idnits 2.17.1 draft-ietf-dnsop-dns-tcp-requirements-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the document. -- The draft header indicates that this document updates RFC1123, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC1123, updated by this document, for RFC5378 checks: 1989-10-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 2, 2019) is 1941 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC768' is mentioned on line 854, but not defined == Missing Reference: 'RFC793' is mentioned on line 854, but not defined ** Obsolete undefined reference: RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 2541 (Obsoleted by RFC 4641) -- Obsolete informational reference (is this intentional?): RFC 2671 (Obsoleted by RFC 6891) -- Obsolete informational reference (is this intentional?): RFC 5077 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 6304 (Obsoleted by RFC 7534) Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Domain Name System Operations J. Kristoff 3 Internet-Draft DePaul University 4 Updates: 1123 (if approved) D. Wessels 5 Intended status: Best Current Practice Verisign 6 Expires: July 6, 2019 January 2, 2019 8 DNS Transport over TCP - Operational Requirements 9 draft-ietf-dnsop-dns-tcp-requirements-03 11 Abstract 13 This document encourages the practice of permitting DNS messages to 14 be carried over TCP on the Internet. It also considers the 15 consequences with this form of DNS communication and the potential 16 operational issues that can arise when this best common practice is 17 not upheld. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on July 6, 2019. 36 Copyright Notice 38 Copyright (c) 2019 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (https://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 54 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 55 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2.1. Uneven Transport Usage and Preference . . . . . . . . . . 4 57 2.2. Waiting for Large Messages and Reliability . . . . . . . 4 58 2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 5 59 2.4. Fragmentation and Truncation . . . . . . . . . . . . . . 5 60 2.5. "Only Zone Transfers Use TCP" . . . . . . . . . . . . . . 6 61 3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 7 62 4. Network and System Considerations . . . . . . . . . . . . . . 8 63 4.1. Connection Admission . . . . . . . . . . . . . . . . . . 8 64 4.2. Connection Management . . . . . . . . . . . . . . . . . . 9 65 4.3. Connection Termination . . . . . . . . . . . . . . . . . 10 66 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 10 67 5.1. DNS Wedgie . . . . . . . . . . . . . . . . . . . . . . . 11 68 5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 11 69 5.3. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 11 70 6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 12 71 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 72 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 73 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 74 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13 75 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 76 11.1. Normative References . . . . . . . . . . . . . . . . . . 13 77 11.2. Informative References . . . . . . . . . . . . . . . . . 13 78 Appendix A. Standards Related to DNS Transport over TCP . . . . 18 79 A.1. TODO - additional, relevant RFCs . . . . . . . . . . . . 18 80 A.2. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) . . . . 18 81 A.3. IETF RFC 6304 - AS112 Nameserver Operations . . . . . . . 18 82 A.4. IETF RFC 6762 - Multicast DNS . . . . . . . . . . . . . . 18 83 A.5. IETF RFC 6950 - Architectural Considerations on 84 Application Features in the DNS . . . . . . . . . . . . . 18 85 A.6. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 18 86 A.7. IETF RFC 7720 - DNS Root Name Service Protocol and 87 Deployment Requirements . . . . . . . . . . . . . . . . . 19 88 A.8. IETF RFC 7766 - DNS Transport over TCP - Implementation 89 Requirements . . . . . . . . . . . . . . . . . . . . . . 19 90 A.9. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option . . . 19 91 A.10. IETF RFC 7858 - Specification for DNS over Transport 92 Layer Security (TLS) . . . . . . . . . . . . . . . . . . 19 93 A.11. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 19 94 A.12. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 20 95 A.13. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 20 96 A.14. IETF RFC 8094 - DNS over Datagram Transport Layer 97 Security (DTLS) . . . . . . . . . . . . . . . . . . . . . 20 98 A.15. IETF RFC 8162 - Using Secure DNS to Associate 99 Certificates with Domain Names for S/MIME . . . . . . . . 20 100 A.16. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, 101 Encoding, Characters, Matching, and Root Structure: Time 102 for Another Look? . . . . . . . . . . . . . . . . . . . . 20 103 A.17. IETF RFC 8467 - Padding Policies for Extension Mechanisms 104 for DNS (EDNS(0)) . . . . . . . . . . . . . . . . . . . . 21 105 A.18. IETF RFC 8483 - Yeti DNS Testbed . . . . . . . . . . . . 21 106 A.19. IETF RFC 8484 - DNS Queries over HTTPS (DoH) . . . . . . 