idnits 2.17.1 draft-ietf-dnsop-dns-tcp-requirements-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 13, 2017) is 2354 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC768' is mentioned on line 605, but not defined == Missing Reference: 'RFC793' is mentioned on line 605, but not defined ** Obsolete undefined reference: RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 2541 (Obsoleted by RFC 4641) -- Obsolete informational reference (is this intentional?): RFC 2671 (Obsoleted by RFC 6891) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Domain Name System Operations J. Kristoff 3 Internet-Draft DePaul University 4 Intended status: Best Current Practice D. Wessels 5 Expires: May 17, 2018 Verisign 6 November 13, 2017 8 DNS Transport over TCP - Operational Requirements 9 draft-ietf-dnsop-dns-tcp-requirements-01 11 Abstract 13 This document encourages the practice of permitting DNS messages to 14 be carried over TCP on the Internet. It also describes some of the 15 consequences of this behavior and the potential operational issues 16 that can arise when this best common practice is not upheld. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on May 17, 2018. 35 Copyright Notice 37 Copyright (c) 2017 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 54 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 2.1. Uneven Transport Usage and Preference . . . . . . . . . . 3 56 2.2. Waiting for Large Messages and Reliability . . . . . . . 4 57 2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 58 2.4. Fragmentation and Truncation . . . . . . . . . . . . . . 5 59 2.5. "Only Zone Transfers Use TCP" . . . . . . . . . . . . . . 6 60 3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 6 61 4. Network and System Considerations . . . . . . . . . . . . . . 7 62 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 7 63 5.1. DNS Wedgie . . . . . . . . . . . . . . . . . . . . . . . 8 64 5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 8 65 5.3. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 8 66 6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 8 67 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 68 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 69 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 70 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 71 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 72 11.1. Normative References . . . . . . . . . . . . . . . . . . 9 73 11.2. Informative References . . . . . . . . . . . . . . . . . 9 74 Appendix A. Standards Related to DNS Transport over TCP . . . . 13 75 A.1. TODO - additional, relevant RFCs . . . . . . . . . . . . 13 76 A.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 13 77 A.3. IETF RFC 7720 - DNS Root Name Service Protocol and 78 Deployment Requirements . . . . . . . . . . . . . . . . . 13 79 A.4. IETF RFC 7766 - DNS Transport over TCP - Implementation 80 Requirements . . . . . . . . . . . . . . . . . . . . . . 13 81 A.5. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option . . . 14 82 A.6. IETF RFC 7858 - Specification for DNS over Transport 83 Layer Security (TLS) . . . . . . . . . . . . . . . . . . 14 84 A.7. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 14 85 A.8. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 14 86 A.9. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 14 87 A.10. IETF RFC 8094 - DNS over Datagram Transport Layer 88 Security (DTLS) . . . . . . . . . . . . . . . . . . . . . 15 89 A.11. IETF RFC 8162 - Using Secure DNS to Associate 90 Certificates with Domain Names for S/MIME . . . . . . . . 15 91 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 93 1. Introduction 95 DNS messages may be delivered using UDP or TCP communications. While 96 most DNS transactions are carried over UDP, some operators have been 97 led to believe that any DNS over TCP traffic is unwanted or 98 unnecessary for general DNS operation. As usage and features have 99 evolved, TCP transport has become increasingly important for correct 100 and safe operation of the Internet DNS. Reflecting modern usage, the 101 DNS standards were recently updated to declare support for TCP is now 102 a required part of the DNS implementation specifications in 103 [RFC7766]. This document is the formal requirements equivalent for 104 the operational community, encouraging operators to ensure DNS over 105 TCP communications support is on par with DNS over UDP 106 communications. 108 1.1. Requirements Language 110 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 111 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 112 document are to be interpreted as described in RFC 2119 [RFC2119]. 114 2. Background 116 2.1. Uneven Transport Usage and Preference 118 In the original suite of DNS specifications, [RFC1034] and [RFC1035] 119 clearly specified that DNS messages could be carried in either UDP or 120 TCP, but they also made clear a preference for UDP as the transport 121 for queries in the general case. As stated in [RFC1035]: 123 "While virtual circuits can be used for any DNS activity, 124 datagrams are preferred for queries due to their lower overhead 125 and better performance." 