idnits 2.17.1 draft-fujiwara-dnsop-nsec-aggressiveuse-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 125: '...d full resolvers MAY use NSEC/NSEC3 re...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 10, 2015) is 3328 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group K. Fujiwara 3 Internet-Draft JPRS 4 Intended status: Informational A. Kato 5 Expires: September 11, 2015 Keio/WIDE 6 March 10, 2015 8 Aggressive use of NSEC/NSEC3 9 draft-fujiwara-dnsop-nsec-aggressiveuse-00 11 Abstract 13 DNS highly depends on cache, however, cache usage of non-existence 14 information was limited to exact matching. This draft proposes the 15 aggressive use of NSEC/NSEC3 resource record, which is able to 16 express non-existence of range of names authoritatively. With this 17 proposal, shorter latency to many of negative response is expected as 18 well as some level of mitigation of random sub-domain attacks 19 (referred to as "Water Torture" attacks). And more, non-existent TLD 20 queries to Root DNS servers will decrease. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on September 11, 2015. 39 Copyright Notice 41 Copyright (c) 2015 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 58 3. Possible Solution . . . . . . . . . . . . . . . . . . . . . . 3 59 4. Possible side effect . . . . . . . . . . . . . . . . . . . . 4 60 5. Another option . . . . . . . . . . . . . . . . . . . . . . . 5 61 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 62 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 63 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 64 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 65 8.2. Informative References . . . . . . . . . . . . . . . . . 6 66 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 68 1. Introduction 70 While negative (non-existence) information of DNS caching mechanism 71 has been known as DNS negative cache [RFC2308], it requires exact 72 matching in most cases. Assume that "example.com" zone doesn't have 73 names such as "a.example.com" and "b.example.com". When a full 74 resolver receives a query "a.example.com" , it performs a DNS 75 resolution process, and eventually gets NXDOMAIN and cache it into 76 its negative cache. When the full resolver receives another query 77 "b.example.com", it doesn't match with "a.example.com". So it will 78 send a query to one of the authoritative servers of "example.com". 79 This was because the NXDOMAIN response just says there is no such 80 name "a.example.com" and it has no ability to tell that there is no 81 such name "b.example.com". 83 By the way, DNSSEC [RFC4035] [RFC5155] has been practically deployed 84 recently. Two resource record types (NSEC and NSEC3) are used for 85 authentic non-existence. For a zone signed with NSEC, it may be 86 possible to use the information carried in NSEC resource records to 87 indicate that the range of names where no valid name exists. Such 88 use is discouraged by Section 4.5 of RFC 4035. 90 This document proposes to make a minor change to RFC 4035 and the 91 full resolver can use NSEC/NSEC3 resource records aggressively. 93 2. Problem Statement 95 Random sub-domain attacks (referred to as "Water Torture" attacks) 96 send many non-existent queries to full resolvers. Their query names 97 consist of random prefixes and a target domain name. As a result, 98 the negative cache does not work well and target full resolvers 99 result in sending queries to authoritative DNS servers of the target 100 domain name. 102 When number of queries is very large, the full resolver's outstanding 103 queue will be full, and then, the full resolver will drop queries 104 from both users and attackers. 106 The countermeasures performed at present are rate limiting and 107 disabling name resolution of target domain names. 109 3. Possible Solution 111 If the target domain names are DNSSEC signed, aggressive use of NSEC/ 112 NSEC3 resource records solves the problem. 114 DNSSEC defines NSEC resource record. Section 4.5 of [RFC4035] shows 115 that "In theory, a resolver could use wildcards or NSEC RRs to 116 generate positive and negative responses (respectively) until the TTL 117 or signatures on the records in question expire. However, it seems 118 prudent for resolvers to avoid blocking new authoritative data or 119 synthesizing new data on their own. Resolvers that follow this 120 recommendation will have a more consistent view of the namespace". 122 To reduce non-existent queries to authoritative DNS servers, the 123 countermeasure is to relax this restriction. 125 Then, DNSSEC enabled full resolvers MAY use NSEC/NSEC3 resource 126 records to generate negative responses until their effective TTLs or 127 signatures on the records in question expire. 129 This technique is called as "NSEC/NSEC3 aggressive negative caching" 130 in Unbound [Unbound] TODO file. Unbound has aggressive negative 131 caching code in its DLV validator. 