idnits 2.17.1 draft-ietf-dnsext-nsid-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 14. -- Found old boilerplate from RFC 3978, Section 5.5 on line 405. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 382. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 389. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 395. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 9, 2005) is 6776 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD' is mentioned on line 132, but not defined ** Obsolete normative reference: RFC 2671 (Obsoleted by RFC 6891) ** Obsolete normative reference: RFC 2845 (Obsoleted by RFC 8945) Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Austein 3 Internet-Draft ISC 4 Expires: March 13, 2006 September 9, 2005 6 DNS Name Server Identifier Option (NSID) 7 draft-ietf-dnsext-nsid-00 9 Status of this Memo 11 By submitting this Internet-Draft, each author represents that any 12 applicable patent or other IPR claims of which he or she is aware 13 have been or will be disclosed, and any of which he or she becomes 14 aware will be disclosed, in accordance with Section 6 of BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on March 13, 2006. 34 Copyright Notice 36 Copyright (C) The Internet Society (2005). 38 Abstract 40 With the increased use of DNS anycast, load balancing, and other 41 mechanisms allowing more than one DNS name server to share a single 42 IP address, it is sometimes difficult to tell which of a pool of name 43 servers has answered a particular query. While existing ad-hoc 44 mechanism allow an operator to send follow-up queries when it is 45 necessary to debug such a configuration, the only completely reliable 46 way to obtain the identity of the name server which responded is to 47 have the name server include this information in the response itself. 48 This note defines a protocol extension to support this functionality. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 1.1 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 3 54 2. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 2.1 The SI Flag . . . . . . . . . . . . . . . . . . . . . . . 3 56 2.2 The NSID Option . . . . . . . . . . . . . . . . . . . . . 4 57 2.3 Presentation Format . . . . . . . . . . . . . . . . . . . 4 58 3. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3.1 The NSID Payload . . . . . . . . . . . . . . . . . . . . . 5 60 3.2 SI and NSID Are Not Transitive . . . . . . . . . . . . . . 7 61 3.3 User Interface Issues . . . . . . . . . . . . . . . . . . 7 62 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 63 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 64 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 65 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 7.1 Normative References . . . . . . . . . . . . . . . . . . . 8 67 7.2 Informative References . . . . . . . . . . . . . . . . . . 9 68 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9 69 Intellectual Property and Copyright Statements . . . . . . . . 10 71 1. Introduction 73 With the increased use of DNS anycast, load balancing, and other 74 mechanisms allowing more than one DNS name server to share a single 75 IP address, it is sometimes difficult to tell which of a pool of name 76 servers has answered a particular query. 78 Existing ad-hoc mechanisms allow an operator to send follow-up 79 queries when it is necessary to debug such a configuration, but there 80 are situations in which this is not a totally satisfactory solution, 81 since anycast routing may have changed, or the server pool in 82 question may be behind some kind of extremely dynamic load balancing 83 hardware. Thus, while these ad-hoc mechanisms are certainly better 84 than nothing (and have the advantage of already being deployed), a 85 better solution seems desirable. 87 Given that a DNS query is an idempotent operation with no retained 88 state, it would appear that the only completely reliable way to 89 obtain the identity of the name server which responded to a 90 particular query is to have that name server include identifying 91 information in the response itself. This note defines a protocol 92 enhancement to achieve this. 94 1.1 Reserved Words 96 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 97 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 98 document are to be interpreted as described in [RFC2119]. 100 2. Protocol 102 This note uses an EDNS [RFC2671] flag bit to signal the resolver's 103 desire for information identifying the name server, and an EDNS 104 option to hold the name server's response, if any. 106 2.1 The SI Flag 108 A resolver signals its desire for information identifying the server 109 by setting the SI (Send Identification) flag in the extended flags 110 field of the OPT pseudo-RR. 112 The value of the SI flag is [TBD]. 