21 107 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 109 1. Introduction 111 DNS messages may be delivered using UDP or TCP communications. While 112 most DNS transactions are carried over UDP, some operators have been 113 led to believe that any DNS over TCP traffic is unwanted or 114 unnecessary for general DNS operation. As usage and features have 115 evolved, TCP transport has become increasingly important for correct 116 and safe operation of the Internet DNS. Reflecting modern usage, the 117 DNS standards were recently updated to declare support for TCP is now 118 a required part of the DNS implementation specifications in 119 [RFC7766]. This document is the formal requirements equivalent for 120 the operational community, encouraging operators to ensure DNS over 121 TCP communications support is on par with DNS over UDP 122 communications. 124 1.1. Requirements Language 126 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 127 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 128 document are to be interpreted as described in RFC 2119 [RFC2119]. 130 2. Background 132 The curious state of disagreement in operational best practices and 133 guidance for DNS transport protocols derives from conflicting 134 messages operators have gotten from other operators, implementors, 135 and even the IETF. Sometimes these mixed signals have been explicit, 136 on other occasions they have suspiciously implicit. Here we 137 summarize our interpretation of the storied and conflicting history 138 that has brought us to this document. 140 2.1. Uneven Transport Usage and Preference 142 In the original suite of DNS specifications, [RFC1034] and [RFC1035] 143 clearly specified that DNS messages could be carried in either UDP or 144 TCP, but they also made clear a preference for UDP as the transport 145 for queries in the general case. As stated in [RFC1035]: 147 "While virtual circuits can be used for any DNS activity, 148 datagrams are preferred for queries due to their lower overhead 149 and better performance." 151 Another early, important, and influential document, [RFC1123], 152 detailed the preference for UDP more explicitly: 154 "DNS resolvers and recursive servers MUST support UDP, and SHOULD 155 support TCP, for sending (non-zone-transfer) queries." 157 and further stipulated: 159 "A name server MAY limit the resources it devotes to TCP queries, 160 but it SHOULD NOT refuse to service a TCP query just because it 161 would have succeeded with UDP." 163 Culminating in [RFC1536], DNS over TCP came to be associated 164 primarily with the zone transfer mechanism, while most DNS queries 165 and responses were seen as the dominion of UDP. 167 2.2. Waiting for Large Messages and Reliability 169 In the original specifications, the maximum DNS over UDP message size 170 was enshrined at 512 bytes. However, even while [RFC1123] made a 171 clear preference for UDP, it foresaw DNS over TCP becoming more 172 popular in the future to overcome this limitation: 174 "[...] it is also clear that some new DNS record types defined in 175 the future will contain information exceeding the 512 byte limit 176 that applies to UDP, and hence will require TCP. 178 At least two new, widely anticipated developments were set to elevate 179 the need for DNS over TCP transactions. The first was dynamic 180 updates defined in [RFC2136] and the second was the set of extensions 181 collectively known as DNSSEC originally specified in [RFC2541]. The 182 former suggested "requestors who require an accurate response code 183 must use TCP", while the later warned "[...] larger keys increase the 184 size of KEY and SIG RRs. This increases the chance of DNS UDP packet 185 overflow and the possible necessity for using higher overhead TCP in 186 responses." 187 Yet defying some expectations, DNS over TCP remained little used in 188 real traffic across the Internet. Dynamic updates saw little 189 deployment between autonomous networks. Around the time DNSSEC was 190 first defined, another new feature helped solidify UDP's transport 191 dominance for message transactions. 193 2.3. EDNS0 195 In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0) 196 in [RFC2671] (superseded in 2013 by an update in [RFC6891]). This 197 document standardized a way for communicating DNS nodes to perform 198 rudimentary capabilities negotiation. One such capability written 199 into the base specification and present in every ENDS0 compatible 200 message is the value of the maximum UDP payload size the sender can 201 support. This unsigned 16-bit field specifies in bytes the maximum 202 (possibly fragmented) DNS message size a node is capable of 203 receiving. In practice, typical values are a subset of the 512 to 204 4096 byte range. EDNS0 became widely deployed over the next several 205 years and numerous surveys have shown many systems currently support 206 larger UDP MTUs [CASTRO2010], [NETALYZR] with EDNS0. 208 The natural effect of EDNS0 deployment meant DNS messages larger than 209 512 bytes would be less reliant on TCP than they might otherwise have 210 been. While a non-negligible population of DNS systems lack EDNS0 or 211 may still fall back to TCP for some transactions, DNS over TCP 212 transactions remain a very small fraction of overall DNS traffic 213 [VERISIGN]. 