idnits 2.17.1 draft-ietf-dnsop-qname-minimisation-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The abstract seems to contain references ([I-D.ietf-dprive-problem-statement]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 1, 2015) is 3189 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 393 -- Looks like a reference, but probably isn't: '2' on line 396 -- Looks like a reference, but probably isn't: '3' on line 398 -- Looks like a reference, but probably isn't: '4' on line 400 -- Looks like a reference, but probably isn't: '5' on line 403 -- Obsolete informational reference (is this intentional?): RFC 6982 (Obsoleted by RFC 7942) == Outdated reference: A later version (-03) exists of draft-wkumari-dnsop-hammer-01 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Domain Name System Operations (dnsop) Working Group S. Bortzmeyer 3 Internet-Draft AFNIC 4 Intended status: Experimental August 1, 2015 5 Expires: February 2, 2016 7 DNS query name minimisation to improve privacy 8 draft-ietf-dnsop-qname-minimisation-05 10 Abstract 12 This document describes one of the techniques that could be used to 13 improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a 14 technique called "QNAME minimisation", where the DNS resolver no 15 longer sends the full original QNAME to the upstream name server. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on February 2, 2016. 34 Copyright Notice 36 Copyright (c) 2015 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction and background . . . . . . . . . . . . . . . . . 2 52 2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 2 53 3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 3 54 4. Protocol and compatibility discussion . . . . . . . . . . . . 5 55 5. Operational considerations . . . . . . . . . . . . . . . . . 5 56 6. Performance considerations . . . . . . . . . . . . . . . . . 5 57 7. Security considerations . . . . . . . . . . . . . . . . . . . 6 58 8. Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION 6 59 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 60 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 61 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 62 10.2. Informative References . . . . . . . . . . . . . . . . . 8 63 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 Appendix A. An algorithm to find the zone cut . . . . . . . . . 9 65 Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10 66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 68 1. Introduction and background 70 The problem statement is exposed in 71 [I-D.ietf-dprive-problem-statement]. The terminology ("QNAME", 72 "resolver", etc) is also defined in this companion document. This 73 specific solution is not intended to fully solve the DNS privacy 74 problem; instead, it should be viewed as one tool amongst many. 76 It follows the principle explained in section 6.1 of [RFC6973]: the 77 less data you send out, the fewer privacy problems you'll get. 79 Under current practice, when a resolver receives the query "What is 80 the AAAA record for www.example.com?", it sends to the root (assuming 81 a cold resolver, whose cache is empty) the very same question. 82 Sending the full QNAME to the authoritative name server is a 83 tradition, not a protocol requirement. This tradition 84 comes[mockapetris-history] from a desire to optimize the number of 85 requests, when the same name server is authoritative for many zones 86 in a given name (something which was more common in the old days, 87 where the same name servers served .com and the root) or when the 88 same name server is both recursive and authoritative (something which 89 is strongly discouraged now). Whatever the merits of this choice at 90 this time, the DNS is quite different now. 92 2. QNAME minimisation 94 The idea is to minimise the amount of data sent from the DNS resolver 95 to the authoritative name server. In the example in the previous 96 section, sending "What are the NS records for .com?" would have been 97 sufficient (since it will be the answer from the root anyway). The 98 rest of this section describes the recommended way to do QNAME 99 minimisation, the one which maximimes privacy benefits (other 100 alternatives are discussed in appendixes). 