idnits 2.17.1 draft-ietf-dnsop-qname-minimisation-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 8, 2016) is 3024 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 381 ** Obsolete normative reference: RFC 7626 (Obsoleted by RFC 9076) == Outdated reference: A later version (-03) exists of draft-wkumari-dnsop-hammer-01 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Domain Name System Operations (dnsop) Working Group S. Bortzmeyer 3 Internet-Draft AFNIC 4 Intended status: Experimental January 8, 2016 5 Expires: July 11, 2016 7 DNS query name minimisation to improve privacy 8 draft-ietf-dnsop-qname-minimisation-09 10 Abstract 12 This document describes a technique to improve DNS privacy, a 13 technique called "QNAME minimisation", where the DNS resolver no 14 longer sends the full original QNAME to the upstream name server. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at http://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on July 11, 2016. 33 Copyright Notice 35 Copyright (c) 2016 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction and background . . . . . . . . . . . . . . . . . 2 51 2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 3 52 3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 4 53 4. Protocol and compatibility discussion . . . . . . . . . . . . 5 54 5. Operational considerations . . . . . . . . . . . . . . . . . 5 55 6. Performance considerations . . . . . . . . . . . . . . . . . 6 56 7. On the experimentation . . . . . . . . . . . . . . . . . . . 6 57 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 58 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 59 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 60 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 61 11.1. Normative References . . . . . . . . . . . . . . . . . . 7 62 11.2. Informative References . . . . . . . . . . . . . . . . . 8 63 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 Appendix A. An algorithm to perform QNAME minimisation . . . . . 9 65 Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10 66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 68 1. Introduction and background 70 The problem statement is described in [RFC7626]. The terminology 71 ("QNAME", "resolver", etc) is also defined in this companion 72 document. This specific solution is not intended to fully solve the 73 DNS privacy problem; instead, it should be viewed as one tool amongst 74 many. 76 QNAME minimisation follows the principle explained in section 6.1 of 77 [RFC6973]: the less data you send out, the fewer privacy problems you 78 have. 80 Currently, when a resolver receives the query "What is the AAAA 81 record for www.example.com?", it sends to the root (assuming a cold 82 resolver, whose cache is empty) the very same question. Sending the 83 full QNAME to the authoritative name server is a tradition, not a 84 protocol requirement. This tradition comes [mockapetris-history] 85 from a desire to optimize the number of requests, when the same name 86 server is authoritative for many zones in a given name (something 87 which was more common in the old days, where the same name servers 88 served .com and the root) or when the same name server is both 89 recursive and authoritative (something which is strongly discouraged 90 now). Whatever the merits of this choice at this time, the DNS is 91 quite different now. 93 2. QNAME minimisation 95 The idea is to minimise the amount of data sent from the DNS resolver 96 to the authoritative name server. In the example in the previous 97 section, sending "What are the NS records for .com?" would have been 98 sufficient (since it will be the answer from the root anyway). The 99 rest of this section describes the recommended way to do QNAME 100 minimisation, the one which maximimes privacy benefits (other 101 alternatives are discussed in appendixes). 103 A resolver which implements QNAME minimisation, and which does not 104 have already the answer in its cache, instead of sending the full 105 QNAME and the original QTYPE upstream, sends a request to the name 106 server authoritative for the closest known ancestor of the original 107 QNAME. The request is done with: 109 the QTYPE NS, 111 the QNAME which is the original QNAME, stripped to just one label 112 more than the zone for which the server is authoritative. 114 For example, a resolver receives a request to resolve 115 foo.bar.baz.example. Let's assume it already knows that 116 ns1.nic.example is authoritative for .example and the resolver does 117 not know a more specific authoritative name server. It will send the 118 query QTYPE=NS,QNAME=baz.example to ns1.nic.example. 120 The minimising resolver works perfectly when it knows the zone cut 121 (zone cuts are described in section 6 of [RFC2181]). But zone cuts 122 do not necessarily exist at every label boundary. If we take the 123 name www.foo.bar.example, it is possible that there is a zone cut 124 between "foo" and "bar" but not between "bar" and "example". So, 125 assuming the resolver already knows the name servers of .example, 126 when it receives the query "What is the AAAA record of 127 www.foo.bar.example", it does not always know where the zone cut will 128 be. To find it out, it will query the .example name servers for the 129 NS records for bar.example. It will get a NODATA response, 130 indicating there is no zone cut at that point, so it has to to query 131 the .example name servers again with one more label, and so on. 132 (Appendix A describes this algorithm in deeper details.) 