Diff of draft-ietf-dnsop-dns-tcp-requirements-14.txt (left column, shown below as [draft-14]) against draft-ietf-dnsop-dns-tcp-requirements-15.txt (right column, shown below as [draft-15]). Text that is identical in both drafts appears once.
Domain Name System Operations                              J.T. Kristoff
Internet-Draft                                             DataPlane.org
Updates: 1123, 1536 (if approved)                             D. Wessels
Intended status: Best Current Practice                          Verisign
[draft-14] Expires: 10 June 2022                         7 December 2021
[draft-15] Expires: 10 July 2022                          6 January 2022

            DNS Transport over TCP - Operational Requirements
[draft-14]         draft-ietf-dnsop-dns-tcp-requirements-14
[draft-15]         draft-ietf-dnsop-dns-tcp-requirements-15

Abstract

This document updates RFC 1123 and RFC 1536. This document requires the operational practice of permitting DNS messages to be carried over TCP on the Internet as a Best Current Practice. This operational requirement is aligned with the implementation requirements in RFC 7766. The use of TCP includes both DNS over unencrypted TCP, as well as over an encrypted TLS session. The document also considers the consequences of this form of DNS

skipping to change at page 1, line 39

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

[draft-14] This Internet-Draft will expire on 10 June 2022.
[draft-15] This Internet-Draft will expire on 10 July 2022.

Copyright Notice

[draft-14] Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.
[draft-15] Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

skipping to change at page 2, line 33
(Table of contents, continued. Where a page number changed between the two drafts it is given as draft-14/draft-15.)

   4.2.  Connection Management .... 12
   4.3.  Connection Termination .... 13
   4.4.  DNS-over-TLS .... 13
   4.5.  Defaults and Recommended Limits .... 14
   5.    DNS over TCP Filtering Risks .... 15
   5.1.  Truncation, Retries, and Timeouts .... 15
   5.2.  DNS Root Zone KSK Rollover .... 16
   6.    Logging and Monitoring .... 16
   7.    IANA Considerations .... 17
   8.    Security Considerations .... 17
   9.    Privacy Considerations .... 17/18
   10.   Acknowledgments .... 18
   11.   References .... 18
   11.1. Normative References .... 18
   11.2. Informative References .... 19
   Appendix A.  Standards Related to DNS Transport over TCP .... 26/27
   A.1.  IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION .... 26/27
   A.2.  IETF RFC 1536 - Common DNS Implementation Errors and Suggested Fixes .... 27
   A.3.  IETF RFC 1995 - Incremental Zone Transfer in DNS .... 27
   A.4.  IETF RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) .... 27
   A.5.  IETF RFC 2181 - Clarifications to the DNS Specification .... 27
   A.6.  IETF RFC 2694 - DNS extensions to Network Address Translators (DNS_ALG) .... 27/28
   A.7.  IETF RFC 3225 - Indicating Resolver Support of DNSSEC .... 27/28
   A.8.  IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message size requirements .... 28
   A.9.  IETF RFC 4472 - Operational Considerations and Issues with IPv6 DNS .... 28
   A.10. IETF RFC 5452 - Measures for Making DNS More Resilient against Forged Answers .... 28
   A.11. IETF RFC 5507 - Design Choices When Expanding the DNS .... 28/29
   A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines .... 28/29
   A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) .... 29
   A.14. IETF RFC 7534 - AS112 Nameserver Operations .... 29
   A.15. IETF RFC 6762 - Multicast DNS .... 29
   A.16. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) .... 29
   A.17. IETF RFC 6950 - Architectural Considerations on Application Features in the DNS .... 29/30
   A.18. IETF RFC 7477 - Child-to-Parent Synchronization in DNS .... 29/30
   A.19. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment Requirements .... 30
   A.20. IETF RFC 7766 - DNS Transport over TCP - Implementation Requirements .... 30
   A.21. IETF RFC 7828 - The edns-tcp-keepalive EDNS(0) Option .... 30
   A.22. IETF RFC 7858 - Specification for DNS over Transport Layer Security (TLS) .... 30/31
   A.23. IETF RFC 7873 - Domain Name System (DNS) Cookies .... 30/31
   A.24. IETF RFC 7901 - CHAIN Query Requests in DNS .... 31
   A.25. IETF RFC 8027 - DNSSEC Roadblock Avoidance .... 31
   A.26. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS) .... 31/32
   A.27. IETF RFC 8162 - Using Secure DNS to Associate Certificates with Domain Names for S/MIME .... 31/32
   A.28. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look? .... 31/32
   A.29. IETF RFC 8467 - Padding Policies for Extension Mechanisms for DNS (EDNS(0)) .... 32
   A.30. IETF RFC 8482 - Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY .... 32
   A.31. IETF RFC 8483 - Yeti DNS Testbed .... 32/33
   A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) .... 32/33
   A.33. IETF RFC 8490 - DNS Stateful Operations .... 32/33
   A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service Providers .... 33
   A.35. IETF RFC 8806 - Running a Root Server Local to a Resolver .... 33
   A.36. IETF RFC 8906 - A Common Operational Problem in DNS Servers: Failure to Communicate .... 33
   A.37. IETF RFC 8932 - Recommendations for DNS Privacy Service Operators .... 33/34
   A.38. IETF RFC 8945 - Secret Key Transaction Authentication for DNS (TSIG) .... 33/34
   Authors' Addresses .... 33/34
1. Introduction

DNS messages are delivered using UDP or TCP communications. While most DNS transactions are carried over UDP, some operators have been led to believe that any DNS over TCP traffic is unwanted or unnecessary for general DNS operation. When DNS over TCP has been restricted, a variety of communication failures and debugging challenges often arise. As DNS and new naming system features have evolved, TCP as a transport has become increasingly important for the

skipping to change at page 14, line 5
describing how this works. Although DNS-over-TLS utilizes TCP port 853 instead of port 53, this document applies equally well to DNS-over-TLS. Note, however, DNS-over-TLS is only defined between stubs and recursives at the time of this writing.

The use of TLS places even stronger operational burdens on DNS clients and servers. Cryptographic functions for authentication and encryption require additional processing. Unoptimized connection setup with TLS 1.3 [RFC8446] takes one additional round-trip compared to TCP.

[draft-14] Connection setup times can be reduced with TCP Fast Open, and TLS False Start [RFC7918]. TLS session resumption does not reduce round-trip latency because no application profile for use of TLS 0-RTT data with DNS has been published at the time of this writing. However, TLS session resumption can reduce the number of cryptographic operations.

[draft-15] Connection setup times can be reduced with TCP Fast Open, and TLS False Start [RFC7918] for TLS 1.2. TLS 1.3 session resumption does not reduce round-trip latency because no application profile for use of TLS 0-RTT data with DNS has been published at the time of this writing. However, TLS session resumption can reduce the number of cryptographic operations, and in TLS 1.2, session resumption does reduce the number of additional round trips from two to one.
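Review bot: In the draft-15 wording "with TCP Fast Open, and TLS False Start [RFC7918] for TLS 1.2" the qualifier "for TLS 1.2" can be read as covering TCP Fast Open as well, which is transport-level and version-independent; suggest "with TCP Fast Open [RFC7413] and, for TLS 1.2, TLS False Start [RFC7918]", which also attaches the [RFC7413] citation that the new Section 8 paragraph uses for TFO but this paragraph still omits. The added closing clause (TLS 1.2 resumption cuts the extra round trips from two to one) agrees with the unchanged statement that unoptimized TLS 1.3 setup costs one round trip over TCP, so the two versions are now covered consistently.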
4.5. Defaults and Recommended Limits

A survey of features and defaults was conducted for popular open source DNS server implementations at the time of writing. This section documents those defaults and makes recommendations for configurable limits that can be used in the absence of any other information. Any recommended values in this document are only intended as a starting point for administrators that are unsure what sorts of limits might be reasonable. Operators SHOULD use

skipping to change at page 17, line 11

As an alternative to packet capture, some DNS server software supports dnstap [dnstap] as an integrated monitoring protocol intended to facilitate wide-scale DNS monitoring.
7. IANA Considerations

This memo includes no request to IANA.

8. Security Considerations

[draft-15 adds] This document, providing operational requirements, is the companion to the implementation requirements of DNS over TCP, provided in [RFC7766]. The security considerations from [RFC7766] still apply.

Ironically, returning truncated DNS over UDP answers in order to induce a client query to switch to DNS over TCP has become a common response to source address spoofed, DNS denial-of-service attacks [RRL]. Historically, operators have been wary of TCP-based attacks, but in recent years, UDP-based flooding attacks have proven to be the most common protocol attack on the DNS. Nevertheless, a high rate of short-lived DNS transactions over TCP may pose challenges. In fact, [DAI21] details a class of IP fragmentation attacks on DNS transactions if the IP Identifier field (16 bits in IPv4 and 32 bits in IPv6) can be predicted and a system is coerced to fragment rather

[draft-14] skipping to change at page 17, line 37
[draft-15] skipping to change at page 17, line 41
series of documents such as [RFC4953], [RFC4987], [RFC5927], and [RFC5961].

As mentioned in Section 6, applications that implement TCP stream reassembly need to limit the amount of memory allocated to connection tracking. A failure to do so could lead to a total failure of the logging or monitoring application. Imposition of resource limits creates a tradeoff between allowing some stream reassembly to continue and allowing some evasion attacks to succeed.
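Added example, not code from the draft or its authors: a Python stream reassembler for DNS over TCP that enforces the per-connection memory limit the paragraph above calls for and decodes the TC bit that the truncation-to-TCP practice earlier in this section depends on. The 2-octet length framing is the one RFC 1035 and RFC 7766 specify; the 512-octet limit, the names and every message are constructed assumptions.

```python
# Added example (not from the draft): a bounded DNS-over-TCP stream reassembler of
# the kind a monitoring application needs. Samples are constructed; limits are assumed.
import struct

class DnsTcpStream:
    """Reassembles length-prefixed DNS messages from one direction of a TCP stream."""
    def __init__(self, max_buffered=4096):
        self.buf, self.max_buffered = b"", max_buffered
        self.dropped = False  # set once the limit is hit; the stream is abandoned

    def feed(self, segment):
        """Append one TCP segment payload; return any complete DNS messages."""
        if self.dropped:
            return []
        self.buf += segment
        if len(self.buf) > self.max_buffered:
            # Bounded memory: abandon the stream rather than grow without limit.
            # The tradeoff is that a peer can evade monitoring this way.
            self.buf, self.dropped = b"", True
            return []
        msgs = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])  # RFC 1035/7766 prefix
            if length < 12:  # shorter than a DNS header: malformed framing
                self.buf, self.dropped = b"", True
                return msgs
            if len(self.buf) < 2 + length:
                break  # wait for the rest of this message
            msgs.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return msgs

def summarize(msg):
    """Decode header ID, QR and TC flags, and the first question of a message."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    out = {"id": msg_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200)}
    if qdcount == 0:
        return out
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:  # a compression pointer is not valid in a question name
            raise ValueError("compressed QNAME in question section")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    out["qname"] = ".".join(labels) + "."
    out["qtype"] = struct.unpack("!H", msg[pos + 1:pos + 3])[0]  # after root label
    return out

def build_query(msg_id, qname, qtype=1, tc=False):
    """Constructed sample: a DNS query for qname, or a truncated reply if tc."""
    flags = 0x0100 | (0x8200 if tc else 0)  # RD; QR+TC marks a truncated answer
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return hdr + name + b"\x00" + struct.pack("!HH", qtype, 1)

def run_demo():
    """Two queries in one stream, delivered in segments that split the framing."""
    msgs = [build_query(0x1234, "example.com."), build_query(0x1235, "example.net.", 28)]
    wire = b"".join(struct.pack("!H", len(m)) + m for m in msgs)  # TCP length prefix
    stream, got = DnsTcpStream(max_buffered=512), []
    for seg in (wire[:1], wire[1:20], wire[20:]):
        got += stream.feed(seg)
    return [summarize(m) for m in got]

def flood_demo():
    """A prefix promising 60000 octets plus filler: the limit trips, nothing is kept."""
    stream = DnsTcpStream(max_buffered=512)
    stream.feed(struct.pack("!H", 60000) + b"\x00" * 600)
    return stream.dropped
```

A monitoring tool built this way keeps its memory bounded per connection, at the cost the draft names: once a stream is abandoned, messages on it are no longer seen.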
[draft-15 adds] This document recommends that DNS Servers enable TFO when possible. [RFC7413] recommends that a pool of servers behind a load balancer with shared server IP address also share the key used to generate Fast Open cookies, to prevent inordinate fallback to the 3WHS. This guidance remains accurate, but comes with a caveat: compromise of one server would reveal this group-shared key, and allow for attacks involving the other servers in the pool by forging invalid Fast Open cookies.
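Review bot: "by forging invalid Fast Open cookies" in the last sentence states the risk backwards: what a leaked pool key lets an attacker do is forge cookies that the other servers accept as valid, so suggest "by forging Fast Open cookies that the other servers in the pool accept". The caveat would also be more useful to operators if it said what follows from it, for instance that the shared key needs the same handling and periodic rotation as any other group-shared secret; as written the reader gets a warning and no guidance. Two smaller points: "DNS Servers" is capitalised differently from "DNS clients and servers" in Section 4.4, and "3WHS" is unexpanded here, so confirm it is expanded at first use or write "three-way handshake".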
9. Privacy Considerations

Since DNS over both UDP and TCP uses the same underlying message format, the use of one transport instead of the other does not change the privacy characteristics of the message content (i.e., the name being queried). A number of protocols have recently been developed to provide DNS privacy, including DNS over TLS [RFC7858], DNS over DTLS [RFC8094], DNS over HTTPS [RFC8484], with even more on the way. Because TCP is somewhat more complex than UDP, some characteristics

End of changes. 20 change blocks. 29 lines changed or deleted, 44 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/