215 2.4. Fragmentation and Truncation 217 Although EDNS0 provides a way for endpoints to signal support for DNS 218 messages exceeding 512 bytes, the realities of a diverse and 219 inconsistently deployed Internet may result in some large messages 220 being unable to reach their destination. Any IP datagram whose size 221 exceeds the MTU of a link it transits will be fragmented and then 222 reassembled by the receiving host. Unfortunately, it is not uncommon 223 for middleboxes and firewalls to block IP fragments. If one or more 224 fragments do not arrive, the application does not receive the message 225 and the request times out. 227 For IPv4-connected hosts, the de-facto MTU is often the Ethernet 228 payload size of 1500 bytes. This means that the largest unfragmented 229 UDP DNS message that can be sent over IPv4 is likely 1472 bytes. For 230 IPv6, the situation is a little more complicated. First, IPv6 231 headers are 40 bytes (versus 20 without option in IPv4). Second, it 232 seems as though some people have mis-interpreted IPv6's required 233 minimum MTU of 1280 as a required maximum. Third, fragmentation in 234 IPv6 can only be done by the host originating the datagram. The need 235 to fragment is conveyed in an ICMPv6 "packet too big" message. The 236 originating host indicates a fragmented datagram with IPv6 extension 237 headers. Unfortunately, it is quite common for both ICMPv6 and IPv6 238 extension headers to be blocked by middleboxes. According to 239 [HUSTON] some 35% of IPv6-capable recursive resolvers are unable to 240 receive a fragmented IPv6 packet. 242 The practical consequence of all this is that DNS requestors must be 243 prepared to retry queries with different EDNS0 maximum message size 244 values. Administrators of BIND are likely to be familiar with seeing 245 "success resolving ... after reducing the advertised EDNS0 UDP packet 246 size to 512 octets" messages in their system logs. 248 Often, reducing the EDNS0 UDP packet size leads to a successful 249 response. That is, the necessary data fits within the smaller 250 message size. However, when the data does not fit, the server sets 251 the truncated flag in its response, indicating the client should 252 retry over TCP to receive the whole response. This is undesirable 253 from the client's point of view because it adds more latency, and 254 potentially undesirable from the server's point of view due to the 255 increased resource requirements of TCP. 257 The issues around fragmentation, truncation, and TCP are driving 258 certain implementation and policy decisions in the DNS. Notably, 259 Cloudflare implemented what it calls "DNSSEC black lies" [CLOUDFLARE] 260 and uses ECDSA algorithms, such that their signed responses fit 261 easily in 512 bytes. The KSK Rollover design team [DESIGNTEAM] spent 262 a lot of time thinking and worrying about response sizes. There is 263 growing sentiment in the DNSSEC community that RSA key sizes beyond 264 2048-bits are impractical and that critical infrastructure zones 265 should transition to elliptic curve algorithms to keep response sizes 266 manageable. 268 2.5. "Only Zone Transfers Use TCP" 270 Today, the majority of the DNS community expects, or at least has a 271 desire, to see DNS over TCP transactions to occur without 272 interference. However there has also been a long held belief by some 273 operators, particularly for security-related reasons, that DNS over 274 TCP services should be purposely limited or not provided at all 275 [CHES94], [DJBDNS]. A popular meme has also held the imagination of 276 some that DNS over TCP is only ever used for zone transfers and is 277 generally unnecessary otherwise, with filtering all DNS over TCP 278 traffic even described as a best practice. 280 The position on restricting DNS over TCP had some justification given 281 that historic implementations of DNS nameservers provided very little 282 in the way of TCP connection management (for example see 283 Section 6.1.2 of [RFC7766] for more details). However modern 284 standards and implementations are moving to align with the more 285 sophisticated TCP management techniques employed by, for example, 286 HTTP(S) servers and load balancers. 288 3. DNS over TCP Requirements 290 An average increase in DNS message size, the continued development of 291 new DNS features and a denial of service mitigation technique (see 292 Section 9) have suggested that DNS over TCP transactions are as 293 important to the correct and safe operation of the Internet DNS as 294 ever, if not more so. Furthermore, there has been serious research 295 that has suggested connection-oriented DNS transactions may provide 296 security and privacy advantages over UDP transport [TDNS]. In fact, 297 [RFC7858], a Standards Track document is just this sort of 298 specification. Therefore, we now believe it is undesirable for 299 network operators to artificially inhibit the potential utility and 300 advances in the DNS such as these. 302 TODO: I think the text below needs some work/discussion because 7766 303 already updated 1123 in a very similar way except that 7766 speaks of 304 "implement" and this one speaks of "service". 1123 speaks of 305 "support" and doesn't distinguish between implement/service. 307 Section 6.1.3.2 in [RFC1123] is updated: All general-purpose DNS 308 servers MUST be able to service both UDP and TCP queries. 310 o Authoritative servers MUST service TCP queries so that they do not 311 limit the size of responses to what fits in a single UDP packet. 313 o Recursive servers (or forwarders) MUST service TCP queries so that 314 they do not prevent large responses from a TCP-capable server from 315 reaching its TCP-capable clients. 317 Regarding the choice of limiting the resources a server devotes to 318 queries, Section 6.1.3.2 in [RFC1123] also says: 320 "A name server MAY limit the resources it devotes to TCP queries, 321 but it SHOULD NOT refuse to service a TCP query just because it 322 would have succeeded with UDP." 324 This requirement is hereby updated: A name server MAY limit the the 325 resources it devotes to queries, but it MUST NOT refuse to service a 326 query just because it would have succeeded with another transport 327 protocol. 