idnits 2.17.1 draft-ietf-dnsop-rfc7816bis-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 287 has weird spacing: '...ple.org exam...' == Line 304 has weird spacing: '...ple.org exam...' -- The document date (March 9, 2020) is 1508 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 6973 ** Obsolete normative reference: RFC 7816 (Obsoleted by RFC 9156) == Outdated reference: A later version (-03) exists of draft-wkumari-dnsop-hammer-01 Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Bortzmeyer 3 Internet-Draft AFNIC 4 Obsoletes: 7816 (if approved) R. Dolmans 5 Intended status: Standards Track NLnet Labs 6 Expires: September 10, 2020 P. Hoffman 7 ICANN 8 March 9, 2020 10 DNS Query Name Minimisation to Improve Privacy 11 draft-ietf-dnsop-rfc7816bis-04 13 Abstract 15 This document describes techniques called "QNAME minimisation" to 16 improve DNS privacy, where the DNS resolver no longer always sends 17 the full original QNAME to the upstream name server. This document 18 obsoletes RFC 7816. 20 This document is part of the IETF DNSOP (DNS Operations) Working 21 Group. The source of the document, as well as a list of open issues, 22 is at 24 NOTE FOR THE DNSOP WORKING GROUP: There is still much work to be done 25 in this draft. Future versions of this draft will contain 26 descriptions of different minimisation implementation choices that 27 have been made since the RFC 7816 first came out, as well as 28 deployment experience. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on September 10, 2020. 47 Copyright Notice 49 Copyright (c) 2020 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents 54 (https://trustee.ietf.org/license-info) in effect on the date of 55 publication of this document. Please review these documents 56 carefully, as they describe your rights and restrictions with respect 57 to this document. Code Components extracted from this document must 58 include Simplified BSD License text as described in Section 4.e of 59 the Trust Legal Provisions and are provided without warranty as 60 described in the Simplified BSD License. 62 Table of Contents 64 1. Introduction and Background . . . . . . . . . . . . . . . . . 2 65 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 66 2. Description of QNAME Minimisation . . . . . . . . . . . . . . 3 67 2.1. Algorithm to Perform Aggressive Method QNAME Minimisation 5 68 3. QNAME Minimisation Examples . . . . . . . . . . . . . . . . . 6 69 4. Limit number of queries . . . . . . . . . . . . . . . . . . . 7 70 5. Operational Considerations . . . . . . . . . . . . . . . . . 8 71 6. Performance Considerations . . . . . . . . . . . . . . . . . 10 72 7. Alternative Methods for QNAME Minimisation . . . . . . . . . 10 73 8. Results of the Experimentation . . . . . . . . . . . . . . . 11 74 9. Security Considerations . . . . . . . . . . . . . . . . . . . 11 75 10. Implementation Status . . . . . . . . . . . . . . . . . . . . 11 76 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 77 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 78 11.2. Informative References . . . . . . . . . . . . . . . . . 13 79 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 15 80 Changes from RFC 7816 . . . . . . . . . . . . . . . . . . . . . . 15 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 83 1. Introduction and Background 85 The problem statement for this document and its predecessor [RFC7816] 86 is described in [I-D.bortzmeyer-dprive-rfc7626-bis]. The terminology 87 ("QNAME", "resolver", etc.) is defined in 88 [I-D.ietf-dnsop-terminology-bis]. This specific solution is not 89 intended to fully solve the DNS privacy problem; instead, it should 90 be viewed as one tool amongst many. 92 QNAME minimisation follows the principle explained in Section 6.1 of 93 [RFC6973]: the less data you send out, the fewer privacy problems 94 you have. 96 Before QNAME minimisation, when a resolver received the query "What 97 is the AAAA record for www.example.com?", it sent to the root 98 (assuming a resolver whose cache is empty) the very same question. 