102 A resolver which implements QNAME minimisation, and which does not 103 have already the answer in its cache, instead of sending the full 104 QNAME and the original QTYPE upstream, sends a request to the name 105 server authoritative for the closest known parent of the original 106 QNAME. The request is done with: 108 the QTYPE NS, 110 the QNAME which is the original QNAME, stripped to just one label 111 more than the zone for which the server is authoritative. 113 For example, a resolver receives a request to resolve 114 foo.bar.baz.example. Let's assume it already knows that 115 ns1.nic.example is authoritative for .example and the resolver does 116 not know a more specific authoritative name server. It will send the 117 query QTYPE=NS,QNAME=baz.example to ns1.nic.example. 119 The minimising resolver works perfectly when it knows the zone cut 120 [RFC2181] (section 6). But zone cuts do not necessarily exist at 121 every label boundary. If we take the name www.foo.bar.example, it is 122 possible that there is a zone cut between "foo" and "bar" but not 123 between "bar" and "example". So, assuming the resolver already knows 124 the name servers of .example, when it receives the query "What is the 125 AAAA record of www.foo.bar.example", it does not always know where 126 the zone cut will be. To find it out, it will query the .example 127 name servers for the NS records for bar.example. It will get a 128 NODATA response, indicating there is no zone cut at that point, so it 129 has to to query the .example name servers again with one more label, 130 and so on. (Appendix A describes this algorithm in deeper details.) 132 Since the information about the zone cuts will be stored in the 133 resolver's cache, the performance cost is probably reasonable. 134 Section 6 discusses this performance discrepancy further. 136 Note that DNSSEC-validating resolvers already have access to this 137 information, since they have to know the zone cut (the DNSKEY record 138 set is just below, the DS record set just above). 140 3. Possible issues 142 QNAME minimisation is legal, since the original DNS RFC do not 143 mandate sending the full QNAME. So, in theory, it should work 144 without any problems. However, in practice, some problems may occur 145 (see an analysis in [huque-qnamemin]). 147 Some broken name servers do not react properly to qtype=NS requests. 148 For instance, some authoritative name servers embedded in load 149 balancers reply properly to A queries but send REFUSED to NS queries. 150 This behaviour is a gross protocol violation, and there is no need to 151 stop improving the DNS because of such brokenness. However, QNAME 152 minimisation may still work with such domains since they are only 153 leaf domains (no need to send them NS requests). Such setup breaks 154 more than just QNAME minimisation. It breaks negative answers, since 155 the servers don't return the correct SOA, and it also breaks anything 156 dependent upon NS and SOA records existing at the top of the zone. 158 Another way to deal with such broken name servers would be to try 159 with QTYPE=A requests (A being chosen because it is the most common 160 and hence a qtype which will be always accepted, while a qtype NS may 161 ruffle the feathers of some middleboxes). Instead of querying name 162 servers with a query "NS example.com", we could use "A _.example.com" 163 and see if we get a referral. 165 A problem can also appear when a name server does not react properly 166 to ENT (Empty Non-Terminals). If ent.example.com has no resource 167 records but foobar.ent.example.com does, then ent.example.com is an 168 ENT. A query, whatever the qtype, for ent.example.com must return 169 NODATA (NOERROR / ANSWER: 0). However, some broken name servers 170 return NXDOMAIN for ENTs. If a resolver queries only 171 foobar.ent.example.com, everything will be OK but, if it implements 172 QNAME minimisation, it may query ent.example.com and get a NXDOMAIN. 173 See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad 174 consequences of this brokenness. 176 Other strange and non-conformant practices may pose a problem: there 177 is a common DNS anti-pattern used by low-end web hosters that also do 178 DNS hosting that exploits the fact that the DNS protocol (pre-DNSSEC) 179 allows certain serious misconfigurations, such as parent and child 180 zones disagreeing on the location of a zone cut. Basically, they 181 have a single zone with wildcards for each TLD like: 183 *.example. 