idnits 2.17.1
draft-ietf-dnsop-qname-minimisation-04.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
** The abstract seems to contain references
([I-D.ietf-dprive-problem-statement]), which it shouldn't. Please
replace those with straight textual mentions of the documents in question.
== There are 2 instances of lines with non-RFC2606-compliant FQDNs in the
document.
-- The document has examples using IPv4 documentation addresses according
to RFC6890, but does not use any IPv6 documentation addresses. Maybe
there should be IPv6 examples, too?
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (June 19, 2015) is 3234 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 401
-- Looks like a reference, but probably isn't: '2' on line 404
-- Looks like a reference, but probably isn't: '3' on line 406
-- Looks like a reference, but probably isn't: '4' on line 408
-- Looks like a reference, but probably isn't: '5' on line 411
-- Obsolete informational reference (is this intentional?): RFC 6982
(Obsoleted by RFC 7942)
== Outdated reference: A later version (-03) exists of
draft-wkumari-dnsop-hammer-01
Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 8 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Domain Name System Operations (dnsop) Working Group S. Bortzmeyer
3 Internet-Draft AFNIC
4 Intended status: Experimental June 19, 2015
5 Expires: December 21, 2015
7 DNS query name minimisation to improve privacy
8 draft-ietf-dnsop-qname-minimisation-04
10 Abstract
12 This document describes one of the techniques that could be used to
13 improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a
14 technique called "QNAME minimisation", where the DNS resolver no
15 longer sends the full original QNAME to the upstream name server.
17 REMOVE BEFORE PUBLICATION Discussions of the document should take
18 place on the DNSOP working group mailing list [dnsop].
20 Status of This Memo
22 This Internet-Draft is submitted in full conformance with the
23 provisions of BCP 78 and BCP 79.
25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF). Note that other groups may also distribute
27 working documents as Internet-Drafts. The list of current Internet-
28 Drafts is at http://datatracker.ietf.org/drafts/current/.
30 Internet-Drafts are draft documents valid for a maximum of six months
31 and may be updated, replaced, or obsoleted by other documents at any
32 time. It is inappropriate to use Internet-Drafts as reference
33 material or to cite them other than as "work in progress."
35 This Internet-Draft will expire on December 21, 2015.
37 Copyright Notice
39 Copyright (c) 2015 IETF Trust and the persons identified as the
40 document authors. All rights reserved.
42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info) in effect on the date of
45 publication of this document. Please review these documents
46 carefully, as they describe your rights and restrictions with respect
47 to this document. Code Components extracted from this document must
48 include Simplified BSD License text as described in Section 4.e of
49 the Trust Legal Provisions and are provided without warranty as
50 described in the Simplified BSD License.
52 Table of Contents
54 1. Introduction and background . . . . . . . . . . . . . . . . . 2
55 2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 3
56 3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 4
57 4. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . 5
58 5. Operational considerations . . . . . . . . . . . . . . . . . 5
59 6. Performance considerations . . . . . . . . . . . . . . . . . 5
60 7. Security considerations . . . . . . . . . . . . . . . . . . . 6
61 8. Implementation status - REMOVE BEFORE PUBLICATION . . . . . . 7
62 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
63 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
64 10.1. Normative References . . . . . . . . . . . . . . . . . . 8
65 10.2. Informative References . . . . . . . . . . . . . . . . . 8
66 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9
67 Appendix A. An algorithm to find the zone cut . . . . . . . . . 9
68 Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10
69 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
71 1. Introduction and background
73 The problem statement is exposed in
74 [I-D.ietf-dprive-problem-statement] TODO: add a reference to the
75 specific section when ietf-dprive-problem-statement will be published
76 as RFC. The terminology ("QNAME", "resolver", etc) is also defined
77 in this companion document. This specific solution is not intended
78 to fully solve the DNS privacy problem; instead, it should be viewed
79 as one tool amongst many.
81 It follows the principle explained in section 6.1 of [RFC6973]: the
82 less data you send out, the fewer privacy problems you'll get.
84 Under current practice, when a resolver receives the query "What is
85 the AAAA record for www.example.com?", it sends to the root (assuming
86 a cold resolver, whose cache is empty) the very same question.
