idnits 2.17.1 draft-ietf-dnsop-dns-tcp-requirements-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == There is 1 instance of lines with non-ascii characters in the document. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC1123, updated by this document, for RFC5378 checks: 1989-10-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (6 January 2022) is 839 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 883 (Obsoleted by RFC 1034, RFC 1035) -- Obsolete informational reference (is this intentional?): RFC 2541 (Obsoleted by RFC 4641) -- Obsolete informational reference (is this intentional?): RFC 2671 (Obsoleted by RFC 6891) -- Obsolete informational reference (is this intentional?): RFC 5966 (Obsoleted by RFC 7766) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Domain Name System Operations J.T. Kristoff 3 Internet-Draft DataPlane.org 4 Updates: 1123, 1536 (if approved) D. Wessels 5 Intended status: Best Current Practice Verisign 6 Expires: 10 July 2022 6 January 2022 8 DNS Transport over TCP - Operational Requirements 9 draft-ietf-dnsop-dns-tcp-requirements-15 11 Abstract 13 This document updates RFC 1123 and RFC 1536. This document requires 14 the operational practice of permitting DNS messages to be carried 15 over TCP on the Internet as a Best Current Practice. This 16 operational requirement is aligned with the implementation 17 requirements in RFC 7766. The use of TCP includes both DNS over 18 unencrypted TCP, as well as over an encrypted TLS session. The 19 document also considers the consequences of this form of DNS 20 communication and the potential operational issues that can arise 21 when this Best Current Practice is not upheld. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on 10 July 2022. 40 Copyright Notice 42 Copyright (c) 2022 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 47 license-info) in effect on the date of publication of this document. 48 Please review these documents carefully, as they describe your rights 49 and restrictions with respect to this document. Code Components 50 extracted from this document must include Revised BSD License text as 51 described in Section 4.e of the Trust Legal Provisions and are 52 provided without warranty as described in the Revised BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 58 2. History of DNS over TCP . . . . . . . . . . . . . . . . . . . 4 59 2.1. Uneven Transport Usage and Preference . . . . . . . . . . 5 60 2.2. Waiting for Large Messages and Reliability . . . . . . . 5 61 2.3. EDNS(0) . . . . . . . . . . . . . . . . . . . . . . . . . 6 62 2.4. Fragmentation and Truncation . . . . . . . . . . . . . . 6 63 2.5. "Only Zone Transfers Use TCP" . . . . . . . . . . . . . . 8 64 2.6. Reuse, Pipelining, and Out-of-Order Processing . . . . . 8 65 3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 9 66 4. Network and System Considerations . . . . . . . . . . . . . . 10 67 4.1. Connection Establishment and Admission . . . . . . . . . 10 68 4.2. Connection Management . . . . . . . . . . . . . . . . . . 12 69 4.3. Connection Termination . . . . . . . . . . . . . . . . . 13 70 4.4. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 13 71 4.5. Defaults and Recommended Limits . . . . . . . . . . . . . 14 72 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 15 73 5.1. Truncation, Retries, and Timeouts . . . . . . . . . . . . 15 74 5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 16 75 6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 16 76 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 77 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 78 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18 79 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 80 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 81 11.1. Normative References . . . . . . . . . . . . . . . . . . 18 82 11.2. Informative References . . . . . . . . . . . . . . . . . 19 83 Appendix A. Standards Related to DNS Transport over TCP . . . . 27 84 A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND 85 SPECIFICATION . . . . . . . . . . . . . . . . . . . . . 27 86 A.2. IETF RFC 1536 - Common DNS Implementation Errors and 87 Suggested Fixes . . . . . . . . . . . . . . . . . . . . 27 88 A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS . . . . 27 89 A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone 90 Changes (DNS NOTIFY) . . . . . . . . . . . . . . . . . . 27 91 A.5. IETF RFC 2181 - Clarifications to the DNS 92 Specification . . . . . . . . . . . . . . . . . . . . . 27 93 A.6. IETF RFC 2694 - DNS extensions to Network Address 94 Translators (DNS_ALG) . . . . . . . . . . . . . . . . . 28 95 A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC . . 28 96 A.8. IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver 97 message size requirements . . . . . . . . . . . . . . . 28 98 A.9. IETF RFC 4472 - Operational Considerations and Issues with 99 IPv6 DNS . . . . . . . . . . . . . . . . . . . . . . . . 28 100 A.10. IETF RFC 5452 - Measures for Making DNS More Resilient 101 against Forged Answers . . . . . . . . . . . . . . . . . 28 102 A.11. IETF RFC 5507 - Design Choices When Expanding the DNS . . 29 103 A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines . . . 29 104 A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) . . . . 29 105 A.14. IETF RFC 7534 - AS112 Nameserver Operations . . . . . . . 29 106 A.15. IETF RFC 6762 - Multicast DNS . . . . . . . . . . . . . . 29 107 A.16. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) . 29 108 A.17. IETF RFC 6950 - Architectural Considerations on Application 109 Features in the DNS . . . . . . . . . . . . . . . . . . 30 110 A.18. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 30 111 A.19. IETF RFC 7720 - DNS Root Name Service Protocol and 112 Deployment Requirements . . . . . . . . . . . . . . . . 30 113 A.20. IETF RFC 7766 - DNS Transport over TCP - Implementation 114 Requirements . . . . . . . . . . . . . . . . . . . . . . 30 115 A.21. IETF RFC 7828 - The edns-tcp-keepalive EDNS(0) Option . . 30 116 A.22. IETF RFC 7858 - Specification for DNS over Transport Layer 117 Security (TLS) . . . . . . . . . . . . . . . . . . . . . 31 118 A.23. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 31 119 A.24. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 31 120 A.25. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 31 121 A.26. IETF RFC 8094 - DNS over Datagram Transport Layer Security 122 (DTLS) . . . . . . . . . . . . . . . . . . . . . . . . . 32 123 A.27. IETF RFC 8162 - Using Secure DNS to Associate Certificates 124 with Domain Names for S/MIME . . . . . . . . . . . . . . 32 125 A.28. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, 126 Encoding, Characters, Matching, and Root Structure: Time for 127 Another Look? . . . . . . . . . . . . . . . . . . . . . 32 128 A.29. IETF RFC 8467 - Padding Policies for Extension Mechanisms 129 for DNS (EDNS(0)) . . . . . . . . . . . . . . . . . . . 32 130 A.30. IETF RFC 8482 - Providing Minimal-Sized Responses to DNS 131 Queries That Have QTYPE=ANY . . . . . . . . . . . . . . 32 132 A.31. IETF RFC 8483 - Yeti DNS Testbed . . . . . . . . . . . . 33 133 A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) . . . . . . 33 134 A.33. IETF RFC 8490 - DNS Stateful Operations . . . . . . . . . 33 135 A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service 136 Providers . . . . . . . . . . . . . . . . . . . . . . . 33 137 A.35. IETF RFC 8806 - Running a Root Server Local to a 138 Resolver . . . . . . . . . . . . . . . . . . . . . . . . 33 139 A.36. IETF RFC 8906 - A Common Operational Problem in DNS 140 Servers: Failure to Communicate . . . . . . . . . . . . 33 141 A.37. IETF RFC 8932 - Recommendations for DNS Privacy Service 142 Operators . . . . . . . . . . . . . . . . . . . . . . . 34 144 A.38. IETF RFC 8945 - Secret Key Transaction Authentication for 145 DNS (TSIG) . . . . . . . . . . . . . . . . . . . . . . . 34 146 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 148 1. Introduction 150 DNS messages are delivered using UDP or TCP communications. While 151 most DNS transactions are carried over UDP, some operators have been 152 led to believe that any DNS over TCP traffic is unwanted or 153 unnecessary for general DNS operation. When DNS over TCP has been 154 restricted, a variety of communication failures and debugging 155 challenges often arise. As DNS and new naming system features have 156 evolved, TCP as a transport has become increasingly important for the 157 correct and safe operation of an Internet DNS. Reflecting modern 158 usage, the DNS standards declare that support for TCP is a required 159 part of the DNS implementation specifications [RFC7766]. This 160 document is the formal requirements equivalent for the operational 161 community, encouraging system administrators, network engineers, and 162 security staff to ensure DNS over TCP communications support is on 163 par with DNS over UDP communications. It updates [RFC1123] 164 Section 6.1.3.2 to clarify that all DNS resolvers and recursive 165 servers MUST support and service both TCP and UDP queries, and also 166 updates [RFC1536] to remove the misconception that TCP is only useful 167 for zone transfers. 