99 Sending the full QNAME to the authoritative name server was a 100 tradition, not a protocol requirement. In a conversation with the 101 author in January 2015, Paul Mockapetris explained that this 102 tradition comes from a desire to optimise the number of requests, 103 when the same name server is authoritative for many zones in a given 104 name (something that was more common in the old days, where the same 105 name servers served .com and the root) or when the same name server 106 is both recursive and authoritative (something that is strongly 107 discouraged now). Whatever the merits of this choice at this time, 108 the DNS is quite different now. 110 QNAME minimisation is compatible with the current DNS system and 111 therefore can easily be deployed. Because it is only a change to the 112 way that the resolver operates, it does not change the protocol. The 113 behaviour suggested here (minimising the amount of data sent in 114 QNAMEs from the resolver) is allowed by Section 5.3.3 of [RFC1034] or 115 Section 7.2 of [RFC1035]. 117 1.1. Terminology 119 A "cold" cache is one that is empty, having literally no entries in 120 it. A "warm" cache is one that has some entries in it. 122 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 123 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 124 "OPTIONAL" in this document are to be interpreted as described in BCP 125 14 [RFC2119] [RFC8174] when, and only when, they appear in all 126 capitals, as shown here. 128 2. Description of QNAME Minimisation 130 The idea behind QNAME minimisation is to minimise the amount of 131 privacy sensitive data sent from the DNS resolver to the 132 authoritative name server. This section describes the RECOMMENDED 133 way to do QNAME minimisation -- the way that maximises privacy 134 benefits. That algorithm is summarised in Section 2.1. 136 When a resolver is not able to answer a query from cache it has to 137 send a query to an authoritative nameserver. Traditionally these 138 queries would contain the full QNAME and the original QTYPE as 139 received in the client query. The full QNAME and original QTYPE are 140 only needed at the nameserver that is authoritative for the record 141 requested by the client. All other nameservers queried while 142 resolving the query only need to receive enough of the QNAME to be 143 able to answer with a delegation. The QTYPE in these queries is not 144 relevant, as the nameserver is not able to authoritatively answer the 145 records the client is looking for. Sending the full QNAME and 146 original QTYPE to these nameservers therefore exposes more privacy 147 sensitive data than necessary to resolve the client's request. A 148 resolver that implements QNAME minimisation changes the QNAME and 149 QTYPE in queries to authoritative nameserver that are not known to be 150 responsible for the original QNAME. These request are done with: 152 o a QTYPE selected by the resolver to hide the original QTYPE 154 o the QNAME that is the original QNAME, stripped to just one label 155 more than the longest matching domain name for which the 156 nameserver is known to be authoritative 158 This method is called the "aggressive method" in this document 159 because the resolver won't expose the original QTYPE to nameservers 160 that are not known to be responsible for the desired name. This 161 method is the safest from a privacy point of view, and is thus the 162 RECOMMENDED method for this document. Other methods are described in 163 Section 7. 165 Note that this document relaxes the recommendation to use the NS 166 QTYPE to hide the original QTYPE, as was specified in RFC7816. Using 167 the NS QTYPE is still allowed. The authority of NS records lies at 168 the child side. The parent side of the delegation will answer using 169 a referral, like it will do for queries with other QTYPEs. Using the 170 NS QTYPE therefore has no added value over other QTYPEs. 172 The QTYPE to use while minimising queries can be any possible data 173 TYPE RRTYPE ([RFC6895] Section 3.1) for which the authority always 174 lies below the zone cut (i.e. not DS, NSEC, NSEC3, OPT, TSIG, TKEY, 175 ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no relation 176 between the incoming QTYPE and the selection of the QTYPE to use 177 while minimising. A good candidate is to always use the A QTYPE as 178 this is the least likely to give issues at DNS software and 179 middleboxes that do not properly support all QTYPEs. The QTYPE=A 180 queries will also blend into traffic from non-minimising resolvers, 181 making it in some cases harder to observe that the resolver has QNAME 182 minimisation enabled. Using the QTYPE that occurs most in incoming 183 queries will slightly reduce the number of queries, as there is no 184 extra check needed for delegations on non-apex records. 