87 Sending the full QNAME to the authoritative name server is a
88 tradition, not a protocol requirement. This tradition
89 comes[mockapetris-history] from a desire to optimize the number of
90 requests, when the same name server is authoritative for many zones
91 in a given name (something which was more common in the old days,
92 where the same name servers served .com and the root) or when the
93 same name server is both recursive and authoritative (something which
94 is strongly discouraged now). Whatever the merits of this choice at
95 this time, the DNS is quite different now.
97 2. QNAME minimisation
99 The idea is to minimise the amount of data sent from the DNS resolver
100 to the authoritative name server. In the example in the previous
101 section, sending "What are the NS records for .com?" would have been
102 sufficient (since it will be the answer from the root anyway). The
103 rest of this section describes the recommended way to do QNAME
104 minimisation, the one which maximimes privacy benefits (other
105 alternatives are discussed in appendixes).
107 A resolver which implements QNAME minimisation, and which does not
108 have already the answer in its cache, instead of sending the full
109 QNAME and the original QTYPE upstream, sends a request to the name
110 server authoritative for the closest known parent of the original
111 QNAME. The request is done with:
113 the QTYPE NS,
115 the QNAME which is the original QNAME, stripped to just one label
116 more than the zone for which the server is authoritative.
118 For example, a resolver receives a request to resolve
119 foo.bar.baz.example. Let's assume it already knows that
120 ns1.nic.example is authoritative for .example and the resolver does
121 not know a more specific authoritative name server. It will send the
122 query QTYPE=NS,QNAME=baz.example to ns1.nic.example.
124 The minimising resolver works perfectly when it knows the zone cut
125 [RFC2181] (section 6). But zone cuts do not necessarily exist at
126 every label boundary. If we take the name www.foo.bar.example, it is
127 possible that there is a zone cut between "foo" and "bar" but not
128 between "bar" and "example". So, assuming the resolver already knows
129 the name servers of .example, when it receives the query "What is the
130 AAAA record of www.foo.bar.example", it does not always know where
131 the zone cut will be. To find it out, it will query the .example
132 name servers for the NS records for bar.example. It will get a
133 NODATA response, indicating there is no zone cut at that point, so it
134 has to to query the .example name servers again with one more label,
135 and so on. (Appendix A describes this algorithm in deeper details.)
137 Since the information about the zone cuts will be stored in the
138 resolver's cache, the performance cost is probably reasonable.
139 Section 6 discusses this performance discrepancy further.
141 Note that DNSSEC-validating resolvers already have access to this
142 information, since they have to know the zone cut (the DNSKEY record
143 set is just below, the DS record set just above).
145 3. Possible issues
147 QNAME minimisation is legal, since the original DNS RFC do not
148 mandate sending the full QNAME. So, in theory, it should work
149 without any problems. However, in practice, some problems may occur
150 (see an analysis in [huque-qnamemin]).
152 Some broken name servers do not react properly to qtype=NS requests.
153 For instance, some authoritative name servers embedded in load
154 balancers reply properly to A queries but send REFUSED to NS queries.
155 REMOVE THIS SENTENCE BEFORE PUBLICATION: As an example of today, look
156 at www.ratp.fr (not ratp.fr). This behaviour is a gross protocol
157 violation, and there is no need to stop improving the DNS because of
158 such brokenness. However, QNAME minimisation may still work with
159 such domains since they are only leaf domains (no need to send them
160 NS requests). Such setup breaks more than just QNAME minimisation.
161 It breaks negative answers, since the servers don't return the
162 correct SOA, and it also breaks anything dependent upon NS and SOA
163 records existing at the top of the zone.
165 A problem can also appear when a name server does not react properly
166 to ENT (Empty Non-Terminals). If ent.example.com has no resource
167 records but foobar.ent.example.com does, then ent.example.com is an
168 ENT. A query, whatever the qtype, for ent.example.com must return
169 NODATA (NOERROR / ANSWER: 0). However, some broken name servers
170 return NXDOMAIN for ENTs. REMOVE THIS SENTENCE BEFORE PUBLICATION:
171 As an example of today, look at com.akadns.net or www.upenn.edu with
172 its delegations to Akamai. If a resolver queries only
173 foobar.ent.example.com, everything will be OK but, if it implements
174 QNAME minimisation, it may query ent.example.com and get a NXDOMAIN.
175 See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad
176 consequences of this brokenness.