169 1.1. Requirements Language 171 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 172 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 173 "OPTIONAL" in this document are to be interpreted as described in BCP 174 14 [RFC2119] [RFC8174] when, and only when, they appear in all 175 capitals, as shown here. 177 2. History of DNS over TCP 179 The curious state of disagreement between operational best practices 180 and guidance for DNS transport protocols derives from conflicting 181 messages operators have received from other operators, implementors, 182 and even the IETF. Sometimes these mixed signals have been explicit; 183 on other occasions, conflicting messages have been implicit. This 184 section presents an interpretation of the storied and conflicting 185 history that led to this document. This section is included for 186 informational purposes only. 188 2.1. Uneven Transport Usage and Preference 190 In the original suite of DNS specifications, [RFC1034] and [RFC1035] 191 clearly specified that DNS messages could be carried in either UDP or 192 TCP, but they also stated a preference for UDP as the best transport 193 for queries in the general case. As stated in [RFC1035]: 195 "While virtual circuits can be used for any DNS activity, 196 datagrams are preferred for queries due to their lower overhead 197 and better performance." 199 Another early, important, and influential document, [RFC1123], marked 200 the preference for a transport protocol more explicitly: 202 "DNS resolvers and recursive servers MUST support UDP, and SHOULD 203 support TCP, for sending (non-zone-transfer) queries." 205 and further stipulated: 207 "A name server MAY limit the resources it devotes to TCP queries, 208 but it SHOULD NOT refuse to service a TCP query just because it 209 would have succeeded with UDP." 211 Culminating in [RFC1536], DNS over TCP came to be associated 212 primarily with the zone transfer mechanism, while most DNS queries 213 and responses were seen as the dominion of UDP. 215 2.2. Waiting for Large Messages and Reliability 217 In the original specifications, the maximum DNS over UDP message size 218 was enshrined at 512 bytes. However, even while [RFC1123] preferred 219 UDP for non-zone transfer queries, it foresaw DNS over TCP becoming 220 more popular in the future to overcome this limitation: 222 "[...] it is also clear that some new DNS record types defined in 223 the future will contain information exceeding the 512 byte limit 224 that applies to UDP, and hence will require TCP." 226 At least two new, widely anticipated developments were set to elevate 227 the need for DNS over TCP transactions. The first was dynamic 228 updates defined in [RFC2136] and the second was the set of extensions 229 collectively known as DNSSEC, whose operational considerations are 230 originally given in [RFC2541]. The former suggested "requestors who 231 require an accurate response code must use TCP," while the latter 232 warned "... larger keys increase the size of KEY and SIG RRs. This 233 increases the chance of DNS UDP packet overflow and the possible 234 necessity for using higher overhead TCP in responses." 235 Yet, defying some expectations, DNS over TCP remained little-used in 236 real traffic across the Internet in the late 1990s. Dynamic updates 237 saw little deployment between autonomous networks. Around the time 238 DNSSEC was first defined, another new feature helped solidify UDP 239 transport dominance for message transactions. 241 2.3. EDNS(0) 243 In 1999 the IETF published the Extension Mechanisms for DNS (EDNS(0)) 244 in [RFC2671] (superseded in 2013 by an update in [RFC6891]). That 245 document standardized a way for communicating DNS nodes to perform 246 rudimentary capabilities negotiation. One such capability written 247 into the base specification and present in every EDNS(0)-compatible 248 message is the value of the maximum UDP payload size the sender can 249 support. This unsigned 16-bit field specifies, in bytes, the maximum 250 (possibly fragmented) DNS message size a node is capable of receiving 251 over UDP. In practice, typical values are a subset of the 512- to 252 4096-byte range. EDNS(0) became widely deployed over the next 253 several years, and numerous surveys ([CASTRO2010], [NETALYZR]) have 254 shown that many systems support larger UDP MTUs with EDNS(0). 256 The natural effect of EDNS(0) deployment meant DNS messages larger 257 than 512 bytes would be less reliant on TCP than they might otherwise 258 have been. While a non-negligible population of DNS systems lacked 259 EDNS(0) or fell back to TCP when necessary, DNS clients still 260 strongly prefer UDP to TCP. For example, as of 2014, DNS over TCP 261 transactions remained a very small fraction of overall DNS traffic 262 received by root name servers [VERISIGN]. 264 2.4. Fragmentation and Truncation 266 Although EDNS(0) provides a way for endpoints to signal support for 267 DNS messages exceeding 512 bytes, the realities of a diverse and 268 inconsistently deployed Internet may result in some large messages 269 being unable to reach their destination. Any IP datagram whose size 270 exceeds the MTU of a link it transits will be fragmented and then 271 reassembled by the receiving host. Unfortunately, it is not uncommon 272 for middleboxes and firewalls to block IP fragments. If one or more 273 fragments do not arrive, the application does not receive the message 274 and the request times out. 276 For IPv4-connected hosts, the MTU is often the Ethernet payload size 277 of 1500 bytes. This means that the largest unfragmented UDP DNS 278 message that can be sent over IPv4 is likely 1472 bytes, although 279 tunnel encapsulation may reduce that maximum message size in some 280 cases. 282 For IPv6, the situation is a little more complicated. First, IPv6 283 headers are 40 bytes (versus 20 without options in IPv4). Second, 284 approximately one third of DNS recursive resolvers use the minimum 285 MTU of 1280 bytes [APNIC]. Third, fragmentation in IPv6 can only be 286 done by the host originating the datagram. The need to fragment is 287 conveyed in an ICMPv6 "packet too big" message. The originating host 288 indicates a fragmented datagram with IPv6 extension headers. 289 Unfortunately, it is quite common for both ICMPv6 and IPv6 extension 290 headers to be blocked by middleboxes. According to [HUSTON] some 35% 291 of IPv6-capable recursive resolvers were unable to receive a 292 fragmented IPv6 packet. When the originating host receives a signal 293 that fragmentation is required, it is expected to populate its Path 294 MTU cache for that destination. The application, then, will retry 295 the query after a timeout since the host does not generally retain 296 copies of messages sent over UDP for potential retransmission. 298 The practical consequence of all this is that DNS requestors must be 299 prepared to retry queries with different EDNS(0) maximum message size 300 values. Administrators of [BIND] are likely to be familiar with 301 seeing "success resolving ... after reducing the advertised EDNS(0) 302 UDP packet size to 512 octets" messages in their system logs. 304 Often, reducing the EDNS(0) UDP packet size leads to a successful 305 response. That is, the necessary data fits within the smaller 306 message size. However, when the data does not fit, the server sets 307 the truncated flag in its response, indicating the client should 308 retry over TCP to receive the whole response. This is undesirable 309 from the client's point of view because it adds more latency and 310 potentially undesirable from the server's point of view due to the 311 increased resource requirements of TCP. 313 Note that a receiver is unable to differentiate between packets lost 314 due to congestion and packets (fragments) intentionally dropped by 315 firewalls or middleboxes. Over network paths with non-trivial 316 amounts of packet loss, larger, fragmented DNS responses are more 317 likely to never arrive and time out compared to smaller, unfragmented 318 responses. Clients might be misled into retrying queries with 319 different EDNS(0) UDP packet size values for the wrong reason. 321 The issues around fragmentation, truncation, and TCP are driving 322 certain implementation and policy decisions in the DNS. Notably, 323 Cloudflare implemented what it calls "DNSSEC black lies" [CLOUDFLARE] 324 and uses ECDSA algorithms, such that their signed responses fit 325 easily in 512 bytes. The Key Signing Key (KSK) Rollover design team 326 [DESIGNTEAM] spent a lot of time thinking and worrying about response 327 sizes. There is growing sentiment in the DNSSEC community that RSA 328 key sizes beyond 2048-bits are impractical and that critical 329 infrastructure zones should transition to elliptic curve algorithms 330 to keep response sizes manageable [ECDSA]. 