186 The minimising resolver works perfectly when it knows the zone cut 187 (zone cuts are described in Section 6 of [RFC2181]). But zone cuts 188 do not necessarily exist at every label boundary. In the name 189 www.foo.bar.example, it is possible that there is a zone cut between 190 "foo" and "bar" but not between "bar" and "example". So, assuming 191 that the resolver already knows the name servers of example, when it 192 receives the query "What is the AAAA record of www.foo.bar.example?", 193 it does not always know where the zone cut will be. To find the 194 zone cut, it will query the example name servers for a record for 195 bar.example. It will get a non-referral answer, it has to query the 196 example name servers again with one more label, and so on. 197 (Section 2.1 describes this algorithm in deeper detail.) 199 TODO what to do if the resolver forwards? Unbound disables QNAME 200 minimisation in that case, since the forwarder will see everything, 201 anyway. What should a minimising resolver do when forwarding the 202 request to a forwarder, not to an authoritative name server? Send 203 the full qname? Minimises? (But how since the resolver does not 204 know the zone cut?) 206 2.1. Algorithm to Perform Aggressive Method QNAME Minimisation 208 This algorithm performs name resolution with aggressive method QNAME 209 minimisation in the presence of zone cuts that are not yet known. 211 Although a validating resolver already has the logic to find the 212 zone cuts, implementers of other resolvers may want to use this 213 algorithm to locate the zone cuts. 215 (0) If the query can be answered from the cache, do so; otherwise, 216 iterate as follows: 218 (1) Get the closest delegation point that can be used for the 219 original QNAME/QTYPE combination from the cache. 221 (1a) For queries with QTYPE=DS this is the NS RRset with the 222 owner matching the most labels with the QNAME stripped by 223 one label. The QNAME will be a subdomain of (but not equal 224 to) this NS RRset. Call this ANCESTOR. 226 (1b) For queries with other original QTYPEs this is the NS RRset 227 with the owner matching the most labels with the QNAME. The 228 QNAME will be equal to or a subdomain of this NS RRset. 229 Call this ANCESTOR. 231 (2) Initialise CHILD to the same as ANCESTOR. 233 (3) If CHILD is the same as the QNAME, or if the CHILD is one label 234 shorter than the QNAME and the original QTYPE is DS, resolve the 235 original query using ANCESTOR's name servers, and finish. 237 (4) Otherwise, add a label from the QNAME to the start of CHILD. 239 (5) Look for a negative cache entry for the NS RRset at CHILD. If 240 this entry is for an NXDOMAIN and the resolver has support for 241 RFC8020 the NXDOMAIN can be used in response to the original 242 query, and stop. If the entry is for a NOERROR/NODATA answer go 243 back to step 3 245 (6) Query for CHILD with the minimised QTYPE using ANCESTOR's 246 name servers. The response can be: 248 (6a) A referral. Cache the NS RRset from the authority section, 249 and go back to step 1. 251 (6b) A NOERROR answer. Cache this answer, and go back to step 3. 253 (6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response 254 to the original query, and stop. 256 (6d) An answer with another RCODE, or no answer. Try another 257 name server at the same delegation point. Stop if none of 258 them are able to return a valid answer 260 3. QNAME Minimisation Examples 262 For example, a resolver receives a request to resolve 263 foo.bar.baz.example. Assume that the resolver already knows that 264 ns1.nic.example is authoritative for .example, and that the resolver 265 does not know a more specific authoritative name server. It will 266 send the query with QNAME=baz.example and the QTYPE selected to hide 267 the original QTYPE to ns1.nic.example. 269 Here are more detailed examples of queries with the aggressive method 270 of QNAME minimisation: 272 Cold cache, traditional resolution algorithm without QNAME 273 minimisation, request for MX record of a.b.example.org: 275 QTYPE QNAME TARGET NOTE 276 MX a.b.example.org root nameserver 277 MX a.b.example.org org nameserver 278 MX a.b.example.org example.org nameserver 280 Cold cache, aggressive QNAME minimisation method, request for MX 281 record of a.b.example.org, using the A QTYPE to hide the original 282 QTYPE: 284 QTYPE QNAME TARGET NOTE 285 A org root nameserver 286 A example.org org nameserver 287 A b.example.org example.org nameserver 288 A a.b.example.org example.org nameserver "a" may be delegated 289 MX a.b.example.org example.org nameserver 291 Note that in above example one query would have been saved if the 292 incoming QTYPE would have been the same as the QTYPE selected by the 293 resolver to hide the original QTYPE. Only one query needed with as 294 QTYPE a.b.example.org would have been needed if the original QTYPE 295 would have been A. Using the most used QTYPE to hide the original 296 QTYPE therefore slightly reduces the number of outgoing queries. 