134 Since the information about the zone cuts will be stored in the 135 resolver's cache, the performance cost is probably reasonable. 136 Section 6 discusses this performance discrepancy further. 138 Note that DNSSEC-validating resolvers already have access to this 139 information, since they have to know the zone cut (the DNSKEY record 140 set is just below, the DS record set just above). 142 3. Possible issues 144 QNAME minimisation is legal, since the original DNS RFC do not 145 mandate sending the full QNAME. So, in theory, it should work 146 without any problems. However, in practice, some problems may occur 147 (see an analysis in [huque-qnamemin] and an interesting discussion in 148 [huque-qnamestorify]). 150 Some broken name servers do not react properly to qtype=NS requests. 151 For instance, some authoritative name servers embedded in load 152 balancers reply properly to A queries but send REFUSED to NS queries. 153 This behaviour is a protocol violation, and there is no need to stop 154 improving the DNS because of such behaviour. However, QNAME 155 minimisation may still work with such domains since they are only 156 leaf domains (no need to send them NS requests). Such setup breaks 157 more than just QNAME minimisation. It breaks negative answers, since 158 the servers don't return the correct SOA, and it also breaks anything 159 dependent upon NS and SOA records existing at the top of the zone. 161 Another way to deal with such incorrect name servers would be to try 162 with QTYPE=A requests (A being chosen because it is the most common 163 and hence a qtype which will be always accepted, while a qtype NS may 164 ruffle the feathers of some middleboxes). Instead of querying name 165 servers with a query "NS example.com", we could use "A _.example.com" 166 and see if we get a referral. 168 A problem can also appear when a name server does not react properly 169 to ENT (Empty Non-Terminals). If ent.example.com has no resource 170 records but foobar.ent.example.com does, then ent.example.com is an 171 ENT. A query, whatever the qtype, for ent.example.com must return 172 NODATA (NOERROR / ANSWER: 0). However, some name servers incorrectly 173 return NXDOMAIN for ENTs. If a resolver queries only 174 foobar.ent.example.com, everything will be OK but, if it implements 175 QNAME minimisation, it may query ent.example.com and get a NXDOMAIN. 176 See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad 177 consequences of this bad behaviour. 179 A possible solution, currently implemented in Knot, is to retry with 180 the full query when you receive a NXDOMAIN. It works but it is not 181 ideal for privacy. 183 Other practices that do not conform to the DNS protocol standards may 184 pose a problem: there is a common DNS trick used by some Web hosters 185 that also do DNS hosting that exploits the fact that the DNS protocol 186 (pre-DNSSEC) allows certain serious misconfigurations, such as parent 187 and child zones disagreeing on the location of a zone cut. 188 Basically, they have a single zone with wildcards for each TLD like: 190 *.example. 60 IN A 192.0.2.6 192 (They could just wildcard all of "*.", which would be sufficient. We 193 don't know why they don't do it.) 195 This lets them have many Web hosting customers without having to 196 configure thousands of individual zones on their nameservers. They 197 just tell the prospective customer to point their NS records at the 198 hoster's nameservers, and the Web hoster doesn't have to provision 199 anything in order to make the customer's domain resolve. NS queries 200 to the hoster will therefore not give the right result, which may 201 endanger QNAME minimisation (it will be a problem for DNSSEC, too). 203 4. Protocol and compatibility discussion 205 QNAME minimisation is compatible with the current DNS system and 206 therefore can easily be deployed; since it is a unilateral change to 207 the resolver, it does not change the protocol. (Because it is an 208 unilateral change, resolver implementers may do QNAME minimisation in 209 slightly different ways, see the appendices for examples.) 211 One should note that the behaviour suggested here (minimising the 212 amount of data sent in QNAMEs from the resolver) is NOT forbidden by 213 the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). As said in 214 Section 1, the current method, sending the full QNAME, is not 215 mandated by the DNS protocol. 217 It may be noticed that many documents explaining the DNS and intended 218 for a wide audience, incorrectly describe the resolution process as 219 using QNAME minimisation, for instance by showing a request going to 220 the root, with just the TLD in the query. As a result, these 221 documents may confuse the privacy analysis of the users who see them. 223 5. Operational considerations 225 The administrators of the forwarders, and of the authoritative name 226 servers, will get less data, which will reduce the utility of the 227 statistics they can produce (such as the percentage of the various 228 QTYPEs) [kaliski-minimum]. 