idnits 2.17.1 draft-ietf-dnsop-respsize-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 36 instances of lines with non-RFC2606-compliant FQDNs in the document. == There are 13 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 13, 2014) is 3718 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 2671 (Obsoleted by RFC 6891) -- Obsolete informational reference (is this intentional?): RFC 2672 (Obsoleted by RFC 6672) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Vixie 3 Internet-Draft Farsight Security, Inc. 4 Intended status: Informational A. Kato 5 Expires: August 17, 2014 Keio University/WIDE Project 6 J. Abley 7 Dyn, Inc. 8 February 13, 2014 10 DNS Referral Response Size Issues 11 draft-ietf-dnsop-respsize-15 13 Abstract 15 With a mandated default minimum maximum UDP message size of 512 16 octets, the DNS protocol presents some special problems for zones 17 wishing to expose a moderate or high number of authority servers (NS 18 resource records). This document explains the operational issues 19 caused by, or related to this response size limit, and suggests ways 20 to optimize the use of this limited space. Guidance is offered to 21 DNS server implementors and to DNS zone administrators. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on August 17, 2014. 40 Copyright Notice 42 Copyright (c) 2014 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Introduction and Overview . . . . . . . . . . . . . . . . . . 4 59 3. Delegation Details . . . . . . . . . . . . . . . . . . . . . . 5 60 3.1. Relevant Protocol Elements . . . . . . . . . . . . . . . . 5 61 3.2. Advice to Zone Administrators . . . . . . . . . . . . . . 6 62 3.3. Advice to Server Implementors . . . . . . . . . . . . . . 7 63 4. Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 12 65 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 66 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 67 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 68 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 69 9.1. Normative References . . . . . . . . . . . . . . . . . . . 16 70 9.2. Informative References . . . . . . . . . . . . . . . . . . 16 71 Appendix A. The response simulator program . . . . . . . . . . . 18 72 Appendix B. Editorial Notes . . . . . . . . . . . . . . . . . . . 20 73 B.1. Change History . . . . . . . . . . . . . . . . . . . . . . 20 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 76 1. Terminology 78 This document uses terminology specific to the Domain Name System 79 (DNS), including the following common abbreviations: 81 A: A resource record type used to specify an IPv4 address [RFC1034] 83 AAAA: A resource record type used to specify an IPv6 address 84 [RFC3596] 86 CNAME: A resource record type used to define a canonical name 87 [RFC1034] 89 DNAME: A resource record type used to map a DNS subtree onto another 90 domain [RFC2672] 92 DNSSEC: DNS Security Extensions [RFC4033] 94 DO: "DNS OK" -- a flag in the EDNS header used to signal the ability 95 to use DNSSEC [RFC4035] 97 EDNS: Extension mechanisms for DNS [RFC6891] 99 EDNS0: EDNS version 0 [RFC6891] 101 MTU: Maximum Transmission Unit, the maximum size for a datagram to 102 be forwarded on an interface without needing fragmentation 103 [RFC0791] [RFC2460] 105 NS: A resource record type used to specify a nameserver on either 106 side of a zone cut [RFC1034] 108 RR: Resource Record [RFC1034] 110 RRSet: Resource Record Set [RFC1034] 112 TC: A bit in the DNS message header used to indicate that the 113 message has been truncated [RFC1034] 115 In an exchange of DNS messages between two hosts, this document 116 refers to the host sending a DNS request as the initiator, and the 117 host sending a DNS response as the responder. 119 2. Introduction and Overview 121 The original DNS standard limited the UDP message size to 512 octets 122 (see Section 4.2.1 of [RFC1035]). Even though this limitation was 123 due to the required minimum IP reassembly limit for IPv4, it became a 124 hard DNS protocol limit and is not implicitly relaxed by changes in a 125 network layer protocol, e.g. by the larger minimum MTU specified in 126 IPv6 [RFC2460] than in IPv4 [RFC0791]. 