< draft-kristoff-dnsop-dns-tcp-requirements-00.txt   draft-kristoff-dnsop-dns-tcp-requirements-01.txt >
Domain Name System Operations J. Kristoff Domain Name System Operations J. Kristoff
Internet-Draft Team Cymru Internet-Draft DePaul University
Intended status: Best Current Practice March 11, 2016 Intended status: Best Current Practice August 25, 2016
Expires: September 12, 2016 Expires: February 26, 2017
DNS Transport over TCP - Operational Requirements DNS Transport over TCP - Operational Requirements
draft-kristoff-dnsop-dns-tcp-requirements-00 draft-kristoff-dnsop-dns-tcp-requirements-01
Abstract Abstract
This document encourages the practice of permitting DNS messages to This document encourages the practice of permitting DNS messages to
be carried over TCP on the Internet. It also describes some of the be carried over TCP on the Internet. It also describes some of the
consequences of this behavior and the potential operational issues consequences of this behavior and the potential operational issues
that can arise when this best common practice is not applied. that can arise when this best common practice is not applied.
Status of This Memo Status of This Memo
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2016. This Internet-Draft will expire on February 26, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1. Uneven Transport Usage and Preference . . . . . . . . . . 2 2.1. Uneven Transport Usage and Preference . . . . . . . . . . 2
2.2. Waiting for Large Messages and Reliability . . . . . . . 3 2.2. Waiting for Large Messages and Reliability . . . . . . . 3
2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 4 3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 4
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 4. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 5 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . 5 8.1. Normative References . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
DNS messages may be delivered using UDP or TCP communications. While DNS messages may be delivered using UDP or TCP communications. While
most DNS transactions are carried over UDP, some operators have been most DNS transactions are carried over UDP, some operators have been
led to believe that any DNS over TCP traffic is unwanted or led to believe that any DNS over TCP traffic is unwanted or
unnecessary for general DNS operation. As DNS usage has evolved, DNS unnecessary for general DNS operation. As usage and features have
over TCP has become increasingly important for correct and safe evolved, TCP transport has become increasingly important for correct
operation of the Internet DNS. Reflecting modern usage, the DNS and safe operation of the Internet DNS. Reflecting modern usage, the
standards were recently updated to declare support for TCP is now a DNS standards were recently updated to declare support for TCP is now
required part of the DNS implementation specifications in [RFC7766]. a required part of the DNS implementation specifications in
This document is the formal requirements equivalent for the [RFC7766]. This document is the formal requirements equivalent for
operational community, encouraging operators to ensure DNS over TCP the operational community, encouraging operators to ensure DNS over
communications support in on par with DNS over UDP communications. TCP communications support in on par with DNS over UDP
communications.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Background 2. Background
2.1. Uneven Transport Usage and Preference 2.1. Uneven Transport Usage and Preference
In the original suite of DNS specifications, [RFC1034] and [RFC1035] In the original suite of DNS specifications, [RFC1034] and [RFC1035]
clearly specified that DNS messages could be carried in either UDP or clearly specified that DNS messages could be carried in either UDP or
TCP, but they also made clear a preference for UDP as the transport TCP, but they also made clear a preference for UDP as the transport
for queries in the general case. As stated in [RFC1035]: for queries in the general case. As stated in [RFC1035]:
"While virtual circuits can be used for any DNS activity, "While virtual circuits can be used for any DNS activity,
datagrams are preferred for queries due to their lower overhead datagrams are preferred for queries due to their lower overhead
and better performance." and better performance."
Another early, important and influential document, [RFC1123], Another early, important, and influential document, [RFC1123],
detailed the preference for UDP more explicitly: detailed the preference for UDP more explicitly:
"DNS resolvers and recursive servers MUST support UDP, and SHOULD "DNS resolvers and recursive servers MUST support UDP, and SHOULD
support TCP, for sending (non-zone-transfer) queries." support TCP, for sending (non-zone-transfer) queries."
and further stipulated: and further stipulated:
A name server MAY limit the resources it devotes to TCP queries, A name server MAY limit the resources it devotes to TCP queries,
but it SHOULD NOT refuse to service a TCP query just because it but it SHOULD NOT refuse to service a TCP query just because it
would have succeeded with UDP. would have succeeded with UDP.
skipping to change at page 4, line 13 skipping to change at page 4, line 13
solidify its dominance for message transactions. solidify its dominance for message transactions.