329 Filtering of DNS over TCP is considered harmful in the general case. 330 DNS resolver and server operators MUST provide DNS service over both 331 UDP and TCP transports. Likewise, network operators MUST allow DNS 332 service over both UDP and TCP transports. It must be acknowledged 333 that DNS over TCP service can pose operational challenges that are 334 not present when running DNS over UDP alone, and vice-versa. 335 However, it is the aim of this document to argue that the potential 336 damage incurred by prohibiting DNS over TCP service is more 337 detrimental to the continued utility and success of the DNS than when 338 its usage is allowed. 340 4. Network and System Considerations 342 This section describes measures that systems and applications can 343 take to optimize performance over TCP and to protect themselves from 344 TCP-based resource exhaustion and attacks. 346 4.1. Connection Admission 348 The SYN flooding attack is a denial-of-service method affecting hosts 349 that run TCP server processes [RFC4987]. This attack can be very 350 effective if not mitigated. One of the most effective mitigation 351 techniques is SYN cookies, which allows the server to avoid 352 allocating any state until the successful completion of the three-way 353 handshake. 355 Services not intended for use by the public Internet, such as most 356 recursive name servers, SHOULD be protected with access controls. 357 Ideally these controls are placed in the network, well before before 358 any unwanted TCP packets can reach the DNS server host or 359 application. If this is not possible, the controls can be placed in 360 the application itself. In some situations (e.g. attacks) it may be 361 necessary to deploy access controls for DNS services that should 362 otherwise be globally reachable. 364 The FreeBSD operating system has an "accept filter" feature that 365 postpones delivery of TCP connections to applications until a 366 complete, valid request has been received. The dns_accf(9) filter 367 ensures that a valid DNS message is received. If not, the bogus 368 connection never reaches the application. Applications must be coded 369 and configured to make use of this filter. 371 Per [RFC7766], applications and administrators are advised to 372 remember that TCP MAY be used before sending any UDP queries. 373 Networks and applications MUST NOT be configured to refuse TCP 374 queries that were not preceded by a UDP query. 376 TCP Fast Open [RFC7413] (TFO) allows TCP clients to shorten the 377 handshake for subsequent connections to the same server. TFO saves 378 one round-trip time in the connection setup. DNS servers SHOULD 379 enable TFO when possible. Furthermore, DNS servers clustered behind 380 a single service address (e.g., anycast or load-balancing), SHOULD 381 use the same TFO server key on all instances. 383 DNS clients SHOULD also enable TFO when possible. Currently, on some 384 operating systems it is not implemented or disabled by default. 385 [WIKIPEDIA_TFO] describes applications and operating systems that 386 support TFO. 388 4.2. Connection Management 390 Since host memory for TCP state is a finite resource, DNS servers 391 MUST actively manage their connections. Applications that do not 392 actively manage their connections can encounter resource exhaustion 393 leading to denial of service. For DNS, as in other protocols, there 394 is a tradeoff between keeping connections open for potential future 395 use and the need to free up resources for new connections that will 396 arrive. 398 DNS server software SHOULD provide a configurable limit on the total 399 number of established TCP connections. If the limit is reached, the 400 application is expected to either close existing (idle) connections 401 or refuse new connections. Operators SHOULD ensure the limit is 402 configured appropriately for their particular situation. 404 DNS server software MAY provide a configurable limit on the number of 405 established connections per source IP address or subnet. This can be 406 used to ensure that a single or small set of users can not consume 407 all TCP resources and deny service to other users. Operators SHOULD 408 ensure this limit is configured appropriately, based on their number 409 of diversity of users. 411 DNS server software SHOULD provide a configurable timeout for idle 412 TCP connections. For very busy name servers this might be set to a 413 low value, such as a few seconds. For less busy servers it might be 414 set to a higher value, such as tens of seconds. DNS clients and 415 servers SHOULD signal their timeout values using the edns-tcp- 416 keepalive option [RFC7828]. 418 DNS server software MAY provide a configurable limit on the number of 419 transactions per TCP connection. This document does not offer advice 420 on particular values for such a limit. 422 Similarly, DNS server software MAY provide a configurable limit on 423 the total duration of a TCP connection. This document does not offer 424 advice on particular values for such a limit. 426 Since clients may not be aware of server-imposed limits, clients 427 utilizing TCP for DNS need to always be prepared to re-establish 428 connections or otherwise retry outstanding queries. 