332 More recently, renewed security concerns about fragmented DNS 333 messages ([AVOID_FRAGS], [FRAG_POISON]) are leading implementors to 334 consider smaller responses and lower default EDNS(0) UDP payload size 335 values for both queriers and responders [FLAGDAY2020]. 337 2.5. "Only Zone Transfers Use TCP" 339 Today, the majority of the DNS community expects, or at least has a 340 desire, to see DNS over TCP transactions occur without interference 341 [FLAGDAY2020]. However, there has also been a long-held belief by 342 some operators, particularly for security-related reasons, that DNS 343 over TCP services should be purposely limited or not provided at all 344 [CHES94], [DJBDNS]. A popular meme is that DNS over TCP is only ever 345 used for zone transfers and is generally unnecessary otherwise, with 346 filtering all DNS over TCP traffic even described as a best practice. 348 The position on restricting DNS over TCP had some justification given 349 that historical implementations of DNS nameservers provided very 350 little in the way of TCP connection management (for example see 351 Section 6.1.2 of [RFC7766] for more details). However, modern 352 standards and implementations are nearing parity with the more 353 sophisticated TCP management techniques employed by, for example, 354 HTTP(S) servers and load balancers. 356 2.6. Reuse, Pipelining, and Out-of-Order Processing 358 The idea that a TCP connection can support multiple transactions goes 359 back as far as [RFC0883], which states: "Multiple messages may be 360 sent over a virtual circuit." Although [RFC1035], which updates the 361 former, omits this particular detail, it has been generally accepted 362 that a TCP connection can be used for more than one query and 363 response. 365 [RFC5966] clarified that servers are not required to preserve the 366 order of queries and responses over any transport. [RFC7766], which 367 updates the former, further encourages query pipelining over TCP to 368 achieve performance on par with UDP. A server that sends out-of- 369 order responses to pipelined queries avoids head-of-line blocking 370 when the response for a later query is ready before the response to 371 an earlier query. 373 However, TCP can potentially suffer from a different head-of-line 374 blocking problem due to packet loss. Since TCP itself enforces 375 ordering, a single lost segment delays delivery of data in any 376 following segments until the lost segment is retransmitted and 377 successfully received. 379 3. DNS over TCP Requirements 381 An average increase in DNS message size (e.g., due to DNSSEC), the 382 continued development of new DNS features (Appendix A), and a denial 383 of service mitigation technique (Section 8), all show that DNS over 384 TCP transactions are as important to the correct and safe operation 385 of the Internet DNS as ever, if not more so. Furthermore, there has 386 been research that argues connection-oriented DNS transactions may 387 provide security and privacy advantages over UDP transport [TDNS]. 388 In fact, the standard for DNS over TLS [RFC7858] is just this sort of 389 specification. Therefore, this document makes explicit that it is 390 undesirable for network operators to artificially inhibit DNS over 391 TCP transport. 393 Section 6.1.3.2 in [RFC1123] is updated: All DNS resolvers and 394 servers MUST support and service both UDP and TCP queries. 396 * DNS servers (including forwarders) MUST support and service TCP 397 for receiving queries, so that clients can reliably receive 398 responses that are larger than what either side considers too 399 large for UDP. 401 * DNS clients MUST support TCP for sending queries, so that they can 402 retry truncated UDP responses as necessary. 404 Furthermore, the requirement in Section 6.1.3.2 of [RFC1123] around 405 limiting the resources a server devotes to queries is hereby updated: 407 OLD: 409 A name server MAY limit the resources it devotes to TCP queries, 410 but it SHOULD NOT refuse to service a TCP query just because it 411 would have succeeded with UDP. 413 NEW: 415 A name server MAY limit the resources it devotes to queries, but 416 it MUST NOT refuse to service a query just because it would have 417 succeeded with another transport protocol. 419 Lastly, Section 1 of [RFC1536] is updated to eliminate the 420 misconception that TCP is only useful for zone transfers: 422 OLD: 424 DNS implements the classic request-response scheme of client- 425 server interaction. UDP is, therefore, the chosen protocol for 426 communication though TCP is used for zone transfers. 428 NEW: 430 DNS implements the classic request-response scheme of client- 431 server interaction. 433 Filtering of DNS over TCP is harmful in the general case. DNS 434 resolver and server operators MUST support and provide DNS service 435 over both UDP and TCP transports. Likewise, network operators MUST 436 allow DNS service over both UDP and TCP transports. It is 437 acknowledged that DNS over TCP service can pose operational 438 challenges that are not present when running DNS over UDP alone, and 439 vice-versa. However, the potential damage incurred by prohibiting 440 DNS over TCP service is more detrimental to the continued utility and 441 success of the DNS than when its usage is allowed. 443 4. Network and System Considerations 445 This section describes measures that systems and applications can 446 take to optimize performance over TCP and to protect themselves from 447 TCP-based resource exhaustion and attacks. 449 4.1. Connection Establishment and Admission 451 Resolvers and other DNS clients should be aware that some servers 452 might not be reachable over TCP. For this reason, clients MAY track 453 and limit the number of TCP connections and connection attempts to a 454 single server. Reachability problems can be caused by network 455 elements close to the server, close to the client, or anywhere along 456 the path between them. Mobile clients that cache connection failures 457 MAY do so on a per-network basis, or MAY clear such a cache upon 458 change of network. 460 Additionally, DNS clients MAY enforce a short timeout on 461 unestablished connections, rather than rely on the host operating 462 system's TCP connection timeout, which is often around 60-120 seconds 463 (i.e., due to an initial retransmission timeout of 1 second, the 464 exponential back off rules of [RFC6298], and a limit of six retries 465 as is the default in Linux). 467 The SYN flooding attack is a denial-of-service method affecting hosts 468 that run TCP server processes [RFC4987]. This attack can be very 469 effective if not mitigated. One of the most effective mitigation 470 techniques is SYN cookies, described in Section 3.6 of [RFC4987], 471 which allows the server to avoid allocating any state until the 472 successful completion of the three-way handshake. 474 Services not intended for use by the public Internet, such as most 475 recursive name servers, SHOULD be protected with access controls. 476 Ideally these controls are placed in the network, well before any 477 unwanted TCP packets can reach the DNS server host or application. 478 If this is not possible, the controls can be placed in the 479 application itself. In some situations (e.g. attacks) it may be 480 necessary to deploy access controls for DNS services that should 481 otherwise be globally reachable. See also [RFC5358]. 483 The FreeBSD and NetBSD operating systems have an "accept filter" 484 feature ([accept_filter]) that postpones delivery of TCP connections 485 to applications until a complete, valid request has been received. 486 The dns_accf(9) filter ensures that a valid DNS message is received. 487 If not, the bogus connection never reaches the application. The 488 Linux TCP_DEFER_ACCEPT feature, while more limited in scope, can 489 provide some of the same benefits as the BSD accept filter feature. 490 These features are implemented as low-level socket options, and are 491 not activated automatically. If applications wish to use these 492 features, they need to make specific calls to set the right options, 493 and administrators may also need to configure the applications to 494 appropriately use the features. 496 Per [RFC7766], applications and administrators are advised to 497 remember that TCP MAY be used before sending any UDP queries. 498 Networks and applications MUST NOT be configured to refuse TCP 499 queries that were not preceded by a UDP query. 501 TCP Fast Open [RFC7413] (TFO) allows TCP clients to shorten the 502 handshake for subsequent connections to the same server. TFO saves 503 one round-trip time in the connection setup. DNS servers SHOULD 504 enable TFO when possible. Furthermore, DNS servers clustered behind 505 a single service address (e.g., anycast or load-balancing), SHOULD 506 either use the same TFO server key on all instances, or disable TFO 507 for all members of the cluster. 