2.3. EDNS0 2.3. EDNS0
In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0) In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0)
in [RFC2671]. This document standardized a way for communicating DNS in [RFC2671]. This document standardized a way for communicating DNS
nodes to perform rudimentary capabilities negotiation. One such nodes to perform rudimentary capabilities negotiation. One such
capability written into the base specification and present in every capability written into the base specification and present in every
ENDS0 compatible message is the value of the maximum UDP payload size ENDS0 compatible message is the value of the maximum UDP payload size
the sender can support. This unsigned 16-bit field specifies in the sender can support. This unsigned 16-bit field specifies in
bytes the maximum DNS MTU. In practice, typical values are from a bytes the maximum DNS MTU. In practice, typical values are a subset
subset of ranges between 512 to 4096 bytes inclusive. EDNS0 was of the 512 to 4096 byte range. EDNS0 was rapidly and widely deployed
rapidly and widely deployed over the next several years and numerous over the next several years and numerous surveys have shown many
surveys have shown many systems currently support larger UDP MTUs systems currently support larger UDP MTUs [CASTRO2010], [NETALYZR]
[CASTRO2010], [NETALYZR] with EDNS0. with EDNS0.
The natural effect of EDNS0 deployment meant large DNS messages would The natural effect of EDNS0 deployment meant large DNS messages would
be less reliant on TCP than they might otherwise have been. While a be less reliant on TCP than they might otherwise have been. While a
nonneglible population of DNS systems lack EDNS0 or may still fall nonneglible population of DNS systems lack EDNS0 or may still fall
back to TCP for some transactions, DNS over TCP transactions remain a back to TCP for some transactions, DNS over TCP transactions remain a
very small fraction of overall DNS traffic [VERISIGN]. Nevertheless, very small fraction of overall DNS traffic [VERISIGN]. Nevertheless,
some average increase in DNS message size, the continued development some average increase in DNS message size, the continued development
of new DNS features and a denial of service mitigation technique (see of new DNS features and a denial of service mitigation technique (see
Section 6) have suggested that DNS over TCP transactions are as Section 7) have suggested that DNS over TCP transactions are as
important to the correct and safe operation of the Internet DNS as important to the correct and safe operation of the Internet DNS as
ever, if not more so. Furthermore, there has been serious research ever, if not more so. Furthermore, there has been serious research
that has suggested connection-oriented DNS transactions may provide that has suggested connection-oriented DNS transactions may provide
security and privacy advantages over UDP transport [TDNS]. It might security and privacy advantages over UDP transport [TDNS].
be desirable for network operators to avoid artificially inhibiting Therefore, it might be desirable for network operators to avoid
potential utility and advances in the DNS such as these. artificially inhibiting the potential utility and advances in the DNS
such as these.
3. DNS over TCP Requirements 3. DNS over TCP Requirements
Even while many in the DNS community expect DNS over TCP transactions Even while many in the DNS community expect DNS over TCP transactions
to occur without interference, in practice there has been a long held to occur without interference, in practice there has been a long held
belief by some operators, particularly for security-related reasons, belief by some operators, particularly for security-related reasons,
to the contrary [CHES94], [DJBDNS]. A popular meme has also held the to the contrary [CHES94], [DJBDNS]. A popular meme has also held the
imagination of some that DNS over TCP is only ever used for zone imagination of some that DNS over TCP is only ever used for zone
transfers and is generally unnecessary otherwise, with filtering any transfers and is generally unnecessary otherwise, with filtering all
DNS over TCP traffic even described as a best practice. Arguably any DNS over TCP traffic even described as a best practice. Arguably any
exposed Internet service poses some risk, but these beliefs are often exposed Internet service poses some risk, but these beliefs are often
invalid. DNS over TCP filtering is considered harmful in the general invalid. DNS over TCP filtering is considered harmful in the general
case. DNS resolver and server operators MUST provide DNS service case. DNS resolver and server operators MUST provide DNS service
over both UDP and TCP transports. over both UDP and TCP transports. Likewise, network operators MUST
allow DNS service over both UDP and TCP transports.
4. Acknowledgements 4. DNS over TCP Filtering Risks
Networks that filter DNS over TCP may inadvertently cause problems
for third party resolvers as experienced by [TOYAMA]. If for
instance a resolver receives a truncated answer from a server, but if
when the resolver resends the query using TCP and the TCP response
never arrives, the resolver will incur the full extent of TCP
retransmissions and time outs.