128 The EDNS protocol extension starting with version 0 permits larger 129 responses by mutual agreement of the initiator and responder (see 130 Section 4.3 and Section 6.2 of [RFC6891]), and it is recommended to 131 support EDNS. The 512 octets UDP message size limit will remain in 132 practical effect until substantially all DNS servers and resolvers 133 support EDNS. 135 Since DNS responses include a copy of the request, the space 136 available for response data is somewhat less than the full 512 137 octets. Negative responses are quite small, but for positive and 138 referral responses, every octet must be carefully and sparingly 139 allocated. While the response size of positive responses is also a 140 concern in [RFC3226], this document specifically addresses referral 141 response size. 143 While more than fourteen years passed since the publication of the 144 original EDNS0 document [RFC2671], measurements conducted at the M 145 Root Server in May 2012 suggested that only around 65% of initiators 146 support it. This fraction was consistent with similar measurements 147 conducted in 2010 and 2011. The long tail of EDNS deployment may 148 eventually be measured in decades. 150 DNS initiators and responders that support DNSSEC [RFC4033], and 151 signal a desire to use it, can expect larger response sizes in the 152 case where those responses contain DNSSEC RRSets. EDNS support in 153 DNSSEC-aware initiators and responders can be assumed, since the 154 desire to use DNSSEC is signalled using the DO flag in the EDNS0 155 header. 157 Even in scenarios where EDNS support in initiators and responders can 158 be assumed, e.g. in the case of messages exchanged using DNSSEC, or 159 at some future time where EDNS deployment can be considered 160 ubiquitous, there will still be cases when MTU limitations or IP 161 fragmentation/reassembly problems in firewalls and other middleboxes 162 will cause EDNS failures which lead to non-extended DNS retries. A 163 smaller referral response will always be better than a larger one if 164 the same end result can be achieved either way. See [RFC5625], 165 [SAC035], and Section 6.2.6 of [RFC6891] for further discussion. 167 3. Delegation Details 169 3.1. Relevant Protocol Elements 171 A positive delegation response will include the following elements: 173 +--------------------+-------------------------------------------+ 174 | Section | Description | 175 +--------------------+-------------------------------------------+ 176 | Header Section | Fixed length (12 octets) | 177 | | | 178 | Question Section | Original query (name, class, type) | 179 | | | 180 | Answer Section | Empty, or a CNAME/DNAME chain | 181 | | | 182 | Authority Section | NS RRSet (name server names) | 183 | | | 184 | Additional Section | A and AAAA RRSets (name server addresses) | 185 +--------------------+-------------------------------------------+ 187 If the total size of the UDP response exceeds 512 octets or the size 188 advertised in EDNS, and if the data that does not fit was "required", 189 then the TC bit will be set to indicate truncation. This will 190 usually cause the requester to retry using TCP, depending on what 191 information was desired and what information was omitted. For 192 example, truncation in the authority section is of no interest to a 193 stub resolver who only plans to consume the answer section. If a 194 retry using TCP is needed, the total cost of the transaction is much 195 higher. See Section 6.1.3.2 of [RFC1123] for details on the 196 requirement that UDP be attempted before falling back to TCP. 198 RRSets are are never sent partially unless the TC bit is set to 199 indicate truncation. When the TC bit is set, the final apparent 200 RRSet in the final non-empty section must be considered "possibly 201 damaged" (see Section 6.2 of [RFC1035] and Section 9 of [RFC2181]). 203 With or without truncation, the glue present in the additional data 204 section should be considered "possibly incomplete", and requesters 205 should be prepared to re-query for any damaged or missing RRSets. 206 Note that truncation of the additional data section might not be 207 signaled via the TC bit since additional data is often optional (see 208 discussion in Appendix B of [RFC4472]). 210 DNS label compression allows the component labels of a domain name to 211 be instantiated exactly once per DNS message, and then referenced 212 with a two-octet "pointer" from other locations in that same DNS 213 message (see Section 4.1.4 of [RFC1035]). If all name server names 214 in a message share a common parent domain (for example, all of them 215 are in the "ROOT-SERVERS.NET" domain), then more space will be 216 available for incompressible data (such as name server addresses). 218 The query name can be as long as 255 octets of network data. In this 219 worst case scenario, the question section will be 259 octets in size, 220 which would leave only 240 octets for the authority and additional 221 sections (after deducting 12 octets for the fixed length header) in a 222 referral. 