127 Another early, important, and influential document, [RFC1123], 128 detailed the preference for UDP more explicitly: 130 "DNS resolvers and recursive servers MUST support UDP, and SHOULD 131 support TCP, for sending (non-zone-transfer) queries." 133 and further stipulated: 135 A name server MAY limit the resources it devotes to TCP queries, 136 but it SHOULD NOT refuse to service a TCP query just because it 137 would have succeeded with UDP. 139 Culminating in [RFC1536], DNS over TCP came to be associated 140 primarily with the zone transfer mechanism, while most DNS queries 141 and responses were seen as the dominion of UDP. 143 2.2. Waiting for Large Messages and Reliability 145 As stipulated in the original specifications, DNS messages over UDP 146 were restricted to a 512-byte message size. However, even while 147 [RFC1123] made a clear preference for UDP, it foresaw DNS over TCP 148 becoming more popular in the future: 150 "[...] it is also clear that some new DNS record types defined in 151 the future will contain information exceeding the 512 byte limit 152 that applies to UDP, and hence will require TCP. 154 At least two new, widely anticipated developments were set to elevate 155 the need for DNS over TCP transactions. The first was dynamic 156 updates defined in [RFC2136] and the second was the set of extensions 157 collectively known as DNSSEC originally specified in [RFC2541]. The 158 former suggested "requestors who require an accurate response code 159 must use TCP", while the later warned "[...] larger keys increase the 160 size of KEY and SIG RRs. This increases the chance of DNS UDP packet 161 overflow and the possible necessity for using higher overhead TCP in 162 responses." 164 Yet defying some expectations, DNS over TCP remained little used in 165 real traffic across the Internet. Dynamic updates saw little 166 deployment between autonomous networks. Around the time DNSSEC was 167 first defined, another new feature affecting DNS over UDP helped 168 solidify its dominance for message transactions. 170 2.3. EDNS0 172 In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0) 173 in [RFC2671]. This document standardized a way for communicating DNS 174 nodes to perform rudimentary capabilities negotiation. One such 175 capability written into the base specification and present in every 176 ENDS0 compatible message is the value of the maximum UDP payload size 177 the sender can support. This unsigned 16-bit field specifies in 178 bytes the maximum (possibly fragmented) DNS message size a node is 179 capable of receiving. In practice, typical values are a subset of 180 the 512 to 4096 byte range. EDNS0 became widely deployed over the 181 next several years and numerous surveys have shown many systems 182 currently support larger UDP MTUs [CASTRO2010], [NETALYZR] with 183 EDNS0. 185 The natural effect of EDNS0 deployment meant DNS messages larger than 186 512 bytes would be less reliant on TCP than they might otherwise have 187 been. While a non-negligible population of DNS systems lack EDNS0 or 188 may still fall back to TCP for some transactions, DNS over TCP 189 transactions remain a very small fraction of overall DNS traffic 190 [VERISIGN]. 192 2.4. Fragmentation and Truncation 194 Although EDNS0 provides a way for endpoints to signal support for DNS 195 messages exceeding 512 bytes, the realities of today's Internet mean 196 large messages do not always get through. Any IP packet whose size 197 exceeds the MTU of a link it transits will be fragmented and then 198 reassembled by the receiving host. Unfortunately, it is not uncommon 199 for middleboxes and firewalls to block IP fragments. If one or more 200 fragments do not arrive, the application does not receive the message 201 and the request times out. 203 For IPv4-connected hosts, the de-facto MTU is the Ethernet payload 204 size of 1500 bytes. This means that the largest unfragmented UDP DNS 205 message that can be sent over IPv4 is 1472 bytes. For IPv6 the 206 situation is a little more complicated. First, IPv6 headers are 40 207 bytes (versus 20 in IPv4). Second, it seems as though some people 208 have mis-interpreted IPv6's required minimum MTU of 1280 as a 209 required maximum. Third, fragmentation in IPv6 can only be done by 210 the host originating the packet. The need to fragment is conveyed in 211 an ICMPv6 "packet too big" message. The originating host indicates a 212 fragmented packet with IPv6 extension headers. Unfortunately, it is 213 quite common for both ICMPv6 and IPv6 extension headers to be blocked 214 by middleboxes. According to [HUSTON] some 35% of IPv6-capable 215 recursive resolvers are unable to receive a fragmented IPv6 packet. 