230 DNS administrators are reminded that the data on DNS requests that 231 they store may have legal consequences, depending on your 232 jurisdiction (check with your local lawyer). 234 6. Performance considerations 236 The main goal of QNAME minimisation is to improve privacy by sending 237 less data. However, it may have other advantages. For instance, if 238 a root name server receives a query from some resolver for A.example 239 followed by B.example followed by C.example, the result will be three 240 NXDOMAINs, since .example does not exist in the root zone. Under 241 query name minimisation, the root name servers would hear only one 242 question (for .example itself) to which they could answer NXDOMAIN, 243 thus opening up a negative caching opportunity in which the full 244 resolver could know a priori that neither B.example or C.example 245 could exist. Thus in this common case the total number of upstream 246 queries under QNAME minimisation would be counter-intuitively less 247 than the number of queries under the traditional iteration (as 248 described in the DNS standard). 250 QNAME minimisation may also improve look-up performance for TLD 251 operators. For a typical TLD, delegation-only, and with delegations 252 just under the TLD, a 2-label QNAME query is optimal for finding the 253 delegation owner name. 255 QNAME minimisation can decrease performance in some cases, for 256 instance for a deep domain name (like 257 www.host.group.department.example.com where 258 host.group.department.example.com is hosted on example.com's name 259 servers). Let's assume a resolver which knows only the name servers 260 of .example. Without QNAME minimisation, it would send these 261 .example nameservers a query for 262 www.host.group.department.example.com and immediately get a specific 263 referral or an answer, without the need for more queries to probe for 264 the zone cut. For such a name, a cold resolver with QNAME 265 minimisation will, depending how QNAME minimisation is implemented, 266 send more queries, one per label. Once the cache is warm, there will 267 be no difference with a traditional resolver. Actual testing is 268 described in [huque-qnamemin]. Such deep domains are specially 269 common under ip6.arpa. 271 7. On the experimentation 273 This document has status "Experimental". Since the beginning of time 274 (or DNS), the fully qualified host name was always sent to the 275 authoritative name servers. There was a concern that changing this 276 behavior may engage the Law of Unintended Consequences. Hence this 277 status. 279 The idea about the experiment is to observe QNAME minimisation in 280 action with multiple resolvers, various authoritative name servers, 281 etc. 283 8. IANA Considerations 285 This document has no actions for IANA. 287 9. Security Considerations 289 QNAME minimisation's benefits are clear in the case where you want to 290 decrease exposure to the authoritative name server. But minimising 291 the amount of data sent also, in part, addresses the case of a wire 292 sniffer as well as the case of privacy invasion by the servers. 293 (Encryption is of course a better defense against wire sniffers but, 294 unlike QNAME minimisation, it changes the protocol and cannot be 295 deployed unilaterally. Also, the effect of QNAME minimisation on 296 wire sniffers depends on whether the sniffer is, on the DNS path.) 298 QNAME minimisation offers zero protection against the recursive 299 resolver, which still sees the full request coming from the stub 300 resolver. 302 All the alternatives mentioned in Appendix B decrease privacy in the 303 hope of improving performance. They must not be used if you want the 304 maximum privacy. 306 10. Acknowledgments 308 Thanks to Olaf Kolkman for the original idea during a KLM flight from 309 Amsterdam to Vancouver, although the concept is probably much older 310 [1]. Thanks for Shumon Huque and Marek Vavrusa for implementation 311 and testing. Thanks to Mark Andrews and Francis Dupont for the 312 interesting discussions. Thanks to Brian Dickson, Warren Kumari, 313 Evan Hunt and David Conrad for remarks and suggestions. Thanks to 314 Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone 315 cut algorithm in Appendix A and for discussion of the algorithm. 316 Thanks to Paul Vixie for pointing out that there are practical 317 advantages (besides privacy) to QNAME minimisation. Thanks to 318 Phillip Hallam-Baker for the fallback on A queries, to deal with 319 broken servers. Thanks to Robert Edmonds for an interesting anti- 320 pattern. 322 11. References 324 11.1. Normative References 326 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 327 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 328 . 330 [RFC1035] Mockapetris, P., "Domain names - implementation and 331 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 332 November 1987, . 