224 3.2. Advice to Zone Administrators 226 Average and maximum question section sizes can be predicted by the 227 zone administrator, since they will know what names actually exist 228 and can measure which ones are queried for most often. Note that if 229 the zone contains any wildcards, it is possible for maximum length 230 queries to require positive responses, but that it is reasonable to 231 expect truncation and TCP retry in that case. For cost and 232 performance reasons, the majority of requests should be satisfied 233 without truncation or TCP retry. 235 Some queries for non-existant names can be large. If DNSSEC is not 236 being used this is unlikely to pose a problem since unsigned negative 237 responses need not contain any answer, authority or additional 238 records. See Section 2.1 of [RFC2308] for more information about the 239 format of negative responses without DNSSEC. Negative responses from 240 DNSSEC-signed zones can be much larger, however, due to the need to 241 provide authenticated denial of existance [RFC7129]. 243 The minimum useful number of name servers is two, for redundancy (see 244 Section 4.1 of [RFC1034]). A zone's name servers should be reachable 245 by all IP protocols versions (e.g., IPv4 and IPv6) in common use. As 246 long as the servers are well managed, the server serving IPv6 might 247 be different from the server serving IPv4 sharing the same server 248 name. 250 The best case is no truncation at all. This is because many 251 requesters will retry using TCP immediately, or will automatically 252 requery for RRSets that are possibly truncated, without considering 253 whether the omitted data was actually necessary. 255 Anycast [RFC3258] [RFC4786] is a useful technique for improving 256 performance and below the zone cut being described by a delegation is 257 responses. 259 While it is irrelevant to the response size issue, all zones have to 260 be served via IPv4 as well as IPv6 to avoid name space fragmentation 261 [RFC3901]. 263 3.3. Advice to Server Implementors 265 Each NS RR for a zone will add 12 fixed octets (name, type, class, 266 ttl, and rdlen) plus 2 to 255 variable octets (for the NSDNAME). 267 Each A RR will require 16 octets, and each AAAA RR will require 28 268 octets. 270 While DNS distinguishes between necessary and optional resource 271 records, this distinction is according to protocol elements necessary 272 to signify facts, and takes no official notice of protocol content 273 necessary to ensure correct operation. For example, a name server 274 name that is in or below the zone cut being described by a delegation 275 is "necessary content", since there is no way to reach that zone 276 unless the parent zone's delegation includes "glue records" 277 describing that name server's addresses. 279 Recall that the TC bit is only set when a required RRSet can not be 280 included in its entirety (see Section 9 of [RFC2181]). Even when 281 some of the RRSets to be included in the additional section don't fit 282 in the response size, the TC bit isn't set. These RRSets may be 283 important for a referral. Some DNS implementations try to resolve 284 these missing glue records separately which will introduce extra 285 queries and extra time to resolve a given name. 287 A delegation response should prioritize glue records as follows. 289 first: All glue RRSets for one name server whose name is in or below 290 the zone being delegated, or which has multiple address RRSets 291 (currently A and AAAA), or preferably both; 293 second: Alternate between adding all glue RRSets for any name 294 servers whose names are in or below the zone being delegated, and 295 all glue RRSets for any name servers who have multiple address 296 RRSets (currently A and AAAA); 298 thence: All other glue RRSets, in any order. 300 Whenever there are multiple candidates for a position in this 301 priority scheme, one should be chosen on a round-robin or fully 302 random basis. The goal of this priority scheme is to offer 303 "necessary" glue first to fill into the response if possible. 305 If any "necessary" content cannot be fit in the response, then it is 306 advisable that the TC bit be set in order to force a TCP retry, 307 rather than have the zone be unreachable. Note that a parent 308 server's proper response to a query for in-child glue or below-child 309 glue is a referral rather than an answer, and that this referral must 310 be able to contain the in-child or below-child glue, and that in 311 outlying cases, only EDNS or TCP will be large enough to contain that 312 data. 314 The glue record order should be independent of the version of IP used 315 in the query because the DNS server might just see a query from an 316 intermediate server rather than the query from the original client. 