60 IN A 192.0.2.6 185 (It is not known why they don't just wildcard all of "*." and be done 186 with it.) 188 This lets them turn up many web hosting customers without having to 189 configure thousands of individual zones on their nameservers. They 190 just tell the prospective customer to point their NS records at the 191 hoster's nameservers, and the Web hoster doesn't have to provision 192 anything in order to make the customer's domain resolve. NS queries 193 to the hoster will therefore do not give the right result, which may 194 endanger QNAME minimisation (it will be a problem for DNSSEC, too). 196 4. Protocol and compatibility discussion 198 QNAME minimisation is compatible with the current DNS system and 199 therefore can easily be deployed; since it is a unilateral change to 200 the resolver, it does not change the protocol. (Because it is an 201 unilateral change, resolver implementers may do QNAME minimisation in 202 slightly different ways, see the appendices for examples.) 204 One should note that the behaviour suggested here (minimising the 205 amount of data sent in QNAMEs from the resolver) is NOT forbidden by 206 the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). As said in 207 Section 1, the current method, sending the full QNAME, is not 208 mandated by the DNS protocol. 210 It may be noticed that many documents explaining the DNS and intended 211 for a wide audience, incorrectly describe the resolution process as 212 using QNAME minimisation, for instance by showing a request going to 213 the root, with just the TLD in the query. As a result, these 214 documents may confuse the privacy analysis of the users who see them. 216 5. Operational considerations 218 The administrators of the forwarders, and of the authoritative name 219 servers, will get less data, which will reduce the utility of the 220 statistics they can produce (such as the percentage of the various 221 QTYPEs) [kaliski-minimum]. 223 DNS administrators are reminded that the data on DNS requests that 224 they store may have legal consequences, depending on your 225 jurisdiction (check with your local lawyer). 227 6. Performance considerations 229 The main goal of QNAME minimisation is to improve privacy by sending 230 less data. However, it may have other advantages. For instance, if 231 a root name server receives a query from some resolver for A.example 232 followed by B.example followed by C.example, the result will be three 233 NXDOMAINs, since .example does not exist in the root zone. Under 234 query name minimisation, the root name servers would hear only one 235 question (for .example itself) to which they could answer NXDOMAIN, 236 thus opening up a negative caching opportunity in which the full 237 resolver could know a priori that neither B.example or C.example 238 could exist. Thus in this common case the total number of upstream 239 queries under QNAME minimisation would be counter-intuitively less 240 than the number of queries under the traditional iteration (as 241 described in the DNS standard). 243 QNAME minimisation may also improve look-up performance for TLD 244 operators. For a typical TLD, delegation-only, and with delegations 245 just under the TLD, a 2-label QNAME query is optimal for finding the 246 delegation owner name. 248 QNAME minimisation can decrease performance in some cases, for 249 instance for a deep domain name (like 250 www.host.group.department.example.com where 251 host.group.department.example.com is hosted on example.com's name 252 servers). Let's assume a resolver which knows only the name servers 253 of .example. Without QNAME minimisation, it would send these 254 .example nameservers a query for 255 www.host.group.department.example.com and immediately get a specific 256 referral or an answer, without the need for more queries to probe for 257 the zone cut. For such a name, a cold resolver with QNAME 258 minimisation will, depending how QNAME minimisation is implemented, 259 send more queries, one per label. Once the cache is warm, there will 260 be no difference with a traditional resolver. Actual testing is 261 described in [huque-qnamemin]. Such deep domains are specially 262 common under ip6.arpa. 264 7. Security considerations 266 QNAME minimisation's benefits are clear in the case where you want to 267 decrease exposure to the authoritative name server. But minimising 268 the amount of data sent also, in part, addresses the case of a wire 269 sniffer as well the case of privacy invasion by the servers. 