298 Warm cache with only org delegation known, (example.org's NS RRset is 299 not known), aggressive QNAME minimisation method, request for MX 300 record of a.b.example.org, using A QTYPE to hide the original QTYPE: 302 QTYPE QNAME TARGET NOTE 303 A example.org org nameserver 304 A b.example.org example.org nameserver 305 A a.b.example.org example.org nameserver "a" may be delegated 306 MX a.b.example.org example.org nameserver 308 4. Limit number of queries 310 When using QNAME minimisation the number of labels in the received 311 QNAME can influence the number of queries sent from the resolver. 312 This opens an attack vector and can decrease performance. Resolvers 313 supporting QNAME minimisation should implement a mechanism to limit 314 the number of outgoing queries per user request. 316 Take for example an incoming QNAME with many labels, like 317 www.host.group.department.example.com, where 318 host.group.department.example.com is hosted on example.com's 319 name servers. Assume a resolver that knows only the name servers of 320 example.com. Without QNAME minimisation, it would send these 321 example.com name servers a query for 322 www.host.group.department.example.com and immediately get a specific 323 referral or an answer, without the need for more queries to probe for 324 the zone cut. For such a name, a cold resolver with QNAME 325 minimisation will, depending on how QNAME minimisation is 326 implemented, send more queries, one per label. Once the cache is 327 warm, there will be no difference with a traditional resolver. 328 Actual testing is described in [Huque-QNAME-Min]. Such deep domains 329 are especially common under ip6.arpa. 331 This behaviour can be exploited by sending queries with a large 332 number of labels in the QNAME that will be answered using a wildcard 333 record. Take for example a record for *.example.com, hosted on 334 example.com's name servers. An incoming query containing a QNAME 335 with more than 100 labels, ending in example.com, will result in a 336 query per label. By using random labels the attacker can bypass the 337 cache and always require the resolver to send many queries upstream. 338 Note that [RFC8198] can limit this attack in some cases. 340 One mechanism to reduce this attack vector is by appending more than 341 one label per iteration for QNAMEs with a large number of labels. To 342 do this a maximum number of QNAME minimisation iterations has to be 343 selected (MAX_MINIMISE_COUNT), a good value is 10. Optionally a 344 value for the number of queries that should only have one label 345 appended can be selected (MINIMISE_ONE_LAB), a good value is 4. The 346 assumption here is that the number of labels on delegations higher in 347 the hierarchy are rather small, therefore not exposing too may labels 348 early on has the most privacy benefit. 350 When a resolver needs to send out a query if will look for the 351 closest known delegation point in its cache. The number of QNAME 352 minimisation iterations is the difference between this closest 353 nameserver and the incoming QNAME. The first MINIMISE_ONE_LAB 354 iterations will be handles as described in Section 2. The number of 355 labels that are not exposed yet now need to be divided over the 356 iterations that are left (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). 357 The remainder of the division should be added to the last iterations. 358 For example, when resolving a QNAME with 18 labels, the number of 359 labels added per iteration are: 1,1,1,1,2,2,2,2,3,3. 361 5. Operational Considerations 363 TODO may be remove the whole section now that it is no longer 364 experimental? 366 QNAME minimisation is legal, since the original DNS RFCs do not 367 mandate sending the full QNAME. So, in theory, it should work 368 without any problems. However, in practice, some problems may occur 369 (see [Huque-QNAME-Min] for an analysis and [Huque-QNAME-Discuss] for 370 an interesting discussion on this topic). 372 Note that the aggressive method described in this document prevents 373 authoritative servers other than the server for a full name from 374 seeing information about the relative use of the various QTYPEs. 