318 4. Analysis 320 An instrumented protocol trace of a best case delegation response is 321 shown in Figure 1. Note that 13 servers are named, and 13 addresses 322 are given. This query was artificially designed to exactly reach the 323 512 octets limit. 325 ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13 326 ;; QUERY SECTION: 327 ;; [23456789.123456789.123456789.\ 328 123456789.123456789.123456789.com A IN] ;; @80 330 ;; AUTHORITY SECTION: 331 com. 172800 NS E.GTLD-SERVERS.NET. ;; @112 332 com. 172800 NS F.GTLD-SERVERS.NET. ;; @128 333 com. 172800 NS G.GTLD-SERVERS.NET. ;; @144 334 com. 172800 NS H.GTLD-SERVERS.NET. ;; @160 335 com. 172800 NS I.GTLD-SERVERS.NET. ;; @176 336 com. 172800 NS J.GTLD-SERVERS.NET. ;; @192 337 com. 172800 NS K.GTLD-SERVERS.NET. ;; @208 338 com. 172800 NS L.GTLD-SERVERS.NET. ;; @224 339 com. 172800 NS M.GTLD-SERVERS.NET. ;; @240 340 com. 172800 NS A.GTLD-SERVERS.NET. ;; @256 341 com. 172800 NS B.GTLD-SERVERS.NET. ;; @272 342 com. 172800 NS C.GTLD-SERVERS.NET. ;; @288 343 com. 172800 NS D.GTLD-SERVERS.NET. ;; @304 345 ;; ADDITIONAL SECTION: 346 A.GTLD-SERVERS.NET. 172800 A 192.5.6.30 ;; @320 347 B.GTLD-SERVERS.NET. 172800 A 192.33.14.30 ;; @336 348 C.GTLD-SERVERS.NET. 172800 A 192.26.92.30 ;; @352 349 D.GTLD-SERVERS.NET. 172800 A 192.31.80.30 ;; @368 350 E.GTLD-SERVERS.NET. 172800 A 192.12.94.30 ;; @384 351 F.GTLD-SERVERS.NET. 172800 A 192.35.51.30 ;; @400 352 G.GTLD-SERVERS.NET. 172800 A 192.42.93.30 ;; @416 353 H.GTLD-SERVERS.NET. 172800 A 192.54.112.30 ;; @432 354 I.GTLD-SERVERS.NET. 172800 A 192.43.172.30 ;; @448 355 J.GTLD-SERVERS.NET. 172800 A 192.48.79.30 ;; @464 356 K.GTLD-SERVERS.NET. 172800 A 192.52.178.30 ;; @480 357 L.GTLD-SERVERS.NET. 172800 A 192.41.162.30 ;; @496 358 M.GTLD-SERVERS.NET. 172800 A 192.55.83.30 ;; @512 360 ;; MSG SIZE sent: 80 rcvd: 512 362 Figure 1 364 For longer query names, the number of address records supplied will 365 be lower. Furthermore, it is only by using a common parent name 366 (which is "GTLD-SERVERS.NET." in this example) that all 13 addresses 367 are able to fit, due to the use of label compression pointers in the 368 last 12 occurrences of the parent domain name. The outputs from the 369 response simulator in Appendix A (written in perl [PERL]) shown in 370 Figure 2 and Figure 3 demonstrate these properties. 372 % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br 373 a.dns.br requires 10 bytes 374 b.dns.br requires 4 bytes 375 c.dns.br requires 4 bytes 376 d.dns.br requires 4 bytes 377 # of NS: 4 378 For maximum size query (255 byte): 379 only A is considered: # of A is 4 (green) 380 A and AAAA are considered: # of A+AAAA is 3 (yellow) 381 preferred-glue A is assumed: # of A is 4, # of AAAA is 3 (yellow) 382 For average size query (64 byte): 383 only A is considered: # of A is 4 (green) 384 A and AAAA are considered: # of A+AAAA is 4 (green) 385 preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) 387 Figure 2 389 % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int 390 ns-ext.isc.org requires 16 bytes 391 ns.psg.com requires 12 bytes 392 ns.ripe.net requires 13 bytes 393 ns.eu.int requires 11 bytes 394 # of NS: 4 395 For maximum size query (255 byte): 396 only A is considered: # of A is 4 (green) 397 A and AAAA are considered: # of A+AAAA is 3 (yellow) 398 preferred-glue A is assumed: # of A is 4, # of AAAA is 2 (yellow) 399 For average size query (64 byte): 400 only A is considered: # of A is 4 (green) 401 A and AAAA are considered: # of A+AAAA is 4 (green) 402 preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) 404 Figure 3 406 Here we use the term "green" if all address records could fit, or 407 "yellow" if two or more could fit, or "orange" if only one could fit, 408 or "red" if no address record could fit. It's clear that without a 409 common parent for name server names, much space would be lost. For 410 these examples we use an average/common name size of 15 octets, 411 befitting our assumption of "GTLD-SERVERS.NET." as our common parent 412 name. 414 We assume a medium query name size of 64 since that is the typical 415 size seen in trace data at the time of this writing. If 416 Internationalized Domain Name (IDN) or any other technology that 417 results in larger query names be deployed significantly in advance of 418 EDNS, then new measurements and new estimates will have to be made. 420 5. Conclusions 422 The current practice of giving all name server names a common parent 423 (such as "GTLD-SERVERS.NET." or "ROOT-SERVERS.NET.") saves space in 424 DNS responses and allows for more name servers to be enumerated than 425 would otherwise be possible, since the common parent domain name only 426 appears once in a DNS message and is referred to via "compression 427 pointers" thereafter. 