Network Working Group                                         M. Andrews
Internet-Draft                                                 R. Bellis
Intended status: Best Current Practice                               ISC
Expires: October 9, 2020                                   April 7, 2020

   A Common Operational Problem in DNS Servers - Failure To Communicate
                  draft-ietf-dnsop-no-response-issue-20

Abstract

   The DNS is a query / response protocol.  Failing to respond to
   queries, or responding incorrectly, causes both immediate operational
   problems and long term problems with protocol development.
   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or else respond incorrectly.
   This document also suggests procedures for zone operators to apply to
   identify and remediate the problem.

   The document does not look at the DNS data itself, just the structure
   of the responses.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 9, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Consequences
   3.  Common kinds of queries that result in no or bad responses
     3.1.  Basic DNS Queries
       3.1.1.  Zone Existence
       3.1.2.  Unknown / Unsupported Type Queries
       3.1.3.  DNS Flags
       3.1.4.  Unknown DNS opcodes
       3.1.5.  TCP Queries
     3.2.  EDNS Queries
       3.2.1.  EDNS Queries - Version Independent
       3.2.2.  EDNS Queries - Version Specific
       3.2.3.  EDNS Options
       3.2.4.  EDNS Flags
       3.2.5.  Truncated EDNS Responses
       3.2.6.  DO=1 Handling
       3.2.7.  EDNS over TCP
   4.  Firewalls and Load Balancers
   5.  Packet Scrubbing Services
   6.  Whole Answer Caches
   7.  Response Code Selection
   8.  Testing
     8.1.  Testing - Basic DNS
       8.1.1.  Is The Server Configured For The Zone?
       8.1.2.  Testing Unknown Types
       8.1.3.  Testing Header Bits
       8.1.4.  Testing Unknown Opcodes
       8.1.5.  Testing TCP
     8.2.  Testing - Extended DNS
       8.2.1.  Testing Minimal EDNS
       8.2.2.  Testing EDNS Version Negotiation
       8.2.3.  Testing Unknown EDNS Options
       8.2.4.  Testing Unknown EDNS Flags
       8.2.5.  Testing EDNS Version Negotiation With Unknown EDNS Flags
       8.2.6.  Testing EDNS Version Negotiation With Unknown EDNS Options
       8.2.7.  Testing Truncated Responses
       8.2.8.  Testing DO=1 Handling
       8.2.9.  Testing EDNS Version Negotiation With DO=1
       8.2.10. Testing With Multiple Defined EDNS Options
     8.3.  When EDNS Is Not Supported
   9.  Remediation
   10. Security Considerations
   11. IANA Considerations
   12. Acknowledgements
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Authors' Addresses

1.  Introduction

   The DNS [RFC1034], [RFC1035] is a query / response protocol.  Failing
   to respond to queries, or responding incorrectly, causes both
   immediate operational problems and long term problems with protocol
   development.

   Failure to respond to a query is indistinguishable from packet loss
   without doing an analysis of query-response patterns.  Additionally,
   failure to respond results in unnecessary queries being made by DNS
   clients, and introduces delays to the resolution process.

   Due to the inability to distinguish between packet loss and
   nameservers dropping EDNS [RFC6891] queries, packet loss is sometimes
   misclassified as lack of EDNS support, which can lead to DNSSEC
   validation failures.
   The existence of servers which fail to respond to queries results in
   developers being hesitant to deploy new standards.  Such servers need
   to be identified and remediated.

   The DNS has response codes that cover almost any conceivable query
   response.  A nameserver should be able to respond to any conceivable
   query using them.  There should be no need to drop queries because a
   nameserver does not understand them.

   Unless a nameserver is under attack, it should respond to all DNS
   requests directed to it.  When a nameserver is under attack it may
   wish to drop packets.  A common attack is to use a nameserver as an
   amplifier by sending spoofed packets.  This is done because response
   packets are bigger than the queries and large amplification factors
   are available, especially if EDNS is supported.  Limiting the rate of
   responses is reasonable when this is occurring, and the client should
   retry.  This however only works if legitimate clients are not being
   forced to guess whether EDNS queries are accepted or not.  While
   there is still a pool of servers that don't respond to EDNS requests,
   clients have no way to know if the lack of response is due to packet
   loss, or EDNS packets not being supported, or rate limiting due to
   the server being under attack.  Misclassification of server behaviour
   is unavoidable when rate limiting is used until the population of
   servers which fail to respond to well-formed queries drops to near
   zero.

   Nameservers should respond to queries even if the queried name is not
   for any name the server is configured to answer for.  Misconfigured
   nameservers are a common occurrence in the DNS, and receiving queries
   for zones that the server is not configured for is not necessarily an
   indication that the server is under attack.  Parent zone operators
   are advised to regularly check that the delegating NS records are
   consistent with those of the delegated zone and to correct them when
   they are not ([RFC1034], Section 4.4.2, Paragraph 3).  Doing this
   regularly should reduce the instances of broken delegations.

   This document does not try to identify all possible errors, nor does
   it supply an exhaustive list of tests.

2.  Consequences

   Failure to follow the relevant DNS RFCs has multiple adverse
   consequences.  Some are caused directly by the non-compliant
   behaviour and others as a result of work-arounds forced on recursive
   servers.  Addressing known issues now will reduce future
   interoperability issues as the DNS protocol continues to evolve and
   clients make use of newly-introduced DNS features.  In particular,
   the base DNS specification [RFC1034], [RFC1035] and the EDNS
   specification [RFC6891], when implemented, need to be followed.

   Some examples of known consequences include:

   o  The AD flag bit in a response cannot be trusted to mean anything,
      as some servers incorrectly copy the flag bit from the request to
      the response [RFC1035], [RFC4035].  The use of the AD flag bit in
      requests is defined in [RFC6840].

   o  Widespread non-response to EDNS queries has led to recursive
      servers having to assume that EDNS is not supported and that
      fallback to plain DNS is required, potentially causing DNSSEC
      validation failures.

   o  Widespread non-response to EDNS options requires recursive
      servers to decide whether to probe to see if it is the EDNS option
      or just EDNS that is causing the non-response.  In the limited
      amount of time available to resolve a query before the client
      times out this is not possible.

   o  Incorrectly returning FORMERR when an EDNS option is present
      leads to the recursive server not being able to determine if the
      server is just broken in its handling of the EDNS option or
      doesn't support EDNS at all.

   o  Mishandling of unknown query types has contributed to the
      abandonment of the transition to the SPF type.

   o  Mishandling of unknown query types has slowed the development of
      DANE and resulted in additional rules being specified to reduce
      the probability of interacting with a broken server when making
      TLSA queries.

   The consequences of servers not following the RFCs will only grow if
   measures are not put in place to remove non-compliant servers from
   the ecosystem.  Working around issues due to non-compliance with RFCs
   is not sustainable.

   Most (if not all) of these consequences could have been avoided if
   action had been taken to remove non-compliant servers as soon as
   people were aware of them, i.e. to actively seek out broken
   implementations and servers and inform their developers and operators
   that they need to fix their servers.

3.  Common kinds of queries that result in no or bad responses

   This section is broken down into Basic DNS requests and EDNS
   requests.

3.1.  Basic DNS Queries

3.1.1.  Zone Existence

   If a zone is delegated to a server, that server should respond to an
   SOA query for that zone with an SOA record.  Failing to respond at
   all is always incorrect, regardless of the configuration of the
   server.  Responding with anything other than an SOA record in the
   Answer section indicates a bad delegation.

3.1.2.  Unknown / Unsupported Type Queries

   Some servers fail to respond to unknown or unsupported types.
   If a server receives a query for a type that it doesn't recognise, or
   doesn't implement, it is expected to return the appropriate response
   as if it did recognise the type but does not have any data for that
   type: either NOERROR or NXDOMAIN.  The exception to this is queries
   for Meta-RR types, which may return NOTIMP.

3.1.3.  DNS Flags

   Some servers fail to respond to DNS queries with various DNS flags
   set, regardless of whether they are defined or still reserved.  At
   the time of writing there are servers that fail to respond to queries
   with the AD bit set to 1 and servers that fail to respond to queries
   with the last reserved flag bit set.

   Servers should respond to such queries.  If the server does not know
   the meaning of a flag bit it must not copy it to the response
   ([RFC1035], Section 4.1.1).  If the server does not understand the
   meaning of a request it should reply with a FORMERR response with
   unknown flags set to zero.

3.1.3.1.  Recursive Queries

   A non-recursive server is supposed to respond to recursive queries as
   if the RD bit is not set [RFC1034].

3.1.4.  Unknown DNS opcodes

   The use of previously undefined opcodes is to be expected.  Since the
   DNS was first defined two new opcodes have been added, UPDATE and
   NOTIFY.

   NOTIMP is the expected rcode to an unknown or unimplemented opcode.

   Note: while new opcodes will most probably use the current layout
   structure for the rest of the message, there is no requirement that
   anything other than the DNS header match.

3.1.5.  TCP Queries

   All DNS servers are supposed to respond to queries over TCP
   [RFC7766].  While firewalls should not block TCP connection attempts,
   if they do they should cleanly terminate the connection by sending
   TCP RESET or sending ICMP/ICMPv6 Administratively Prohibited
   messages.  Dropping TCP connections introduces excessive delays to
   the resolution process.

3.2.  EDNS Queries

   EDNS queries are specified in [RFC6891].

3.2.1.  EDNS Queries - Version Independent

   Identifying servers that fail to respond to EDNS queries can be done
   by first confirming that the server responds to regular DNS queries,
   followed by a series of otherwise identical queries using EDNS, then
   making the original query again.  A series of EDNS queries is needed
   as at least one DNS implementation responds to the first EDNS query
   with FORMERR but fails to respond to subsequent queries from the same
   address for a period until a regular DNS query is made.  The EDNS
   query should specify a UDP buffer size of 512 bytes to avoid false
   classification of not supporting EDNS due to response packet size.

   If the server responds to the first and last queries but fails to
   respond to most or all of the EDNS queries, it is probably faulty.
   The test should be repeated a number of times to eliminate the
   likelihood of a false positive due to packet loss.

   Firewalls may also block larger EDNS responses, but there is no easy
   way to check authoritative servers to see if the firewall is
   misconfigured.

3.2.2.  EDNS Queries - Version Specific

   Some servers respond correctly to EDNS version 0 queries but fail to
   respond to EDNS queries with version numbers that are higher than
   zero.  Servers should respond with BADVERS to EDNS queries with
   version numbers that they do not support.

   Some servers respond correctly to EDNS version 0 queries but fail to
   set QR=1 when responding to EDNS versions they do not support.  Such
   responses may be discarded as invalid (as QR is not 1) or treated as
   requests (when the source port of the original request was port 53).

3.2.3.  EDNS Options

   Some servers fail to respond to EDNS queries with EDNS options set.
   The original EDNS specification left this behaviour undefined
   [RFC2671], but the correct behaviour was clarified in [RFC6891].
   Unknown EDNS options are supposed to be ignored by the server.

3.2.4.  EDNS Flags

   Some servers fail to respond to EDNS queries with EDNS flags set.
   Servers should ignore EDNS flags they do not understand and must not
   add them to the response [RFC6891].

3.2.5.  Truncated EDNS Responses

   Some EDNS aware servers fail to include an OPT record when a
   truncated response is sent.  An OPT record is supposed to be included
   in a truncated response [RFC6891].

   Some EDNS aware servers fail to honour the advertised EDNS UDP buffer
   size and send over-sized responses [RFC6891].  Servers must send UDP
   responses no larger than the advertised EDNS UDP buffer size.

3.2.6.  DO=1 Handling

   Some nameservers incorrectly only return an EDNS response when the DO
   bit [RFC3225] is 1 in the query.  Servers that support EDNS should
   always respond to EDNS requests with EDNS responses.

   Some nameservers fail to copy the DO bit to the response despite
   clearly supporting DNSSEC by returning RRSIG records to EDNS queries
   with DO=1.  Nameservers that support DNSSEC are expected to copy the
   DO bit from the request to the response.

3.2.7.  EDNS over TCP

   Some EDNS aware servers incorrectly limit the TCP response sizes to
   the advertised UDP response size.  This breaks DNS resolution to
   clients where the response sizes exceed the advertised UDP response
   size despite the server and the client being capable of sending and
   receiving larger TCP responses respectively.  It effectively defeats
   setting TC=1 in UDP responses.

4.  Firewalls and Load Balancers

   Firewalls and load balancers can affect the externally visible
   behaviour of a nameserver.  Tests for conformance should be done
   from outside of any firewall so that the system is tested as a whole.

   Firewalls and load balancers should not drop DNS packets that they
   don't understand.  They should either pass the packets or generate an
   appropriate error response.

   Requests for unknown query types are normal client behaviour and
   should not be construed as an attack.  Nameservers have always been
   expected to be able to handle such queries.

   Requests for unknown query classes are normal client behaviour and
   should not be construed as an attack.  Nameservers have always been
   expected to be able to handle such queries.

   Requests with unknown opcodes are normal client behaviour and should
   not be construed as an attack.  Nameservers have always been expected
   to be able to handle such queries.

   Requests with unassigned flags set (DNS or EDNS) are expected client
   behaviour and should not be construed as an attack.  The behaviour
   for unassigned flags is to ignore them in the request and to not set
   them in the response.  Dropping DNS / EDNS packets with unassigned
   flags makes it difficult to deploy extensions that make use of them
   due to the need to reconfigure and update firewalls.

   Requests with unknown EDNS options are expected client behaviour and
   should not be construed as an attack.  The correct behaviour for
   unknown EDNS options is to ignore their presence when constructing a
   reply.

   Requests with unknown EDNS versions are expected client behaviour and
   should not be construed as an attack.  The correct behaviour for
   unknown EDNS versions is to return BADVERS along with the highest
   EDNS version the server supports.  Dropping EDNS packets breaks EDNS
   version negotiation.

   Firewalls should not assume that there will only be a single response
   message to a request.  There have been proposals to use EDNS to
   signal that multiple DNS messages be returned rather than a single
   UDP message that is fragmented at the IP layer.
   DNS, and EDNS in particular, are designed to allow clients to be able
   to use new features against older servers without having to validate
   every option.  Indiscriminate blocking of messages breaks that
   design.

   However, there may be times when a nameserver mishandles messages
   with a particular flag, EDNS option, EDNS version field, opcode, type
   or class field, or combination thereof, to the point where the
   integrity of the nameserver is compromised.  Firewalls should offer
   the ability to selectively reject messages using an appropriately
   constructed response based on all these fields while awaiting a fix
   from the nameserver vendor.  FORMERR and REFUSED are two potential
   error codes to return.

5.  Packet Scrubbing Services

   Packet scrubbing services are used to filter out undesired traffic,
   including, but not limited to, denial of service traffic.  This is
   often done using heuristic analysis of the traffic.

   Packet scrubbing services can affect the externally visible behaviour
   of a nameserver in a similar way to firewalls.  If an operator uses a
   packet scrubbing service, they should check that legitimate queries
   are not being blocked.

   Packet scrubbing services, unlike firewalls, are also turned on and
   off in response to denial of service attacks.  One needs to take care
   when choosing a scrubbing service.

   Ideally, operators should run these tests against a packet scrubbing
   service to ensure that these tests are not seen as attack vectors.

6.  Whole Answer Caches

   Whole answer caches take a previously constructed answer and return
   it to a subsequent query for the same question.  However, they can
   return the wrong response if they do not take all of the relevant
   attributes of the query into account.
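   The wrong-response failure this section describes, as an added
   example that is not part of the draft: a toy whole-answer cache keyed
   on the question tuple alone beside one keyed on the query attributes
   this section names (RD, AD, CD, OPT record, DO, EDNS buffer size,
   EDNS version, EDNS options and transport).  The back end is a model
   of a server behaving as the draft expects, not a real nameserver, and
   the query values and reply sizes are constructed.  With the naive key
   an EDNS query with DO=1 fills the cache, a later plain DNS query for
   the same name is served that entry (an OPT record and RRSIGs it did
   not ask for), and a later TCP query is served the UDP entry with
   TC=1, which defeats the truncation fallback; with the full key each
   client gets the answer a correct server would have built for it.

```python
# Added example, not part of the draft: a whole-answer cache keyed on the question
# alone beside one keyed on the attributes Section 6 lists.  The back end is a model
# of a server behaving as the draft expects, not a real nameserver; values are made up.
from collections import namedtuple

Query = namedtuple("Query", "qname qtype qclass rd ad cd has_opt do udp_size "
                            "edns_version edns_options transport")

def naive_key(q):
    """Key on <qname, qtype, qclass> only: the mistake the draft describes."""
    return (q.qname.lower(), q.qtype, q.qclass)

def full_key(q):
    """Key on everything that changes how a correct server would answer."""
    return (q.qname.lower(), q.qtype, q.qclass, q.rd, q.ad, q.cd, q.has_opt, q.do,
            q.udp_size, q.edns_version, tuple(sorted(q.edns_options)), q.transport)

def authoritative_answer(q):
    """Model back end: OPT only in reply to EDNS (3.2.6, 8.1.1), DO copied, RRSIGs
    only with DO=1, CD copied, TC=1 only over UDP when the reply would exceed the
    advertised buffer (512 bytes without EDNS; 3.2.5, 3.2.7)."""
    do = q.has_opt and q.do
    size = 1400 if do else 300          # constructed sizes: signed vs unsigned SOA reply
    limit = q.udp_size if q.has_opt else 512
    return {"rcode": "NOERROR", "has_opt": q.has_opt, "do": do, "rrsig": do,
            "cd": q.cd, "tc": q.transport == "udp" and size > limit}

class WholeAnswerCache:
    def __init__(self, keyfunc):
        self.keyfunc, self.store = keyfunc, {}

    def answer(self, q):
        """Serve from the cache, filling it from the back end on a miss."""
        k = self.keyfunc(q)
        if k not in self.store:
            self.store[k] = authoritative_answer(q)
        return self.store[k]

def demo(keyfunc):
    """Three clients ask the same question; returns what each one is served."""
    cache = WholeAnswerCache(keyfunc)
    edns_udp = Query("example.com", "SOA", "IN", rd=False, ad=False, cd=False,
                     has_opt=True, do=True, udp_size=1232, edns_version=0,
                     edns_options=(), transport="udp")
    plain_udp = edns_udp._replace(has_opt=False, do=False, udp_size=512)
    edns_tcp = edns_udp._replace(transport="tcp")
    return [cache.answer(edns_udp), cache.answer(plain_udp), cache.answer(edns_tcp)]
```

   demo(naive_key) serves all three clients the first client's answer;
   demo(full_key) gives the plain DNS client a reply without OPT, RRSIG
   or TC, and the TCP client the full signed reply without TC.  A real
   cache would key on the parsed query in the same way; the point is the
   key, not the toy back end.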
   In addition to the standard tuple of <qname, qtype, qclass>, a
   non-exhaustive set of attributes that must be considered include: RD,
   AD, CD, OPT record, DO, EDNS buffer size, EDNS version, EDNS options,
   and transport.

7.  Response Code Selection

   Choosing the correct response code when responding to DNS queries is
   important.  Response codes should be chosen considering how clients
   will handle them.

   For unimplemented opcodes NOTIMP is the expected response code.
   Note: newly implemented opcodes may change the message format by
   extending the header, changing the structure of the records, etc.
   Servers are not expected to be able to parse these, and should
   respond with a response code of NOTIMP rather than FORMERR (which
   would be expected if there was a parse error with a known opcode).

   For unimplemented type codes, and in the absence of other errors, the
   only valid response is NoError if the qname exists, and NameError
   (NXDOMAIN) otherwise.  For Meta-RRs NOTIMP may be returned instead.

   If a zone cannot be loaded because it contains unimplemented type
   codes that are not encoded as unknown record types according to
   [RFC3597], then the expected response is SERVFAIL, as the whole zone
   should be rejected ([RFC1035], Section 5.2).  If a zone loads then
   [RFC1034], Section 4.3.2 applies.

   If the server supports EDNS and receives a query with an unsupported
   EDNS version, the correct response is BADVERS [RFC6891].

   If the server does not support EDNS at all, FORMERR is the expected
   error code.  That said, a minimal EDNS server implementation requires
   parsing the OPT records and responding with an empty OPT record in
   the additional section in most cases.  There is no need to interpret
   any EDNS options present in the request, as unsupported EDNS options
   are expected to be ignored [RFC6891].  Additionally, EDNS flags can
   be ignored.  The only part of the OPT record that needs to be
   examined is the version field, to determine if BADVERS needs to be
   sent or not.

8.  Testing

   Testing is divided into two sections: "Basic DNS", which all servers
   should meet, and "Extended DNS", which should be met by all servers
   that support EDNS (a server is deemed to support EDNS if it gives a
   valid EDNS response to any EDNS query).  If a server does not support
   EDNS it should still respond to all the tests, albeit with error
   responses.

   These tests query for records at the apex of a zone that the server
   is nominally configured to serve.  All tests should use the same
   zone.

   It is advisable to run all of the tests below in parallel so as to
   minimise the delays due to multiple timeouts when the servers do not
   respond.  There are 16 queries directed to each nameserver (assuming
   no packet loss) testing different aspects of Basic DNS and Extended
   DNS.

   The tests below use dig from BIND 9.11.0.

   When testing recursive servers, set RD=1 and choose a zone name that
   is known to exist and is not being served by the recursive server.
   The root zone (".") is often a good candidate as it is DNSSEC signed.
   RD=1, rather than RD=0, should be present in the responses for all
   tests involving the opcode QUERY.  Non-authoritative answers (AA=0)
   are expected when talking to a recursive server.  AD=1 is only
   expected if the server is validating responses and one or both of
   AD=1 or DO=1 is set in the request; otherwise AD=0 is expected.

8.1.  Testing - Basic DNS

   This first set of tests covers basic DNS server behaviour, and all
   servers should pass these tests.

8.1.1.  Is The Server Configured For The Zone?

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We do not expect an
   OPT record to be returned [RFC6891].

   Verify the server is configured for the zone:

      dig +noedns +noad +norec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.2.  Testing Unknown Types

   Identifying servers that fail to respond to unknown or unsupported
   types can be done by making an initial DNS query for an A record,
   making a number of queries for an unallocated type, then making a
   query for an A record again.  IANA maintains a registry of allocated
   types.

   If the server responds to the first and last queries but fails to
   respond to the queries for the unallocated type, it is probably
   faulty.  The test should be repeated a number of times to eliminate
   the likelihood of a false positive due to packet loss.

   Ask for the TYPE1000 RRset at the configured zone's name.  This query
   is made with no DNS flag bits set and without EDNS.  TYPE1000 has
   been chosen for this purpose as IANA is unlikely to allocate this
   type in the near future and it is not in a range reserved for private
   use [RFC6895].  Any unallocated type code could be chosen for this
   test.

   We expect no records to be returned in the answer section, the rcode
   to be set to NOERROR, and the AA and QR bits to be set in the header;
   RA may also be set [RFC1034].  We do not expect an OPT record to be
   returned [RFC6891].

   Check that queries for an unknown type work:

      dig +noedns +noad +norec type1000 $zone @$server

      expect: status: NOERROR
      expect: an empty answer section.
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.3.  Testing Header Bits

8.1.3.1.  Testing CD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the CD DNS flag bit set, all other DNS bits clear, and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header.  We do not expect an OPT record to be returned.

   If the server supports DNSSEC, CD should be set in the response
   [RFC4035]; otherwise CD should be clear [RFC1034].

   Check that queries with CD=1 work:

      dig +noedns +noad +norec +cd soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.3.2.  Testing AD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the AD DNS flag bit set, all other DNS bits clear, and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header.  We do not expect an OPT record to be returned.
   The purpose of this query is to detect blocking of queries with the
   AD bit present, not the specific value of AD in the response.

   Check that queries with AD=1 work:

      dig +noedns +norec +ad soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: the OPT record to NOT be present

   AD use in queries is defined in [RFC6840].

8.1.3.3.  Testing Reserved Bit

   Ask for the SOA record of the configured zone.  This query is made
   with only the final reserved DNS flag bit set, all other DNS bits
   clear, and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may be set.  The final reserved bit must not be
   set [RFC1034].  We do not expect an OPT record to be returned
   [RFC6891].

   Check that queries with the last unassigned DNS header flag work and
   that the flag bit is not copied to the response:

      dig +noedns +noad +norec +zflag soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: MBZ to NOT be in the response (see below)
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

   MBZ (Must Be Zero) is a dig-specific indication that the flag bit has
   been incorrectly copied.  See [RFC1035], Section 4.1.1: "Z Reserved
   for future use.  Must be zero in all queries and responses."

8.1.3.4.  Testing Recursive Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the RD DNS flag bit set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA, QR and RD bits
   to be set in the header; RA may also be set [RFC1034].  We do not
   expect an OPT record to be returned [RFC6891].

   Check that recursive queries work:

      dig +noedns +noad +rec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.4.  Testing Unknown Opcodes

   Construct a DNS message that consists of only a DNS header with
   opcode set to 15 (currently not allocated), no DNS header bits set
   and empty question, answer, authority and additional sections.

   Check that new opcodes are handled:

      dig +noedns +noad +opcode=15 +norec +header-only @$server

      expect: status: NOTIMP
      expect: opcode: 15
      expect: all sections to be empty
      expect: flag: aa to NOT be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.5.  Testing TCP

   Whether a server accepts TCP connections can be tested by first
   checking that it responds to UDP queries to confirm that it is up and
   operating, then attempting the same query over TCP.  An additional
   query should be made over UDP if the TCP connection attempt fails, to
   confirm that the server under test is still operating.

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set and without EDNS.  This query is to be sent
   using TCP.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We do not expect an
   OPT record to be returned [RFC6891].

   Check that TCP queries work:

      dig +noedns +noad +norec +tcp soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

   The requirement that TCP be supported is defined in [RFC7766].

8.2.  Testing - Extended DNS

   The next set of tests covers various aspects of EDNS behaviour.  If
   any of these tests succeed (indicating at least some EDNS support)
   then all of them should succeed.
There are servers that support EDNS 731 but fail to handle plain EDNS queries correctly so a plain EDNS query 732 is not a good indicator of lack of EDNS support. 734 8.2.1. Testing Minimal EDNS 736 Ask for the SOA record of the configured zone. This query is made 737 with no DNS flag bits set. EDNS version 0 is used without any EDNS 738 options or EDNS flags set. 740 We expect the SOA record for the zone to be returned in the answer 741 section, the rcode to be set to NOERROR, and the AA and QR bits to be 742 set in the header; RA may also be set [RFC1034]. We expect an OPT 743 record to be returned. There should be no EDNS flags present in the 744 response. The EDNS version field should be 0 and there should be no 745 EDNS options present [RFC6891]. 747 Check that plain EDNS queries work: 749 dig +nocookie +edns=0 +noad +norec soa $zone @$server 751 expect: status: NOERROR 752 expect: the SOA record to be present in the answer section 753 expect: an OPT record to be present in the additional section 754 expect: EDNS Version 0 in response 755 expect: flag: aa to be present 756 expect: flag: ad to NOT be present 758 +nocookie disables sending a EDNS COOKIE option which is otherwise 759 enabled by default in BIND 9.11.0 (and later). 761 8.2.2. Testing EDNS Version Negotiation 763 Ask for the SOA record of a zone the server is nominally configured 764 to serve. This query is made with no DNS flag bits set. EDNS 765 version 1 is used without any EDNS options or EDNS flags set. 767 We expect the SOA record for the zone to NOT be returned in the 768 answer section with the extended rcode set to BADVERS and the QR bit 769 to be set in the header; RA may also be set [RFC1034]. We expect an 770 OPT record to be returned. There should be no EDNS flags present in 771 the response. The EDNS version field should be 0 in the response as 772 no other EDNS version has as yet been specified [RFC6891]. 
774 Check that EDNS version 1 queries work (EDNS supported): 776 dig +nocookie +edns=1 +noednsneg +noad +norec soa $zone @$server 778 expect: status: BADVERS 779 expect: the SOA record to NOT be present in the answer section 780 expect: an OPT record to be present in the additional section 781 expect: EDNS Version 0 in response 782 expect: flag: aa to NOT be present 783 expect: flag: ad to NOT be present 785 +noednsneg has been set as dig supports EDNS version negotiation and 786 we want to see only the response to the initial EDNS version 1 query. 788 8.2.3. Testing Unknown EDNS Options 790 Ask for the SOA record of the configured zone. This query is made 791 with no DNS flag bits set. EDNS version 0 is used without any EDNS 792 flags. An EDNS option is present with a value that has not yet been 793 assigned by IANA. We have picked an unassigned code of 100 for the 794 example below. Any unassigned EDNS option code could have been 795 choosen for this test. 797 We expect the SOA record for the zone to be returned in the answer 798 section, the rcode to be set to NOERROR, and the AA and QR bits to be 799 set in the header; RA may also be set [RFC1034]. We expect an OPT 800 record to be returned. There should be no EDNS flags present in the 801 response. The EDNS version field should be 0 as EDNS versions other 802 than 0 are yet to be specified and there should be no EDNS options 803 present as unknown EDNS options are supposed to be ignored by the 804 server [RFC6891] Section 6.1.2. 806 Check that EDNS queries with an unknown option work (EDNS supported): 808 dig +nocookie +edns=0 +noad +norec +ednsopt=100 soa $zone @$server 810 expect: status: NOERROR 811 expect: the SOA record to be present in the answer section 812 expect: an OPT record to be present in the additional section 813 expect: OPT=100 to NOT be present 814 expect: EDNS Version 0 in response 815 expect: flag: aa to be present 816 expect: flag: ad to NOT be present 818 8.2.4. 
Testing Unknown EDNS Flags 820 Ask for the SOA record of the configured zone. This query is made 821 with no DNS flag bits set. EDNS version 0 is used without any EDNS 822 options. An unassigned EDNS flag bit is set (0x40 in this case). 824 We expect the SOA record for the zone to be returned in the answer 825 section, the rcode to be set to NOERROR, and the AA and QR bits to be 826 set in the header; RA may also be set [RFC1034]. We expect an OPT 827 record to be returned. There should be no EDNS flags present in the 828 response as unknown EDNS flags are supposed to be ignored. The EDNS 829 version field should be 0 and there should be no EDNS options present 830 [RFC6891]. 832 Check that EDNS queries with unknown flags work (EDNS supported): 834 dig +nocookie +edns=0 +noad +norec +ednsflags=0x40 soa $zone @$server 836 expect: status: NOERROR 837 expect: the SOA record to be present in the answer section 838 expect: an OPT record to be present in the additional section 839 expect: MBZ not to be present 840 expect: EDNS Version 0 in response 841 expect: flag: aa to be present 842 expect: flag: ad to NOT be present 844 MBZ (Must Be Zero) is a dig-specific indication that a flag bit has 845 been incorrectly copied as per Section 6.1.4, [RFC6891]. 847 8.2.5. Testing EDNS Version Negotiation With Unknown EDNS Flags 849 Ask for the SOA record of the configured zone. This query is made 850 with no DNS flag bits set. EDNS version 1 is used without any EDNS 851 options. An unassigned EDNS flag bit is set (0x40 in this case). 853 We expect the SOA record for the zone to NOT be returned in the 854 answer section with the extended rcode set to BADVERS and the QR bit 855 to be set in the header; RA may also be set [RFC1034]. We expect an 856 OPT record to be returned. There should be no EDNS flags present in 857 the response as unknown EDNS flags are supposed to be ignored. 
The 858 EDNS version field should be 0 as EDNS versions other than 0 are yet 859 to be specified and there should be no EDNS options present 860 [RFC6891]. 862 Check that EDNS version 1 queries with unknown flags work (EDNS 863 supported): 865 dig +nocookie +edns=1 +noednsneg +noad +norec +ednsflags=0x40 soa \ 866 $zone @$server 868 expect: status: BADVERS 869 expect: SOA record to NOT be present 870 expect: an OPT record to be present in the additional section 871 expect: MBZ not to be present 872 expect: EDNS Version 0 in response 873 expect: flag: aa to NOT be present 874 expect: flag: ad to NOT be present 876 8.2.6. Testing EDNS Version Negotiation With Unknown EDNS Options 878 Ask for the SOA record of the configured zone. This query is made 879 with no DNS flag bits set. EDNS version 1 is used. An unknown EDNS 880 option is present. We have picked an unassigned code of 100 for the 881 example below. Any unassigned EDNS option code could have been 882 chosen for this test. 884 We expect the SOA record for the zone to NOT be returned in the 885 answer section with the extended rcode set to BADVERS and the QR bit 886 to be set in the header; RA may also be set [RFC1034]. We expect an 887 OPT record to be returned. There should be no EDNS flags present in 888 the response. The EDNS version field should be 0 as EDNS versions 889 other than 0 are yet to be specified and there should be no EDNS 890 options present [RFC6891]. 892 Check that EDNS version 1 queries with unknown options work (EDNS 893 supported): 895 dig +nocookie +edns=1 +noednsneg +noad +norec +ednsopt=100 soa \ 896 $zone @$server 898 expect: status: BADVERS 899 expect: SOA record to NOT be present 900 expect: an OPT record to be present in the additional section 901 expect: OPT=100 to NOT be present 902 expect: EDNS Version 0 in response 903 expect: flag: aa to NOT be present 904 expect: flag: ad to NOT be present 906 8.2.7. 
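   The dig invocations in Sections 8.1.3, 8.1.4 and 8.2.1 through 8.2.6
   (and the DO=1 test of Section 8.2.8 below) all have the same shape:
   set particular header bits, an opcode, or OPT fields in the query,
   then check which bits, fields and records the reply sets, clears or
   echoes.  The following Python script is an added example and is not
   part of this document nor of dig: it builds those probes at the wire
   level (RFC 1035 header and question, RFC 6891 OPT) and grades a reply
   against the matching "expect:" list, reporting a copied MBZ header
   bit or EDNS flag, an echoed unknown option, a non-zero EDNS version,
   a wrong (extended) rcode or a missing OPT record.  The zone name
   "example.", UDP port 53 and the advertised 1232-byte buffer size are
   assumptions, and fake_reply() constructs replies so that the grading
   can be exercised offline without a server.

```python
"""Added example, not from the draft: build the probe queries of Sections 8.1.3, 8.1.4
and 8.2 on the wire and grade replies against their "expect:" lists.  Offline replies are constructed."""
import socket
import struct

# Header flag bits (RFC 1035 s4.1.1; AD/CD from RFC 4035).  Z is the reserved "MBZ" bit.
QR, AA, TC, RD, RA, Z, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0040, 0x0020, 0x0010
NAMES = {QR: "qr", AA: "aa", TC: "tc", RD: "rd", RA: "ra", Z: "MBZ", AD: "ad", CD: "cd"}
DO, OPT, SOA, NOTIMP, BADVERS = 0x8000, 41, 6, 4, 16   # EDNS DO flag, RR types, rcodes

def build_opt(version=0, flags=0, options=(), ext_rcode=0, bufsize=1232):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|flags."""
    rdata = b"".join(struct.pack("!HH", code, len(d)) + d for code, d in options)
    return b"\x00" + struct.pack("!HHBBHH", OPT, bufsize, ext_rcode, version, flags, len(rdata)) + rdata

def build_query(zone, flags=0, opcode=0, opt=b"", header_only=False, msgid=0x1234):
    """Header + SOA question (+ OPT); header_only=True is the empty opcode-15 probe of 8.1.4."""
    qd, ar = (0, 0) if header_only else (1, int(bool(opt)))
    head = struct.pack("!HHHHHH", msgid, (opcode << 11) | flags, qd, 0, 0, ar)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in zone.strip(".").split(".") if lab)
    return head if header_only else head + qname + b"\x00" + struct.pack("!HH", SOA, 1) + opt

def _skip_name(msg, off):
    while msg[off] & 0xC0 != 0xC0:         # walk labels until the root label or a pointer
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def parse(msg):
    """Header fields plus the OPT record (or None); rcode includes the EDNS extension bits."""
    _id, bits, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    r = {"opcode": (bits >> 11) & 0xF, "flags": bits & 0x87F0, "rcode": bits & 0xF,
         "ancount": an, "opt": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            opts, p = [], off + 10
            while p < off + 10 + rdlen:
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                opts.append((code, msg[p + 4:p + 4 + olen]))
                p += 4 + olen
            r["opt"] = {"version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF, "options": opts}
            r["rcode"] |= (ttl >> 24) << 4   # extended RCODE (RFC 6891 s6.1.3); BADVERS is 16
        off += 10 + rdlen
    return r

def grade(resp, rcode=0, answer=True, must_set=(QR, AA), must_clear=(RD, AD, Z), opcode=0,
          opt=False, edns_flags_ok=0, no_options=()):
    """Return the expectations the reply violates (empty list = pass)."""
    bad = []
    if (resp["rcode"], resp["opcode"]) != (rcode, opcode):
        bad.append("rcode/opcode %d/%d, expected %d/%d" % (resp["rcode"], resp["opcode"], rcode, opcode))
    if answer != (resp["ancount"] > 0):
        bad.append("answer section " + ("empty" if answer else "not empty"))
    bad += ["flag %s not set" % NAMES[f] for f in must_set if not resp["flags"] & f]
    bad += ["flag %s set" % NAMES[f] for f in must_clear if resp["flags"] & f]
    o = resp["opt"]
    if bool(o) != opt:
        bad.append("OPT record " + ("missing" if opt else "present"))
    if o and o["version"] != 0:
        bad.append("EDNS version %d in reply" % o["version"])
    if o and o["flags"] & ~edns_flags_ok & 0xFFFF:
        bad.append("unknown EDNS flag echoed (MBZ)")
    bad += ["unknown option %d echoed" % c for c, _ in (o["options"] if o else []) if c in no_options]
    return bad

NOT_AUTH = (AA, RD, AD, Z)   # must be clear in a NOTIMP or BADVERS reply
PROBES = {  # name: (build_query kwargs, grade kwargs); comments give the draft section
    "zflag": (dict(flags=Z), dict()),                                                       # 8.1.3.3
    "opcode15": (dict(opcode=15, header_only=True),
                 dict(rcode=NOTIMP, opcode=15, answer=False, must_set=(QR,), must_clear=NOT_AUTH)),  # 8.1.4
    "edns0": (dict(opt=build_opt()), dict(opt=True)),                                       # 8.2.1
    "edns1": (dict(opt=build_opt(version=1)),
              dict(rcode=BADVERS, answer=False, must_set=(QR,), must_clear=NOT_AUTH, opt=True)),  # 8.2.2
    "ednsopt": (dict(opt=build_opt(options=[(100, b"")])), dict(opt=True, no_options=(100,))),  # 8.2.3
    "ednsflags": (dict(opt=build_opt(flags=0x40)), dict(opt=True)),                         # 8.2.4
    "do": (dict(opt=build_opt(flags=DO)), dict(opt=True, edns_flags_ok=DO)),                # 8.2.8
}

def probe(name, zone, server, timeout=3.0):
    """Send one probe over UDP port 53 and grade the reply (needs network; not used by tests)."""
    qkw, gkw = PROBES[name]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone, **qkw), (server, 53))
        return grade(parse(s.recv(4096)), **gkw)

def fake_reply(query, flags, rcode=0, answer=True, opt=b""):
    """Constructed reply for offline checks: echoes opcode and question, adds a dummy SOA."""
    _id, bits, qd = struct.unpack("!HHH", query[:6])
    question = query[12:_skip_name(query, 12) + 4] if qd else b""
    soa = (b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, 22) + bytes(22)) if answer else b""
    head = struct.pack("!HHHHHH", 0x1234, QR | (bits & 0x7800) | flags | rcode,
                       qd, int(answer), 0, int(bool(opt)))
    return head + question + soa + opt
```

   probe("zflag", "example.com", "192.0.2.1") sends one probe and returns
   the list of violated expectations; an empty list is a pass, and a
   server that copies the reserved bit is reported as "flag MBZ set",
   which is what dig prints as MBZ.  A response that times out raises
   socket.timeout, which for these tests is itself the finding: the
   query was dropped rather than answered.  Grading parsed fields rather
   than dig's text output also makes it easy to add the remaining
   probes (CD=1, AD=1, RD=1) as further PROBES entries with the flag
   set in the query and the expected header bits in the grade.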
8.2.7.  Testing Truncated Responses

   Ask for the DNSKEY records of the configured zone, which must be a
   DNSSEC signed zone.  This query is made with no DNS flag bits set.
   EDNS version 0 is used without any EDNS options.  The only EDNS flag
   set is DO.  The EDNS UDP buffer size is set to 512.  The intention of
   this query is to elicit a truncated response from the server.  Most
   signed DNSKEY responses are bigger than 512 bytes.  This test will
   not give a valid result if the zone is not signed.

   We expect a response, the rcode to be set to NOERROR, and the AA and
   QR bits to be set; AD may be set in the response if the server
   supports DNSSEC, otherwise it should be clear; TC and RA may also be
   set [RFC1035] [RFC4035].  We expect an OPT record to be present in
   the response.  There should be no EDNS flags other than DO present in
   the response.  The EDNS version field should be 0 and there should be
   no EDNS options present [RFC6891].

   If TC is not set in the response, this test cannot confirm whether
   the server correctly adds the OPT record to truncated responses.

   Check that truncated responses still carry an OPT record:

      dig +norec +dnssec +bufsize=512 +ignore dnskey $zone @$server

      expect: status: NOERROR
      expect: OPT record with version set to 0

   +ignore stops dig from retrying the query over TCP when the UDP
   response has TC set, so the truncated UDP response itself is what is
   displayed and checked.

8.2.8.  Testing DO=1 Handling

   Ask for the SOA record of the configured zone, which does not need to
   be DNSSEC signed.  This query is made with no DNS flag bits set.
   EDNS version 0 is used without any EDNS options.  The only EDNS flag
   set is DO.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the response; AD may be set in the response if the server
   supports DNSSEC, otherwise it should be clear; RA may also be set
   [RFC1034].  We expect an OPT record to be returned.  There should be
   no EDNS flags other than DO present in the response; DO should be
   present if the server supports DNSSEC.  The EDNS version field should
   be 0 and there should be no EDNS options present [RFC6891].

   Check that DO=1 queries work (EDNS supported):

      dig +nocookie +edns=0 +noad +norec +dnssec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: DO=1 to be present if an RRSIG is in the response
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

8.2.9.  Testing EDNS Version Negotiation With DO=1

   Ask for the SOA record of the configured zone, which does not need to
   be DNSSEC signed.  This query is made with no DNS flag bits set.
   EDNS version 1 is used without any EDNS options.  The only EDNS flag
   set is DO.

   We expect the SOA record for the zone to NOT be returned in the
   answer section, the extended rcode to be set to BADVERS, and the QR
   bit and possibly the RA bit to be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags other than DO
   present in the response; DO should be there if the server supports
   DNSSEC.  The EDNS version field should be 0 and there should be no
   EDNS options present [RFC6891].

   Check that EDNS version 1, DO=1 queries work (EDNS supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec +dnssec soa \
          $zone @$server

      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: an OPT record to be present in the additional section
      expect: DO=1 to be present if the EDNS version 0 DNSSEC query test
              returned DO=1
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present

8.2.10.  Testing With Multiple Defined EDNS Options

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used.  A number of
   defined EDNS options are present (NSID [RFC5001], DNS COOKIE
   [RFC7873], EDNS Client Subnet [RFC7871] and EDNS Expire [RFC7314]).

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.  The EDNS version field should be 0.  Any of the requested
   EDNS options that are supported by the server and permitted by its
   configuration may be returned [RFC6891].

   Check that EDNS queries with multiple defined EDNS options work:

      dig +edns=0 +noad +norec +cookie +nsid +expire +subnet=0.0.0.0/0 \
          soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: EDNS Version 0 in response
      expect: flag: aa to be present
      expect: flag: ad to NOT be present

8.3.  When EDNS Is Not Supported

   If EDNS is not supported by the nameserver, we expect a response to
   each of the above queries.  That response may be a FORMERR error
   response, or the OPT record may just be ignored.

   Some nameservers only return an EDNS response when a particular EDNS
   option or flag (e.g. DO=1) is present in the request.  This
   behaviour is not compliant and may hide other incorrect behaviour
   from the above tests.  Re-testing with the triggering option or flag
   present will expose this misbehaviour.

9.  Remediation

   Name server operators are generally expected to test their own
   infrastructure for compliance to standards.  The above tests should
   be run when new systems are brought online, and should be repeated
   periodically to ensure continued interoperability.

   Domain registrants who do not maintain their own DNS infrastructure
   are entitled to a DNS service that conforms to standards and
   interoperates well.  Registrants who become aware that their DNS
   operator does not have a well maintained or compliant infrastructure
   should insist that their service provider correct issues, and switch
   providers if they do not.

   In the event that an operator experiences problems due to the
   behaviour of name servers outside their control, the above tests will
   help in narrowing down the precise issue(s), which can then be
   reported to the relevant party.

   If contact information for the operator of a misbehaving name server
   is not already known, the following methods of communication could be
   considered:

   o  the RNAME of the zone authoritative for the name of the
      misbehaving server

   o  the RNAME of zones for which the offending server is authoritative

   o  administrative or technical contacts listed in the registration
      information for the parent domain of the name of the misbehaving
      server, or for zones for which the name server is authoritative

   o  the registrar or registry for such zones

   o  DNS-specific operational fora (e.g. mailing lists)

   Operators of parent zones may wish to regularly test the
   authoritative name servers of their child zones.  However, parent
   operators can have widely varying capabilities in terms of
   notification or remediation depending on whether they have a direct
   relationship with the child operator.  Many TLD registries, for
   example, cannot directly contact their registrants and may instead
   need to communicate through the relevant registrar.  In such cases
   it may be most efficient for registrars to take on the responsibility
   for testing the name servers of their registrants, since they have a
   direct relationship.

   When notification is not effective at correcting problems with a
   misbehaving name server, parent operators can choose to remove NS
   record sets (and glue records below) that refer to the faulty server
   until the servers are fixed.  This should only be done as a last
   resort and with due consideration, as removal of a delegation can
   have unanticipated side effects.  For example, other parts of the DNS
   tree may depend on names below the removed zone cut, and the parent
   operator may find themselves responsible for causing new DNS failures
   to occur.

10.  Security Considerations

   Testing protocol compliance can potentially result in false reports
   from intrusion detection systems and firewalls of attempts to break
   services.  All of the tests are well-formed (though not necessarily
   common) DNS queries.  None of the tests listed above should cause any
   harm to a protocol-compliant server.

   Relaxing firewall settings to ensure EDNS compliance could
   potentially expose a critical implementation flaw in the nameserver.
   Nameservers should be tested for conformance before relaxing firewall
   settings.

   When removing delegations for non-compliant servers there can be a
   knock-on effect on other zones that require these zones to be
   operational for the nameservers' addresses to be resolved.

11.  IANA Considerations

   There are no actions for IANA.

12.  Acknowledgements

   The contributions of the following are gratefully acknowledged:

   Matthew Pounsett, Tim Wicinski.

13.  References

13.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987.

   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC",
              RFC 3225, DOI 10.17487/RFC3225, December 2001.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005.

   [RFC6840]  Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and
              Implementation Notes for DNS Security (DNSSEC)", RFC 6840,
              DOI 10.17487/RFC6840, February 2013.

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013.

   [RFC6895]  Eastlake 3rd, D., "Domain Name System (DNS) IANA
              Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
              April 2013.

   [RFC7766]  Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
              D. Wessels, "DNS Transport over TCP - Implementation
              Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016.

13.2.  Informative References

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
              RFC 2671, DOI 10.17487/RFC2671, August 1999.

   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
              (RR) Types", RFC 3597, DOI 10.17487/RFC3597, September
              2003.

   [RFC5001]  Austein, R., "DNS Name Server Identifier (NSID) Option",
              RFC 5001, DOI 10.17487/RFC5001, August 2007.

   [RFC7314]  Andrews, M., "Extension Mechanisms for DNS (EDNS) EXPIRE
              Option", RFC 7314, DOI 10.17487/RFC7314, July 2014.

   [RFC7871]  Contavalli, C., van der Gaast, W., Lawrence, D., and W.
              Kumari, "Client Subnet in DNS Queries", RFC 7871,
              DOI 10.17487/RFC7871, May 2016.

   [RFC7873]  Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
              Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016.

Authors' Addresses

   M. Andrews
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA 94063
   US

   Email: marka@isc.org


   Ray Bellis
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA 94063
   US

   Email: ray@isc.org