270 (Encryption is of course a better defense against wire sniffers but, 271 unlike QNAME minimisation, it changes the protocol and cannot be 272 deployed unilaterally. Also, the effect of QNAME minimisation on 273 wire sniffers depend on whether the sniffer is, on the DNS path.) 275 QNAME minimisation offers zero protection against the recursive 276 resolver, which still sees the full request coming from the stub 277 resolver. 279 All the alternatives mentioned in Appendix B decrease privacy in the 280 hope of improving performances. They must not be used if you want 281 the maximum privacy. 283 8. Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION 285 This section records the status of known implementations of the 286 protocol defined by this specification at the time of posting of this 287 Internet-Draft, and is based on a proposal described in [RFC6982]. 289 The description of implementations in this section is intended to 290 assist the IETF in its decision processes in progressing drafts to 291 RFCs. Please note that the listing of any individual implementation 292 here does not imply endorsement by the IETF. Furthermore, no effort 293 has been spent to verify the information presented here that was 294 supplied by IETF contributors. This is not intended as, and must not 295 be construed to be, a catalog of available implementations or their 296 features. Readers are advised to note that other implementations may 297 exist. 299 According to [RFC6982], "this will allow reviewers and working groups 300 to assign due consideration to documents that have the benefit of 301 running code, which may serve as evidence of valuable experimentation 302 and feedback that have made the implemented protocols more mature. 303 It is up to the individual working groups to use this information as 304 they see fit". 306 As of today, no production resolver implements QNAME minimisation but 307 it has been publically announced for the future Knot DNS resolver 308 [1]. For Unbound, see ticket 648 [2] and for PowerDNS [3]. 310 The algorithm to find the zone cuts described in Appendix A is 311 implemented with QNAME minimisation in the sample code zonecut.go 312 [4]. It is also implemented, for a much longer time, in an option of 313 dig, "dig +trace", but without QNAME minimisation. 315 Another implementation was done by Shumon Huque for testing, and is 316 described in [huque-qnamemin]. 318 9. Acknowledgments 320 Thanks to Olaf Kolkman for the original idea during a KLM flight from 321 Amsterdam to Vancouver, although the concept is probably much older 322 [5]. Thanks for Shumon Huque and Marek Vavrusa for implementation 323 and testing. Thanks to Mark Andrews and Francis Dupont for the 324 interesting discussions. Thanks to Brian Dickson, Warren Kumari, 325 Evan Hunt and David Conrad for remarks and suggestions. Thanks to 326 Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone 327 cut algorithm in Appendix A and for discussion of the algorithm. 328 Thanks to Paul Vixie for pointing out that there are practical 329 advantages (besides privacy) to QNAME minimisation. Thanks to 330 Phillip Hallam-Baker for the fallback on A queries, to deal with 331 broken servers. Thanks to Robert Edmonds for an interesting anti- 332 pattern. 334 10. References 336 10.1. Normative References 338 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 339 STD 13, RFC 1034, November 1987. 341 [RFC1035] Mockapetris, P., "Domain names - implementation and 342 specification", STD 13, RFC 1035, November 1987. 344 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 345 Morris, J., Hansen, M., and R. Smith, "Privacy 346 Considerations for Internet Protocols", RFC 6973, July 347 2013. 349 [I-D.ietf-dprive-problem-statement] 350 Bortzmeyer, S., "DNS privacy considerations", draft-ietf- 351 dprive-problem-statement-06 (work in progress), June 2015. 353 10.2. Informative References 355 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 356 Specification", RFC 2181, July 1997. 358 [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 359 Code: The Implementation Status Section", RFC 6982, July 360 2013. 362 [I-D.wkumari-dnsop-hammer] 363 Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly 364 Automated Method for Maintaining Expiring Records", draft- 365 wkumari-dnsop-hammer-01 (work in progress), July 2014. 