334 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 335 Morris, J., Hansen, M., and R. Smith, "Privacy 336 Considerations for Internet Protocols", RFC 6973, DOI 337 10.17487/RFC6973, July 2013, 338 . 340 [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, 341 DOI 10.17487/RFC7626, August 2015, 342 . 344 11.2. Informative References 346 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 347 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 348 . 350 [I-D.wkumari-dnsop-hammer] 351 Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly 352 Automated Method for Maintaining Expiring Records", draft- 353 wkumari-dnsop-hammer-01 (work in progress), July 2014. 355 [I-D.vixie-dnsext-resimprove] 356 Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS 357 Resolvers for Resiliency, Robustness, and Responsiveness", 358 draft-vixie-dnsext-resimprove-00 (work in progress), June 359 2010. 361 [mockapetris-history] 362 Mockapetris, P., "Private discussion", January 2015. 364 [kaliski-minimum] 365 Kaliski, B., "Minimum Disclosure: What Information Does a 366 Name Server Need to Do Its Job?", March 2015, 367 . 370 [huque-qnamemin] 371 Huque, S., "Query name minimization and authoritative 372 server behavior", May 2015, . 375 [huque-qnamestorify] 376 Huque, S., "Qname Minimization @ DNS-OARC", May 2015, 377 . 379 11.3. URIs 381 [1] https://lists.dns-oarc.net/pipermail/dns- 382 operations/2010-February/005003.html 384 Appendix A. An algorithm to perform QNAME minimisation 386 This algorithm performs name resolution with QNAME minimisation in 387 presence of not-yet-known zone cuts. 389 Although a validating resolver already has the logic to find the zone 390 cut, other resolvers may be interested by this algorithm to follow in 391 order to locate the cuts. This is just a possible help for 392 implementors, it is not intended to be normative: 394 (0) If the query can be answered from the cache, do so, otherwise 395 iterate as follows: 397 (1) Find closest enclosing NS RRset in your cache. The owner of 398 this NS RRset will be a suffix of the QNAME - the longest suffix 399 of any NS RRset in the cache. Call this ANCESTOR. 401 (2) Initialize CHILD to the same as ANCESTOR. 403 (3) If CHILD is the same as the QNAME, resolve the original query 404 using ANCESTOR's name servers, and finish. 406 (4) Otherwise, add a label from the QNAME to the start of CHILD. 408 (5) If you have a negative cache entry for the NS RRset at CHILD, 409 go back to step 3. 411 (6) Query for CHILD IN NS using ANCESTOR's name servers. The 412 response can be: 414 (6a) A referral. Cache the NS RRset from the authority section 415 and go back to step 1. 417 (6b) An authoritative answer. Cache the NS RRset from the 418 answer section and go back to step 1. 420 (6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response 421 to the original query and stop. 423 (6d) A NOERROR/NODATA answer. Cache this negative answer and 424 go back to step 3. 426 Appendix B. Alternatives 428 Remember that QNAME minimisation is unilateral so a resolver is not 429 forced to implement it exactly as described here. 431 There are several ways to perform QNAME minimisation. The one in 432 Section 2 is the suggested one. It can be called the aggressive 433 algorithm, since the resolver only sends NS queries as long as it 434 does not know the zone cuts. This is the safest, from a privacy 435 point of view. Another possible algorithm, not fully studied at this 436 time, could be to "piggyback" on the traditional resolution code. At 437 startup, it sends traditional full QNAMEs and learns the zone cuts 438 from the referrals received, then switches to NS queries asking only 439 for the minimum domain name. This leaks more data but could require 440 fewer changes in the existing resolver codebase. 442 In the above specification, the original QTYPE is replaced by NS (or 443 may be A, if too many servers react incorrectly to NS requests), 444 which is the best approach to preserve privacy. But this erases 445 information about the relative use of the various QTYPEs, which may 446 be interesting for researchers (for instance if they try to follow 447 IPv6 deployment by counting the percentage of AAAA vs. A queries). A 448 variant of QNAME minimisation would be to keep the original QTYPE. 450 Another useful optimisation may be, in the spirit of the HAMMER idea 451 [I-D.wkumari-dnsop-hammer] to probe in advance for the introduction 452 of zone cuts where none previously existed (i.e. confirm their 453 continued absence, or discover them.) 455 To address the "number of queries" issue, described in Section 6, a 456 possible solution is to always use the traditional algorithm when the 457 cache is cold and then to move to QNAME minimisation (precisely 458 defining what is "hot" or "cold" is left to the implementer). This 459 will decrease the privacy but will guarantee no degradation of 460 performance. 462 Author's Address 464 Stephane Bortzmeyer 465 AFNIC 466 1, rue Stephenson 467 Montigny-le-Bretonneux 78180 468 France 470 Phone: +33 1 39 30 83 46 471 Email: bortzmeyer+ietf@nic.fr 472 URI: http://www.afnic.fr/