509 DNS clients MAY also enable TFO. At the time of this writing, on 510 some operating systems it is not implemented, or is disabled by 511 default. [WIKIPEDIA_TFO] describes applications and operating 512 systems that support TFO. 514 4.2. Connection Management 516 Since host memory for TCP state is a finite resource, DNS clients and 517 servers SHOULD actively manage their connections. Applications that 518 do not actively manage their connections can encounter resource 519 exhaustion leading to denial of service. For DNS, as in other 520 protocols, there is a tradeoff between keeping connections open for 521 potential future use and the need to free up resources for new 522 connections that will arrive. 524 Operators of DNS server software SHOULD be aware that operating 525 system and application vendors MAY impose a limit on the total number 526 of established connections. These limits may be designed to protect 527 against DDoS attacks or performance degradation. Operators SHOULD 528 understand how to increase these limits if necessary, and the 529 consequences of doing so. Limits imposed by the application SHOULD 530 be lower than limits imposed by the operating system, so that the 531 application can apply its own policy to connection management, such 532 as closing the oldest idle connections first. 534 DNS server software MAY provide a configurable limit on the number of 535 established connections per source IP address or subnet. This can be 536 used to ensure that a single or small set of users cannot consume all 537 TCP resources and deny service to other users. Note, however, that 538 if this limit is enabled, it possibly limits client performance while 539 leaving some TCP resources unutilized. Operators SHOULD be aware of 540 these tradeoffs and ensure this limit, if configured, is set 541 appropriately based on the number and diversity of their users, and 542 whether users connect from unique IP addresses or through a shared 543 Network Address Translator [RFC3022]. 545 DNS server software SHOULD provide a configurable timeout for idle 546 TCP connections. This can be used to free up resources for new 547 connections and to ensure that idle connections are eventually 548 closed. At the same time, it possibly limits client performance 549 while leaving some TCP resources unutilized. For very busy name 550 servers this might be set to a low value, such as a few seconds. For 551 less busy servers it might be set to a higher value, such as tens of 552 seconds. DNS clients and servers SHOULD signal their timeout values 553 using the edns-tcp-keepalive option [RFC7828]. 555 DNS server software MAY provide a configurable limit on the number of 556 transactions per TCP connection. This can help protect against 557 unfair connection use (e.g., not releasing connection slots to other 558 clients) and network evasion attacks. 560 Similarly, DNS server software MAY provide a configurable limit on 561 the total duration of a TCP connection. This can help protect 562 against unfair connection use, slow read attacks, and network evasion 563 attacks. 565 Since clients may not be aware of server-imposed limits, clients 566 utilizing TCP for DNS need to always be prepared to re-establish 567 connections or otherwise retry outstanding queries. 569 4.3. Connection Termination 571 The TCP peer that initiates a connection close retains the socket in 572 the TIME_WAIT state for some amount of time, possibly a few minutes. 573 It is generally preferable for clients to initiate the close of a TCP 574 connection so that busy servers do not accumulate many sockets in the 575 TIME_WAIT state, which can cause performance problems or even denial 576 of service. The edns-tcp-keepalive EDNS(0) option [RFC7828] can be 577 used to encourage clients to close connections. 579 On systems where large numbers of sockets in TIME_WAIT are observed 580 (either as client or server), and are affecting an application's 581 performance, it may be tempting to tune local TCP parameters. For 582 example, the Linux kernel has a "sysctl" parameter named 583 net.ipv4.tcp_tw_reuse which allows connections in the TIME_WAIT state 584 to be reused in specific circumstances. Note, however, this affects 585 only outgoing (client) connections and has no impact on servers. In 586 most cases it is NOT RECOMMENDED to change parameters related to the 587 TIME_WAIT state. It should only be done by those with detailed 588 knowledge of both TCP and the affected application. 590 4.4. DNS-over-TLS 592 DNS messages may be sent over TLS to provide privacy between stubs 593 and recursive resolvers. [RFC7858] is a Standards Track document 594 describing how this works. Although DNS-over-TLS utilizes TCP port 595 853 instead of port 53, this document applies equally well to DNS- 596 over-TLS. Note, however, DNS-over-TLS is only defined between stubs 597 and recursives at the time of this writing. 599 The use of TLS places even stronger operational burdens on DNS 600 clients and servers. Cryptographic functions for authentication and 601 encryption require additional processing. Unoptimized connection 602 setup with TLS 1.3 [RFC8446] takes one additional round-trip compared 603 to TCP. Connection setup times can be reduced with TCP Fast Open, 604 and TLS False Start [RFC7918] for TLS 1.2. TLS 1.3 session 605 resumption does not reduce round-trip latency because no application 606 profile for use of TLS 0-RTT data with DNS has been published at the 607 time of this writing. However, TLS session resumption can reduce the 608 number of cryptographic operations, and in TLS 1.2, session 609 resumption does reduce the number of additional round trips from two 610 to one. 612 4.5. Defaults and Recommended Limits 614 A survey of features and defaults was conducted for popular open 615 source DNS server implementations at the time of writing. This 616 section documents those defaults and makes recommendations for 617 configurable limits that can be used in the absence of any other 618 information. Any recommended values in this document are only 619 intended as a starting point for administrators that are unsure what 620 sorts of limits might be reasonable. Operators SHOULD use 621 application-specific monitoring, system logs, and system monitoring 622 tools to gauge whether their service is operating within or exceeding 623 these limits, and adjust accordingly. 625 Most open source DNS server implementations provide a configurable 626 limit on the total number of established connections. Default values 627 range from 20 to 150. In most cases, where the majority of queries 628 take place over UDP, 150 is a reasonable limit. For services or 629 environments where most queries take place over TCP or TLS, 5000 is a 630 more appropriate limit. 632 Only some open source implementations provide a way to limit the 633 number of connections per source IP address or subnet, but the 634 default is to have no limit. For environments or situations where it 635 may be necessary to enable this limit, 25 connections per source IP 636 address is a reasonable starting point. The limit should be 637 increased when aggregated by subnet, or for services where most 638 queries take place over TCP or TLS. 640 Most open source implementations provide a configurable idle timeout 641 on connections. Default values range from 2 to 30 seconds. In most 642 cases, 10 seconds is a reasonable default for this limit. Longer 643 timeouts improve connection reuse, but busy servers may need to use a 644 lower limit. 646 Only some open source implementations provide a way to limit the 647 number of transactions per connection, but the default is to have no 648 limit. This document does not offer advice on particular values for 649 such a limit. 651 Only some open source implementations provide a way to limit the 652 duration of connection, but the default is to have no limit. This 653 document does not offer advice on particular values for such a limit. 655 5. DNS over TCP Filtering Risks 657 Networks that filter DNS over TCP risk losing access to significant 658 or important pieces of the DNS namespace. For a variety of reasons a 659 DNS answer may require a DNS over TCP query. This may include large 660 message sizes, lack of EDNS(0) support, DDoS mitigation techniques 661 (including [RRL]), or perhaps some future capability that is as yet 662 unforeseen will also demand TCP transport. 664 For example, [RFC7901] describes a latency-avoiding technique that 665 sends extra data in DNS responses. This makes responses larger and 666 potentially increases the effectiveness of DDoS reflection attacks. 667 The specification mandates the use of TCP or DNS Cookies [RFC7873]. 