375 That information may be interesting for researchers (for instance, if 376 they try to follow IPv6 deployment by counting the percentage of AAAA 377 vs. A queries). 379 Some broken name servers do not react properly to QTYPE=NS requests. 380 For instance, some authoritative name servers embedded in load 381 balancers reply properly to A queries but send REFUSED to NS queries. 382 This behaviour is a protocol violation, and there is no need to stop 383 improving the DNS because of such behaviour. Such a setup breaks 384 more than just QNAME minimisation. It breaks negative answers, since 385 the servers don't return the correct SOA, and it also breaks anything 386 dependent upon NS and SOA records existing at the top of the zone. 387 Note that this document relaxes the recommendation to use the NS 388 QTYPE. 390 A problem can also appear when a name server does not react properly 391 to ENTs (Empty Non-Terminals). If ent.example.com has no resource 392 records but foobar.ent.example.com does, then ent.example.com is an 393 ENT. Whatever the QTYPE, a query for ent.example.com must return 394 NODATA (NOERROR / ANSWER: 0). However, some name servers incorrectly 395 return NXDOMAIN for ENTs. If a resolver queries only 396 foobar.ent.example.com, everything will be OK, but if it implements 397 QNAME minimisation, it may query ent.example.com and get an NXDOMAIN. 398 See also Section 3 of [DNS-Res-Improve] for the other bad 399 consequences of this bad behaviour. 401 A possible solution, currently implemented in Knot or Unbound, is to 402 retry with the full query when you receive an NXDOMAIN. It works, 403 but it is not ideal for privacy. 405 Other practices that do not conform to the DNS protocol standards may 406 pose a problem: there is a common DNS trick used by some web hosters 407 that also do DNS hosting that exploits the fact that the DNS protocol 408 (pre-DNSSEC) allows certain serious misconfigurations, such as parent 409 and child zones disagreeing on the location of a zone cut. 410 Basically, they have a single zone with wildcards for each TLD, like: 412 *.example. 60 IN A 192.0.2.6 414 (They could just wildcard all of "*.", which would be sufficient. It 415 is impossible to tell why they don't do it.) 417 This lets them have many web-hosting customers without having to 418 configure thousands of individual zones on their name servers. They 419 just tell the prospective customer to point their NS records at the 420 hoster's name servers, and the web hoster doesn't have to provision 421 anything in order to make the customer's domain resolve. NS queries 422 to the hoster will therefore not give the right result, which may 423 endanger QNAME minimisation (it will be a problem for DNSSEC, too). 424 Note that this document relaxes the NS QTYPE recommendation. 426 6. Performance Considerations 428 The main goal of QNAME minimisation is to improve privacy by sending 429 less data. However, it may have other advantages. For instance, if 430 a resolver sends a root name server queries for A.example followed by 431 B.example followed by C.example, the result will be three NXDOMAINs, 432 since .example does not exist in the root zone. When using QNAME 433 minimisation, the resolver would send only one question (for .example 434 itself) to which they could answer NXDOMAIN. The resolver can cache 435 this answer and use it as to prove that nothing below .example exists 436 ([RFC8020]). A resolver now knows a priori that neither B.example 437 nor C.example exist. Thus, in this common case, the total number of 438 upstream queries under QNAME minimisation could counterintuitively be 439 less than the number of queries under the traditional iteration (as 440 described in the DNS standard). 442 QNAME minimisation may also improve lookup performance for TLD 443 operators. For a TLD that is delegation-only, a two-label QNAME 444 query may be optimal for finding the delegation owner name, depending 445 on the way domain matching is implemented. 447 QNAME minimisation can increase the number of queries based on the 448 incoming QNAME. This is described in Section 4. 