430 4.3. Connection Termination 432 In general, it is preferable for clients to initiate the close of a 433 TCP connection. The TCP peer that initiates a connection close 434 retains the socket in the TIME_WAIT state for some amount of time, 435 possibly a few minutes. On a busy server, the accumulation of many 436 sockets in TIME_WAIT can cause performance problems or even denial of 437 service. 439 On systems where large numbers of sockets in TIME_WAIT are observed, 440 it may be beneficial to tune the local TCP parameters. For example, 441 the Linux kernel provides a number of "sysctl" parameters related to 442 TIME_WAIT, such as net.ipv4.tcp_fin_timeout, net.ipv4.tcp_tw_recycle, 443 and net.ipv4.tcp_tw_reuse. In extreme cases, implementors and 444 operators of very busy servers may find it necessary to utilize the 445 SO_LINGER socket option ([Stevens] Section 7.5) with a value of zero 446 so that the server doesn't accumulate TIME_WAIT sockets. 448 5. DNS over TCP Filtering Risks 450 Networks that filter DNS over TCP risk losing access to significant 451 or important pieces of the DNS name space. For a variety of reasons 452 a DNS answer may require a DNS over TCP query. This may include 453 large message sizes, lack of EDNS0 support, DDoS mitigation 454 techniques, or perhaps some future capability that is as yet 455 unforeseen will also demand TCP transport. 457 For example, [RFC7901] describes a latency-avoiding technique that 458 sends extra data in DNS responses. This makes responses larger and 459 potentially increases the risk of DDoS reflection attacks. The 460 specification mandates the use of TCP or DNS Cookies ([RFC7873]). 462 Even if any or all particular answers have consistently been returned 463 successfully with UDP in the past, this continued behavior cannot be 464 guaranteed when DNS messages are exchanged between autonomous 465 systems. Therefore, filtering of DNS over TCP is considered harmful 466 and contrary to the safe and successful operation of the Internet. 467 This section enumerates some of the known risks we know about at the 468 time of this writing when networks filter DNS over TCP. 470 5.1. DNS Wedgie 472 Networks that filter DNS over TCP may inadvertently cause problems 473 for third party resolvers as experienced by [TOYAMA]. If for 474 instance a resolver receives a truncated answer from a server, but 475 when the resolver resends the query using TCP and the TCP response 476 never arrives, not only will full answer be unavailable, but the 477 resolver will incur the full extent of TCP retransmissions and time 478 outs. This situation might place extreme strain on resolver 479 resources. If the number and frequency of these truncated answers 480 are sufficiently high, we refer to the steady-state of lost resources 481 as a result a "DNS" wedgie". A DNS wedgie is often not easily or 482 completely mitigated by the affected DNS resolver operator. 484 5.2. DNS Root Zone KSK Rollover 486 Recent plans for a new root zone DNSSEC KSK have highlighted a 487 potential problem in retrieving the keys [LEWIS]. Some packets in 488 the KSK rollover process will be larger than 1280 bytes, the IPv6 489 minimum MTU for links carrying IPv6 traffic.[RFC2460] While studies 490 have shown that problems due to fragment filtering or an inability to 491 generate and receive these larger messages are negligible, any DNS 492 server that is unable to receive large DNS over UDP messages or 493 perform DNS over TCP may experience severe disruption of DNS service 494 if performing DNSSEC validation. 496 TODO: Is this "overcome by events" now? We've had 1414 byte DNSKEY 497 responses at the three ZSK rollover periods since KSK-2017 became 498 published in the root zone. 500 5.3. DNS-over-TLS 502 DNS messages may be sent over TLS to provide privacy between stubs 503 and recursive resolvers. [RFC7858] is a standards track document 504 describing how this works. Although it utilizes TCP port 853 instead 505 of port 53, this document applies equally well to DNS-over-TLS. 506 Note, however, DNS-over-TLS is currently only defined between stubs 507 and recursives. 509 The use of TLS places even strong operational burdens on DNS clients 510 and servers. Cryptographic functions for authentication and 511 encryption require additional processing. Unoptimized connection 512 setup takes two additional round-trips compared to TCP, but can be 513 reduced with Fast TLS connection resumption [RFC5077] and TLS False 514 Start [RFC7918]. 516 6. Logging and Monitoring 518 Developers of applications that log or monitor DNS are advised to not 519 ignore TCP because it is rarely used or because it is hard to 520 process. Operators are advised to ensure that their monitoring and 521 logging applications properly capture DNS-over-TCP messages. 522 Otherwise, attacks, exfiltration attempts, and normal traffic may go 523 undetected. 525 DNS messages over TCP are in no way guaranteed to arrive in single 526 segments. In fact, a clever attacker may attempt to hide certain 527 messages by forcing them over very small TCP segments. Applications 528 that capture network packets (e.g., with libpcap) should be prepared 529 to implement and perform full TCP segment reassembly. dnscap 530 [dnscap] is an open-source example of a DNS logging program that 531 implements TCP reassembly. 533 Developers should also keep in mind connection reuse, pipelining, and 534 out-of-order responses when building and testing DNS monitoring 535 applications. 