669 Even if any or all particular answers have consistently been returned 670 successfully with UDP in the past, this continued behavior cannot be 671 guaranteed when DNS messages are exchanged between autonomous 672 systems. Therefore, filtering of DNS over TCP is considered harmful 673 and contrary to the safe and successful operation of the Internet. 674 This section enumerates some of the known risks at the time of this 675 writing when networks filter DNS over TCP. 677 5.1. Truncation, Retries, and Timeouts 679 Networks that filter DNS over TCP may inadvertently cause problems 680 for third-party resolvers as experienced by [TOYAMA]. For example, a 681 resolver receives queries for a moderately popular domain. The 682 resolver forwards the queries to the domain's authoritative name 683 servers, but those servers respond with the TC bit set. The resolver 684 retries over TCP, but the authoritative server blocks DNS over TCP. 685 The pending connections consume resources on the resolver until they 686 time out. If the number and frequency of these truncated-and-then- 687 blocked queries is sufficiently high, the resolver wastes valuable 688 resources on queries that can never be answered. This condition is 689 generally not easily or completely mitigated by the affected DNS 690 resolver operator. 692 5.2. DNS Root Zone KSK Rollover 694 The plans for deploying a new root zone DNSSEC KSK highlighted a 695 potential problem in retrieving the root zone key set [LEWIS]. 696 During some phases of the KSK rollover process, root zone DNSKEY 697 responses were larger than 1280 bytes, the IPv6 minimum MTU for links 698 carrying IPv6 traffic [RFC8200]. There was some concern 699 [KSK_ROLLOVER_ARCHIVES] that any DNS server unable to receive large 700 DNS messages over UDP, or any DNS message over TCP, would experience 701 disruption while performing DNSSEC validation. 703 However, during the year-long postponement of the KSK rollover there 704 were no reported problems that could be attributed to the 1414 octet 705 DNSKEY response when both the old and new keys were published in the 706 zone. Additionally, there were no reported problems during the two- 707 month period when the old key was published as revoked and the DNSKEY 708 response was 1425 octets in size [ROLL_YOUR_ROOT]. 710 6. Logging and Monitoring 712 Developers of applications that log or monitor DNS SHOULD NOT ignore 713 TCP due to the perception that it is rarely used or is hard to 714 process. Operators SHOULD ensure that their monitoring and logging 715 applications properly capture DNS messages over TCP. Otherwise, 716 attacks, exfiltration attempts, and normal traffic may go undetected. 718 DNS messages over TCP are in no way guaranteed to arrive in single 719 segments. In fact, a clever attacker might attempt to hide certain 720 messages by forcing them over very small TCP segments. Applications 721 that capture network packets (e.g., with libpcap [libpcap]) SHOULD 722 implement and perform full TCP stream reassembly and analyze the 723 reassembled stream instead of the individual packets. Otherwise, 724 they are vulnerable to network evasion attacks [phrack]. 725 Furthermore, such applications need to protect themselves from 726 resource exhaustion attacks by limiting the amount of memory 727 allocated to tracking unacknowledged connection state data. dnscap 728 [dnscap] is an open-source example of a DNS logging program that 729 implements TCP stream reassembly. 731 Developers SHOULD also keep in mind connection reuse, query 732 pipelining, and out-of-order responses when building and testing DNS 733 monitoring applications. 735 As an alternative to packet capture, some DNS server software 736 supports dnstap [dnstap] as an integrated monitoring protocol 737 intended to facilitate wide-scale DNS monitoring. 739 7. IANA Considerations 741 This memo includes no request to IANA. 743 8. Security Considerations 745 This document, providing operational requirements, is the companion 746 to the implementation requirements of DNS over TCP, provided in 747 [RFC7766]. The security considerations from [RFC7766] still apply. 749 Ironically, returning truncated DNS over UDP answers in order to 750 induce a client query to switch to DNS over TCP has become a common 751 response to source address spoofed, DNS denial-of-service attacks 752 [RRL]. Historically, operators have been wary of TCP-based attacks, 753 but in recent years, UDP-based flooding attacks have proven to be the 754 most common protocol attack on the DNS. Nevertheless, a high rate of 755 short-lived DNS transactions over TCP may pose challenges. In fact, 756 [DAI21] details a class of IP fragmentation attacks on DNS 757 transactions if the IP Identifier field (16 bits in IPv4 and 32 bits 758 in IPv6) can be predicted and a system is coerced to fragment rather 759 than retransmit messages. While many operators have provided DNS 760 over TCP service for many years without duress, past experience is no 761 guarantee of future success. 763 DNS over TCP is similar to many other Internet TCP services. TCP 764 threats and many mitigation strategies have been well-documented in a 765 series of documents such as [RFC4953], [RFC4987], [RFC5927], and 766 [RFC5961]. 768 As mentioned in Section 6, applications that implement TCP stream 769 reassembly need to limit the amount of memory allocated to connection 770 tracking. A failure to do so could lead to a total failure of the 771 logging or monitoring application. Imposition of resource limits 772 creates a tradeoff between allowing some stream reassembly to 773 continue and allowing some evasion attacks to succeed. 775 This document recommends that DNS Servers enable TFO when possible. 776 [RFC7413] recommends that a pool of servers behind a load balancer 777 with shared server IP address also share the key used to generate 778 Fast Open cookies, to prevent inordinate fallback to the 3WHS. This 779 guidance remains accurate, but comes with a caveat: compromise of one 780 server would reveal this group-shared key, and allow for attacks 781 involving the other servers in the pool by forging invalid Fast Open 782 cookies. 784 9. Privacy Considerations 786 Since DNS over both UDP and TCP uses the same underlying message 787 format, the use of one transport instead of the other does not change 788 the privacy characteristics of the message content (i.e., the name 789 being queried). A number of protocols have recently been developed 790 to provide DNS privacy, including DNS over TLS [RFC7858], DNS over 791 DTLS [RFC8094], DNS over HTTPS [RFC8484], with even more on the way. 793 Because TCP is somewhat more complex than UDP, some characteristics 794 of a TCP conversation may enable DNS client fingerprinting and 795 tracking that is not possible with UDP. For example, the choice of 796 initial sequence numbers, window size, and options might be able to 797 identify a particular TCP implementation, or even individual hosts 798 behind shared resources such as network address translators (NATs). 800 10. Acknowledgments 802 This document was initially motivated by feedback from students who 803 pointed out that they were hearing contradictory information about 804 filtering DNS over TCP messages. Thanks in particular to a teaching 805 colleague, JPL, who perhaps unknowingly encouraged the initial 806 research into the differences between what the community has 807 historically said and did. Thanks to all the NANOG 63 attendees who 808 provided feedback to an early talk on this subject. 810 The following individuals provided an array of feedback to help 811 improve this document: Joe Abley, Piet Barber, Sara Dickinson, Tony 812 Finch, Bob Harold, Paul Hoffman, Geoff Huston, Tatuya Jinmei, Puneet 813 Sood, and Richard Wilhelm. The authors are also indebted to the 814 contributions stemming from discussion in the tcpm working group 815 meeting at IETF 104. Any remaining errors or imperfections are the 816 sole responsibility of the document authors. 818 11. References 820 11.1. Normative References 822 [RFC1035] Mockapetris, P., "Domain names - implementation and 823 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 824 November 1987, . 826 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 827 Requirement Levels", BCP 14, RFC 2119, 828 DOI 10.17487/RFC2119, March 1997, 829 . 831 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 832 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 833 . 835 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 836 for DNS (EDNS(0))", STD 75, RFC 6891, 837 DOI 10.17487/RFC6891, April 2013, 838 . 840 [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and 841 D. Wessels, "DNS Transport over TCP - Implementation 842 Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, 843 . 845 [RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The 846 edns-tcp-keepalive EDNS0 Option", RFC 7828, 847 DOI 10.17487/RFC7828, April 2016, 848 . 850 [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) 851 Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, 852 . 