178 Another way to deal with such broken name servers would be to try
179 with QTYPE=A requests (A being chosen because it is the most common
180 and hence a qtype which will be always accepted, while a qtype NS may
181 ruffle the feathers of some middleboxes). Instead of querying name
182 servers with a query "NS example.com", we could use "A _.example.com"
183 and see if we get a referral.
185 Other strange and non-conformant practices may pose a problem: there
186 is a common DNS anti-pattern used by low-end web hosters that also do
187 DNS hosting that exploits the fact that the DNS protocol (pre-DNSSEC)
188 allows certain serious misconfigurations, such as parent and child
189 zones disagreeing on the location of a zone cut. Basically, they
190 have a single zone with wildcards for each TLD like:
192 *.example. 60 IN A 192.0.2.6
193 (It is not known why they don't just wildcard all of "*." and be done
194 with it.)
196 This lets them turn up many web hosting customers without having to
197 configure thousands of individual zones on their nameservers. They
198 just tell the prospective customer to point their NS records at the
199 hoster's nameservers, and the Web hoster doesn't have to provision
200 anything in order to make the customer's domain resolve. NS queries
201 to the hoster will therefore do not give the right result, which may
202 endanger QNAME minimisation (it will be a problem for DNSSEC, too).
204 4. Discussion
206 QNAME minimisation is compatible with the current DNS system and
207 therefore can easily be deployed; since it is a unilateral change to
208 the resolver, it does not change the protocol. (Because it is an
209 unilateral change, resolver implementers may do QNAME minimisation in
210 slightly different ways, see the appendices for examples.)
212 One should note that the behaviour suggested here (minimising the
213 amount of data sent in QNAMEs from the resolver) is NOT forbidden by
214 the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). As said in
215 Section 1, the current method, sending the full QNAME, is not
216 mandated by the DNS protocol.
218 It may be noticed that many documents explaining the DNS and intended
219 for a wide audience, incorrectly describe the resolution process as
220 using QNAME minimisation, for instance by showing a request going to
221 the root, with just the TLD in the query. As a result, these
222 documents may confuse the privacy analysis of the users who see them.
224 5. Operational considerations
226 The administrators of the forwarders, and of the authoritative name
227 servers, will get less data, which will reduce the utility of the
228 statistics they can produce (such as the percentage of the various
229 QTYPEs) [kaliski-minimum].
231 DNS administrators are reminded that the data on DNS requests that
232 they store may have legal consequences, depending on your
233 jurisdiction (check with your local lawyer).
235 6. Performance considerations
237 The main goal of QNAME minimisation is to improve privacy by sending
238 less data. However, it may have other advantages. For instance, if
239 a root name server receives a query from some resolver for A.example
240 followed by B.example followed by C.example, the result will be three
241 NXDOMAINs, since .example does not exist in the root zone. Under
242 query name minimisation, the root name servers would hear only one
243 question (for .example itself) to which they could answer NXDOMAIN,
244 thus opening up a negative caching opportunity in which the full
245 resolver could know a priori that neither B.example or C.example
246 could exist. Thus in this common case the total number of upstream
247 queries under QNAME minimisation would be counter-intuitively less
248 than the number of queries under the traditional iteration (as
249 described in the DNS standard).
251 QNAME minimisation may also improve look-up performance for TLD
252 operators. For a typical TLD, delegation-only, and with delegations
253 just under the TLD, a 2-label QNAME query is optimal for finding the
254 delegation owner name.
256 QNAME minimisation can decrease performance in some cases, for
257 instance for a deep domain name (like
258 www.host.group.department.example.com where
259 host.group.department.example.com is hosted on example.com's name
260 servers). Let's assume a resolver which knows only the name servers
261 of .example. Without QNAME minimisation, it would send these
262 .example nameservers a query for
263 www.host.group.department.example.com and immediately get a specific
264 referral or an answer, without the need for more queries to probe for
265 the zone cut. For such a name, a cold resolver with QNAME
266 minimisation will, depending how QNAME minimisation is implemented,
267 send more queries, one per label. Once the cache is warm, there will
268 be no difference with a traditional resolver. A possible solution is
269 to always use the traditional algorithm when the cache is cold and
270 then to move to QNAME minimisation. This will decrease the privacy a
271 bit but will guarantee no degradation of performance. Actual testing
272 is described in [huque-qnamemin]. Such deep domains are specially
273 common under ip6.arpa.