537 7. Acknowledgments 539 This document was initially motivated by feedback from students who 540 pointed out that they were hearing contradictory information about 541 filtering DNS over TCP messages. Thanks in particular to a teaching 542 colleague, JPL, who perhaps unknowingly encouraged the initial 543 research into the differences of what the community has historically 544 said and did. Thanks to all the NANOG 63 attendees who provided 545 feedback to an early talk on this subject. 547 The following individuals provided an array of feedback to help 548 improve this document: Sara Dickinson, Bob Harold, Tatuya Jinmei, and 549 Paul Hoffman. The authors are indebted to their contributions. Any 550 remaining errors or imperfections are the sole responsibility of the 551 document authors. 553 8. IANA Considerations 555 This memo includes no request to IANA. 557 9. Security Considerations 559 Ironically, returning truncated DNS over UDP answers in order to 560 induce a client query to switch to DNS over TCP has become a common 561 response to source address spoofed, DNS denial-of-service attacks 562 [RRL]. Historically, operators have been wary of TCP-based attacks, 563 but in recent years, UDP-based flooding attacks have proven to be the 564 most common protocol attack on the DNS. Nevertheless, a high rate of 565 short-lived DNS transactions over TCP may pose challenges. While 566 many operators have provided DNS over TCP service for many years 567 without duress, past experience is no guarantee of future success. 569 DNS over TCP is not unlike many other Internet TCP services. TCP 570 threats and many mitigation strategies have been well documented in a 571 series of documents such as [RFC4953], [RFC4987], [RFC5927], and 572 [RFC5961]. 574 10. Privacy Considerations 576 TODO: Does this document warrant privacy considerations? 578 11. References 580 11.1. Normative References 582 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 583 Requirement Levels", BCP 14, RFC 2119, 584 DOI 10.17487/RFC2119, March 1997, 585 . 587 11.2. Informative References 589 [CASTRO2010] 590 Castro, S., Zhang, M., John, W., Wessels, D., and k. 591 claffy, "Understanding and preparing for DNS evolution", 592 2010. 594 [CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet 595 Security: Repelling the Wily Hacker", 1994. 597 [CLOUDFLARE] 598 Grant, D., "Economical With The Truth: Making DNSSEC 599 Answers Cheap", June 2016, 600 . 602 [DESIGNTEAM] 603 Design Team Report, "Root Zone KSK Rollover Plan", 604 December 2015, . 607 [DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002, 608 . 610 [dnscap] DNS-OARC, "DNSCAP", May 2018, 611 . 613 [HUSTON] Huston, G., "Dealing with IPv6 fragmentation in the DNS", 614 August 2017, . 617 [LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74 Budapest, 618 Hungary, May 2017, . 621 [NETALYZR] 622 Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson, 623 "Netalyzr: Illuminating The Edge Network", 2010. 625 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 626 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 627 . 629 [RFC1035] Mockapetris, P., "Domain names - implementation and 630 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 631 November 1987, . 633 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - 634 Application and Support", STD 3, RFC 1123, 635 DOI 10.17487/RFC1123, October 1989, 636 . 638 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. 639 Miller, "Common DNS Implementation Errors and Suggested 640 Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993, 641 . 643 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 644 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 645 RFC 2136, DOI 10.17487/RFC2136, April 1997, 646 . 648 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 649 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, 650 December 1998, . 652 [RFC2541] Eastlake 3rd, D., "DNS Security Operational 653 Considerations", RFC 2541, DOI 10.17487/RFC2541, March 654 1999, . 656 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 657 RFC 2671, DOI 10.17487/RFC2671, August 1999, 658 . 660 [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", 661 RFC 4953, DOI 10.17487/RFC4953, July 2007, 662 . 664 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 665 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 666 . 668 [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, 669 "Transport Layer Security (TLS) Session Resumption without 670 Server-Side State", RFC 5077, DOI 10.17487/RFC5077, 671 January 2008, . 673 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, 674 DOI 10.17487/RFC5927, July 2010, 675 . 677 [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol 678 (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010, 679 . 681 [RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's 682 Robustness to Blind In-Window Attacks", RFC 5961, 683 DOI 10.17487/RFC5961, August 2010, 684 . 686 [RFC6304] Abley, J. and W. Maton, "AS112 Nameserver Operations", 687 RFC 6304, DOI 10.17487/RFC6304, July 2011, 688 . 690 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, 691 DOI 10.17487/RFC6762, February 2013, 692 . 694 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 695 for DNS (EDNS(0))", STD 75, RFC 6891, 696 DOI 10.17487/RFC6891, April 2013, 697 . 699 [RFC6950] Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba, 700 "Architectural Considerations on Application Features in 701 the DNS", RFC 6950, DOI 10.17487/RFC6950, October 2013, 702 . 704 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 705 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 706 . 708 [RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS", 709 RFC 7477, DOI 10.17487/RFC7477, March 2015, 710 . 