idnits 2.17.1
draft-ietf-dnsop-qname-minimisation-03.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
** The abstract seems to contain references
([I-D.ietf-dprive-problem-statement]), which it shouldn't. Please
replace those with straight textual mentions of the documents in question.
== There are 2 instances of lines with non-RFC2606-compliant FQDNs in the
document.
-- The document has examples using IPv4 documentation addresses according
to RFC6890, but does not use any IPv6 documentation addresses. Maybe
there should be IPv6 examples, too?
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (June 7, 2015) is 3246 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 389
-- Looks like a reference, but probably isn't: '2' on line 392
-- Looks like a reference, but probably isn't: '3' on line 394
-- Looks like a reference, but probably isn't: '4' on line 396
-- Looks like a reference, but probably isn't: '5' on line 399
== Outdated reference: A later version (-06) exists of
draft-ietf-dprive-problem-statement-05
-- Obsolete informational reference (is this intentional?): RFC 6982
(Obsoleted by RFC 7942)
== Outdated reference: A later version (-03) exists of
draft-wkumari-dnsop-hammer-01
Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 8 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Domain Name System Operations (dnsop) Working Group S. Bortzmeyer
3 Internet-Draft AFNIC
4 Intended status: Experimental June 7, 2015
5 Expires: December 9, 2015
7 DNS query name minimisation to improve privacy
8 draft-ietf-dnsop-qname-minimisation-03
10 Abstract
12 This document describes one of the techniques that could be used to
13 improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a
14 technique called "QNAME minimisation", where the DNS resolver no
15 longer sends the full original QNAME to the upstream name server.
17 REMOVE BEFORE PUBLICATION Discussions of the document should take
18 place on the DNSOP working group mailing list [dnsop].
20 Status of This Memo
22 This Internet-Draft is submitted in full conformance with the
23 provisions of BCP 78 and BCP 79.
25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF). Note that other groups may also distribute
27 working documents as Internet-Drafts. The list of current Internet-
28 Drafts is at http://datatracker.ietf.org/drafts/current/.
30 Internet-Drafts are draft documents valid for a maximum of six months
31 and may be updated, replaced, or obsoleted by other documents at any
32 time. It is inappropriate to use Internet-Drafts as reference
33 material or to cite them other than as "work in progress."
35 This Internet-Draft will expire on December 9, 2015.
37 Copyright Notice
39 Copyright (c) 2015 IETF Trust and the persons identified as the
40 document authors. All rights reserved.
42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info) in effect on the date of
45 publication of this document. Please review these documents
46 carefully, as they describe your rights and restrictions with respect
47 to this document. Code Components extracted from this document must
48 include Simplified BSD License text as described in Section 4.e of
49 the Trust Legal Provisions and are provided without warranty as
50 described in the Simplified BSD License.
52 Table of Contents
54 1. Introduction and background . . . . . . . . . . . . . . . . . 2
55 2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 3
56 3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 3
57 4. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . 5
58 5. Operational considerations . . . . . . . . . . . . . . . . . 5
59 6. Performance considerations . . . . . . . . . . . . . . . . . 5
60 7. Security considerations . . . . . . . . . . . . . . . . . . . 6
61 8. Implementation status - REMOVE BEFORE PUBLICATION . . . . . . 6
62 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
63 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
64 10.1. Normative References . . . . . . . . . . . . . . . . . . 7
65 10.2. Informative References . . . . . . . . . . . . . . . . . 8
66 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9
67 Appendix A. An algorithm to find the zone cut . . . . . . . . . 9
68 Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10
69 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
71 1. Introduction and background
73 The problem statement is exposed in
74 [I-D.ietf-dprive-problem-statement] TODO: add a reference to the
75 specific section when ietf-dprive-problem-statement will be published
76 as RFC. The terminology ("QNAME", "resolver", etc) is also defined
77 in this companion document. This specific solution is not intended
78 to fully solve the DNS privacy problem; instead, it should be viewed
79 as one tool amongst many.
81 It follows the principle explained in section 6.1 of [RFC6973]: the
82 less data you send out, the fewer privacy problems you'll get.