Networks that filter DNS over TCP risk losing access to significant
or important pieces of the DNS name space. For a variety of reasons
a DNS answer may require a DNS over TCP query. This may include
large message sizes, lack of EDNS0 support, DDoS mitigation
techniques, or perhaps some future capability that is as yet
unforeseen will also demand TCP transport.
Even if any or all particular answers have consistently been returned
successfuly with UDP in the past, this continued behavior cannot be
guaranteed when DNS messages are exchanged between autonomous
systems. Therefore, filtering of DNS over TCP is considered harmful
and contrary to the safe and successful operation of the Internet.
5. Acknowledgements
This document was initially motivated by feedback from students who This document was initially motivated by feedback from students who
pointed out that they were hearing contradictory information about pointed out that they were hearing contradictory information about
filtering DNS over TCP messages. Thanks in particular to my teaching filtering DNS over TCP messages. Thanks in particular to my teaching
colleague, JPL, who perhaps unknowingly encouraged the initial colleague, JPL, who perhaps unknowingly encouraged the initial
research into to differences of what the IETF community has research into the differences of what the IETF community has
historically said and did. Thanks to all the NANOG 63 attendees who historically said and did. Thanks to all the NANOG 63 attendees who
provided feedback to an early talk on this subject. provided feedback to an early talk on this subject.
5. IANA Considerations 6. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
6. Security Considerations 7. Security Considerations
Ironically, returning truncated DNS over UDP answers in order to Ironically, returning truncated DNS over UDP answers in order to
induce a client query to switch to DNS over TCP has become a common induce a client query to switch to DNS over TCP has become a common
response to source address spoofed, DNS denial-of-service attacks response to source address spoofed, DNS denial-of-service attacks
[RRL]. Historically, operators have been wary of TCP-based attacks, [RRL]. Historically, operators have been wary of TCP-based attacks,
but in recent years, UDP-based flooding attacks have proven to be the but in recent years, UDP-based flooding attacks have proven to be the
most common protocol attack on the DNS. Nevertheless, a high rate of most common protocol attack on the DNS. Nevertheless, a high rate of
short-lived DNS transactions over TCP may pose challenges. While short-lived DNS transactions over TCP may pose challenges. While
many operators have provided DNS over TCP service for many years many operators have provided DNS over TCP service for many years
without duress, past experience is no guarantee of future success. without duress, past experience is no guarantee of future success.
DNS over TCP is not unlike many other Internet TCP services. TCP DNS over TCP is not unlike many other Internet TCP services. TCP
threats and many mitigation strategies have been well documented in threats and many mitigation strategies have been well documented in
series of documents such as [RFC4953], [RFC4987], [RFC5927], and series of documents such as [RFC4953], [RFC4987], [RFC5927], and
[RFC5961]. [RFC5961].
Networks that filter DNS over TCP may inadvertently cause problems 8. References
for third party resolvers as experienced by [TOYAMA]. If for
instance a resolver receives a truncated answer from a server, but if
when the resolver resends the query using TCP and the TCP response
never arrives, the resolver will incur the full extent of TCP
retransmissions and time outs.
7. References
7.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
7.2. Informative References 8.2. Informative References
[CASTRO2010] [CASTRO2010]
Castro, S., Zhang, M., John, W., Wessels, D., and k. Castro, S., Zhang, M., John, W., Wessels, D., and k.
claffy, "Understanding and preparing for DNS evolution", claffy, "Understanding and preparing for DNS evolution",
2010. 2010.
[CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet [CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet
Security: Repelling the Wily Hacker", 1994. Security: Repelling the Wily Hacker", 1994.
[DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002, [DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002,
skipping to change at page 7, line 38 skipping to change at page 8, line 13
Servers", NANOG 32 Reston, VA USA, 2004. Servers", NANOG 32 Reston, VA USA, 2004.
[VERISIGN] [VERISIGN]
Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in
Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los
Angeles, 2014. Angeles, 2014.
Author's Address Author's Address
John Kristoff John Kristoff
Team Cymru DePaul University
Chicago, IL Chicago, IL
US US
Phone: +1 312 493 0305 Phone: +1 312 493 0305
Email: jtk@cymru.com Email: jtk@depaul.edu
 End of changes. 20 change blocks. 
47 lines changed or deleted 66 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/