114 The semantics of the SI flag are not transitive. That is: the SI 115 flag is a request that the name server which receives the query 116 identify itself. If the name server side of a recursive name server 117 receives the SI bit, the client is asking the recursive name server 118 to identify itself; if the resolver side of the recursive name server 119 wishes to receive identifying information, it is free to set the SI 120 flag in its own queries, but that is a separate matter. 122 A name server which understands the SI flag SHOULD echo its value 123 back in the response message, regardless of whether the name server 124 chose to honor the request. 126 2.2 The NSID Option 128 A name server which understands the SI flag and chooses to honor it 129 responds by including identifying information in a NSID option in an 130 EDNS OPT pseudo-RR in the response message. 132 The OPTION-CODE for the NSID option is [TBD]. 134 The OPTION-DATA for the NSID option is an opaque byte string the 135 semantics of which are deliberately left outside the protocol. See 136 Section 3.1 for discussion. 138 The NSID option is not transitive. A name server MUST NOT send an 139 NSID option back to a resolver which did not request it. In 140 particular, while a recursive name server may choose to set the SI 141 bit when sending a query, this has no effect on the setting of the SI 142 bit or the presence or absence of the NSID option in the recursive 143 name server's response to the original client. 145 As stated in Section 2.1, this mechanism is not restricted to 146 authoritative name servers; the semantics are intended to be equally 147 applicable to recursive name servers. 149 2.3 Presentation Format 151 User interfaces MUST read and write the content of the NSID option as 152 a sequence of hexadecimal digits, two digits per payload octet. 154 The NSID payload is binary data. Any comparison between NSID 155 payloads MUST be a comparison of the raw binary data. Copy 156 operations MUST NOT assume that the raw NSID payload is null- 157 terminated. Any resemblance between raw NSID payload data and any 158 form of text is purely a convenience, and does not change the 159 underlying nature of the payload data. 161 See Section 3.3 for discussion. 163 3. Discussion 165 This section discusses certain aspects of the protocol and explains 166 considerations that led to the chosen design. 168 3.1 The NSID Payload 170 The syntax and semantics of the content of the NSID option is 171 deliberately left outside the scope of this specification. This 172 section describe some of the kinds of data that server administrators 173 might choose to provide as the content of the NSID option, and 174 explains the reasoning behind choosing a simple opaque byte string. 176 There are several possibilities for the payload of the NSID option: 177 o It could be the "real" name of the specific name server within the 178 name server pool. 179 o It could be the "real" IP address (IPv4 or IPv6) of the name 180 server within the name server pool. 181 o It could be some sort of pseudo-random number generated in a 182 predictable fashion somehow using the server's IP address or name 183 as a seed value. 184 o It could be some sort of probabilisticly unique identifier 185 initially derived from some sort of random number generator then 186 preserved across reboots of the name server. 187 o It could be some sort of dynamicly generated identifier so that 188 only the name server operator could tell whether or not any two 189 queries had been answered by the same server. 190 o It could be a blob of signed data, with a corresponding key which 191 might (or might not) be available via DNS lookups. 192 o It could be a blob of encrypted data, the key for which could be 193 restricted to parties with a need to know (in the opinion of the 194 server operator). 195 o It could be an arbitrary string of octets chosen at the discretion 196 of the name server operator. 198 Each of these options has advantages and disadvantages: 199 o Using the "real" name is simple, but the name server may not have 200 a "real" name. 201 o Using the "real" address is also simple, and the name server 202 almost certainly does have at least one non-anycast IP address for 203 maintenance operations, but the operator of the name server may 204 not be willing to divulge its non-anycast address. 205 o Given that one common reason for using anycast DNS techniques is 206 an attempt to harden a critical name server against denial of 207 service attacks, some name server operators are likely to want an 208 identifier other than the "real" name or "real" address of the 209 name server instance. 