84 Under current practice, when a resolver receives the query "What is
85 the AAAA record for www.example.com?", it sends to the root (assuming
86 a cold resolver, whose cache is empty) the very same question.
87 Sending the full QNAME to the authoritative name server is a
88 tradition, not a protocol requirement. This tradition
89 comes[mockapetris-history] from a desire to optimize the number of
90 requests, when the same name server is authoritative for many zones
91 in a given name (something which was more common in the old days,
92 where the same name servers served .com and the root) or when the
93 same name server is both recursive and authoritative (something which
94 is strongly discouraged now). Whatever the merits of this choice at
95 this time, the DNS is quite different now.
97 2. QNAME minimisation
99 The idea is to minimise the amount of data sent from the DNS resolver
100 to the authoritative name server. In the example in the previous
101 section, sending "What are the NS records for .com?" would have been
102 sufficient (since it will be the answer from the root anyway). The
103 rest of this section describes the recommended way to do QNAME
104 minimisation, the one which maximimes privacy benefits (other
105 alternatives are discussed in appendixes).
107 A resolver which implements QNAME minimisation, and which does not
108 have already the answer in its cache, instead of sending the full
109 QNAME and the original QTYPE upstream, sends a request to the name
110 server authoritative for the closest known parent of the original
111 QNAME. The request is done with:
113 the QTYPE NS,
115 the QNAME which is the original QNAME, stripped to just one label
116 more than the zone for which the server is authoritative.
118 For example, a resolver receives a request to resolve
119 foo.bar.baz.example. Let's assume it already knows that
120 ns1.nic.example is authoritative for .example and the resolver does
121 not know a more specific authoritative name server. It will send the
122 query QTYPE=NS,QNAME=baz.example to ns1.nic.example.
124 To do such minimisation, the resolver needs to know the zone cut
125 [RFC2181]. Zone cuts do not necessarily exist at every label
126 boundary. If we take the name www.foo.bar.example, it is possible
127 that there is a zone cut between "foo" and "bar" but not between
128 "bar" and "example". So, assuming the resolver already knows the
129 name servers of .example, when it receives the query "What is the
130 AAAA record of www.foo.bar.example", it does not always know whether
131 the request should be sent to the name servers of bar.example or to
132 those of example. [RFC2181] suggests a method to find the zone cut
133 (section 6), so resolvers may try it.
135 Note that DNSSEC-validating resolvers already have access to this
136 information, since they have to find the zone cut (the DNSKEY record
137 set is just below, the DS record set just above).
139 3. Possible issues
141 QNAME minimisation is legal, since the original DNS RFC do not
142 mandate sending the full QNAME. So, in theory, it should work
143 without any problems. However, in practice, some problems may occur
144 (see an analysis in [huque-qnamemin]).
146 Some broken name servers do not react properly to qtype=NS requests.
147 For instance, some authoritative name servers embedded in load
148 balancers reply properly to A queries but send REFUSED to NS queries.
149 REMOVE THIS SENTENCE BEFORE PUBLICATION: As an example of today, look
150 at www.ratp.fr (not ratp.fr). This behaviour is a gross protocol
151 violation, and there is no need to stop improving the DNS because of
152 such brokenness. However, QNAME minimisation may still work with
153 such domains since they are only leaf domains (no need to send them
154 NS requests). Such setup breaks more than just QNAME minimisation.
155 It breaks negative answers, since the servers don't return the
156 correct SOA, and it also breaks anything dependent upon NS and SOA
157 records existing at the top of the zone.
159 A problem can also appear when a name server does not react properly
160 to ENT (Empty Non-Terminals). If ent.example.com has no resource
161 records but foobar.ent.example.com does, then ent.example.com is an
162 ENT. A query, whatever the qtype, for ent.example.com must return
163 NODATA (NOERROR / ANSWER: 0). However, some broken name servers
164 return NXDOMAIN for ENTs. REMOVE THIS SENTENCE BEFORE PUBLICATION:
165 As an example of today, look at com.akadns.net or www.upenn.edu with
166 its delegations to Akamai. If a resolver queries only
167 foobar.ent.example.com, everything will be OK but, if it implements
168 QNAME minimisation, it may query ent.example.com and get a NXDOMAIN.
169 See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad
170 consequences of this brokenness.