133 The full resolver need to check the existence of wildcards. If the 134 cache does not have an NSEC/NSEC3 resource record whose range 135 includes a wildcard ('*') in a zone which the query name belongs to, 136 wildcard may exist in the zone, then, the aggressive use of NSEC/ 137 NSEC3 cannot be applied and the full resolver need to send the query 138 to authoritative DNS servers. 140 If the zone has a wildcard and it is in full resolver's cache, the 141 full resolver may generate positive responses from the wildcard in 142 the cache. 144 This approach is effective for DNSSEC signed zones with NSEC or 145 NSEC3, except zones with NSEC3 Opt-Out. 147 NSEC/NSEC3 aggressive negative caching works as follows. When the 148 query name has a matching NSEC or NSEC3 resource records in the cache 149 and there is no wildcard in the zone which the query name belongs to, 150 a full resolver is allowed to respond with NXDOMAIN error 151 immediately. 153 The matching procedure may be applied to all ancestor domain names of 154 the query name. 156 This function needs care on the TTL value of negative information 157 because newly added domain names cannot be used while the negative 158 information is effective. RFC 2308 states the maximum number of 159 negative cache TTL value is 10800, and this value is reasonable small 160 but still effective for the purpose of this document. 162 It can eliminate significant amount of DNS queries when an attacker 163 tries to send large number of DNS queries by using randomly generated 164 names. 166 The same discussion is applicable for wildcards. If a query name is 167 covered by NSEC or NSEC3 resource records in the cache and there is a 168 covering wildcard, full resolvers can use wildcards to generate 169 positive responses until wildcard and NSEC/NSEC3 resource records in 170 the cache are effective. 172 Aggressive use of wildcards requires aggressive use of negative 173 information because there may be other domain names. 175 4. Possible side effect 177 Aggressive use of NSEC/NSEC3 resource records may decrease queries to 178 Root DNS servers. 180 People may generate many typos and they tend to generate DNS queries. 181 Some implementations leak non-existent TLD queries whose second level 182 domain are different each other. Well observed TLDs are ".local" and 183 ".belkin". With this proposal, it is possible to return NXDOMAIN to 184 such queries without further DNS recursive resolution process. It 185 may reduces round trip time, as well as reduces the DNS queries to 186 corresponding authoritative servers, including Root DNS servers. 188 5. Another option 190 The proposed technique is applicable to zones where there is a NSEC 191 record to each owner name in the zone even without DNSSEC signed. 192 And it is also applicable to full resolvers without DNSSEC 193 validation. Full resolvers can set DNSSEC OK bit in query packets 194 and they will cache NSEC/NSEC3 resource records. They can apply 195 aggressive use of NSEC/NSEC3 resource records without DNSSEC 196 validation. 198 It is highly recommended to sign the zone, of course, and it is 199 recommended to apply DNSSEC validation of NSEC record prior to cache 200 it in the negative cache. 202 6. IANA Considerations 204 This document has no effect on IANA registries. 206 7. Security Considerations 208 Newly registered resource records may not be used immediately. 209 However, choosing suitable TTL value will mitigate the problem and it 210 is not a security problem. 212 It is also suggested to limit the maximum TTL value of NSEC resource 213 records in the negative cache to, for example, 10800 seconds (3hrs), 214 to mitigate the issue. Implementations which comply with this 215 proposal is suggested to have a configurable maximum value of NSEC 216 RRs in the negative cache. 218 Aggressive use of NSEC/NSEC3 resource records without DNSSEC 219 validation may cause security problems. 221 8. References 223 8.1. Normative References 225 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS 226 NCACHE)", RFC 2308, March 1998. 228 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 229 Rose, "Protocol Modifications for the DNS Security 230 Extensions", RFC 4035, March 2005. 232 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 233 Security (DNSSEC) Hashed Authenticated Denial of 234 Existence", RFC 5155, March 2008. 236 8.2. Informative References 238 [Unbound] NLnet Labs, "Unbound DNS validating resolver", 239 . 241 Authors' Addresses 243 Kazunori Fujiwara 244 Japan Registry Services Co., Ltd. 245 Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda 246 Chiyoda-ku, Tokyo 101-0065 247 Japan 249 Phone: +81 3 5215 8451 250 Email: fujiwara@jprs.co.jp 252 Akira Kato 253 Keio University/WIDE Project 254 Graduate School of Media Design, 4-1-1 Hiyoshi 255 Kohoku, Yokohama 223-8526 256 Japan 258 Phone: +81 45 564 2490 259 Email: kato@wide.ad.jp