275 7. Security considerations
277 QNAME minimisation's benefits are clear in the case where you want to
278 decrease exposure to the authoritative name server. But minimising
279 the amount of data sent also, in part, addresses the case of a wire
280 sniffer as well the case of privacy invasion by the servers.
281 (Encryption is of course a better defense against wire sniffers but,
282 unlike QNAME minimisation, it changes the protocol and cannot be
283 deployed unilaterally. Also, the effect of QNAME minimisation on
284 wire sniffers depend on whether the sniffer is, on the DNS path.)
286 QNAME minimisation offers zero protection against the recursive
287 resolver, which still sees the full request coming from the stub
288 resolver.
290 8. Implementation status - REMOVE BEFORE PUBLICATION
292 This section records the status of known implementations of the
293 protocol defined by this specification at the time of posting of this
294 Internet-Draft, and is based on a proposal described in [RFC6982].
295 The description of implementations in this section is intended to
296 assist the IETF in its decision processes in progressing drafts to
297 RFCs. Please note that the listing of any individual implementation
298 here does not imply endorsement by the IETF. Furthermore, no effort
299 has been spent to verify the information presented here that was
300 supplied by IETF contributors. This is not intended as, and must not
301 be construed to be, a catalog of available implementations or their
302 features. Readers are advised to note that other implementations may
303 exist.
305 According to [RFC6982], "this will allow reviewers and working groups
306 to assign due consideration to documents that have the benefit of
307 running code, which may serve as evidence of valuable experimentation
308 and feedback that have made the implemented protocols more mature.
309 It is up to the individual working groups to use this information as
310 they see fit".
312 As of today, no production resolver implements QNAME minimisation but
313 it has been publically announced for the future Knot DNS resolver
314 [1]. For Unbound, see ticket 648 [2] and for PowerDNS [3].
316 The algorithm to find the zone cuts described in Appendix A is
317 implemented with QNAME minimisation in the sample code zonecut.go
318 [4]. It is also implemented, for a much longer time, in an option of
319 dig, "dig +trace", but without QNAME minimisation.
321 Another implementation was done by Shumon Huque for testing, and is
322 described in [huque-qnamemin].
324 9. Acknowledgments
326 Thanks to Olaf Kolkman for the original idea although the concept is
327 probably much older [5]. Thanks for Shumon Huque for implementation
328 and testing. Thanks to Mark Andrews and Francis Dupont for the
329 interesting discussions. Thanks to Brian Dickson, Warren Kumari,
330 Evan Hunt and David Conrad for remarks and suggestions. Thanks to
331 Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone
332 cut algorithm in Appendix A and for discussion of the algorithm.
333 Thanks to Paul Vixie for pointing out that there are practical
334 advantages (besides privacy) to QNAME minimisation. Thanks to
335 Phillip Hallam-Baker for the fallback on A queries, to deal with
336 broken servers. Thanks to Robert Edmonds for an interesting anti-
337 pattern.
339 10. References
341 10.1. Normative References
343 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
344 STD 13, RFC 1034, November 1987.
346 [RFC1035] Mockapetris, P., "Domain names - implementation and
347 specification", STD 13, RFC 1035, November 1987.
349 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
350 Morris, J., Hansen, M., and R. Smith, "Privacy
351 Considerations for Internet Protocols", RFC 6973, July
352 2013.
354 [I-D.ietf-dprive-problem-statement]
355 Bortzmeyer, S., "DNS privacy considerations", draft-ietf-
356 dprive-problem-statement-06 (work in progress), June 2015.
358 10.2. Informative References
360 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
361 Specification", RFC 2181, July 1997.
363 [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
364 Code: The Implementation Status Section", RFC 6982, July
365 2013.
367 [I-D.wkumari-dnsop-hammer]
368 Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly
369 Automated Method for Maintaining Expiring Records", draft-
370 wkumari-dnsop-hammer-01 (work in progress), July 2014.