172 Another way to deal with such broken name servers would be to try
173 with QTYPE=A requests (A being chosen because it is the most common
174 and hence a qtype which will be always accepted, while a qtype NS may
175 ruffle the feathers of some middleboxes). Instead of querying name
176 servers with a query "NS example.com", we could use "A _.example.com"
177 and see if we get a referral.
179 Other strange and non-conformant practices may pose a problem: there
180 is a common DNS anti-pattern used by low-end web hosters that also do
181 DNS hosting that exploits the fact that the DNS protocol (pre-DNSSEC)
182 allows certain serious misconfigurations, such as parent and child
183 zones disagreeing on the location of a zone cut. Basically, they
184 have a single zone with wildcards for each TLD like:
186 *.example. 60 IN A 192.0.2.6
188 (It is not known why they don't just wildcard all of "*." and be done
189 with it.)
191 This lets them turn up many web hosting customers without having to
192 configure thousands of individual zones on their nameservers. They
193 just tell the prospective customer to point their NS records at the
194 hoster's nameservers, and the Web hoster doesn't have to provision
195 anything in order to make the customer's domain resolve. NS queries
196 to the hoster will therefore do not give the right result, which may
197 endanger QNAME minimisation (it will be a problem for DNSSEC, too).
199 4. Discussion
201 QNAME minimisation is compatible with the current DNS system and
202 therefore can easily be deployed; since it is a unilateral change to
203 the resolver, it does not change the protocol. (Because of that,
204 resolver implementers may do QNAME minimisation in slightly different
205 ways, see the appendices for examples.).
207 One should note that the behaviour suggested here (minimising the
208 amount of data sent in QNAMEs from the resolver) is NOT forbidden by
209 the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). As said in
210 Section 1, the current method, sending the full QNAME, is not
211 mandated by the DNS protocol.
213 It may be noticed that many documents explaining the DNS and intended
214 for a wide audience, incorrectly describe the resolution process as
215 using QNAME minimisation, for instance by showing a request going to
216 the root, with just the TLD in the query. As a result, these
217 documents may confuse the privacy analysis of the users who see them.
219 5. Operational considerations
221 The administrators of the forwarders, and of the authoritative name
222 servers, will get less data, which will reduce the utility of the
223 statistics they can produce (such as the percentage of the various
224 QTYPEs) [kaliski-minimum].
226 DNS administrators are reminded that the data on DNS requests that
227 they store may have legal consequences, depending on your
228 jurisdiction (check with your local lawyer).
230 6. Performance considerations
232 The main goal of QNAME minimisation is to improve privacy by sending
233 less data. However, it may have other advantages. For instance, if
234 a root name server receives a query from some resolver for A.example
235 followed by B.example followed by C.example, the result will be three
236 NXDOMAINs, since .example does not exist in the root zone. Under
237 query name minimisation, the root name servers would hear only one
238 question (for .example itself) to which they could answer NXDOMAIN,
239 thus opening up a negative caching opportunity in which the full
240 resolver could know a priori that neither B.example or C.example
241 could exist. Thus in this common case the total number of upstream
242 queries under QNAME minimisation would be counter-intuitively less
243 than the number of queries under the traditional iteration (as
244 described in the DNS standard).
246 QNAME minimisation may also improve look-up performance for TLD
247 operators. For a typical TLD, delegation-only, and with delegations
248 just under the TLD, a 2-label QNAME query is optimal for finding the
249 delegation owner name.
251 QNAME minimisation can decrease performance in some cases, for
252 instance for a deep domain name (like
253 www.host.group.department.example.com where
254 host.group.department.example.com is hosted on example.com's name
255 servers). For such a name, a cold resolver will, depending how QNAME
256 minimisation is implemented, send more queries. Once the cache is
257 warm, there will be no difference with a traditional resolver. A
258 possible solution is to always use the traditional algorithm when the
259 cache is cold and then to move to QNAME minimisation. This will
260 decrease the privacy a bit but will guarantee no degradation of
261 performance. Actual testing is described in [huque-qnamemin]. Such
262 deep domains are specially common under ip6.arpa.