210 o Using a hash or pseudo-random number can provide a fixed length 211 value that the resolver can use to tell two name servers apart 212 without necessarily being able to tell where either one of them 213 "really" is, but makes debugging more difficult if one happens to 214 be in a friendly open environment. Furthermore, hashing might not 215 add much value, since a hash based on an IPv4 address still only 216 involves a 32-bit search space, and DNS names used for servers 217 that operators might have to debug at 4am tend not to be very 218 random. 219 o Probabilisticly unique identifiers have similar properties to 220 hashed identifiers, but (given a sufficiently good random number 221 generator) are immune to the search space issues. However, the 222 strength of this approach is also its weakness: there is no 223 algorithmic transformation by which even the server operator can 224 associate name server instances with identifiers while debugging, 225 which might be annoying. This approach also requires the name 226 server instance to preserve the probabilisticly unique identifier 227 across reboots, but this does not appear to be a serious 228 restriction, since authoritative nameservers almost always have 229 some form of nonvolatile storage in any case, and in the rare case 230 of a name server that does not have any way to store such an 231 identifier, nothing terrible will happen if the name server just 232 generates a new identifier every time it reboots. 233 o Using an arbitrary octet string gives name server operators yet 234 another thing to configure, or mis-configure, or forget to 235 configure. Having all the nodes in an anycast name server 236 constellation identify themselves as "My Name Server" would not be 237 particularly useful. 239 Given all of the issues listed above, there does not appear to be a 240 single solution that will meet all needs. Section 2.2 therefore 241 defines the NSID payload to be an opaque byte string and leaves the 242 choice up to the implementor and name server operator. The following 243 guidelines may be useful to implementors and server operators: 244 o Operators for whom divulging the unicast address is an issue could 245 use the raw binary representation of a probabilisticly unique 246 random number. This should probably be the default implementation 247 behavior. 248 o Operators for whom divulging the unicast address is not an issue 249 could just use the raw binary representation of a unicast address 250 for simplicity. This should only be done via an explicit 251 configuration choice by the operator. 252 o Operators who really need or want the ability to set the NSID 253 payload to an arbitrary value could do so, but this should only be 254 done via an explicit configuration choice by the operator. 256 This approach appears to provide enough information for useful 257 debugging without unintentionally leaking the maintenance addresses 258 of anycast name servers to nogoodniks, while also allowing name 259 server operators who do not find such leakage threatening to provide 260 more information at their own discretion. 262 3.2 SI and NSID Are Not Transitive 264 As specified in Section 2.1 and Section 2.2, the SI flag and NSID 265 option are not transitive. This is strictly a hop-by-hop mechanism. 267 Most of the discussion of name server identification to date has 268 focused on identifying authoritative name servers, since the best 269 known cases of anycast name servers are a subset of the name servers 270 for the root zone. However, given that anycast DNS techniques are 271 also applicable to recursive name servers, the mechanism may also be 272 useful with recursive name servers. The hop-by-hop semantics support 273 this. 275 While there might be some utility in having a transitive variant of 276 this mechanism (so that, for example, a stub resolver could ask a 277 recursive server to tell it which authoritative name server provided 278 a particular answer to the recursive name server), the semantics of 279 such a variant would be more complicated, and are left for future 280 work. 282 3.3 User Interface Issues 284 Given the range of possible payload contents described in 285 Section 3.1, it is not possible to define a single presentation 286 format for the NSID payload that is efficient, convenient, 287 unambiguous, and aesthetically pleasing. In particular, while it is 288 tempting to use a presentation format that uses some form of textual 289 strings, attempting to support this would significantly complicate 290 what's intended to be a very simple debugging mechanism. 292 In some cases the content of the NSID payload may binary data only be 293 meaningful to the name server operator, and may not be meaningful to 294 the user or application, but the user or application must be able to 295 capture the entire content anyway in order for it to be useful. 