712 [RFC7720] Blanchet, M. and L-J. Liman, "DNS Root Name Service 713 Protocol and Deployment Requirements", BCP 40, RFC 7720, 714 DOI 10.17487/RFC7720, December 2015, 715 . 717 [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and 718 D. Wessels, "DNS Transport over TCP - Implementation 719 Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, 720 . 722 [RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The 723 edns-tcp-keepalive EDNS0 Option", RFC 7828, 724 DOI 10.17487/RFC7828, April 2016, 725 . 727 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 728 and P. Hoffman, "Specification for DNS over Transport 729 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 730 2016, . 732 [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) 733 Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, 734 . 736 [RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, 737 DOI 10.17487/RFC7901, June 2016, 738 . 740 [RFC7918] Langley, A., Modadugu, N., and B. Moeller, "Transport 741 Layer Security (TLS) False Start", RFC 7918, 742 DOI 10.17487/RFC7918, August 2016, 743 . 745 [RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy, 746 "DNSSEC Roadblock Avoidance", BCP 207, RFC 8027, 747 DOI 10.17487/RFC8027, November 2016, 748 . 750 [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram 751 Transport Layer Security (DTLS)", RFC 8094, 752 DOI 10.17487/RFC8094, February 2017, 753 . 755 [RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to 756 Associate Certificates with Domain Names for S/MIME", 757 RFC 8162, DOI 10.17487/RFC8162, May 2017, 758 . 760 [RFC8324] Klensin, J., "DNS Privacy, Authorization, Special Uses, 761 Encoding, Characters, Matching, and Root Structure: Time 762 for Another Look?", RFC 8324, DOI 10.17487/RFC8324, 763 February 2018, . 765 [RFC8467] Mayrhofer, A., "Padding Policies for Extension Mechanisms 766 for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467, 767 October 2018, . 769 [RFC8483] Song, L., Ed., Liu, D., Vixie, P., Kato, A., and S. Kerr, 770 "Yeti DNS Testbed", RFC 8483, DOI 10.17487/RFC8483, 771 October 2018, . 773 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 774 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 775 . 777 [RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting 778 (DNS RRL)", ISC-TN 2012-1 Draft1, April 2012. 780 [Stevens] Stevens, W., Fenner, B., and A. Rudoff, "UNIX Network 781 Programming Volume 1, Third Edition: The Sockets 782 Networking API", November 2003. 784 [TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N. 785 Somaiya, "Connection-oriented DNS to Improve Privacy and 786 Security", 2015. 788 [TOYAMA] Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and 789 K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache 790 Servers", NANOG 32 Reston, VA USA, 2004. 792 [VERISIGN] 793 Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in 794 Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los 795 Angeles, 2014. 797 [WIKIPEDIA_TFO] 798 Wikipedia, "TCP Fast Open", May 2018, 799 . 801 Appendix A. Standards Related to DNS Transport over TCP 803 This section enumerates all known IETF RFC documents that are 804 currently of status standard, informational, best common practice or 805 experimental and either implicitly or explicitly make assumptions or 806 statements about the use of TCP as a transport for the DNS germane to 807 this document. 809 A.1. TODO - additional, relevant RFCs 811 A.2. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) 813 The [RFC5936] standards track document provides a detailed 814 specification for the zone transfer protocol, as originally outlined 815 in the early DNS standards. AXFR operation is limited to TCP and not 816 specified for UDP. This document discusses TCP usage at length. 818 A.3. IETF RFC 6304 - AS112 Nameserver Operations 820 [RFC6304] is an informational document enumerating the requirements 821 for operation of AS112 project DNS servers. New AS112 nodes are 822 tested for their ability to provide service on both UDP and TCP 823 transports, with the implication that TCP service is an expected part 824 of normal operations. 826 A.4. IETF RFC 6762 - Multicast DNS 828 This standards track document [RFC6762] the TC bit is deemed to have 829 essentially the same meaning as described in the original DNS 830 specifications. That is, if a response with the TCP bit set is 831 receiver "[...] the querier SHOULD reissue its query using TCP in 832 order to receive the larger response." 834 A.5. IETF RFC 6950 - Architectural Considerations on Application 835 Features in the DNS 837 An informational document [RFC6950] that draws attention to large 838 data in the DNS. TCP is referenced in the context as a common 839 fallback mechnanism and counter to some spoofing attacks. 841 A.6. IETF RFC 7477 - Child-to-Parent Synchronization in DNS 843 This standards track document [RFC7477] specifies a RRType and 844 protocol to signal and synchronize NS, A, and AAAA resource record 845 changes from a child to parent zone. Since this protocol may require 846 multiple requests and responses, it recommends utilizing DNS over TCP 847 to ensure the conversation takes place between a consistent pair of 848 end nodes. 850 A.7. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment 851 Requirements 853 This best current practice[RFC7720] declares root name service "MUST 854 support UDP [RFC768] and TCP [RFC793] transport of DNS queries and 855 responses." 