applications | applications | |||
| Socket options: "IP_MTU (since Linux 2.2) Retrieve the current known | Socket options: "IP_MTU (since Linux 2.2) Retrieve the current known | |||
| path MTU of the current socket. Valid only when the socket has been | path MTU of the current socket. Valid only when the socket has been | |||
| connected. Returns an integer. Only valid as a getsockopt(2)." | connected. Returns an integer. Only valid as a getsockopt(2)." | |||
| (Quoted from Debian GNU Linux manual: ip(7)) | (Quoted from Debian GNU Linux manual: ip(7)) | |||
| "IPV6_MTU getsockopt(): Retrieve the current known path MTU of the | "IPV6_MTU getsockopt(): Retrieve the current known path MTU of the | |||
| current socket. Only valid when the socket has been connected. | current socket. Only valid when the socket has been connected. | |||
| skipping to change at page 10, line 4 ¶ | skipping to change at page 10, line 37 ¶ | |||
| below-zone) glue in the additional data section. In case of non- | below-zone) glue in the additional data section. In case of non- | |||
| existent domain name or non-existent type, the start of authority | existent domain name or non-existent type, the start of authority | |||
| (SOA RR) will be placed in the Authority Section. | (SOA RR) will be placed in the Authority Section. | |||
| In addition, if the zone is DNSSEC signed and a query has the DNSSEC | In addition, if the zone is DNSSEC signed and a query has the DNSSEC | |||
| OK bit, signatures are added in answer section, or the corresponding | OK bit, signatures are added in answer section, or the corresponding | |||
| DS RRSet and signatures are added in authority section. Details are | DS RRSet and signatures are added in authority section. Details are | |||
| defined in [RFC4035] and [RFC5155]. | defined in [RFC4035] and [RFC5155]. | |||
| Authors' Addresses | Authors' Addresses | |||
| Kazunori Fujiwara | Kazunori Fujiwara | |||
| Japan Registry Services Co., Ltd. | Japan Registry Services Co., Ltd. | |||
| Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda | Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda, Chiyoda-ku, Tokyo | |||
| Chiyoda-ku, Tokyo 101-0065 | 101-0065 | |||
| Japan | Japan | |||
| Phone: +81 3 5215 8451 | Phone: +81 3 5215 8451 | |||
| Email: fujiwara@jprs.co.jp | Email: fujiwara@jprs.co.jp | |||
| Paul Vixie | Paul Vixie | |||
| Farsight Security Inc | Farsight Security Inc | |||
| 177 Bovet Road, Suite 180 | 177 Bovet Road, Suite 180 | |||
| San Mateo, CA 94402 | San Mateo, CA, 94402 | |||
| United States of America | United States of America | |||
| Phone: +1 650 393 3994 | Phone: +1 650 393 3994 | |||
| Email: vixie@fsi.io | Email: vixie@fsi.io | |||
| End of changes. 39 change blocks. | ||||
| 73 lines changed or deleted | 82 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||