< draft-wkumari-dnsop-multiple-responses-00.txt   draft-wkumari-dnsop-multiple-responses-01.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Standards Track Z. Yan Intended status: Standards Track Z. Yan
Expires: July 15, 2015 CNNIC Expires: January 07, 2016 CNNIC
W. Hardaker W. Hardaker
Parsons, Inc. Parsons, Inc.
January 11, 2015 July 06, 2015
Returning multiple answers in a DNS response. Returning multiple answers in DNS responses.
draft-wkumari-dnsop-multiple-responses-00 draft-wkumari-dnsop-multiple-responses-01
Abstract Abstract
This document (re)introduces the ability to provide multiple answers This document (re)introduces the ability to provide multiple answers
in a DNS response. in a DNS response.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 15, 2015. This Internet-Draft will expire on January 07, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 12 skipping to change at page 2, line 12
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Returning multiple answers . . . . . . . . . . . . . . . . . 3 4. Returning multiple answers . . . . . . . . . . . . . . . . . 3
5. Additional records pseudo-RR . . . . . . . . . . . . . . . . 4 5. Additional records pseudo-RR . . . . . . . . . . . . . . . . 5
6. Signalling support . . . . . . . . . . . . . . . . . . . . . 5 5.1. File Format . . . . . . . . . . . . . . . . . . . . . . . 5
7. Use of Additional information . . . . . . . . . . . . . . . . 6 5.2. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 5
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. Signaling support . . . . . . . . . . . . . . . . . . . . . . 6
9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 7. Stub-Resolver Considerations . . . . . . . . . . . . . . . . 6
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 8. Use of Additional information . . . . . . . . . . . . . . . . 6
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
11.1. Normative References . . . . . . . . . . . . . . . . . . 7 10. Security Considerations . . . . . . . . . . . . . . . . . . . 7
11.2. Informative References . . . . . . . . . . . . . . . . . 7 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 7 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 12.1. Normative References . . . . . . . . . . . . . . . . . . 7
12.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
Often the name being resolved in the DNS provides information about Often the name being resolved in the DNS provides information about
why the name is being resolved, allowing the authoritative name why the name is being resolved, allowing the authoritative name
server operator to predict what other answers the client will soon server operator to predict what other answers the client will soon
query for. By providing multiple answers in the response, the query for. By providing multiple answers in the response, an
authoritative name server operator can ensure that the recursive authoritative name server operator can ensure that the recursive
server that the client is using has all the answers in its cache. server that the client is using has all the answers in its cache.
For example, the name server operator of Example Widgets, Inc For example, the name server operator of Example Widgets, Inc
(example.com) knows that the example.com web page at www.example.com (example.com) knows that the example.com web page at www.example.com
contains various resources, including some images (served from contains various other resources, including some images (served from
images.example.com), some Cascading Style Sheets (served from images.example.com), some Cascading Style Sheets (served from
css.example.com) and some JavaScript (data.example.com). A client css.example.com) and some JavaScript (data.example.com). A client
attempting to resolve www.example.com is very likely to be a web attempting to resolve www.example.com is very likely to be a web
browser, rendering the page, and so will need to also resolve all of browser rendering the page and so will need to also resolve all of
the other names for these other resources. Providing all of these the other names to obtain these other resources. Providing all of
answers in response to a query for www.example.com allows the these answers in response to a query for www.example.com allows the
recursive server to populate its cache and have all of the answers recursive server to populate its cache and have all of the answers
available when the client asks for them. available when the client asks for them.
Other examples where this technique is useful include SMTP (including Other examples where this technique is useful include SMTP (including
the mail server address when serving the MX record), SRV (providing the mail server address when serving the MX record), SRV (providing
the target information in addition to the SRV response) and TLSA the target information in addition to the SRV response) and TLSA
(providing any TLSA records associated with a name). (providing any TLSA records associated with a name).