217 The practical consequence of all this is that DNS requestors must be 218 prepared to retry queries with different EDNS0 maximum message size 219 values. Administrators of BIND are likely to be familiar with seeing 220 "success resolving ... after reducing the advertised EDNS0 UDP packet 221 size to 512 octets" in their system logs. 223 Often, reducing the EDNS0 UDP packet size leads to a successful 224 response. That is, the necessary data fits within the smaller packet 225 size. However, when the data does not fit, the server sets the 226 truncated flag in its response, indicating the client should retry 227 over TCP to receive the whole response. This is undesirable from the 228 client's point of view because it adds more latency, and potentially 229 undesirable from the server's point of view due to the increased 230 resource requirements of TCP. 232 The issues around fragmentation, truncation, and TCP are driving 233 certain implementation and policy decisions in the DNS. Notably, 234 Cloudflare implemented what it calls "DNSSEC black lies" [CLOUDFLARE] 235 and uses ECDSA algorithms, such that their signed responses fit 236 easily in 512 bytes. The KSK Rollover design team [DESIGNTEAM] spent 237 a lot of time thinking and worrying about response sizes. There is 238 growing sentiment in the DNSSEC community that RSA key sizes beyond 239 2048-bits are impractical and that critical infrastructure zones 240 should transition to elliptic curve algorithms to keep response sizes 241 manageable. 243 2.5. "Only Zone Transfers Use TCP" 245 There are many in the DNS community who configure DNS over TCP 246 services and expect DNS over TCP transactions to occur without 247 interference. However there has also been a long held belief by some 248 operators, particularly for security-related reasons, that DNS over 249 TCP services should be purposely limited or not provided at all 250 [CHES94], [DJBDNS]. A popular meme has also held the imagination of 251 some that DNS over TCP is only ever used for zone transfers and is 252 generally unnecessary otherwise, with filtering all DNS over TCP 253 traffic even described as a best practice. 255 The position on restricting DNS over TCP had some justification given 256 that historic implementations of DNS nameservers provided very little 257 in the way of TCP connection management (for example see 258 Section 6.1.2 of [RFC7766] for more details). However modern 259 standards and implementations are moving to align with the more 260 sophisticated TCP management techniques employed by, for example, 261 HTTP(S) servers and load balancers. 263 3. DNS over TCP Requirements 265 An average increase in DNS message size, the continued development of 266 new DNS features and a denial of service mitigation technique (see 267 Section 9) have suggested that DNS over TCP transactions are as 268 important to the correct and safe operation of the Internet DNS as 269 ever, if not more so. Furthermore, there has been serious research 270 that has suggested connection-oriented DNS transactions may provide 271 security and privacy advantages over UDP transport [TDNS]. In fact, 272 [RFC7858], a Standards Track document is just this sort of 273 specification. Therefore, it might be desirable for network 274 operators to avoid artificially inhibiting the potential utility and 275 advances in the DNS such as these. 277 Section 6.1.3.2 in [RFC1123] is updated: All general-purpose DNS 278 servers MUST be able to service both UDP and TCP queries. 280 o Authoritative servers MUST service TCP queries so that they do not 281 limit the size of responses to what fits in a single UDP packet. 283 o Recursive servers (or forwarders) MUST service TCP queries so that 284 they do not prevent large responses from a TCP-capable server from 285 reaching its TCP-capable clients. 287 Regarding the choice of limiting the resources a server devotes to 288 queries, Section 6.1.3.2 in [RFC1123] also says: 290 A name server MAY limit the resources it devotes to TCP queries, 291 but it SHOULD NOT refuse to service a TCP query just because it 292 would have succeeded with UDP. 294 This requirement is hereby updated: A name server MAY limit the the 295 resources it devotes to queries, but it MUST NOT refuse to service a 296 query just because it would have succeeded with another transport 297 protocol. 299 Filtering of DNS over TCP is considered harmful in the general case. 300 DNS resolver and server operators MUST provide DNS service over both 301 UDP and TCP transports. Likewise, network operators MUST allow DNS 302 service over both UDP and TCP transports. It must be acknowledged 303 that DNS over TCP service can pose operational challenges that are 304 not present when running DNS over UDP alone, and vice-versa. 305 However, it is the aim of this document to argue that the potential 306 damage incurred by prohibiting DNS over TCP service is more 307 detrimental to the continued utility and success of the DNS than when 308 its usage is allowed. 