450 7. Alternative Methods for QNAME Minimisation 452 One useful optimisation may be, in the spirit of the HAMMER idea 453 [HAMMER], The resolver can probe in advance for the introduction of 454 zone cuts where none previously existed to confirm their continued 455 absence or to discover them. 457 To reduce the number of queries (an issue described in Section 4), a 458 resolver could always use full name queries when the cache is cold 459 and then to move to the aggressive method of QNAME minimisation when 460 the cache is warm. (Precisely defining what is "warm" or "cold" is 461 left to the implementer). This will decrease the privacy for initial 462 queries but will guarantee no degradation of performance. 464 Another possible algorithm, not fully studied at this time, could be 465 to "piggyback" on the traditional resolution code. At startup, it 466 sends traditional full QNAMEs and learns the zone cuts from the 467 referrals received, then switches to NS queries asking only for the 468 minimum domain name. This leaks more data but could require fewer 469 changes in the existing resolver codebase. 471 8. Results of the Experimentation 473 Many (open source) resolvers now support QNAME minimisation. The 474 lessons learned from implementing QNAME minimisation are used to 475 create this new revision. 477 Data from DNSThought [dnsthought-qnamemin] shows that 47% of the 478 tested resolvers support QNAME minimisation in some way. 480 Academic research has been performed on QNAME minimisation 481 [devries-qnamemin]. This work shows that QNAME minimisation in 482 relaxed mode causes almost no problems. The paper recommends using 483 the A QTYPE, and limiting the number of queries in some way. 485 9. Security Considerations 487 QNAME minimisation's benefits are clear in the case where you want to 488 decrease exposure to the authoritative name server. But minimising 489 the amount of data sent also, in part, addresses the case of a wire 490 sniffer as well as the case of privacy invasion by the servers. 491 (Encryption is of course a better defense against wire sniffers, but, 492 unlike QNAME minimisation, it changes the protocol and cannot be 493 deployed unilaterally. Also, the effect of QNAME minimisation on 494 wire sniffers depends on whether the sniffer is on the DNS path.) 496 QNAME minimisation offers zero protection against the recursive 497 resolver, which still sees the full request coming from the stub 498 resolver. 500 All the alternatives mentioned in Section 7 decrease privacy in the 501 hope of improving performance. They must not be used if you want 502 maximum privacy. 504 10. Implementation Status 506 \[\[ Note to RFC Editor: Remove this entire section, and the 507 reference to RFC 7942, before publication. \]\] 509 This section records the status of known implementations of the 510 protocol defined by this specification at the time of posting of this 511 Internet-Draft, and is based on a proposal described in [RFC7942]. 512 The description of implementations in this section is intended to 513 assist the IETF in its decision processes in progressing drafts to 514 RFCs. Please note that the listing of any individual implementation 515 here does not imply endorsement by the IETF. Furthermore, no effort 516 has been spent to verify the information presented here that was 517 supplied by IETF contributors. This is not intended as, and must not 518 be construed to be, a catalog of available implementations or their 519 features. Readers are advised to note that other implementations may 520 exist. 522 According to [RFC7942], "this will allow reviewers and working groups 523 to assign due consideration to documents that have the benefit of 524 running code, which may serve as evidence of valuable experimentation 525 and feedback that have made the implemented protocols more mature. 526 It is up to the individual working groups to use this information as 527 they see fit". 529 Unbound has had a QNAME minimisation feature since version 1.5.7, 530 December 2015, (see [Dolmans-Unbound]) and it has had QNAME 531 minimisation turned default since version 1.7.2, June 2018. It has 532 two modes set by the "qname-minimisation-strict" configuration 533 option. In strict mode (option set to "yes"), there is no workaround 534 for broken authoritative name servers. In lax mode, Unbound retries 535 when there is a NXDOMAIN response from the minimised query, unless 536 the domain is DNSSEC signed. Since November 2016, Unbound uses only 537 queries for the A RRtype and not the NS RRtype. Unbound limits the 538 number of queries in the way proposed in Section 4. 540 Knot Resolver has had a QNAME minimisation feature since version 541 1.0.0, May 2016, and it is activated by default 543 TODO, how does knot limit queries? How does knot handle NXDOMAIN on 544 ENT? Which QTYPE does knot use to hide the incoming QTYPE? 