This is purely an optimization - by providing all of other, related This is purely an optimization - by providing all of other, related
answers that the client is likely to need along with the answer that answers that the client is likely to need along with the answer that
skipping to change at page 4, line 4 skipping to change at page 4, line 8
4. Returning multiple answers 4. Returning multiple answers
The authoritative nameserver should include as many of the instructed The authoritative nameserver should include as many of the instructed
Additional records and Supporting information as will fit in the Additional records and Supporting information as will fit in the
response packet. response packet.
In order to include Additional records in a response, certain In order to include Additional records in a response, certain
conditions need to be met. [Ed note: Some discussion on each rule is conditions need to be met. [Ed note: Some discussion on each rule is
below] below]
1. Additional records MUST only be included when the primary name is
DNSSEC secured.
2. Additional records MUST only be served over TCP connections. 1. Additional records MUST only be included when the primary name
This is to mitigate Denial of Service reflection attacks.[1] and each additional record are signed using DNSSEC "valid".
3. Additional records MUST be leaf records at the same node in the 2. Additional records MUST only be served over TCP connections, or
DNS tree[2] when DNS Cookies [ToDo: Ref] are in use. This is to mitigate
Denial of Service reflection attacks.[1]
4. The DNSSEC supporting information must be included. This is the 3. Additional records SHOULD be contained within the same zone as
RRSIGs required to validate the Additional record information. the primary name[2], or MAY be additionally be contained within a
child zone for which the name server is authoritative for,
assuming all DNSSEC validation records required to validate the
child(ren) are included as well. Note that the DS record, and NS
and glue records for a child zone may be returned even when no
other additional data for the child will be included.
5. All of the records MUST be signed with the same DNSSEC keys. 4. The DNSSEC supporting information necessary to perform validation
on the records must be included. I.E., the RRSIGs required to
validate the Additional record information must be included.
6. The authoritative nameserver SHOULD include as many of the 5. The authoritative nameserver SHOULD include as many of the
additional records as will fit in the response. Each Additional additional records as will fit in the response. Each Additional
record MUST have its matching Supporting information. Additional record MUST have its matching Supporting information. Additional
records MUST be inserted in the order specified in the Additional records MUST be inserted in the order specified in the Additional
records list. records list.
7. Operators SHOULD only include Additional answers that they expect 6. Operators SHOULD only include Additional answers that they expect
a client to actually need. [3] a client to actually need. [3]
[Ed note 1: The above MAY be troll bait. I'm not really sure if this [Ed note 1: The above MAY be troll bait. I'm not really sure if this
is a good idea or not - moving folk towards TCP is probably a good is a good idea or not - moving folk towards TCP is probably a good
idea, and this is somewhat of an optional record type. Then again, idea, and this is somewhat of an optional record type. Then again,
special handing (TCP only) for a record would be unusual. Additional special handing (TCP only) for a record would be unusual. Additional
records could cause responses to become really large, but there are records could cause responses to become really large, but there are
already enough large records that can be used for reflection attacks already enough large records that can be used for reflection attacks
that we can just give up on the whole "keep responses as small as that we can just give up on the whole "keep responses as small as
possible" ship. ] possible" ship. ]
skipping to change at page 4, line 48 skipping to change at page 5, line 9
is this rule actually needed? I *think* it would be bad for .com is this rule actually needed? I *think* it would be bad for .com
servers to be able to include Additional records for servers to be able to include Additional records for
www.foo.bar.baz.example.com, but perhaps <handwave>public-suffix- www.foo.bar.baz.example.com, but perhaps <handwave>public-suffix-
list?! This rule also makes it easier to decide what all DNSSEC list?! This rule also makes it easier to decide what all DNSSEC
information is required.] information is required.]