310 4. Network and System Considerations 312 TODO: refer to IETF RFC 7766 connection handling discussion, various 313 TCP hardening documents, network operator protocol and traffic best 314 practices, etc. 316 5. DNS over TCP Filtering Risks 318 Networks that filter DNS over TCP risk losing access to significant 319 or important pieces of the DNS name space. For a variety of reasons 320 a DNS answer may require a DNS over TCP query. This may include 321 large message sizes, lack of EDNS0 support, DDoS mitigation 322 techniques, or perhaps some future capability that is as yet 323 unforeseen will also demand TCP transport. 325 For example, both [RFC7901] and [draft-extra-answers] describe 326 latency-avoiding techniques that send extra data in DNS responses. 327 This makes the responses larger and potentially damaging in DDoS 328 reflection attacks. The former mandates the use of TCP or DNS 329 Cookies ([RFC7873]) and the latter offers it as a possibility in 330 Security Considerations. 332 Even if any or all particular answers have consistently been returned 333 successfully with UDP in the past, this continued behavior cannot be 334 guaranteed when DNS messages are exchanged between autonomous 335 systems. Therefore, filtering of DNS over TCP is considered harmful 336 and contrary to the safe and successful operation of the Internet. 337 This section enumerates some of the known risks we know about at the 338 time of this writing when networks filter DNS over TCP. 340 5.1. DNS Wedgie 342 Networks that filter DNS over TCP may inadvertently cause problems 343 for third party resolvers as experienced by [TOYAMA]. If for 344 instance a resolver receives a truncated answer from a server, but 345 when the resolver resends the query using TCP and the TCP response 346 never arrives, not only will full answer be unavailable, but the 347 resolver will incur the full extent of TCP retransmissions and time 348 outs. This situation might place extreme strain on resolver 349 resources. If the number and frequency of these truncated answers 350 are sufficiently high, we refer to the steady-state of lost resources 351 as a result a "DNS" wedgie". A DNS wedgie is often not easily or 352 completely mitigated by the affected DNS resolver operator. 354 5.2. DNS Root Zone KSK Rollover 356 Recent plans for a new root zone DNSSEC KSK have highlighted a 357 potential problem in retrieving the keys.[LEWIS] Some packets in the 358 KSK rollover process will be larger than 1280 bytes, the IPv6 minimum 359 MTU for links carrying IPv6 traffic.[RFC2460] While studies have 360 shown that problems due to fragment filtering or an inability to 361 generate and receive these larger messages are negligible, any DNS 362 server that is unable to receive large DNS over UDP messages or 363 perform DNS over TCP may experience severe disruption of DNS service 364 if performing DNSSEC validation. 366 5.3. DNS-over-TLS 368 TODO: DNS-over-TLS 370 6. Logging and Monitoring 372 TODO: Developers of applications that log or monitor DNS are advised 373 to not ignore TCP because it is hard. Also be prepared for 374 connection reuse, pipelining, and out-of-order responses. If using 375 packet-based (e.g. libpcap) collection techniques, the application 376 must be prepared to implement/perform TCP segment reassembly. 378 7. Acknowledgments 380 This document was initially motivated by feedback from students who 381 pointed out that they were hearing contradictory information about 382 filtering DNS over TCP messages. Thanks in particular to a teaching 383 colleague, JPL, who perhaps unknowingly encouraged the initial 384 research into the differences of what the community has historically 385 said and did. Thanks to all the NANOG 63 attendees who provided 386 feedback to an early talk on this subject. 388 The following individuals provided an array of feedback to help 389 improve this document: Sara Dickinson, Bob Harold, Tatuya Jinmei, and 390 Paul Hoffman. The authors are indebted to their contributions. Any 391 remaining errors or imperfections are the sole responsibility of the 392 document authors. 394 8. IANA Considerations 396 This memo includes no request to IANA. 398 9. Security Considerations 400 Ironically, returning truncated DNS over UDP answers in order to 401 induce a client query to switch to DNS over TCP has become a common 402 response to source address spoofed, DNS denial-of-service attacks 403 [RRL]. Historically, operators have been wary of TCP-based attacks, 404 but in recent years, UDP-based flooding attacks have proven to be the 405 most common protocol attack on the DNS. Nevertheless, a high rate of 406 short-lived DNS transactions over TCP may pose challenges. While 407 many operators have provided DNS over TCP service for many years 408 without duress, past experience is no guarantee of future success. 410 DNS over TCP is not unlike many other Internet TCP services. TCP 411 threats and many mitigation strategies have been well documented in a 412 series of documents such as [RFC4953], [RFC4987], [RFC5927], and 413 [RFC5961]. 415 10. Privacy Considerations 417 11. References 419 11.1. Normative References 421 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 422 Requirement Levels", BCP 14, RFC 2119, 423 DOI 10.17487/RFC2119, March 1997, 424 . 