429 If all name server names for a zone share a common parent, then it is 430 operationally advisable to make all servers for the zone thus served 431 also be authoritative for the zone of that common parent. For 432 example, the root name servers (?.ROOT-SERVERS.NET.) can answer 433 authoritatively for the ROOT-SERVERS.NET. zone. This is to ensure 434 that the zone's servers always have the zone's name servers' glue 435 available when delegating, and will be able to respond with answers 436 rather than referrals if a requester who wants that glue comes back 437 asking for it. In this case the name server will likely be a 438 "stealth master" -- authoritative but not advertised in the glue 439 zone's NS RRSet. See Section 2 of [RFC1996] for more information 440 about stealth masters. 442 Thirteen (13) is the effective maximum number of name server names 443 usable with traditional (non-extended) DNS, assuming a common parent 444 domain name, and given that implicit referral response truncation is 445 undesirable in the average case. 447 More than one address record in a protocol family per server is 448 inadvisable since the necessary glue RRSets (A or AAAA) are 449 atomically indivisible, and will be larger than a single resource 450 record. Larger RRSets are more likely to lead to or encounter 451 truncation. 453 More than one address record across protocol families is less likely 454 to lead to or encounter truncation, partly because multiprotocol 455 clients, which are required to handle larger RRSets such as AAAA RRs, 456 are more likely to speak EDNS, which can use a larger UDP response 457 size limit, and partly because the resource records (A and AAAA) are 458 in different RRSets and are therefore divisible from each other. 460 Name server names that are at or below the zone they serve are more 461 sensitive to referral response truncation, and glue records for them 462 should be considered "more important" than other glue records, in the 463 assembly of referral responses. 465 6. Security Considerations 467 The recommendations contained in this document have no known security 468 implications. 470 7. IANA Considerations 472 This document has no IANA actions. 474 8. Acknowledgements 476 The authors thank Peter Koch, Rob Austein, Mark Andrews, Kenji 477 Rikitake, Stephane Bortzmeyer, Olafur Gudmundsson, Alfred Hoenes, 478 Alexander Mayrhofer, and Ray Bellis for their valuable comments and 479 suggestions. 481 This work was supported by the US National Science Foundation 482 (research grant SCI-0427144) and DNS-OARC. 484 9. References 486 9.1. Normative References 488 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 489 STD 13, RFC 1034, November 1987. 491 [RFC1035] Mockapetris, P., "Domain names - implementation and 492 specification", STD 13, RFC 1035, November 1987. 494 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 495 Specification", RFC 2181, July 1997. 497 9.2. Informative References 499 [PERL] Wall, L., Christiansen, T., and J. Orwant, "Programming 500 Perl, 3rd ed.", ISBN 0-596-00027-8, July 2000. 502 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 503 September 1981. 505 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application 506 and Support", STD 3, RFC 1123, October 1989. 508 [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone 509 Changes (DNS NOTIFY)", RFC 1996, August 1996. 511 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS 512 NCACHE)", RFC 2308, March 1998. 514 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 515 (IPv6) Specification", RFC 2460, December 1998. 517 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 518 RFC 2671, August 1999. 520 [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", 521 RFC 2672, August 1999. 523 [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver 524 message size requirements", RFC 3226, December 2001. 526 [RFC3258] Hardie, T., "Distributing Authoritative Name Servers via 527 Shared Unicast Addresses", RFC 3258, April 2002. 529 [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, 530 "DNS Extensions to Support IP Version 6", RFC 3596, 531 October 2003. 