[Ed note 3: This is not enforceable. ] [Ed note 3: This is not enforceable. ]
5. Additional records pseudo-RR 5. Additional records pseudo-RR
To allow the authoritative nameserver operator to configure what To allow the authoritative nameserver operator to configure the name
additional records to serve when it receives a query to a label, we server with the additional records to serve when it receives a query
introduce the Additional pseudo Resource Record (RR). This is a to a label, we introduce the Additional Resource Record (RR).
pseudo-record as it provides instruction to the authoritative
nameserver, and does not appear on the wire. [Ed note: I had
originally considered a comment, or some sort of format where we
listed additional records under the primary one, but we a: wanted it
to survive zone transfers, and b: not trip up zone file parsers. ]
The format of the Additional pseudo-RR is: 5.1. File Format
label ADD "label,typel; label,type; label,type; ..." The format of the Additional RR is:
label ADD "label,type; label,type; label,type; ..."
For example, if the operator of example.com would like to also return For example, if the operator of example.com would like to also return
A record answers for images.example.com, css.example.com and both an A record answers for images.example.com, css.html.example.com and
A and AAAA for data.example.com when queried for www.example.com he both an A and AAAA for data.example.com when queried for
would enter: www.example.com he would enter:
www ADD "images,A; css,A; data,A; data,AAA;" www ADD "images,A; css.html,A; data,A; data,AAA;"
The entries in the ADD list are ordered. An authoritative nameserver The entries in the ADD list are ordered. An authoritative nameserver
MUST attempt to insert the records in the order listed when filling SHOULD insert the records in the order listed when filling the
the response packet. This is to allow the operator to express a response packet. This is to allow the operator to express a
preference in case all the records to not fit. The TTL of the preference in case all the records to not fit. The TTL of the
records added to the Additional section are the same as if queried records added to the Additional section are MUST be the same as if
directly. queried directly.
In some cases the operator might not really know what all additional In some cases the operator might not know what all additional records
records clients need. For example, the owner of www.example.com may clients need. For example, the owner of www.example.com may have
have outsourced his DNS operations to a third party. The DNS outsourced his DNS operations to a third party. DNS operators may be
operator may be able to mine their query logs, and see that, in a able to mine their query logs, and see that, in a large majority of
large majority of cases, a recursive server asks for foo.example.com cases, a recursive server asks for foo.example.com and then very soon
and then very soon after asks for bar.example.com, and so may decide after asks for bar.example.com, and so may decide to optimize this by
to optimize this by opportunistically returning bar when queried for opportunistically returning bar when queried for foo. This
foo. This functionality could also be included in the authoritative functionality could also be included in the authoritative name server
name server software itself, but discussions of these re outside the software itself, but discussions of these re outside the scope of
scope of this document. this document.
6. Signalling support 5.2. Wire Format
Iterative nameservers that support Additional records signal this by The wire format of the Additional RR is the same as the wire format
setting the Z bit (bit 25 of the DNS header). for a TXT RR:
[RFC5395] Section 2.1 says: +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/ TXT-DATA /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
There have been ancient DNS implementations for which the Z bit Where TXT-DATA is one or more charter-strings.
being on in a query meant that only a response from the primary
server for a zone is acceptable. It is believed that current
DNS implementations ignore this bit.
Assigning a meaning to the Z bit requires an IETF Standards Action. The Additional RR has RR type TBD [RFC Editor: insert the IANA
assigned value and delete this note]
[ Ed note: Hey, was worth a try :-) I'm fine with an EDNS0 bit 6. Signaling support
instead... ]
7. Use of Additional information Iterative nameservers that support Additional records signal this by
setting the OPT record's PL ("plus") bit (bit NN [TBD: assigned by
IANA] in the EDNS0 extension header to 1.
7. Stub-Resolver Considerations
No modifications need to be made to stub-resolvers to get the
predominate benefit of this protocol, since the majority of the speed
gain will take place between the validating recursive resolver and
the authoritative name server. However, stub resolvers may wish to
query directly for the Additional RR if it wants to pre-query for
data that will likely be needed in the process of supporting its
application.