426 11.2. Informative References 428 [CASTRO2010] 429 Castro, S., Zhang, M., John, W., Wessels, D., and k. 430 claffy, "Understanding and preparing for DNS evolution", 431 2010. 433 [CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet 434 Security: Repelling the Wily Hacker", 1994. 436 [CLOUDFLARE] 437 Grant, D., "Economical With The Truth: Making DNSSEC 438 Answers Cheap", June 2016, 439 . 441 [DESIGNTEAM] 442 Design Team Report, "Root Zone KSK Rollover Plan", 443 December 2015, . 446 [DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002, 447 . 449 [draft-extra-answers] 450 Kumari, W., Yan, Z., Hardaker, W., and D. Lawrence, 451 "Returning extra answers in DNS responses.", draft- 452 wkumari-dnsop-multiple-responses-05 (work in progress), 453 July 2017. 455 [HUSTON] Huston, G., "Dealing with IPv6 fragmentation in the DNS", 456 August 2017, . 459 [LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74 Budapest, 460 Hungary, May 2017, . 463 [NETALYZR] 464 Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson, 465 "Netalyzr: Illuminating The Edge Network", 2010. 467 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 468 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 469 . 471 [RFC1035] Mockapetris, P., "Domain names - implementation and 472 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 473 November 1987, . 475 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - 476 Application and Support", STD 3, RFC 1123, 477 DOI 10.17487/RFC1123, October 1989, 478 . 480 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. 481 Miller, "Common DNS Implementation Errors and Suggested 482 Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993, 483 . 485 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 486 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 487 RFC 2136, DOI 10.17487/RFC2136, April 1997, 488 . 490 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 491 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, 492 December 1998, . 494 [RFC2541] Eastlake 3rd, D., "DNS Security Operational 495 Considerations", RFC 2541, DOI 10.17487/RFC2541, March 496 1999, . 498 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 499 RFC 2671, DOI 10.17487/RFC2671, August 1999, 500 . 502 [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", 503 RFC 4953, DOI 10.17487/RFC4953, July 2007, 504 . 506 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 507 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 508 . 510 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, 511 DOI 10.17487/RFC5927, July 2010, 512 . 514 [RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's 515 Robustness to Blind In-Window Attacks", RFC 5961, 516 DOI 10.17487/RFC5961, August 2010, 517 . 519 [RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS", 520 RFC 7477, DOI 10.17487/RFC7477, March 2015, 521 . 523 [RFC7720] Blanchet, M. and L-J. Liman, "DNS Root Name Service 524 Protocol and Deployment Requirements", BCP 40, RFC 7720, 525 DOI 10.17487/RFC7720, December 2015, 526 . 528 [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and 529 D. Wessels, "DNS Transport over TCP - Implementation 530 Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, 531 . 533 [RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The 534 edns-tcp-keepalive EDNS0 Option", RFC 7828, 535 DOI 10.17487/RFC7828, April 2016, 536 . 538 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 539 and P. Hoffman, "Specification for DNS over Transport 540 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 541 2016, . 543 [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) 544 Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, 545 . 547 [RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, 548 DOI 10.17487/RFC7901, June 2016, 549 . 551 [RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy, 552 "DNSSEC Roadblock Avoidance", BCP 207, RFC 8027, 553 DOI 10.17487/RFC8027, November 2016, 554 . 556 [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram 557 Transport Layer Security (DTLS)", RFC 8094, 558 DOI 10.17487/RFC8094, February 2017, 559 . 561 [RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to 562 Associate Certificates with Domain Names for S/MIME", 563 RFC 8162, DOI 10.17487/RFC8162, May 2017, 564 . 566 [RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting 567 (DNS RRL)", ISC-TN 2012-1 Draft1, April 2012. 569 [TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N. 570 Somaiya, "Connection-oriented DNS to Improve Privacy and 571 Security", 2015. 573 [TOYAMA] Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and 574 K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache 575 Servers", NANOG 32 Reston, VA USA, 2004. 577 [VERISIGN] 578 Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in 579 Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los 580 Angeles, 2014. 582 Appendix A. Standards Related to DNS Transport over TCP 584 This section enumerates all known IETF RFC documents that are 585 currently of status standard, informational, best common practice or 586 experimental and either implicitly or explicitly make assumptions or 587 statements about the use of TCP as a transport for the DNS germane to 588 this document. 