296 Thus, the presentation format must support arbitrary binary data. 298 In cases where the name server operator derives the NSID payload from 299 textual data, a textual form such as US-ASCII or UTF-8 strings might 300 at first glance seem easier for a user to deal with. There are, 301 however, a number of complex issues involving internationalized text 302 which, if fully addressed here, would require a set of rules 303 significantly longer than the rest of this specification. See 304 [RFC2277] for an overview of some of these issues. 306 It is much more important for the NSID payload data to be passed 307 unambiguously from server administrator to user than it is for the 308 payload data data to be pretty while in transit. In particular, it's 309 critical that it be straightforward for a user to cut and paste an 310 exact copy of the NSID payload output by a debugging tool into other 311 formats such as email messages or web forms without distortion. 312 Hexadecimal strings, while ugly, are also robust. 314 4. IANA Considerations 316 This mechanism requires allocation of one EDNS flag bit for the SI 317 flag (Section 2.1). 319 This mechanism requires allocation of one ENDS option code for the 320 NSID option (Section 2.2). 322 5. Security Considerations 324 This document describes a channel signaling mechanism, intended 325 primarily for debugging. Channel signaling mechanisms are outside 326 the scope of DNSSEC per se. Applications that require integrity 327 protection for the data being signaled will need to use a channel 328 security mechanism such as TSIG [RFC2845]. 330 Section 3.1 discusses a number of different kinds of information that 331 a name server operator might choose to provide as the value of the 332 NSID option. Some of these kinds of information are security 333 sensitive in some environments. This specification deliberately 334 leaves the syntax and semantics of the NSID option content up to the 335 implementation and the name server operator. 337 6. Acknowledgements 339 Joe Abley, Harald Alvestrand, Mark Andrews, Roy Arends, Steve 340 Bellovin, Randy Bush, David Conrad, Johan Ihren, Daniel Karrenberg, 341 Mike Patton, Paul Vixie, Sam Weiler, and Suzanne Woolf. Apologies to 342 anyone inadvertently omitted from the above list. 344 7. References 346 7.1 Normative References 348 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 349 Requirement Levels", BCP 14, RFC 2119, March 1997. 351 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 352 RFC 2671, August 1999. 354 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. 355 Wellington, "Secret Key Transaction Authentication for DNS 356 (TSIG)", RFC 2845, May 2000. 358 7.2 Informative References 360 [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and 361 Languages", BCP 18, RFC 2277, January 1998. 363 Author's Address 365 Rob Austein 366 ISC 367 950 Charter Street 368 Redwood City, CA 94063 369 USA 371 Email: sra@isc.org 373 Intellectual Property Statement 375 The IETF takes no position regarding the validity or scope of any 376 Intellectual Property Rights or other rights that might be claimed to 377 pertain to the implementation or use of the technology described in 378 this document or the extent to which any license under such rights 379 might or might not be available; nor does it represent that it has 380 made any independent effort to identify any such rights. Information 381 on the procedures with respect to rights in RFC documents can be 382 found in BCP 78 and BCP 79. 384 Copies of IPR disclosures made to the IETF Secretariat and any 385 assurances of licenses to be made available, or the result of an 386 attempt made to obtain a general license or permission for the use of 387 such proprietary rights by implementers or users of this 388 specification can be obtained from the IETF on-line IPR repository at 389 http://www.ietf.org/ipr. 391 The IETF invites any interested party to bring to its attention any 392 copyrights, patents or patent applications, or other proprietary 393 rights that may cover technology that may be required to implement 394 this standard. Please address the information to the IETF at 395 ietf-ipr@ietf.org. 397 Disclaimer of Validity 399 This document and the information contained herein are provided on an 400 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 401 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 402 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 403 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 404 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 405 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 407 Copyright Statement 409 Copyright (C) The Internet Society (2005). This document is subject 410 to the rights, licenses and restrictions contained in BCP 78, and 411 except as set forth therein, the authors retain all their rights. 413 Acknowledgment 415 Funding for the RFC Editor function is currently provided by the 416 Internet Society.