8. Use of Additional information
When receiving Additional information, an iterative server follows When receiving Additional information, an iterative server follows
certain rules: certain rules:
1. Additional records MUST be validated before being used. 1. Additional records MUST be validated before being used.
2. Additional records SHOULD be annotated in the cache as having 2. Additional records SHOULD be annotated in the cache as having
been received as Additional records. been received as Additional records.
3. Additional records SHOULD have lower priority in the cache than 3. Additional records SHOULD have lower priority in the cache than
answers received because they were requested. This is to help answers received because they were requested. This is to help
evict Additional records from the cache first, and help stop evict Additional records from the cache first, and help stop
cache filling attacks. cache filling attacks.
4. Iterative servers MAY choose to ignore Additional records for any 4. Iterative servers MAY choose to ignore Additional records for any
reason, including CPU or cache space concerns, phase of the moon, reason, including CPU or cache space concerns, phase of the moon,
etc. It may choose to only accept all, some or none of the etc. It may choose to only accept all, some or none of the
Additional records. Additional records.
8. IANA Considerations 9. IANA Considerations
This document contains no IANA considerations.Template: Fill this in! This document contains the following IANA assignment requirements:
9. Security Considerations 1. The PL bit discussed in Section 6 needs to be allocated.
10. Security Considerations
Additional records will make DNS responses even larger than they are Additional records will make DNS responses even larger than they are
currently, leading to more large records that can be used for DNS currently, leading to more large records that can be used for DNS
reflection attacks. We mitigate this by only serving these over TCP. reflection attacks. We mitigate this by only serving these over TCP.
A malicious authorative server could include a large number of A malicious authoritative server could include a large number of
Additional records (and associated DNSSEC information) and attempt to Additional records (and associated DNSSEC information) and attempt to
DoS the recursive by making it do lots of DNSSEC validation. I don't DoS the recursive by making it do lots of DNSSEC validation. I don't
view this as a very serious threat (CPU for validation is cheap view this as a very serious threat (CPU for validation is cheap
compared to bandwith), but we mitigate this by allowing the iterative compared to bandwidth), but we mitigate this by allowing the
to ignore Additional records whenever it wants. iterative to ignore Additional records whenever it wants.
By requiring the ALL of the Additional records are signed, and all By requiring the ALL of the Additional records are signed, and all
necessary DNSSEC information for validation be included we avoid necessary DNSSEC information for validation be included we avoid
cache poisoning (I hope :-)) cache poisoning (I hope :-))
10. Acknowledgements 11. Acknowledgements
The authors wish to thank some folk. The authors wish to thank some folk.
11. References 12. References
11.1. Normative References 12.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[RFC5395] Eastlake, D., "Domain Name System (DNS) IANA [RFC5395] Eastlake, D., "Domain Name System (DNS) IANA
Considerations", RFC 5395, November 2008. Considerations", RFC 5395, November 2008.
[Ref.Bellovin] [Ref.Bellovin]
Bellovin, S., "Using the Domain Name System for System Bellovin, S., "Using the Domain Name System for System
Break-Ins", 1995, <https://www.cs.columbia.edu/~smb/ Break-Ins", 1995, <https://www.cs.columbia.edu/~smb/papers
papers/dnshack.pdf>. /dnshack.pdf>.
11.2. Informative References 12.2. Informative References
[I-D.ietf-sidr-iana-objects] [I-D.ietf-sidr-iana-objects]
Manderson, T., Vegoda, L., and S. Kent, "RPKI Objects Manderson, T., Vegoda, L., and S. Kent, "RPKI Objects
issued by IANA", draft-ietf-sidr-iana-objects-03 (work in issued by IANA", draft-ietf-sidr-iana-objects-03 (work in
progress), May 2011. progress), May 2011.
Appendix A. Changes / Author Notes. Appendix A. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
 End of changes. 40 change blocks. 
84 lines changed or deleted 105 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/