854 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 855 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 856 May 2017, . 858 11.2. Informative References 860 [accept_filter] 861 FreeBSD, "FreeBSD accept_filter(9)", 7 May 2018, 862 . 864 [APNIC] Huston, G., "DNS XL", October 2020, 865 . 867 [AVOID_FRAGS] 868 Fujiwara, K. and P. Vixie, "Fragmentation Avoidance in 869 DNS", Work in Progress, draft-ietf-dnsop-avoid- 870 fragmentation-05, February 2021. 872 [BIND] Internet Systems Consortium, "BIND 9 - ISC", April 2021, 873 . 875 [CASTRO2010] 876 Castro, S., Zhang, M., John, W., Wessels, D., and k.c. 877 claffy, "Understanding and preparing for DNS evolution", 878 2010. 880 [CHES94] Cheswick, W.R. and S.M. Bellovin, "Firewalls and Internet 881 Security: Repelling the Wily Hacker", 1994. 883 [CLOUDFLARE] 884 Grant, D., "Economical With The Truth: Making DNSSEC 885 Answers Cheap", 24 June 2016, 886 . 888 [DAI21] Tianxiang, T., Shulman, H., and M. Waidner, "DNS-over-TCP 889 Considered Vulnerable", 2021. 891 [DESIGNTEAM] 892 Design Team Report, "Root Zone KSK Rollover Plan", 18 893 December 2015, . 896 [DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002, 897 . 899 [dnscap] DNS-OARC, "DNSCAP", 7 May 2018, 900 . 902 [dnstap] Edmonds, R. and P. Vixie, "dnstap", 7 May 2018, 903 . 905 [ECDSA] Rijswijk-Deij, R., Sperotto, A., and A. Pras, "Making the 906 Case for Elliptic Curves in DNSSEC", September 2015, 907 . 909 [FLAGDAY2020] 910 Various DNS software and service providers, "DNS Flag Day 911 2020", October 2020, . 913 [FRAG_POISON] 914 Herzberg, A. and H. Shulman, "Fragmentation Considered 915 Poisonous", May 2012, 916 . 918 [HUSTON] Huston, G., "Dealing with IPv6 fragmentation in the DNS", 919 22 August 2017, . 922 [KSK_ROLLOVER_ARCHIVES] 923 Internet Coporation for Assigned Names and Numbers, "KSK 924 Rollover List Archives", January 2019, 925 . 928 [LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74 Budapest, 929 Hungary, 8 May 2017, . 932 [libpcap] Tcpdump/Libpcap, "Tcpdump and Libpcap", 7 May 2018, 933 . 935 [NETALYZR] Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson, 936 "Netalyzr: Illuminating The Edge Network", 2010. 938 [phrack] horizon, "Defeating Sniffers and Intrusion Detection 939 Systems", December 1998, 940 . 942 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 943 DOI 10.17487/RFC0768, August 1980, 944 . 946 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 947 RFC 793, DOI 10.17487/RFC0793, September 1981, 948 . 950 [RFC0883] Mockapetris, P., "Domain names: Implementation 951 specification", RFC 883, DOI 10.17487/RFC0883, November 952 1983, . 954 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 955 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 956 . 958 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - 959 Application and Support", STD 3, RFC 1123, 960 DOI 10.17487/RFC1123, October 1989, 961 . 963 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. 964 Miller, "Common DNS Implementation Errors and Suggested 965 Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993, 966 . 968 [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, 969 DOI 10.17487/RFC1995, August 1996, 970 . 972 [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone 973 Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996, 974 August 1996, . 976 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 977 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 978 RFC 2136, DOI 10.17487/RFC2136, April 1997, 979 . 981 [RFC2541] Eastlake 3rd, D., "DNS Security Operational 982 Considerations", RFC 2541, DOI 10.17487/RFC2541, March 983 1999, . 985 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 986 RFC 2671, DOI 10.17487/RFC2671, August 1999, 987 . 989 [RFC2694] Srisuresh, P., Tsirtsis, G., Akkiraju, P., and A. 990 Heffernan, "DNS extensions to Network Address Translators 991 (DNS_ALG)", RFC 2694, DOI 10.17487/RFC2694, September 992 1999, . 994 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 995 Address Translator (Traditional NAT)", RFC 3022, 996 DOI 10.17487/RFC3022, January 2001, 997 . 999 [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", 1000 RFC 3225, DOI 10.17487/RFC3225, December 2001, 1001 . 1003 [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver 1004 message size requirements", RFC 3226, 1005 DOI 10.17487/RFC3226, December 2001, 1006 . 1008 [RFC4472] Durand, A., Ihren, J., and P. Savola, "Operational 1009 Considerations and Issues with IPv6 DNS", RFC 4472, 1010 DOI 10.17487/RFC4472, April 2006, 1011 . 1013 [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", 1014 RFC 4953, DOI 10.17487/RFC4953, July 2007, 1015 . 1017 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 1018 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 1019 . 1021 [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive 1022 Nameservers in Reflector Attacks", BCP 140, RFC 5358, 1023 DOI 10.17487/RFC5358, October 2008, 1024 . 1026 [RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More 1027 Resilient against Forged Answers", RFC 5452, 1028 DOI 10.17487/RFC5452, January 2009, 1029 . 1031 [RFC5507] IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch, 1032 Ed., "Design Choices When Expanding the DNS", RFC 5507, 1033 DOI 10.17487/RFC5507, April 2009, 1034 . 1036 [RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines", 1037 BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009, 1038 . 1040 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, 1041 DOI 10.17487/RFC5927, July 2010, 1042 . 1044 [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol 1045 (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010, 1046 . 1048 [RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's 1049 Robustness to Blind In-Window Attacks", RFC 5961, 1050 DOI 10.17487/RFC5961, August 2010, 1051 . 1053 [RFC5966] Bellis, R., "DNS Transport over TCP - Implementation 1054 Requirements", RFC 5966, DOI 10.17487/RFC5966, August 1055 2010, . 1057 [RFC6298] Paxson, V., Allman, M., Chu, J., and M. Sargent, 1058 "Computing TCP's Retransmission Timer", RFC 6298, 1059 DOI 10.17487/RFC6298, June 2011, 1060 . 1062 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, 1063 DOI 10.17487/RFC6762, February 2013, 1064 . 1066 [RFC6950] Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba, 1067 "Architectural Considerations on Application Features in 1068 the DNS", RFC 6950, DOI 10.17487/RFC6950, October 2013, 1069 . 1071 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 1072 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 1073 . 1075 [RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS", 1076 RFC 7477, DOI 10.17487/RFC7477, March 2015, 1077 . 1079 [RFC7534] Abley, J. and W. Sotomayor, "AS112 Nameserver Operations", 1080 RFC 7534, DOI 10.17487/RFC7534, May 2015, 1081 . 1083 [RFC7720] Blanchet, M. and L-J. Liman, "DNS Root Name Service 1084 Protocol and Deployment Requirements", BCP 40, RFC 7720, 1085 DOI 10.17487/RFC7720, December 2015, 1086 . 1088 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 1089 and P. Hoffman, "Specification for DNS over Transport 1090 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 1091 2016, . 1093 [RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, 1094 DOI 10.17487/RFC7901, June 2016, 1095 . 1097 [RFC7918] Langley, A., Modadugu, N., and B. Moeller, "Transport 1098 Layer Security (TLS) False Start", RFC 7918, 1099 DOI 10.17487/RFC7918, August 2016, 1100 . 1102 [RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy, 1103 "DNSSEC Roadblock Avoidance", BCP 207, RFC 8027, 1104 DOI 10.17487/RFC8027, November 2016, 1105 . 1107 [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram 1108 Transport Layer Security (DTLS)", RFC 8094, 1109 DOI 10.17487/RFC8094, February 2017, 1110 . 1112 [RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to 1113 Associate Certificates with Domain Names for S/MIME", 1114 RFC 8162, DOI 10.17487/RFC8162, May 2017, 1115 . 1117 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1118 (IPv6) Specification", STD 86, RFC 8200, 1119 DOI 10.17487/RFC8200, July 2017, 1120 . 1122 [RFC8324] Klensin, J., "DNS Privacy, Authorization, Special Uses, 1123 Encoding, Characters, Matching, and Root Structure: Time 1124 for Another Look?", RFC 8324, DOI 10.17487/RFC8324, 1125 February 2018, . 1127 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1128 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1129 . 1131 [RFC8467] Mayrhofer, A., "Padding Policies for Extension Mechanisms 1132 for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467, 1133 October 2018, . 1135 [RFC8482] Abley, J., Gudmundsson, O., Majkowski, M., and E. Hunt, 1136 "Providing Minimal-Sized Responses to DNS Queries That 1137 Have QTYPE=ANY", RFC 8482, DOI 10.17487/RFC8482, January 1138 2019, . 1140 [RFC8483] Song, L., Ed., Liu, D., Vixie, P., Kato, A., and S. Kerr, 1141 "Yeti DNS Testbed", RFC 8483, DOI 10.17487/RFC8483, 1142 October 2018, . 