367 [I-D.vixie-dnsext-resimprove] 368 Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS 369 Resolvers for Resiliency, Robustness, and Responsiveness", 370 draft-vixie-dnsext-resimprove-00 (work in progress), June 371 2010. 373 [mockapetris-history] 374 Mockapetris, P., "Private discussion", January 2015. 376 [kaliski-minimum] 377 Kaliski, B., "Minimum Disclosure: What Information Does a 378 Name Server Need to Do Its Job?", March 2015, 379 . 382 [huque-qnamemin] 383 Huque, S., "Query name minimization and authoritative 384 server behavior", May 2015, . 387 [huque-qnamestorify] 388 Huque, S., "Qname Minimization @ DNS-OARC", May 2015, 389 . 391 10.3. URIs 393 [1] https://ripe70.ripe.net/presentations/121-knot-resolver- 394 ripe70.pdf 396 [2] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=648 398 [3] https://github.com/PowerDNS/pdns/issues/2311 400 [4] https://github.com/bortzmeyer/my-IETF-work/blob/master/draft- 401 ietf-dnsop-QNAME-minimisation/zonecut.go 403 [5] https://lists.dns-oarc.net/pipermail/dns- 404 operations/2010-February/005003.html 406 Appendix A. An algorithm to find the zone cut 408 Although a validating resolver already has the logic to find the zone 409 cut, other resolvers may be interested by this algorithm to follow in 410 order to locate this cut: 412 (0) If the query can be answered from the cache, do so, otherwise 413 iterate as follows: 415 (1) Find closest enclosing NS RRset in your cache. The owner of 416 this NS RRset will be a suffix of the QNAME - the longest suffix 417 of any NS RRset in the cache. Call this PARENT. 419 (2) Initialize CHILD to the same as PARENT. 421 (3) If CHILD is the same as the QNAME, resolve the original query 422 using PARENT's name servers, and finish. 424 (4) Otherwise, add a label from the QNAME to the start of CHILD. 426 (5) If you have a negative cache entry for the NS RRset at CHILD, 427 go back to step 3. 429 (6) Query for CHILD IN NS using PARENT's name servers. The 430 response can be: 432 (6a) A referral. Cache the NS RRset from the authority section 433 and go back to step 1. 435 (6b) An authoritative answer. Cache the NS RRset from the 436 answer section and go back to step 1. 438 (6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response 439 to the original query and stop. 441 (6d) A NOERROR/NODATA answer. Cache this negative answer and 442 go back to step 3. 444 Appendix B. Alternatives 446 Remember that QNAME minimisation is unilateral so a resolver is not 447 forced to implement it exactly as described here. 449 There are several ways to perform QNAME minimisation. The one in 450 Section 2 is the suggested one. It can be called the aggressive 451 algorithm, since the resolver only sends NS queries as long as it 452 does not know the zone cuts. This is the safest, from a privacy 453 point of view. Another possible algorithm, not fully studied at this 454 time, could be to "piggyback" on the traditional resolution code. At 455 startup, it sends traditional full QNAMEs and learns the zone cuts 456 from the referrals received, then switches to NS queries asking only 457 for the minimum domain name. This leaks more data but could require 458 fewer changes in the existing resolver codebase. 460 In the above specification, the original QTYPE is replaced by NS (or 461 may be A, if too many servers react incorrectly to NS requests), 462 which is the best approach to preserve privacy. But this erases 463 information about the relative use of the various QTYPEs, which may 464 be interesting for researchers (for instance if they try to follow 465 IPv6 deployment by counting the percentage of AAAA vs. A queries). A 466 variant of QNAME minimisation would be to keep the original QTYPE. 468 Another useful optimisation may be, in the spirit of the HAMMER idea 469 [I-D.wkumari-dnsop-hammer] to probe in advance for the introduction 470 of zone cuts where none previously existed (i.e. confirm their 471 continued absence, or discover them.) 473 To address the "number of queries" issue, described in Section 6, a 474 possible solution is to always use the traditional algorithm when the 475 cache is cold and then to move to QNAME minimisation. This will 476 decrease the privacy but will guarantee no degradation of 477 performance. 479 Author's Address 481 Stephane Bortzmeyer 482 AFNIC 483 1, rue Stephenson 484 Montigny-le-Bretonneux 78180 485 France 487 Phone: +33 1 39 30 83 46 488 Email: bortzmeyer+ietf@nic.fr 489 URI: http://www.afnic.fr/