264 7. Security considerations
266 QNAME minimisation's benefits are clear in the case where you want to
267 decrease exposure to the authoritative name server. But minimising
268 the amount of data sent also, in part, addresses the case of a wire
269 sniffer as well the case of privacy invasion by the servers.
270 (Encryption is of course a better defense against wire sniffers but,
271 unlike QNAME minimisation, it changes the protocol and cannot be
272 deployed unilaterally. Also, the effect of QNAME minimisation on
273 wire sniffers depend on whether the sniffer is, on the DNS path.)
275 QNAME minimisation offers zero protection against the recursive
276 resolver, which still sees the full request coming from the stub
277 resolver.
279 8. Implementation status - REMOVE BEFORE PUBLICATION
281 This section records the status of known implementations of the
282 protocol defined by this specification at the time of posting of this
283 Internet-Draft, and is based on a proposal described in [RFC6982].
284 The description of implementations in this section is intended to
285 assist the IETF in its decision processes in progressing drafts to
286 RFCs. Please note that the listing of any individual implementation
287 here does not imply endorsement by the IETF. Furthermore, no effort
288 has been spent to verify the information presented here that was
289 supplied by IETF contributors. This is not intended as, and must not
290 be construed to be, a catalog of available implementations or their
291 features. Readers are advised to note that other implementations may
292 exist.
294 According to [RFC6982], "this will allow reviewers and working groups
295 to assign due consideration to documents that have the benefit of
296 running code, which may serve as evidence of valuable experimentation
297 and feedback that have made the implemented protocols more mature.
298 It is up to the individual working groups to use this information as
299 they see fit".
301 As of today, no production resolver implements QNAME minimisation but
302 it has been publically announced for the future Knot DNS resolver
303 [1]. For Unbound, see ticket 648 [2] and for PowerDNS [3].
305 The algorithm to find the zone cuts described in Appendix A is
306 implemented with QNAME minimisation in the sample code zonecut.go
307 [4]. It is also implemented, for a much longer time, in an option of
308 dig, "dig +trace", but without QNAME minimisation.
310 Another implementation was done by Shumon Huque for testing, and is
311 described in [huque-qnamemin].
313 9. Acknowledgments
315 Thanks to Olaf Kolkman for the original idea although the concept is
316 probably much older [5]. Thanks for Shumon Huque for implementation
317 and testing. Thanks to Mark Andrews and Francis Dupont for the
318 interesting discussions. Thanks to Brian Dickson, Warren Kumari,
319 Evan Hunt and David Conrad for remarks and suggestions. Thanks to
320 Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone
321 cut algorithm in Appendix A. Thanks to Paul Vixie for pointing out
322 that there are practical advantages (besides privacy) to QNAME
323 minimisation. Thanks to Phillip Hallam-Baker for the fallback on A
324 queries, to deal with broken servers. Thanks to Robert Edmonds for
325 an interesting anti-pattern.
327 10. References
329 10.1. Normative References
331 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
332 STD 13, RFC 1034, November 1987.
334 [RFC1035] Mockapetris, P., "Domain names - implementation and
335 specification", STD 13, RFC 1035, November 1987.
337 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
338 Morris, J., Hansen, M., and R. Smith, "Privacy
339 Considerations for Internet Protocols", RFC 6973, July
340 2013.
342 [I-D.ietf-dprive-problem-statement]
343 Bortzmeyer, S., "DNS privacy considerations", draft-ietf-
344 dprive-problem-statement-05 (work in progress), May 2015.
346 10.2. Informative References
348 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
349 Specification", RFC 2181, July 1997.
351 [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
352 Code: The Implementation Status Section", RFC 6982, July
353 2013.
355 [I-D.wkumari-dnsop-hammer]
356 Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly
357 Automated Method for Maintaining Expiring Records", draft-
358 wkumari-dnsop-hammer-01 (work in progress), July 2014.
360 [I-D.vixie-dnsext-resimprove]
361 Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS
362 Resolvers for Resiliency, Robustness, and Responsiveness",
363 draft-vixie-dnsext-resimprove-00 (work in progress), June
364 2010.