1144 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 1145 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 1146 . 1148 [RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., 1149 Lemon, T., and T. Pusateri, "DNS Stateful Operations", 1150 RFC 8490, DOI 10.17487/RFC8490, March 2019, 1151 . 1153 [RFC8501] Howard, L., "Reverse DNS in IPv6 for Internet Service 1154 Providers", RFC 8501, DOI 10.17487/RFC8501, November 2018, 1155 . 1157 [RFC8806] Kumari, W. and P. Hoffman, "Running a Root Server Local to 1158 a Resolver", RFC 8806, DOI 10.17487/RFC8806, June 2020, 1159 . 1161 [RFC8906] Andrews, M. and R. Bellis, "A Common Operational Problem 1162 in DNS Servers: Failure to Communicate", BCP 231, 1163 RFC 8906, DOI 10.17487/RFC8906, September 2020, 1164 . 1166 [RFC8932] Dickinson, S., Overeinder, B., van Rijswijk-Deij, R., and 1167 A. Mankin, "Recommendations for DNS Privacy Service 1168 Operators", BCP 232, RFC 8932, DOI 10.17487/RFC8932, 1169 October 2020, . 1171 [RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D., 1172 Gudmundsson, O., and B. Wellington, "Secret Key 1173 Transaction Authentication for DNS (TSIG)", STD 93, 1174 RFC 8945, DOI 10.17487/RFC8945, November 2020, 1175 . 1177 [ROLL_YOUR_ROOT] 1178 Müller, M., Thomas, M., Wessels, D., Hardaker, W., Chung, 1179 T., Toorop, W., and R.v. Rijswijk-Deij, "Roll, Roll, Roll 1180 Your Root: A Comprehensive Analysis of the First Ever 1181 DNSSEC Root KSK Rollover", October 2019, 1182 . 1184 [RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting 1185 (DNS RRL)", ISC-TN 2012-1 Draft1, April 2012. 1187 [TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N. 1188 Somaiya, "Connection-oriented DNS to Improve Privacy and 1189 Security", 2015. 1191 [TOYAMA] Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and 1192 K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache 1193 Servers", NANOG 32 Reston, VA USA, 2004. 1195 [VERISIGN] Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in 1196 Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los 1197 Angeles, 2014. 1199 [WIKIPEDIA_TFO] 1200 Wikipedia, "TCP Fast Open", 4 May 2018, 1201 . 1203 Appendix A. Standards Related to DNS Transport over TCP 1205 This section enumerates all known IETF RFC documents that are 1206 currently of status Internet Standard, Draft Standard, Proposed 1207 Standard, Informational, Best Current Practice, or Experimental and 1208 either implicitly or explicitly make assumptions or statements about 1209 the use of TCP as a transport for the DNS germane to this document. 1211 A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION 1213 The Internet Standard [RFC1035] is the base DNS specification that 1214 explicitly defines support for DNS over TCP. 1216 A.2. IETF RFC 1536 - Common DNS Implementation Errors and Suggested 1217 Fixes 1219 This Informational document [RFC1536] states UDP is the "chosen 1220 protocol for communication though TCP is used for zone transfers." 1221 That statement should now be considered in its historical context and 1222 is no longer a proper reflection of modern expectations. 1224 A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS 1226 This Proposed Standard [RFC1995] documents the use of TCP as the 1227 fallback transport when IXFR responses do not fit into a single UDP 1228 response. As with AXFR, IXFR messages are typically delivered over 1229 TCP by default in practice. 1231 A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone 1232 Changes (DNS NOTIFY) 1234 This Proposed Standard [RFC1996] suggests a primary server may decide 1235 to issue NOTIFY messages over TCP. In practice, NOTIFY messages are 1236 generally sent over UDP, but this specification leaves open the 1237 possibility that the choice of transport protocol is up to the 1238 primary server, and therefore a secondary server ought to be able to 1239 operate over both UDP and TCP. 1241 A.5. IETF RFC 2181 - Clarifications to the DNS Specification 1243 This Proposed Standard [RFC2181] includes clarifying text on how a 1244 client should react to the TC bit set on responses. It is advised 1245 that the response should be discarded and the query resent using TCP. 1247 A.6. IETF RFC 2694 - DNS extensions to Network Address Translators 1248 (DNS_ALG) 1250 This Informational document [RFC2694] enumerates considerations for 1251 network address translation (NAT) devices to properly handle DNS 1252 traffic. This document is noteworthy in its suggestion that 1253 "[t]ypically, TCP is used for AXFR requests," as further evidence 1254 that helps explain why DNS over TCP may have often been treated very 1255 differently than DNS over UDP in operational networks. 1257 A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC 1259 This Proposed Standard [RFC3225] makes statements indicating DNS over 1260 TCP is "detrimental" as a result of increased traffic, latency, and 1261 server load. This document is a companion to the next document in 1262 the RFC series expressing the requirement for EDNS(0) support for 1263 DNSSEC. 1265 A.8. IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message 1266 size requirements 1268 Although updated by later DNSSEC RFCs, the Proposed Standard 1269 [RFC3226] strongly argues in favor of UDP messages instead of TCP, 1270 largely for performance reasons. The document declares EDNS(0) a 1271 requirement for DNSSEC servers and advocates that packet 1272 fragmentation may be preferable to TCP in certain situations. 1274 A.9. IETF RFC 4472 - Operational Considerations and Issues with IPv6 1275 DNS 1277 This Informational document [RFC4472] notes that IPv6 data may 1278 increase DNS responses beyond what would fit in a UDP message. 1279 Particularly noteworthy, perhaps less common today than when this 1280 document was written, it refers to implementations that truncate data 1281 without setting the TC bit to encourage the client to resend the 1282 query using TCP. 1284 A.10. IETF RFC 5452 - Measures for Making DNS More Resilient against 1285 Forged Answers 1287 This Informational document [RFC5452] arose as public DNS systems 1288 began to experience widespread abuse from spoofed queries, resulting 1289 in amplification and reflection attacks against unwitting victims. 1290 One of the leading justifications for supporting DNS over TCP to 1291 thwart these attacks is briefly described in this document's 9.3 1292 Spoof Detection and Countermeasure section. 1294 A.11. IETF RFC 5507 - Design Choices When Expanding the DNS 1296 This Informational document [RFC5507] was largely an attempt to 1297 dissuade new DNS data types from overloading the TXT resource record 1298 type. In so doing it summarizes the conventional wisdom of DNS 1299 design and implementation practices. The authors suggest TCP 1300 overhead and stateful properties pose challenges compared to UDP, and 1301 imply that UDP is generally preferred for performance and robustness. 1303 A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines 1305 This Best Current Practice document [RFC5625] provides DNS proxy 1306 implementation guidance including the mandate that a proxy "MUST 1307 [...] be prepared to receive and forward queries over TCP" even 1308 though it suggests historically TCP transport has not been strictly 1309 mandatory in stub resolvers or recursive servers. 1311 A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) 1313 This Proposed Standard [RFC5936] provides a detailed specification 1314 for the zone transfer protocol, as originally outlined in the early 1315 DNS standards. AXFR operation is limited to TCP and not specified 1316 for UDP. This document discusses TCP usage at length. 1318 A.14. IETF RFC 7534 - AS112 Nameserver Operations 1320 [RFC7534] is an Informational document enumerating the requirements 1321 for operation of AS112 project DNS servers. New AS112 nodes are 1322 tested for their ability to provide service on both UDP and TCP 1323 transports, with the implication that TCP service is an expected part 1324 of normal operations. 1326 A.15. IETF RFC 6762 - Multicast DNS 1328 In this Proposed Standard [RFC6762], the TC bit is deemed to have 1329 essentially the same meaning as described in the original DNS 1330 specifications. That is, if a response with the TC bit set is 1331 received, "[...] the querier SHOULD reissue its query using TCP in 1332 order to receive the larger response." 1334 A.16. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) 1336 This Internet Standard [RFC6891] helped slow the use of and need for 1337 DNS over TCP messages. This document highlights concerns over server 1338 load and scalability in widespread use of DNS over TCP. 1340 A.17. IETF RFC 6950 - Architectural Considerations on Application 1341 Features in the DNS 1343 An Informational document [RFC6950] that draws attention to large 1344 data in the DNS. TCP is referenced in the context as a common 1345 fallback mechanism and counter to some spoofing attacks. 