idnits 2.17.1

draft-ietf-dnsop-no-response-issue-22.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (April 14, 2020) is 1466 days in the past.  Is this
     intentional?

  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Obsolete informational reference (is this intentional?): RFC 2671
     (Obsoleted by RFC 6891)

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         M. Andrews
Internet-Draft                                                 R. Bellis
Intended status: Best Current Practice                               ISC
Expires: October 16, 2020                                 April 14, 2020

    A Common Operational Problem in DNS Servers - Failure To Communicate
                  draft-ietf-dnsop-no-response-issue-22

Abstract

   The DNS is a query / response protocol.  Failing to respond to
   queries, or responding incorrectly, causes both immediate operational
   problems and long term problems with protocol development.
   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or else respond incorrectly.
   This document also suggests procedures for zone operators to apply to
   identify and remediate the problem.

   The document does not look at the DNS data itself, just the structure
   of the responses.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 16, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Consequences
   3.  Common kinds of queries that result in no or bad responses
     3.1.  Basic DNS Queries
       3.1.1.  Zone Existence
       3.1.2.  Unknown / Unsupported Type Queries
       3.1.3.  DNS Flags
       3.1.4.  Unknown DNS opcodes
       3.1.5.  TCP Queries
     3.2.  EDNS Queries
       3.2.1.  EDNS Queries - Version Independent
       3.2.2.  EDNS Queries - Version Specific
       3.2.3.  EDNS Options
       3.2.4.  EDNS Flags
       3.2.5.  Truncated EDNS Responses
       3.2.6.  DO=1 Handling
       3.2.7.  EDNS over TCP
   4.  Firewalls and Load Balancers
   5.  Packet Scrubbing Services
   6.  Whole Answer Caches
   7.  Response Code Selection
   8.  Testing
     8.1.  Testing - Basic DNS
       8.1.1.  Is The Server Configured For The Zone?
       8.1.2.  Testing Unknown Types
       8.1.3.  Testing Header Bits
       8.1.4.  Testing Unknown Opcodes
       8.1.5.  Testing TCP
     8.2.  Testing - Extended DNS
       8.2.1.  Testing Minimal EDNS
       8.2.2.  Testing EDNS Version Negotiation
       8.2.3.  Testing Unknown EDNS Options
       8.2.4.  Testing Unknown EDNS Flags
       8.2.5.  Testing EDNS Version Negotiation With Unknown EDNS Flags
       8.2.6.  Testing EDNS Version Negotiation With Unknown EDNS Options
       8.2.7.  Testing Truncated Responses
       8.2.8.  Testing DO=1 Handling
       8.2.9.  Testing EDNS Version Negotiation With DO=1
       8.2.10. Testing With Multiple Defined EDNS Options
     8.3.  When EDNS Is Not Supported
   9.  Remediation
   10. Security Considerations
   11. IANA Considerations
   12. Acknowledgements
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Authors' Addresses

1.  Introduction

   The DNS [RFC1034], [RFC1035] is a query / response protocol.  Failing
   to respond to queries, or responding incorrectly, causes both
   immediate operational problems and long term problems with protocol
   development.

   Failure to respond to a query is indistinguishable from packet loss
   without doing an analysis of query-response patterns.  Additionally,
   failure to respond results in unnecessary queries being made by DNS
   clients, and introduces delays to the resolution process.

   Due to the inability to distinguish between packet loss and
   nameservers or middle boxes dropping EDNS [RFC6891] queries, packet
   loss is sometimes misclassified as lack of EDNS support, which can
   lead to DNSSEC validation failures.
   The existence of servers which fail to respond to queries results in
   developers being hesitant to deploy new standards.  Such servers need
   to be identified and remediated.

   The DNS has response codes that cover almost any conceivable query
   response.  A nameserver should be able to respond to any conceivable
   query using them.  There should be no need to drop queries because a
   nameserver does not understand them.

   Unless a nameserver is under attack, it should respond to all DNS
   requests directed to it.  When a nameserver is under attack it may
   wish to drop packets.  A common attack is to use a nameserver as an
   amplifier by sending spoofed packets.  This is done because response
   packets are bigger than the queries and large amplification factors
   are available, especially if EDNS is supported.  Limiting the rate of
   responses is reasonable when this is occurring and the client should
   retry.  This however only works if legitimate clients are not being
   forced to guess whether EDNS queries are accepted or not.  As long as
   there is still a pool of servers that don't respond to EDNS
   requests, clients have no way to know if the lack of response is due
   to packet loss, or EDNS packets not being supported, or rate limiting
   due to the server being under attack.  Misclassification of server
   behaviour is unavoidable when rate limiting is used until the
   population of servers which fail to respond to well-formed queries
   drops to near zero.

   Nameservers should respond to queries even if the queried name is not
   for any name the server is configured to answer for.  Misconfigured
   nameservers are a common occurrence in the DNS and receiving queries
   for zones that the server is not configured for is not necessarily an
   indication that the server is under attack.
   Parent zone operators
   are advised to regularly check that the delegating NS records are
   consistent with those of the delegated zone and to correct them when
   they are not ([RFC1034], Section 4.4.2, Paragraph 3).  Doing this
   regularly should reduce the instances of broken delegations.

   This document does not try to identify all possible errors nor does
   it supply an exhaustive list of tests.

2.  Consequences

   Failure to follow the relevant DNS RFCs has multiple adverse
   consequences.  Some are caused directly by the non-compliant
   behaviour and others as a result of work-arounds forced on recursive
   servers.  Addressing known issues now will reduce future
   interoperability issues as the DNS protocol continues to evolve and
   clients make use of newly-introduced DNS features.  In particular the
   base DNS specification [RFC1034], [RFC1035] and the EDNS
   specification [RFC6891], when implemented, need to be followed.

   Some examples of known consequences include:

   o  The AD (Authenticated Data) bit in a response cannot be trusted to
      mean anything as some servers incorrectly copy the flag bit from
      the request to the response [RFC1035], [RFC4035].  The use of the
      AD bit in requests is defined in [RFC6840].

   o  Widespread non-response to EDNS queries has led to recursive
      servers having to assume that EDNS is not supported and that
      fallback to plain DNS is required, potentially causing DNSSEC
      validation failures.

   o  Widespread non-response to EDNS options requires recursive servers
      to decide whether to probe to see if it is the specific EDNS
      option or the use of EDNS in general that is causing the
      non-response.  In the limited amount of time required to resolve a
      query before the client times out this is not possible.
   o  Incorrectly returning FORMERR to an EDNS option being present
      leads to the recursive server not being able to determine if the
      server is just broken in the handling of the EDNS option or
      doesn't support EDNS at all.

   o  Mishandling of unknown query types has contributed to the
      abandonment of the transition of the SPF type.

   o  Mishandling of unknown query types has slowed up the development
      of DANE and resulted in additional rules being specified to reduce
      the probability of interacting with a broken server when making
      TLSA queries.

   The consequences of servers not following the RFCs will only grow if
   measures are not put in place to remove non-compliant servers from
   the ecosystem.  Working around issues due to non-compliance with RFCs
   is not sustainable.

   Most (if not all) of these consequences could have been avoided if
   action had been taken to remove non-compliant servers as soon as
   people were aware of them, i.e. to actively seek out broken
   implementations and servers and inform their developers and operators
   that they need to fix their servers.

3.  Common kinds of queries that result in no or bad responses

   This section is broken down into Basic DNS requests and EDNS
   requests.

3.1.  Basic DNS Queries

3.1.1.  Zone Existence

   If a zone is delegated to a server, that server should respond to an
   SOA query for that zone with an SOA record.  Failing to respond at
   all is always incorrect, regardless of the configuration of the
   server.  Responding with anything other than an SOA record in the
   Answer section indicates a bad delegation.

3.1.2.  Unknown / Unsupported Type Queries

   Some servers fail to respond to unknown or unsupported types.
   If a
   server receives a query for a type that it doesn't recognise, or
   doesn't implement, it is expected to return the appropriate response
   as if it did recognise the type but does not have any data for that
   type: either NOERROR, or NXDOMAIN.  The exceptions to this are
   queries for Meta-RR types, which may return NOTIMP.

3.1.3.  DNS Flags

   Some servers fail to respond to DNS queries with various DNS flags
   set, regardless of whether they are defined or still reserved.  At
   the time of writing there are servers that fail to respond to queries
   with the AD flag set to 1 and servers that fail to respond to queries
   with the last reserved flag set.

   Servers should respond to such queries.  If the server does not know
   the meaning of a flag it must not copy it to the response ([RFC1035],
   Section 4.1.1).  If the server does not understand the meaning of a
   request it should reply with a FORMERR response with unknown flags
   set to zero.

3.1.3.1.  Recursive Queries

   A non-recursive server is supposed to respond to recursive queries as
   if the RD bit is not set [RFC1034].

3.1.4.  Unknown DNS opcodes

   The use of previously undefined opcodes is to be expected.  Since the
   DNS was first defined two new opcodes have been added, UPDATE and
   NOTIFY.

   NOTIMP is the expected rcode to an unknown or unimplemented opcode.

   Note: while new opcodes will most probably use the current layout
   structure for the rest of the message there is no requirement that
   anything other than the DNS header match.

3.1.5.  TCP Queries

   All DNS servers are supposed to respond to queries over TCP
   [RFC7766].  While firewalls should not block TCP connection attempts,
   those that do should cleanly terminate the connection by sending a
   TCP RESET or sending ICMP/ICMPv6 Administratively Prohibited
   messages.  Dropping TCP connections introduces excessive delays to
   the resolution process.

3.2.  EDNS Queries

   EDNS queries are specified in [RFC6891].

3.2.1.  EDNS Queries - Version Independent

   Identifying servers that fail to respond to EDNS queries can be done
   by first confirming that the server responds to regular DNS queries,
   followed by a series of otherwise identical queries using EDNS, then
   making the original query again.  A series of EDNS queries is needed
   as at least one DNS implementation responds to the first EDNS query
   with FORMERR but fails to respond to subsequent queries from the same
   address for a period until a regular DNS query is made.  The EDNS
   query should specify a UDP buffer size of 512 bytes to avoid false
   classification of not supporting EDNS due to response packet size.

   If the server responds to the first and last queries but fails to
   respond to most or all of the EDNS queries, it is probably faulty.
   The test should be repeated a number of times to eliminate the
   likelihood of a false positive due to packet loss.

   Firewalls may also block larger EDNS responses but there is no easy
   way to check authoritative servers to see if the firewall is
   misconfigured.

3.2.2.  EDNS Queries - Version Specific

   Some servers respond correctly to EDNS version 0 queries but fail to
   respond to EDNS queries with version numbers that are higher than
   zero.  Servers should respond with BADVERS to EDNS queries with
   version numbers that they do not support.

   Some servers respond correctly to EDNS version 0 queries but fail to
   set QR=1 when responding to EDNS versions they do not support.  Such
   responses may be discarded as invalid (as QR is not 1) or treated as
   requests (when the source port of the original request was port 53).

3.2.3.  EDNS Options

   Some servers fail to respond to EDNS queries with EDNS options set.
   The original EDNS specification left this behaviour undefined
   [RFC2671], but the correct behaviour was clarified in [RFC6891].
   Unknown EDNS options are supposed to be ignored by the server.

3.2.4.  EDNS Flags

   Some servers fail to respond to EDNS queries with EDNS flags set.
   Servers should ignore EDNS flags they do not understand and must not
   add them to the response [RFC6891].

3.2.5.  Truncated EDNS Responses

   Some EDNS aware servers fail to include an OPT record when a
   truncated response is sent.  An OPT record is supposed to be included
   in a truncated response [RFC6891].

   Some EDNS aware servers fail to honour the advertised EDNS UDP buffer
   size and send over-sized responses [RFC6891].  Servers must send UDP
   responses no larger than the advertised EDNS UDP buffer size.

3.2.6.  DO=1 Handling

   Some nameservers incorrectly only return an EDNS response when the DO
   bit [RFC3225] is 1 in the query.  Servers that support EDNS should
   always respond to EDNS requests with EDNS responses.

   Some nameservers fail to copy the DO bit to the response despite
   clearly supporting DNSSEC by returning RRSIG records to EDNS
   queries with DO=1.  Nameservers that support DNSSEC are expected to
   copy the DO bit from the request to the response.

3.2.7.  EDNS over TCP

   Some EDNS aware servers incorrectly limit the TCP response sizes to
   the advertised UDP response size.  This breaks DNS resolution to
   clients where the response sizes exceed the advertised UDP response
   size despite the server and the client being capable of sending and
   receiving larger TCP responses respectively.  It effectively defeats
   setting TC=1 in UDP responses.

4.  Firewalls and Load Balancers

   Firewalls and load balancers can affect the externally visible
   behaviour of a nameserver.  Tests for conformance should be done
   from outside of any firewall so that the system is tested as a whole.

   Firewalls and load balancers should not drop DNS packets that they
   don't understand.
   They should either pass the packets or generate an
   appropriate error response.

   Requests for unknown query types are normal client behaviour and
   should not be construed as an attack.  Nameservers have always been
   expected to be able to handle such queries.

   Requests for unknown query classes are normal client behaviour and
   should not be construed as an attack.  Nameservers have always been
   expected to be able to handle such queries.

   Requests with unknown opcodes are normal client behaviour and should
   not be construed as an attack.  Nameservers have always been expected
   to be able to handle such queries.

   Requests with unassigned flags set (DNS or EDNS) are expected client
   behaviour and should not be construed as an attack.  The behaviour
   for unassigned flags is to ignore them in the request and to not set
   them in the response.  Dropping DNS / EDNS packets with unassigned
   flags makes it difficult to deploy extensions that make use of them
   due to the need to reconfigure and update firewalls.

   Requests with unknown EDNS options are expected client behaviour and
   should not be construed as an attack.  The correct behaviour for
   unknown EDNS options is to ignore their presence when constructing a
   reply.

   Requests with unknown EDNS versions are expected client behaviour and
   should not be construed as an attack.  The correct behaviour for
   unknown EDNS versions is to return BADVERS along with the highest
   EDNS version the server supports.  Dropping EDNS packets breaks EDNS
   version negotiation.

   Firewalls should not assume that there will only be a single response
   message to a request.  There have been proposals to use EDNS to
   signal that multiple DNS messages be returned rather than a single
   UDP message that is fragmented at the IP layer.
   DNS, and EDNS in particular, are designed to allow clients to be able
   to use new features against older servers without having to validate
   every option.  Indiscriminate blocking of messages breaks that
   design.

   However, there may be times when a nameserver mishandles messages
   with a particular flag, EDNS option, EDNS version field, opcode, type
   or class field or combination thereof to the point where the
   integrity of the nameserver is compromised.  Firewalls should offer
   the ability to selectively reject messages using an appropriately
   constructed response based on all these fields while awaiting a fix
   from the nameserver vendor.  FORMERR and REFUSED are two potential
   error codes to return.

5.  Packet Scrubbing Services

   Packet scrubbing services are used to filter out undesired traffic,
   including but not limited to, denial of service traffic.  This is
   often done using heuristic analysis of the traffic.

   Packet scrubbing services can affect the externally visible behaviour
   of a nameserver in a similar way to firewalls.  If an operator uses a
   packet scrubbing service, they should check that legitimate queries
   are not being blocked.

   Packet scrubbing services, unlike firewalls, are also turned on and
   off in response to denial of service attacks.  One needs to take care
   when choosing a scrubbing service.

   Ideally, operators should run these tests against a packet scrubbing
   service to ensure that these tests are not seen as attack vectors.

6.  Whole Answer Caches

   Whole answer caches take a previously constructed answer and return
   it to a subsequent query for the same question.  However, they can
   return the wrong response if they do not take all of the relevant
   attributes of the query into account.
   In addition to the standard <qname, qtype, qclass> tuple, a
   non-exhaustive set of attributes that must be considered include: RD,
   AD, CD, OPT record, DO, EDNS buffer size, EDNS version, EDNS options,
   and transport.

7.  Response Code Selection

   Choosing the correct response code when responding to DNS queries is
   important.  Response codes should be chosen considering how clients
   will handle them.

   For unimplemented opcodes NOTIMP is the expected response code.
   Note: Newly implemented opcodes may change the message format by
   extending the header, changing the structure of the records, etc.
   Servers are not expected to be able to parse these, and should
   respond with a response code of NOTIMP rather than FORMERR (which
   would be expected if there was a parse error with a known opcode).

   For unimplemented type codes, and in the absence of other errors, the
   only valid response is NoError if the qname exists, and NameError
   (NXDOMAIN) otherwise.  For Meta-RRs NOTIMP may be returned instead.

   If a zone cannot be loaded because it contains unimplemented type
   codes that are not encoded as unknown record types according to
   [RFC3597] then the expected response is SERVFAIL as the whole zone
   should be rejected ([RFC1035], Section 5.2).  If a zone loads then
   [RFC1034], Section 4.3.2 applies.

   If the server supports EDNS and receives a query with an unsupported
   EDNS version, the correct response is BADVERS [RFC6891].

   If the server does not support EDNS at all, FORMERR is the expected
   error code.  That said, a minimal EDNS server implementation requires
   parsing the OPT records and responding with an empty OPT record in
   the additional section in most cases.  There is no need to interpret
   any EDNS options present in the request as unsupported EDNS options
   are expected to be ignored [RFC6891].  Additionally EDNS flags can be
   ignored.
   The only part of the OPT record that needs to be examined
   is the version field to determine if BADVERS needs to be sent or not.

8.  Testing

   Testing is divided into two sections: "Basic DNS", which all servers
   should meet, and "Extended DNS", which should be met by all servers
   that support EDNS (a server is deemed to support EDNS if it gives a
   valid EDNS response to any EDNS query).  If a server does not support
   EDNS it should still respond to all the tests, albeit with error
   responses.

   These tests query for records at the apex of a zone that the server
   is nominally configured to serve.  All tests should use the same
   zone.

   It is advisable to run all of the tests below in parallel so as to
   minimise the delays due to multiple timeouts when the servers do not
   respond.  There are 16 queries directed to each nameserver (assuming
   no packet loss) testing different aspects of Basic DNS and Extended
   DNS.

   The tests below use dig from BIND 9.11.0 [ISC].  Replace $zone with
   the name of the zone being used for testing.  Replace $server with
   the name or address of the server being tested.

   When testing recursive servers set RD=1 and choose a zone name that
   is known to exist and is not being served by the recursive server.
   The root zone (".") is often a good candidate as it is DNSSEC signed.
   RD=1, rather than RD=0, should be present in the responses for all
   tests involving the opcode QUERY.  Non-authoritative answers (AA=0)
   are expected when talking to a recursive server.  AD=1 is only
   expected if the server is validating responses and one or both of
   AD=1 or DO=1 is set in the request; otherwise AD=0 is expected.

8.1.  Testing - Basic DNS

   This first set of tests covers basic DNS server behaviour and all
   servers should pass these tests.

8.1.1.  Is The Server Configured For The Zone?

   Ask for the SOA record of the configured zone.
   This query is made
   with no DNS flag bits set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We do not expect an
   OPT record to be returned [RFC6891].

   Verify the server is configured for the zone:

   dig +noedns +noad +norec soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present

8.1.2.  Testing Unknown Types

   Identifying servers that fail to respond to unknown or unsupported
   types can be done by making an initial DNS query for an A record,
   making a number of queries for an unallocated type, then making a
   query for an A record again.  IANA maintains a registry of allocated
   types.

   If the server responds to the first and last queries but fails to
   respond to the queries for the unallocated type, it is probably
   faulty.  The test should be repeated a number of times to eliminate
   the likelihood of a false positive due to packet loss.

   Ask for the TYPE1000 RRset at the configured zone's name.  This query
   is made with no DNS flag bits set and without EDNS.  TYPE1000 has
   been chosen for this purpose as IANA is unlikely to allocate this
   type in the near future and it is not in a range reserved for private
   use [RFC6895].  Any unallocated type code could be chosen for this
   test.

   We expect no records to be returned in the answer section, the rcode
   to be set to NOERROR, and the AA and QR bits to be set in the header;
   RA may also be set [RFC1034].  We do not expect an OPT record to be
   returned [RFC6891].
   Check that queries for an unknown type work:

   dig +noedns +noad +norec type1000 $zone @$server

   expect: status: NOERROR
   expect: an empty answer section.
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present

8.1.3.  Testing Header Bits

8.1.3.1.  Testing CD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the CD DNS flag bit set, all other DNS bits clear, and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header.  We do not expect an OPT record to be returned.

   If the server supports DNSSEC, CD should be set in the response
   [RFC4035]; otherwise CD should be clear [RFC1034].

   Check that queries with CD=1 work:

   dig +noedns +noad +norec +cd soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present

8.1.3.2.  Testing AD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the AD DNS flag bit set and all other DNS bits clear and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header.  We do not expect an OPT record to be returned.
   The purpose of this query is to detect blocking of queries with the
   AD bit present, not the specific value of AD in the response.
   Check that queries with AD=1 work:

   dig +noedns +norec +ad soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: the OPT record to NOT be present

   AD use in queries is defined in [RFC6840].

8.1.3.3.  Testing Reserved Bit

   Ask for the SOA record of the configured zone.  This query is made
   with only the final reserved DNS flag bit set and all other DNS bits
   clear and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may be set.  The final reserved bit must not be
   set [RFC1034].  We do not expect an OPT record to be returned
   [RFC6891].

   Check that queries with the last unassigned DNS header flag work and
   that the flag bit is not copied to the response:

   dig +noedns +noad +norec +zflag soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: MBZ to NOT be in the response (see below)
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present

   MBZ (Must Be Zero) is a dig-specific indication that the flag bit has
   been incorrectly copied.  See [RFC1035], Section 4.1.1: "Z Reserved
   for future use.  Must be zero in all queries and responses."

8.1.3.4.  Testing Recursive Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the RD DNS flag bit set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA, QR and RD bits
   to be set in the header; RA may also be set [RFC1034].  We do not
   expect an OPT record to be returned [RFC6891].
   Check that recursive queries work:

      dig +noedns +noad +rec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.4.  Testing Unknown Opcodes

   Construct a DNS message that consists of only a DNS header with
   opcode set to 15 (currently not allocated), no DNS header bits set,
   and empty question, answer, authority and additional sections.

   Check that new opcodes are handled:

      dig +noedns +noad +opcode=15 +norec +header-only @$server

      expect: status: NOTIMP
      expect: opcode: 15
      expect: all sections to be empty
      expect: flag: aa to NOT be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.5.  Testing TCP

   Whether a server accepts TCP connections can be tested by first
   checking that it responds to UDP queries, to confirm that it is up
   and operating, then attempting the same query over TCP.  If the TCP
   connection attempt fails, an additional query should be made over
   UDP to confirm that the server under test is still operating.

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set and without EDNS.  This query is to be sent
   using TCP.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We do not expect an
   OPT record to be returned [RFC6891].
   Check that TCP queries work:

      dig +noedns +noad +norec +tcp soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

   The requirement that TCP be supported is defined in [RFC7766].

8.2.  Testing - Extended DNS

   The next set of tests cover various aspects of EDNS behaviour.  If
   any of these tests succeed (indicating at least some EDNS support)
   then all of them should succeed.  There are servers that support EDNS
   but fail to handle plain EDNS queries correctly, so the failure of a
   plain EDNS query on its own is not a good indicator of lack of EDNS
   support.

8.2.1.  Testing Minimal EDNS

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used without any EDNS
   options or EDNS flags set.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.  The EDNS version field should be 0 and there should be no
   EDNS options present [RFC6891].

   Check that plain EDNS queries work:

      dig +nocookie +edns=0 +noad +norec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: EDNS Version 0 in response
      expect: flag: aa to be present
      expect: flag: ad to NOT be present

   +nocookie disables sending an EDNS COOKIE option, which is otherwise
   enabled by default in BIND 9.11.0 (and later).

8.2.2.  Testing EDNS Version Negotiation

   Ask for the SOA record of a zone the server is nominally configured
   to serve.  This query is made with no DNS flag bits set.  EDNS
   version 1 is used without any EDNS options or EDNS flags set.

   We expect the SOA record for the zone to NOT be returned in the
   answer section, the extended rcode to be set to BADVERS, and the QR
   bit to be set in the header; RA may also be set [RFC1034].  We expect
   an OPT record to be returned.  There should be no EDNS flags present
   in the response.  The EDNS version field should be 0 in the response,
   as no other EDNS version has as yet been specified [RFC6891].

   Check that EDNS version 1 queries work (EDNS supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec soa $zone @$server

      expect: status: BADVERS
      expect: the SOA record to NOT be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present
      expect: flag: ad to NOT be present

   +noednsneg has been set as dig supports EDNS version negotiation and
   we want to see only the response to the initial EDNS version 1 query.

8.2.3.  Testing Unknown EDNS Options

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used without any EDNS
   flags.  An EDNS option is present with a code that has not yet been
   assigned by IANA.  We have picked an unassigned code of 100 for the
   example below.  Any unassigned EDNS option code could have been
   chosen for this test.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.
   The EDNS version field should be 0, as EDNS versions other than 0 are
   yet to be specified, and there should be no EDNS options present, as
   unknown EDNS options are supposed to be ignored by the server
   ([RFC6891], Section 6.1.2).

   Check that EDNS queries with an unknown option work (EDNS supported):

      dig +nocookie +edns=0 +noad +norec +ednsopt=100 soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: OPT=100 to NOT be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present
      expect: flag: ad to NOT be present

8.2.4.  Testing Unknown EDNS Flags

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used without any EDNS
   options.  An unassigned EDNS flag bit is set (0x40 in this case).

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response, as unknown EDNS flags are supposed to be ignored.  The EDNS
   version field should be 0 and there should be no EDNS options present
   [RFC6891].

   Check that EDNS queries with unknown flags work (EDNS supported):

      dig +nocookie +edns=0 +noad +norec +ednsflags=0x40 soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: MBZ not to be present
      expect: EDNS Version 0 in response
      expect: flag: aa to be present
      expect: flag: ad to NOT be present

   MBZ (Must Be Zero) is a dig-specific indication that an EDNS flag bit
   has been incorrectly copied into the response; see Section 6.1.4 of
   [RFC6891].

8.2.5.  Testing EDNS Version Negotiation With Unknown EDNS Flags

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 1 is used without any EDNS
   options.  An unassigned EDNS flag bit is set (0x40 in this case).

   We expect the SOA record for the zone to NOT be returned in the
   answer section, the extended rcode to be set to BADVERS, and the QR
   bit to be set in the header; RA may also be set [RFC1034].  We expect
   an OPT record to be returned.  There should be no EDNS flags present
   in the response, as unknown EDNS flags are supposed to be ignored.
   The EDNS version field should be 0, as EDNS versions other than 0 are
   yet to be specified, and there should be no EDNS options present
   [RFC6891].

   Check that EDNS version 1 queries with unknown flags work (EDNS
   supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec +ednsflags=0x40 soa \
          $zone @$server

      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: an OPT record to be present in the additional section
      expect: MBZ not to be present
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present
      expect: flag: ad to NOT be present

8.2.6.  Testing EDNS Version Negotiation With Unknown EDNS Options

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 1 is used.  An unknown EDNS
   option is present.  We have picked an unassigned code of 100 for the
   example below.  Any unassigned EDNS option code could have been
   chosen for this test.

   We expect the SOA record for the zone to NOT be returned in the
   answer section, the extended rcode to be set to BADVERS, and the QR
   bit to be set in the header; RA may also be set [RFC1034].  We expect
   an OPT record to be returned.  There should be no EDNS flags present
   in the response.
   The EDNS version field should be 0, as EDNS versions other than 0 are
   yet to be specified, and there should be no EDNS options present
   [RFC6891].

   Check that EDNS version 1 queries with unknown options work (EDNS
   supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec +ednsopt=100 soa \
          $zone @$server

      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: an OPT record to be present in the additional section
      expect: OPT=100 to NOT be present
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present
      expect: flag: ad to NOT be present

8.2.7.  Testing Truncated Responses

   Ask for the DNSKEY records of the configured zone, which must be a
   DNSSEC signed zone.  This query is made with no DNS flag bits set.
   EDNS version 0 is used without any EDNS options.  The only EDNS flag
   set is DO.  The EDNS UDP buffer size is set to 512.  The intention of
   this query is to elicit a truncated response from the server.  Most
   signed DNSKEY responses are bigger than 512 bytes.  This test will
   not give a valid result if the zone is not signed.

   We expect a response, the rcode to be set to NOERROR, and the AA and
   QR bits to be set.  AD may be set in the response if the server
   supports DNSSEC; otherwise it should be clear.  TC and RA may also be
   set [RFC1035] [RFC4035].  We expect an OPT record to be present in
   the response.  There should be no EDNS flags other than DO present in
   the response.  The EDNS version field should be 0 and there should be
   no EDNS options present [RFC6891].

   If TC is not set in the response, this test cannot confirm whether
   the server correctly includes the OPT record in truncated responses.

      dig +norec +dnssec +bufsize=512 +ignore dnskey $zone @$server

      expect: NOERROR
      expect: OPT record with version set to 0

   +ignore stops dig from retrying the query over TCP when TC is set, so
   that the truncated UDP response itself is what is examined.

8.2.8.  Testing DO=1 Handling

   Ask for the SOA record of the configured zone, which does not need to
   be DNSSEC signed.  This query is made with no DNS flag bits set.
   EDNS version 0 is used without any EDNS options.  The only EDNS flag
   set is DO.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the response.  AD may be set in the response if the server
   supports DNSSEC; otherwise it should be clear.  RA may also be set
   [RFC1034].  We expect an OPT record to be returned.  There should be
   no EDNS flags other than DO present in the response; DO should be
   present if the server supports DNSSEC.  The EDNS version field should
   be 0 and there should be no EDNS options present [RFC6891].

   Check that DO=1 queries work (EDNS supported):

      dig +nocookie +edns=0 +noad +norec +dnssec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: DO=1 to be present if an RRSIG is in the response
      expect: EDNS Version 0 in response
      expect: flag: aa to be present

8.2.9.  Testing EDNS Version Negotiation With DO=1

   Ask for the SOA record of the configured zone, which does not need to
   be DNSSEC signed.  This query is made with no DNS flag bits set.
   EDNS version 1 is used without any EDNS options.  The only EDNS flag
   set is DO.

   We expect the SOA record for the zone to NOT be returned in the
   answer section, the extended rcode to be set to BADVERS, and the QR
   bit and possibly the RA bit to be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags other than DO
   present in the response; DO should be present if the server supports
   DNSSEC.  The EDNS version field should be 0 and there should be no
   EDNS options present [RFC6891].
   Check that EDNS version 1, DO=1 queries work (EDNS supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec +dnssec soa \
          $zone @$server

      expect: status: BADVERS
      expect: SOA record to NOT be present
      expect: an OPT record to be present in the additional section
      expect: DO=1 to be present if the EDNS version 0 DNSSEC query test
              returned DO=1
      expect: EDNS Version 0 in response
      expect: flag: aa to NOT be present

8.2.10.  Testing With Multiple Defined EDNS Options

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used.  A number of
   defined EDNS options are present (NSID [RFC5001], DNS COOKIE
   [RFC7873], EDNS Client Subnet [RFC7871] and EDNS Expire [RFC7314]).

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.  The EDNS version field should be 0.  Any of the requested
   EDNS options that are supported by the server and permitted by its
   configuration may be returned [RFC6891].

   Check that EDNS queries with multiple defined EDNS options work:

      dig +edns=0 +noad +norec +cookie +nsid +expire +subnet=0.0.0.0/0 \
          soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: EDNS Version 0 in response
      expect: flag: aa to be present
      expect: flag: ad to NOT be present

8.3.  When EDNS Is Not Supported

   If EDNS is not supported by the nameserver, we expect a response to
   each of the above queries.  That response may be a FORMERR error
   response, or the OPT record may just be ignored.
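   The EDNS tests of Section 8.2 and the no-EDNS outcome just described
   can be applied to raw messages as well.  The Python below is an added
   example; it is not part of this document and not ISC's or BIND's
   code.  It builds the OPT pseudo-RR with a chosen version, flags and
   options, parses the reply far enough to find the OPT, and applies
   the "expect:" lists of Sections 8.2.1 to 8.2.6 and 8.2.8 to 8.2.10 in
   check_edns().  The point it makes that dig output hides is the
   extended RCODE: BADVERS is 16, carried as header RCODE 0 plus OPT
   EXTENDED-RCODE 1, so a checker that reads only the header nibble
   would report NOERROR.  The server under test is a constructed
   stand-in, fake_edns_server(), with made-up names (example.test,
   ns1.example.test, hostmaster.example.test); its keyword arguments
   reproduce the misbehaviours the tests are designed to catch.

```python
"""EDNS checks for Section 8.2 and the no-EDNS outcome of Section 8.3 on
raw messages.  Added example, not part of the draft; stdlib only."""
import struct

QR, AA = 0x8000, 0x0400
OPT, SOA, IN = 41, 6, 1
DO = 0x8000                                  # the only assigned EDNS flag
NOERROR, FORMERR, BADVERS = 0, 1, 16         # BADVERS is an extended rcode

def encode_name(name):
    """Wire-format a domain name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_opt(ext_rcode=0, version=0, flags=0, options=()):
    """OPT pseudo-RR (RFC 6891 Section 6.1.2): root NAME, UDP payload size
    in CLASS, and EXTENDED-RCODE | VERSION | flags packed into the TTL."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, len(rdata)) + rdata

def build_edns_query(zone, msg_id=0x4242, **opt):
    """SOA query, no header flag bits, one OPT built from the kwargs."""
    hdr = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)
    return hdr + encode_name(zone) + struct.pack("!HH", SOA, IN) + build_opt(**opt)

def skip_name(msg, off):
    """Offset just past the name at off; a 0xC0 pointer ends a name."""
    while msg[off] != 0 and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)

def parse_message(msg):
    """Header, answer count and the OPT (if any).  rcode is the 12-bit
    extended RCODE: upper 8 bits from the OPT TTL, so BADVERS = 0 | 1<<4."""
    msg_id, bits, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, opt = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == OPT and section == "ar":
                options, o = [], 0
                while o < len(rdata):
                    code, ln = struct.unpack("!HH", rdata[o:o + 4])
                    options.append((code, rdata[o + 4:o + 4 + ln]))
                    o += 4 + ln
                opt = {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                       "flags": ttl & 0xFFFF, "options": options}
    rcode = (bits & 0xF) | (opt["ext_rcode"] << 4 if opt else 0)
    return {"id": msg_id, "flags": bits & 0x07F0, "rcode": rcode,
            "answers": an, "opt": opt}

def check_edns(query, response, allowed_options=()):
    """The Section 8.2 'expect:' lists as code.  Returns the failed
    expectations (empty = pass); ["no-opt"] is the Section 8.3 outcome
    (FORMERR or OPT ignored: no EDNS).  allowed_options are codes the
    server may legitimately return (Section 8.2.10)."""
    q, r = parse_message(query), parse_message(response)
    if r["opt"] is None:
        return ["no-opt"]
    v0 = q["opt"]["version"] == 0           # version 1 queries expect BADVERS
    failed = []
    if r["rcode"] != (NOERROR if v0 else BADVERS): failed.append("rcode")
    if bool(r["flags"] & AA) != v0:                failed.append("aa")
    if (r["answers"] > 0) != v0:                   failed.append("answer")
    if r["opt"]["version"] != 0:                   failed.append("version")
    if r["opt"]["flags"] & ~DO:                    failed.append("mbz")
    if any(c not in allowed_options for c, _ in r["opt"]["options"]):
        failed.append("option")                    # unknown option echoed
    return failed

def fake_edns_server(query, supports_edns=True, copy_flags=False, echo_unknown=False):
    """Constructed stand-in for the server under test (names are made up).
    copy_flags / echo_unknown reproduce the bugs Sections 8.2.3-8.2.6 catch."""
    q = parse_message(query)
    question = query[12:skip_name(query, 12) + 4]
    if not supports_edns:                   # Section 8.3: FORMERR, no OPT
        return struct.pack("!HHHHHH", q["id"], QR | FORMERR, 1, 0, 0, 0) + question
    qo = q["opt"]
    flags = qo["flags"] if copy_flags else qo["flags"] & DO
    options = qo["options"] if echo_unknown else []
    if qo["version"] != 0:                  # BADVERS: header nibble 0, OPT byte 1
        return (struct.pack("!HHHHHH", q["id"], QR | (BADVERS & 0xF), 1, 0, 0, 1)
                + question + build_opt(BADVERS >> 4, 0, flags, options))
    rdata = (encode_name("ns1.example.test") + encode_name("hostmaster.example.test")
             + struct.pack("!IIIII", 2020041401, 7200, 900, 1209600, 3600))
    soa = encode_name("example.test") + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return (struct.pack("!HHHHHH", q["id"], QR | AA | NOERROR, 1, 1, 0, 1)
            + question + soa + build_opt(0, 0, flags, options))

if __name__ == "__main__":
    q = build_edns_query("example.test", version=1, flags=0x40)
    print(check_edns(q, fake_edns_server(q)), check_edns(q, fake_edns_server(q, copy_flags=True)))
```

   build_edns_query(zone, version=1) is the Section 8.2.2 query,
   flags=0x40 the Section 8.2.4 one, options=[(100, b"")] the Section
   8.2.3 one, flags=DO the Section 8.2.8 one, and the combinations give
   Sections 8.2.5, 8.2.6 and 8.2.9.  Because check_edns() looks for the
   OPT before anything else, the same call applies to a truncated reply
   from the Section 8.2.7 query, which the stand-in never produces.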
   Some nameservers only return an EDNS response when a particular EDNS
   option or flag (e.g. DO=1) is present in the request.  This
   behaviour is not compliant and may hide other incorrect behaviour
   from the above tests.  Re-testing with the triggering option or flag
   present will expose this misbehaviour.

9.  Remediation

   Nameserver operators are generally expected to test their own
   infrastructure for compliance to standards.  The above tests should
   be run when new systems are brought online, and should be repeated
   periodically to ensure continued interoperability.

   Domain registrants who do not maintain their own DNS infrastructure
   are entitled to a DNS service that conforms to standards and
   interoperates well.  Registrants who become aware that their DNS
   operator does not have a well maintained or compliant infrastructure
   should insist that their service provider correct issues, and switch
   providers if they do not.

   In the event that an operator experiences problems due to the
   behaviour of nameservers outside their control, the above tests will
   help in narrowing down the precise issue(s), which can then be
   reported to the relevant party.

   If contact information for the operator of a misbehaving nameserver
   is not already known, the following methods of communication could be
   considered:

   o  the RNAME of the zone authoritative for the name of the
      misbehaving server

   o  the RNAME of zones for which the offending server is authoritative

   o  administrative or technical contacts listed in the registration
      information for the parent domain of the name of the misbehaving
      server, or for zones for which the nameserver is authoritative

   o  the registrar or registry for such zones

   o  DNS-specific operational fora (e.g. mailing lists)

   Operators of parent zones may wish to regularly test the
   authoritative nameservers of their child zones.  However, parent
   operators can have widely varying capabilities in terms of
   notification or remediation depending on whether they have a direct
   relationship with the child operator.  Many TLD registries, for
   example, cannot directly contact their registrants and may instead
   need to communicate through the relevant registrar.  In such cases
   it may be most efficient for registrars to take on the responsibility
   for testing the nameservers of their registrants, since they have a
   direct relationship.

   When notification is not effective at correcting problems with a
   misbehaving nameserver, parent operators can choose to remove NS
   record sets (and glue records below) that refer to the faulty server
   until the servers are fixed.  This should only be done as a last
   resort and with due consideration, as removal of a delegation can
   have unanticipated side effects.  For example, other parts of the DNS
   tree may depend on names below the removed zone cut, and the parent
   operator may find themselves responsible for causing new DNS failures
   to occur.

10.  Security Considerations

   Testing protocol compliance can potentially result in false reports
   of attempts to attack services from Intrusion Detection Systems and
   firewalls.  All of the tests are well-formed (though not necessarily
   common) DNS queries.  None of the tests listed above should cause any
   harm to a protocol-compliant server.

   Relaxing firewall settings to ensure EDNS compliance could
   potentially expose a critical implementation flaw in the nameserver.
   Nameservers should be tested for conformance before relaxing firewall
   settings.
   When removing delegations for non-compliant servers there can be a
   knock-on effect on other zones that require these zones to be
   operational for their nameservers' addresses to be resolved.

11.  IANA Considerations

   There are no actions for IANA.

12.  Acknowledgements

   The contributions of the following are gratefully acknowledged:

   Matthew Pounsett, Tim Wicinski.

13.  References

13.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987.

   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC",
              RFC 3225, DOI 10.17487/RFC3225, December 2001.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005.

   [RFC6840]  Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and
              Implementation Notes for DNS Security (DNSSEC)", RFC 6840,
              DOI 10.17487/RFC6840, February 2013.

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013.

   [RFC6895]  Eastlake 3rd, D., "Domain Name System (DNS) IANA
              Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
              April 2013.

   [RFC7766]  Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
              D. Wessels, "DNS Transport over TCP - Implementation
              Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016.

13.2.  Informative References

   [ISC]      "Internet Systems Consortium".

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
              RFC 2671, DOI 10.17487/RFC2671, August 1999.
   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
              (RR) Types", RFC 3597, DOI 10.17487/RFC3597, September
              2003.

   [RFC5001]  Austein, R., "DNS Name Server Identifier (NSID) Option",
              RFC 5001, DOI 10.17487/RFC5001, August 2007.

   [RFC7314]  Andrews, M., "Extension Mechanisms for DNS (EDNS) EXPIRE
              Option", RFC 7314, DOI 10.17487/RFC7314, July 2014.

   [RFC7871]  Contavalli, C., van der Gaast, W., Lawrence, D., and W.
              Kumari, "Client Subnet in DNS Queries", RFC 7871,
              DOI 10.17487/RFC7871, May 2016.

   [RFC7873]  Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
              Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016.

Authors' Addresses

   M. Andrews
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA 94063
   US

   Email: marka@isc.org


   Ray Bellis
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA 94063
   US

   Email: ray@isc.org