366 [dnsop] IETF, , "The DNSOP working group of IETF", March 2014,
367 .
369 [mockapetris-history]
370 Mockapetris, P., "Private discussion", January 2015.
372 [kaliski-minimum]
373 Kaliski, B., "Minimum Disclosure: What Information Does a
374 Name Server Need to Do Its Job?", March 2015,
375 .
378 [huque-qnamemin]
379 Huque, S., "Query name minimization and authoritative
380 server behavior", May 2015, .
383 [huque-qnamestorify]
384 Huque, S., "Qname Minimization @ DNS-OARC", May 2015,
385 .
387 10.3. URIs
389 [1] https://ripe70.ripe.net/presentations/121-knot-resolver-
390 ripe70.pdf
392 [2] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=648
394 [3] https://github.com/PowerDNS/pdns/issues/2311
396 [4] https://github.com/bortzmeyer/my-IETF-work/blob/master/draft-
397 ietf-dnsop-QNAME-minimisation/zonecut.go
399 [5] https://lists.dns-oarc.net/pipermail/dns-
400 operations/2010-February/005003.html
402 Appendix A. An algorithm to find the zone cut
404 Although a validating resolver already has the logic to find the zone
405 cut, other resolvers may be interested by this algorithm to follow in
406 order to locate this cut:
408 (0) If the query can be answered from the cache, do so, otherwise
409 iterate as follows:
411 (1) Find closest enclosing NS RRset in your cache. The owner of
412 this NS RRset will be a suffix of the QNAME - the longest suffix
413 of any NS RRset in the cache. Call this PARENT.
415 (2) Initialize CHILD to the same as PARENT.
417 (3) If CHILD is the same as the QNAME, resolve the original query
418 using PARENT's name servers, and finish.
420 (4) Otherwise, add a label from the QNAME to the start of CHILD.
422 (5) If you have a negative cache entry for the NS RRset at CHILD,
423 go back to step 3.
425 (6) Query for CHILD IN NS using PARENT's name servers. The
426 response can be:
428 (6a) A referral. Cache the NS RRset from the authority section
429 and go back to step 1.
431 (6b) An authoritative answer. Cache the NS RRset from the
432 answer section and go back to step 1.
434 (6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response
435 to the original query and stop.
437 (6d) A NOERROR/NODATA answer. Cache this negative answer and
438 go back to step 3.
440 Appendix B. Alternatives
442 Remember that QNAME minimisation is unilateral so a resolver is not
443 forced to implement it exactly as described here.
445 There are several ways to perform QNAME minimisation. The one in
446 Section 2 is the suggested one. It can be called the aggressive
447 algorithm, since the resolver only sends NS queries as long as it
448 does not know the zone cuts. This is the safest, from a privacy
449 point of view. Another possible algorithm, not fully studied at this
450 time, could be to "piggyback" on the traditional resolution code. At
451 startup, it sends traditional full QNAMEs and learns the zone cuts
452 from the referrals received, then switches to NS queries asking only
453 for the minimum domain name. This leaks more data but could require
454 fewer changes in the existing resolver codebase.
456 In the above specification, the original QTYPE is replaced by NS (or
457 may be A, if too many servers react incorrectly to NS requests),
458 which is the best approach to preserve privacy. But this erases
459 information about the relative use of the various QTYPEs, which may
460 be interesting for researchers (for instance if they try to follow
461 IPv6 deployment by counting the percentage of AAAA vs. A queries). A
462 variant of QNAME minimisation would be to keep the original QTYPE.
464 Another useful optimisation may be, in the spirit of the HAMMER idea
465 [I-D.wkumari-dnsop-hammer] to probe in advance for the introduction
466 of zone cuts where none previously existed (i.e. confirm their
467 continued absence, or discover them.)
469 Author's Address
470 Stephane Bortzmeyer
471 AFNIC
472 1, rue Stephenson
473 Montigny-le-Bretonneux 78180
474 France
476 Phone: +33 1 39 30 83 46
477 Email: bortzmeyer+ietf@nic.fr
478 URI: http://www.afnic.fr/