372 [I-D.vixie-dnsext-resimprove]
373 Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS
374 Resolvers for Resiliency, Robustness, and Responsiveness",
375 draft-vixie-dnsext-resimprove-00 (work in progress), June
376 2010.
378 [dnsop] IETF, , "The DNSOP working group of IETF", March 2014,
379 .
381 [mockapetris-history]
382 Mockapetris, P., "Private discussion", January 2015.
384 [kaliski-minimum]
385 Kaliski, B., "Minimum Disclosure: What Information Does a
386 Name Server Need to Do Its Job?", March 2015,
387 .
390 [huque-qnamemin]
391 Huque, S., "Query name minimization and authoritative
392 server behavior", May 2015, .
395 [huque-qnamestorify]
396 Huque, S., "Qname Minimization @ DNS-OARC", May 2015,
397 .
399 10.3. URIs
401 [1] https://ripe70.ripe.net/presentations/121-knot-resolver-
402 ripe70.pdf
404 [2] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=648
406 [3] https://github.com/PowerDNS/pdns/issues/2311
408 [4] https://github.com/bortzmeyer/my-IETF-work/blob/master/draft-
409 ietf-dnsop-QNAME-minimisation/zonecut.go
411 [5] https://lists.dns-oarc.net/pipermail/dns-
412 operations/2010-February/005003.html
414 Appendix A. An algorithm to find the zone cut
416 Although a validating resolver already has the logic to find the zone
417 cut, other resolvers may be interested by this algorithm to follow in
418 order to locate this cut:
420 (0) If the query can be answered from the cache, do so, otherwise
421 iterate as follows:
423 (1) Find closest enclosing NS RRset in your cache. The owner of
424 this NS RRset will be a suffix of the QNAME - the longest suffix
425 of any NS RRset in the cache. Call this PARENT.
427 (2) Initialize CHILD to the same as PARENT.
429 (3) If CHILD is the same as the QNAME, resolve the original query
430 using PARENT's name servers, and finish.
432 (4) Otherwise, add a label from the QNAME to the start of CHILD.
434 (5) If you have a negative cache entry for the NS RRset at CHILD,
435 go back to step 3.
437 (6) Query for CHILD IN NS using PARENT's name servers. The
438 response can be:
440 (6a) A referral. Cache the NS RRset from the authority section
441 and go back to step 1.
443 (6b) An authoritative answer. Cache the NS RRset from the
444 answer section and go back to step 1.
446 (6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response
447 to the original query and stop.
449 (6d) A NOERROR/NODATA answer. Cache this negative answer and
450 go back to step 3.
452 Appendix B. Alternatives
454 Remember that QNAME minimisation is unilateral so a resolver is not
455 forced to implement it exactly as described here.
457 There are several ways to perform QNAME minimisation. The one in
458 Section 2 is the suggested one. It can be called the aggressive
459 algorithm, since the resolver only sends NS queries as long as it
460 does not know the zone cuts. This is the safest, from a privacy
461 point of view. Another possible algorithm, not fully studied at this
462 time, could be to "piggyback" on the traditional resolution code. At
463 startup, it sends traditional full QNAMEs and learns the zone cuts
464 from the referrals received, then switches to NS queries asking only
465 for the minimum domain name. This leaks more data but could require
466 fewer changes in the existing resolver codebase.
468 In the above specification, the original QTYPE is replaced by NS (or
469 may be A, if too many servers react incorrectly to NS requests),
470 which is the best approach to preserve privacy. But this erases
471 information about the relative use of the various QTYPEs, which may
472 be interesting for researchers (for instance if they try to follow
473 IPv6 deployment by counting the percentage of AAAA vs. A queries). A
474 variant of QNAME minimisation would be to keep the original QTYPE.
476 Another useful optimisation may be, in the spirit of the HAMMER idea
477 [I-D.wkumari-dnsop-hammer] to probe in advance for the introduction
478 of zone cuts where none previously existed (i.e. confirm their
479 continued absence, or discover them.)
481 Author's Address
483 Stephane Bortzmeyer
484 AFNIC
485 1, rue Stephenson
486 Montigny-le-Bretonneux 78180
487 France
489 Phone: +33 1 39 30 83 46
490 Email: bortzmeyer+ietf@nic.fr
491 URI: http://www.afnic.fr/