1347 A.18. IETF RFC 7477 - Child-to-Parent Synchronization in DNS 1349 This Proposed Standard [RFC7477] specifies a RRType and protocol to 1350 signal and synchronize NS, A, and AAAA resource record changes from a 1351 child to parent zone. Since this protocol may require multiple 1352 requests and responses, it recommends utilizing DNS over TCP to 1353 ensure the conversation takes place between a consistent pair of end 1354 nodes. 1356 A.19. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment 1357 Requirements 1359 This Best Current Practice [RFC7720] declares root name service "MUST 1360 support UDP [RFC0768] and TCP [RFC0793] transport of DNS queries and 1361 responses." 1363 A.20. IETF RFC 7766 - DNS Transport over TCP - Implementation 1364 Requirements 1366 This Proposed Standard [RFC7766] instructs DNS implementers to 1367 provide support for carrying DNS over TCP messages in their software, 1368 and might be considered the direct ancestor of this operational 1369 requirements document. The implementation requirements document 1370 codifies mandatory support for DNS over TCP in compliant DNS 1371 software, but makes no recommendations to operators, which we seek to 1372 address here. 1374 A.21. IETF RFC 7828 - The edns-tcp-keepalive EDNS(0) Option 1376 This Proposed Standard [RFC7828] defines an EDNS(0) option to 1377 negotiate an idle timeout value for long-lived DNS over TCP 1378 connections. Consequently, this document is only applicable and 1379 relevant to DNS over TCP sessions and between implementations that 1380 support this option. 1382 A.22. IETF RFC 7858 - Specification for DNS over Transport Layer 1383 Security (TLS) 1385 This Proposed Standard [RFC7858] defines a method for putting DNS 1386 messages into a TCP-based encrypted channel using TLS. This 1387 specification is noteworthy for explicitly targeting the stub-to- 1388 recursive traffic, but does not preclude its application from 1389 recursive-to-authoritative traffic. 1391 A.23. IETF RFC 7873 - Domain Name System (DNS) Cookies 1393 This Proposed Standard [RFC7873] describes an EDNS(0) option to 1394 provide additional protection against query and answer forgery. This 1395 specification mentions DNS over TCP as an alternative mechanism when 1396 DNS Cookies are not available. The specification does make mention 1397 of DNS over TCP processing in two specific situations. In one, when 1398 a server receives only a client cookie in a request, the server 1399 should consider whether the request arrived over TCP and if so, it 1400 should consider accepting TCP as sufficient to authenticate the 1401 request and respond accordingly. In another, when a client receives 1402 a BADCOOKIE reply using a fresh server cookie, the client should 1403 retry using TCP as the transport. 1405 A.24. IETF RFC 7901 - CHAIN Query Requests in DNS 1407 This Experimental specification [RFC7901] describes an EDNS(0) option 1408 that can be used by a security-aware validating resolver to request 1409 and obtain a complete DNSSEC validation path for any single query. 1410 This document requires the use of DNS over TCP or a source IP address 1411 verified transport mechanism such as EDNS-COOKIE [RFC7873]. 1413 A.25. IETF RFC 8027 - DNSSEC Roadblock Avoidance 1415 This Best Current Practice [RFC8027] details observed problems with 1416 DNSSEC deployment and mitigation techniques. Network traffic 1417 blocking and restrictions, including DNS over TCP messages, are 1418 highlighted as one reason for DNSSEC deployment issues. While this 1419 document suggests these sorts of problems are due to "non-compliant 1420 infrastructure", the scope of the document is limited to detection 1421 and mitigation techniques to avoid so-called DNSSEC roadblocks. 1423 A.26. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS) 1425 This Experimental specification [RFC8094] details a protocol that 1426 uses a datagram transport (UDP), but stipulates that "DNS clients and 1427 servers that implement DNS over DTLS MUST also implement DNS over TLS 1428 in order to provide privacy for clients that desire Strict Privacy 1429 [...]." This requirement implies DNS over TCP must be supported in 1430 case the message size is larger than the path MTU. 1432 A.27. IETF RFC 8162 - Using Secure DNS to Associate Certificates with 1433 Domain Names for S/MIME 1435 This Experimental specification [RFC8162] describes a technique to 1436 authenticate user X.509 certificates in an S/MIME system via the DNS. 1437 The document points out that the new experimental resource record 1438 types are expected to carry large payloads, resulting in the 1439 suggestion that "applications SHOULD use TCP -- not UDP -- to perform 1440 queries for the SMIMEA resource record." 1442 A.28. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, 1443 Encoding, Characters, Matching, and Root Structure: Time for 1444 Another Look? 1446 An Informational document [RFC8324] that briefly discusses the common 1447 role and challenges of DNS over TCP throughout the history of DNS. 1449 A.29. IETF RFC 8467 - Padding Policies for Extension Mechanisms for DNS 1450 (EDNS(0)) 1452 An Experimental document [RFC8467] reminds implementers to consider 1453 the underlying transport protocol (e.g. TCP) when calculating the 1454 padding length when artificially increasing the DNS message size with 1455 an EDNS(0) padding option. 1457 A.30. IETF RFC 8482 - Providing Minimal-Sized Responses to DNS Queries 1458 That Have QTYPE=ANY 1460 [RFC8482] is a Proposed Standard that describes alternative ways that 1461 DNS servers can respond to queries of type ANY, which are sometimes 1462 used to provide amplification in DDoS attacks. The specification 1463 notes that responders may behave differently, depending on the 1464 transport. For example, minimal-sized responses may be used over UDP 1465 transport, while full responses may be given over TCP. 1467 A.31. IETF RFC 8483 - Yeti DNS Testbed 1469 This Informational document [RFC8483] describes a testbed environment 1470 that highlights some DNS over TCP behaviors, including issues 1471 involving packet fragmentation and operational requirements for TCP 1472 stream assembly in order to conduct DNS measurement and analysis. 1474 A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) 1476 This Proposed Standard [RFC8484] defines a protocol for sending DNS 1477 queries and responses over HTTPS. This specification assumes TLS and 1478 TCP for the underlying security and transport layers, respectively. 1479 Self-described as a technique that more closely resembles a tunneling 1480 mechanism, DoH nevertheless likely implies DNS over TCP in some 1481 sense, if not directly. 1483 A.33. IETF RFC 8490 - DNS Stateful Operations 1485 This Proposed Standard [RFC8490] updates the base protocol 1486 specification with a new OPCODE to help manage stateful operations in 1487 persistent sessions, such as those that might be used by DNS over 1488 TCP. 1490 A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service 1491 Providers 1493 This Informational document [RFC8501] identifies potential 1494 operational challenges with Dynamic DNS including denial-of-service 1495 threats. The document suggests TCP may provide some advantages, but 1496 that updating hosts would need to be explicitly configured to use TCP 1497 instead of UDP. 1499 A.35. IETF RFC 8806 - Running a Root Server Local to a Resolver 1501 This Informational document [RFC8806] describes how to obtain and 1502 operate a local copy of the root zone with examples showing how to 1503 pull from authoritative sources using a DNS over TCP zone transfer. 1505 A.36. IETF RFC 8906 - A Common Operational Problem in DNS Servers: 1506 Failure to Communicate 1508 This Best Current Practice document [RFC8906] discusses a number of 1509 DNS operational failure scenarios and how to avoid them. This 1510 includes discussions involving DNS over TCP queries, EDNS over TCP, 1511 and a testing methodology that includes a section on verifying DNS 1512 over TCP functionality. 1514 A.37. IETF RFC 8932 - Recommendations for DNS Privacy Service Operators 1516 This Best Current Practice document [RFC8932] presents privacy 1517 considerations to DNS privacy service operators. These mechanisms 1518 sometimes include the use of TCP and are therefore susceptible to 1519 information leakage such as TCP-based fingerprinting. This document 1520 also references a draft version of this document. 1522 A.38. IETF RFC 8945 - Secret Key Transaction Authentication for DNS 1523 (TSIG) 1525 This Internet Standard [RFC8945] recommends a client use TCP if 1526 truncated TSIG messages are received. 1528 Authors' Addresses 1530 John Kristoff 1531 DataPlane.org 1532 Chicago, IL 60605 1533 United States of America 1535 Phone: +1 312 493 0305 1536 Email: jtk@dataplane.org 1537 URI: https://dataplane.org/jtk/ 1539 Duane Wessels 1540 Verisign 1541 12061 Bluemont Way 1542 Reston, VA 20190 1543 United States of America 1545 Phone: +1 703 948 3200 1546 Email: dwessels@verisign.com 1547 URI: https://verisign.com