533 [RFC3901] Durand, A. and J. Ihren, "DNS IPv6 Transport Operational 534 Guidelines", BCP 91, RFC 3901, September 2004. 536 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 537 Rose, "DNS Security Introduction and Requirements", 538 RFC 4033, March 2005. 540 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 541 Rose, "Protocol Modifications for the DNS Security 542 Extensions", RFC 4035, March 2005. 544 [RFC4472] Durand, A., Ihren, J., and P. Savola, "Operational 545 Considerations and Issues with IPv6 DNS", RFC 4472, 546 April 2006. 548 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 549 Services", BCP 126, RFC 4786, December 2006. 551 [RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines", 552 BCP 152, RFC 5625, August 2009. 554 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 555 for DNS (EDNS(0))", STD 75, RFC 6891, April 2013. 557 [RFC7129] Gieben, R. and W. Mekking, "Authenticated Denial of 558 Existence in the DNS", RFC 7129, February 2014. 560 [SAC035] Bellis, R. and L. Phifer, "Test Report: DNSSEC Impact on 561 Broadband Routers and Firewalls", SAC 035, September 2008. 563 Appendix A. The response simulator program 565 #!/usr/bin/perl 566 # 567 # SYNOPSIS 568 # respsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ... 569 # if all queries are assumed to have a same zone suffix, 570 # such as "jp" in JP TLD servers, specify it in -z option 571 # 572 use strict; 573 use Getopt::Std; 575 my ($sz_msg) = (512); 576 my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28); 577 my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2); 578 my (%namedb, $name, $nssect, %opts, $optz); 579 my $n_ns = 0; 581 getopt('z', %opts); 582 if (defined($opts{'z'})) { 583 server_name_len($opts{'z'}); # just register it 584 } 586 foreach $name (@ARGV) { 587 my $len; 588 $n_ns++; 589 $len = server_name_len($name); 590 print "$name requires $len bytes\n"; 591 $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl 592 + $sz_rdlen + $len; 593 } 594 print "# of NS: $n_ns\n"; 595 arsect(255, $nssect, $n_ns, "maximum"); 596 arsect(64, $nssect, $n_ns, "average"); 598 sub server_name_len { 599 my ($name) = @_; 600 my (@labels, $len, $n, $suffix); 602 $name =~ tr/A-Z/a-z/; 603 @labels = split(/\./, $name); 604 $len = length(join('.', @labels)) + 2; 605 for ($n = 0; $#labels >= 0; $n++, shift @labels) { 606 $suffix = join('.', @labels); 607 return length($name) - length($suffix) + $sz_ptr 608 if (defined($namedb{$suffix})); 609 $namedb{$suffix} = 1; 610 } 611 return $len; 612 } 614 sub arsect { 615 my ($sz_query, $nssect, $n_ns, $cond) = @_; 616 my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect); 617 $ansect = $sz_query + $sz_type + $sz_class; 618 $space = $sz_msg - $sz_header - $ansect - $nssect; 619 $n_a = atmost(int($space / $sz_rr_a), $n_ns); 620 $n_a_aaaa = atmost(int($space 621 / ($sz_rr_a + $sz_rr_aaaa)), $n_ns); 622 $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) 623 / $sz_rr_aaaa), $n_ns); 624 printf "For %s size query (%d byte):\n", $cond, $sz_query; 625 printf " only A is considered: "; 626 printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns); 627 printf " A and AAAA are considered: "; 628 printf "# of A+AAAA is %d (%s)\n", 629 $n_a_aaaa, &judge($n_a_aaaa, $n_ns); 630 printf " preferred-glue A is assumed: "; 631 printf "# of A is %d, # of AAAA is %d (%s)\n", 632 $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns); 633 } 635 sub judge { 636 my ($n, $n_ns) = @_; 637 return "green" if ($n >= $n_ns); 638 return "yellow" if ($n >= 2); 639 return "orange" if ($n == 1); 640 return "red"; 641 } 643 sub atmost { 644 my ($a, $b) = @_; 645 return 0 if ($a < 0); 646 return $b if ($a > $b); 647 return $a; 648 } 650 Appendix B. Editorial Notes 652 This section (and sub-sections) to be removed prior to publication. 654 B.1. Change History 656 15 Draft resurrected; Joe added as co-author; changed Paul's 657 affiliation. Minor wordsmithing to account for the passage of 658 time. Terminology section added. Added commentary on DNSSEC 659 impact on response sizes and EDNS support. 661 Authors' Addresses 663 Paul Vixie 664 Farsight Security, Inc. 665 155 Bovet Road, #476 666 San Mateo, CA 94402 667 USA 669 Phone: +1 650 489 7919 670 Email: vixie@farsightsecurity.com 672 Akira Kato 673 Keio University/WIDE Project 674 Graduate School of Media Design 675 4-1-1 Hiyoshi 676 Kohoku, Yokohama 223-8526 677 Japan 679 Phone: +81 45 564 2490 680 Email: kato@wide.ad.jp 682 Joe Abley 683 Dyn, Inc. 684 470 Moore Street 685 London, ON N6C 2C2 686 Canada 688 Phone: +1 519 670 9327 689 Email: jabley@dyn.com