546 BIND has had a QNAME minimisation feature since unstable development 547 version 9.13.2, July 2018. It currently has several modes, with or 548 without workarounds for broken authoritative name servers. 550 TODO, how does bind limit queries? How does bind handle NXDOMAIN on 551 ENT? Which QTYPE does bind use to hide the incoming QTYPE? 553 TODO: add powerdns. They now also support QNAME minimisation. 555 TODO: are there closed source implementations? 557 11. References 559 11.1. Normative References 561 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 562 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 563 . 565 [RFC1035] Mockapetris, P., "Domain names - implementation and 566 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 567 November 1987, . 569 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 570 Requirement Levels", BCP 14, RFC 2119, 571 DOI 10.17487/RFC2119, March 1997, 572 . 574 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 575 Morris, J., Hansen, M., and R. Smith, "Privacy 576 Considerations for Internet Protocols", RFC 6973, 577 DOI 10.17487/RFC6973, July 2013, 578 . 580 [RFC7816] Bortzmeyer, S., "DNS Query Name Minimisation to Improve 581 Privacy", RFC 7816, DOI 10.17487/RFC7816, March 2016, 582 . 584 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 585 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 586 May 2017, . 588 11.2. Informative References 590 [devries-qnamemin] 591 "A First Look at QNAME Minimization in the Domain Name 592 System", March 2019, 593 . 596 [DNS-Res-Improve] 597 Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS 598 Resolvers for Resiliency, Robustness, and Responsiveness", 599 Work in Progress, draft-vixie-dnsext-resimprove-00, June 600 2010. 602 [dnsthought-qnamemin] 603 "DNSThought QNAME minimisation results. Using Atlas 604 probes", March 2020, 605 . 607 [Dolmans-Unbound] 608 Dolmans, R., "Unbound QNAME minimisation @ DNS-OARC", 609 March 2016, . 613 [HAMMER] Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly 614 Automated Method for Maintaining Expiring Records", Work 615 in Progress, draft-wkumari-dnsop-hammer-01, July 2014. 617 [Huque-QNAME-Discuss] 618 Huque, S., "Qname Minimization @ DNS-OARC", May 2015, 619 . 621 [Huque-QNAME-Min] 622 Huque, S., "Query name minimization and authoritative 623 server behavior", May 2015, 624 . 626 [I-D.bortzmeyer-dprive-rfc7626-bis] 627 Bortzmeyer, S. and S. Dickinson, "DNS Privacy 628 Considerations", draft-bortzmeyer-dprive-rfc7626-bis-02 629 (work in progress), January 2019. 631 [I-D.ietf-dnsop-terminology-bis] 632 Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 633 Terminology", draft-ietf-dnsop-terminology-bis-14 (work in 634 progress), September 2018. 636 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 637 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 638 . 640 [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA 641 Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, 642 April 2013, . 644 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 645 Code: The Implementation Status Section", BCP 205, 646 RFC 7942, DOI 10.17487/RFC7942, July 2016, 647 . 649 [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is 650 Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020, 651 November 2016, . 653 [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of 654 DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, 655 July 2017, . 657 Acknowledgments 659 TODO (refer to 7816) 661 Changes from RFC 7816 663 Changed in -04 665 o Start structure for implementation section 667 o Add clarification why the used QTYPE does not matter 669 o Make algorithm DS QTYPE compatible 671 Changed in -03 673 o Drop recommendation to use the NS QTYPE to hide the incoming QTYPE 675 o Describe DoS attach vector for QNAME with large number of labels, 676 and propose a mitigation. 678 o Simplify examples and change qname to a.b.example.com to show the 679 change in number of queries. 681 Changed in -00, -01, and -02 683 o Made changes to deal with errata #4644 685 o Changed status to be on standards track 687 o Major reorganization 689 Authors' Addresses 691 Stephane Bortzmeyer 692 AFNIC 693 1, rue Stephenson 694 Montigny-le-Bretonneux 78180 695 France 697 Phone: +33 1 39 30 83 46 698 Email: bortzmeyer+ietf@nic.fr 699 URI: https://www.afnic.fr/ 700 Ralph Dolmans 701 NLnet Labs 703 Email: ralph@nlnetlabs.nl 705 Paul Hoffman 706 ICANN 708 Email: paul.hoffman@icann.org