857 A.8. IETF RFC 7766 - DNS Transport over TCP - Implementation 858 Requirements 860 The standards track document [RFC7766] might be considered the direct 861 ancestor of this operational requirements document. The 862 implementation requirements document codifies mandatory support for 863 DNS over TCP in compliant DNS software. 865 A.9. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option 867 This standards track document [RFC7828] defines an EDNS0 option to 868 negotiate an idle timeout value for long-lived DNS over TCP 869 connections. Consequently, this document is only applicable and 870 relevant to DNS over TCP sessions and between implementations that 871 support this option. 873 A.10. IETF RFC 7858 - Specification for DNS over Transport Layer 874 Security (TLS) 876 This standards track document [RFC7858] defines a method for putting 877 DNS messages into a TCP-based encrypted channel using TLS. This 878 specification is noteworthy for explicitly targetting the stub-to- 879 recursive traffic, but does not preclude its application from 880 recursive-to-authoritative traffic. 882 A.11. IETF RFC 7873 - Domain Name System (DNS) Cookies 884 This standards track document [RFC7873] describes an EDNS0 option to 885 provide additional protection against query and answer forgery. This 886 specification mentions DNS over TCP as a reasonable fallback 887 mechanism when DNS Cookies are not available. The specification does 888 make mention of DNS over TCP processing in two specific situations. 889 In one, when a server receives only a client cookie in a request, the 890 server should consider whether the request arrived over TCP and if 891 so, it should consider accepting TCP as sufficient to authenticate 892 the request and respond accordingly. In another, when a client 893 receives a BADCOOKIE reply using a fresh server cookie, the client 894 should retry using TCP as the transport. 896 A.12. IETF RFC 7901 - CHAIN Query Requests in DNS 898 This experimental specification [RFC7901] describes an EDNS0 option 899 that can be used by a security-aware validating resolver to request 900 and obtain a complete DNSSEC validation path for any single query. 901 This document requires the use of DNS over TCP or a source IP address 902 verified transport mechanism such as EDNS-COOKIE.[RFC7873] 904 A.13. IETF RFC 8027 - DNSSEC Roadblock Avoidance 906 This document [RFC8027] details observed problems with DNSSEC 907 deployment and mitigation techniques. Network traffic blocking and 908 restrictions, including DNS over TCP messages, are highlighted as one 909 reason for DNSSEC deployment issues. While this document suggests 910 these sorts of problems are due to "non-compliant infrastructure" and 911 is of type BCP, the scope of the document is limited to detection and 912 mitigation techniques to avoid so-called DNSSEC roadblocks. 914 A.14. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS) 916 This experimental specification [RFC8094] details a protocol that 917 uses a datagram transport (UDP), but stipulates that "DNS clients and 918 servers that implement DNS over DTLS MUST also implement DNS over TLS 919 in order to provide privacy for clients that desire Strict Privacy 920 [...]". This requirement implies DNS over TCP must be supported in 921 case the message size is larger than the path MTU. 923 A.15. IETF RFC 8162 - Using Secure DNS to Associate Certificates with 924 Domain Names for S/MIME 926 This experimental specification [RFC8162] describes a technique to 927 authenticate user X.509 certificates in an S/MIME system via the DNS. 928 The document points out that the new experimental resource record 929 types are expected to carry large payloads, resulting in the 930 suggestion that "applications SHOULD use TCP -- not UDP -- to perform 931 queries for the SMIMEA resource record." 933 A.16. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, 934 Encoding, Characters, Matching, and Root Structure: Time for 935 Another Look? 937 An informational document [RFC8324] that briefly discusses the common 938 role and challenges of DNS over TCP throughout the history of DNS. 940 A.17. IETF RFC 8467 - Padding Policies for Extension Mechanisms for DNS 941 (EDNS(0)) 943 An experimental document [RFC8467] reminds implementers to consider 944 the underlying transport protocol (e.g. TCP) when calculating the 945 padding length when artificially increasing the DNS message size with 946 an EDNS(0) padding option. 948 A.18. IETF RFC 8483 - Yeti DNS Testbed 950 This informational document [RFC8483] describes a testbed environment 951 that highlights some DNS over TCP behaviors, including issues 952 involving packet fragmentation and operational requirements for TCP 953 stream assembly in order to conduct DNS measurement and analysis. 955 A.19. IETF RFC 8484 - DNS Queries over HTTPS (DoH) 957 This standards track document [RFC8484] defines a protocol for 958 sending DNS queries and responses over HTTPS. This specification 959 assumes TLS and TCP for the underlying security and transport layers 960 respectively. Self-described as a a technique that more closely 961 resembles a tunneling mechanism, DoH nevertheless likely implies DNS 962 over TCP in some sense if not directly. 964 Authors' Addresses 966 John Kristoff 967 DePaul University 968 Chicago, IL 60604 969 US 971 Phone: +1 312 493 0305 972 Email: jtk@depaul.edu 973 URI: https://aharp.iorc.depaul.edu 975 Duane Wessels 976 Verisign 977 12061 Bluemont Way 978 Reston, VA 20190 979 US 981 Phone: +1 703 948 3200 982 Email: dwessels@verisign.com 983 URI: http://verisigninc.com