590 A.1. TODO - additional, relevant RFCs 592 A.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS 594 This standards track document [RFC7477] specifies a RRType and 595 protocol to signal and synchronize NS, A, and AAAA resource record 596 changes from a child to parent zone. Since this protocol may require 597 multiple requests and responses, it recommends utilizing DNS over TCP 598 to ensure the conversation takes place between a consistent pair of 599 end nodes. 601 A.3. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment 602 Requirements 604 This best current practice[RFC7720] declares root name service "MUST 605 support UDP [RFC768] and TCP [RFC793] transport of DNS queries and 606 responses." 608 A.4. IETF RFC 7766 - DNS Transport over TCP - Implementation 609 Requirements 611 The standards track document [RFC7766] might be considered the direct 612 ancestor of this operational requirements document. The 613 implementation requirements document codifies mandatory support for 614 DNS over TCP in compliant DNS software. 616 A.5. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option 618 This standards track document [RFC7828] defines an EDNS0 option to 619 negotiate an idle timeout value for long-lived DNS over TCP 620 connections. Consequently, this document is only applicable and 621 relevant to DNS over TCP sessions and between implementations that 622 support this option. 624 A.6. IETF RFC 7858 - Specification for DNS over Transport Layer 625 Security (TLS) 627 This standards track document [RFC7858] defines a method for putting 628 DNS messages into a TCP-based encrypted channel using TLS. This 629 specification is noteworthy for explicitly targetting the stub-to- 630 recursive traffic, but does not preclude its application from 631 recursive-to-authoritative traffic. 633 A.7. IETF RFC 7873 - Domain Name System (DNS) Cookies 635 This standards track document [RFC7873] describes an EDNS0 option to 636 provide additional protection against query and answer forgery. This 637 specification mentions DNS over TCP as a reasonable fallback 638 mechanism when DNS Cookies are not available. The specification does 639 make mention of DNS over TCP processing in two specific situations. 640 In one, when a server receives only a client cookie in a request, the 641 server should consider whether the request arrived over TCP and if 642 so, it should consider accepting TCP as sufficient to authenticate 643 the request and respond accordingly. In another, when a client 644 receives a BADCOOKIE reply using a fresh server cookie, the client 645 should retry using TCP as the transport. 647 A.8. IETF RFC 7901 - CHAIN Query Requests in DNS 649 This experimental specification [RFC7901] describes an EDNS0 option 650 that can be used by a security-aware validating resolver to request 651 and obtain a complete DNSSEC validation path for any single query. 652 This document requires the use of DNS over TCP or a source IP address 653 verified transport mechanism such as EDNS-COOKIE.[RFC7873] 655 A.9. IETF RFC 8027 - DNSSEC Roadblock Avoidance 657 This document [RFC8027] details observed problems with DNSSEC 658 deployment and mitigation techniques. Network traffic blocking and 659 restrictions, including DNS over TCP messages, are highlighted as one 660 reason for DNSSEC deployment issues. While this document suggests 661 these sorts of problems are due to "non-compliant infrastructure" and 662 is of type BCP, the scope of the document is limited to detection and 663 mitigation techniques to avoid so-called DNSSEC roadblocks. 665 A.10. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS) 667 This experimental specification [RFC8094] details a protocol that 668 uses a datagram transport (UDP), but stipulates that "DNS clients and 669 servers that implement DNS over DTLS MUST also implement DNS over TLS 670 in order to provide privacy for clients that desire Strict Privacy 671 [...]". This requirement implies DNS over TCP must be supported in 672 case the message size is larger than the path MTU. 674 A.11. IETF RFC 8162 - Using Secure DNS to Associate Certificates with 675 Domain Names for S/MIME 677 This experimental specification [RFC8162] describes a technique to 678 authenticate user X.509 certificates in an S/MIME system via the DNS. 679 The document points out that the new experimental resource record 680 types are expected to carry large payloads, resulting in the 681 suggestion that "applications SHOULD use TCP -- not UDP -- to perform 682 queries for the SMIMEA resource record." 684 Authors' Addresses 686 John Kristoff 687 DePaul University 688 Chicago, IL 60604 689 US 691 Phone: +1 312 493 0305 692 Email: jtk@depaul.edu 693 URI: https://aharp.iorc.depaul.edu 695 Duane Wessels 696 Verisign 697 12061 Bluemont Way 698 Reston, VA 20190 699 US 701 Phone: +1 703 948 3200 702 Email: dwessels@verisign.com 703 URI: http://verisigninc.com