idnits 2.17.1 draft-ietf-dnsop-serve-stale-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC1034], [RFC1035], [RFC2181]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. -- The draft header indicates that this document updates RFC1034, but the abstract doesn't seem to directly say this. It does mention RFC1034 though, so this could be OK. -- The draft header indicates that this document updates RFC1035, but the abstract doesn't seem to directly say this. It does mention RFC1035 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC1034, updated by this document, for RFC5378 checks: 1987-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 16, 2019) is 1838 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 7719 (Obsoleted by RFC 8499) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSOP Working Group D. Lawrence 3 Internet-Draft Oracle 4 Updates: 1034, 1035 (if approved) W. Kumari 5 Intended status: Standards Track P. Sood 6 Expires: October 18, 2019 Google 7 April 16, 2019 9 Serving Stale Data to Improve DNS Resiliency 10 draft-ietf-dnsop-serve-stale-05 12 Abstract 14 This draft defines a method (serve-stale) for recursive resolvers to 15 use stale DNS data to avoid outages when authoritative nameservers 16 cannot be reached to refresh expired data. It updates the definition 17 of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it clear that 18 data can be kept in the cache beyond the TTL expiry and used for 19 responses when a refreshed answer is not readily available. One of 20 the motivations for serve-stale is to make the DNS more resilient to 21 DoS attacks, and thereby make them less attractive as an attack 22 vector. 24 Ed note 26 Text inside square brackets ([]) is additional background 27 information, answers to frequently asked questions, general musings, 28 etc. They will be removed before publication. This document is 29 being collaborated on in GitHub at . The most recent version of the document, open issues, etc 31 should all be available here. The authors gratefully accept pull 32 requests. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on October 18, 2019. 50 Copyright Notice 52 Copyright (c) 2019 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 68 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 69 3. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 70 4. Standards Action . . . . . . . . . . . . . . . . . . . . . . 4 71 5. Example Method . . . . . . . . . . . . . . . . . . . . . . . 4 72 6. Implementation Considerations . . . . . . . . . . . . . . . . 6 73 7. Implementation Caveats . . . . . . . . . . . . . . . . . . . 8 74 8. Implementation Status . . . . . . . . . . . . . . . . . . . . 9 75 9. EDNS Option . . . . . . . . . . . . . . . . . . . . . . . . . 10 76 10. Security Considerations . . . . . . . . . . . . . . . . . . . 10 77 11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 78 12. NAT Considerations . . . . . . . . . . . . . . . . . . . . . 11 79 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 80 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 81 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 82 15.1. Normative References . . . . . . . . . . . . . . . . . . 11 83 15.2. Informative References . . . . . . . . . . . . . . . . . 12 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 86 1. Introduction 88 Traditionally the Time To Live (TTL) of a DNS resource record has 89 been understood to represent the maximum number of seconds that a 90 record can be used before it must be discarded, based on its 91 description and usage in [RFC1035] and clarifications in [RFC2181]. 93 This document proposes that the definition of the TTL be explicitly 94 expanded to allow for expired data to be used in the exceptional 95 circumstance that a recursive resolver is unable to refresh the 96 information. It is predicated on the observation that authoritative 97 answer unavailability can cause outages even when the underlying data 98 those servers would return is typically unchanged. 100 We describe a method below for this use of stale data, balancing the 101 competing needs of resiliency and freshness. 103 2. Terminology 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 107 "OPTIONAL" in this document are to be interpreted as described in BCP 108 14 [RFC2119] [RFC8174] when, and only when, they appear in all 109 capitals, as shown here. 111 For a comprehensive treatment of DNS terms, please see [RFC7719]. 113 3. Background 115 There are a number of reasons why an authoritative server may become 116 unreachable, including Denial of Service (DoS) attacks, network 117 issues, and so on. If the recursive server is unable to contact the 118 authoritative servers for a query but still has relevant data that 119 has aged past its TTL, that information can still be useful for 120 generating an answer under the metaphorical assumption that "stale 121 bread is better than no bread." 123 [RFC1035] Section 3.2.1 says that the TTL "specifies the time 124 interval that the resource record may be cached before the source of 125 the information should again be consulted", and Section 4.1.3 further 126 says the TTL, "specifies the time interval (in seconds) that the 127 resource record may be cached before it should be discarded." 129 A natural English interpretation of these remarks would seem to be 130 clear enough that records past their TTL expiration must not be used. 131 However, [RFC1035] predates the more rigorous terminology of 132 [RFC2119] which softened the interpretation of "may" and "should". 134 [RFC2181] aimed to provide "the precise definition of the Time to 135 Live", but in Section 8 was mostly concerned with the numeric range 136 of values and the possibility that very large values should be 137 capped. (It also has the curious suggestion that a value in the 138 range 2147483648 to 4294967295 should be treated as zero.) It closes 139 that section by noting, "The TTL specifies a maximum time to live, 140 not a mandatory time to live." This is again not [RFC2119]-normative 141 language, but does convey the natural language connotation that data 142 becomes unusable past TTL expiry. 144 Several major recursive resolver operators currently use stale data 145 for answers in some way, including Akamai (in three different 146 resolver implementations), BIND, Knot, OpenDNS, and Unbound. Apple 147 MacOS can also use stale data as part of the Happy Eyeballs 148 algorithms in mDNSResponder. The collective operational experience 149 is that it provides significant benefit with minimal downside. 151 4. Standards Action 153 The definition of TTL in [RFC1035] Sections 3.2.1 and 4.1.3 is 154 amended to read: 156 TTL a 32-bit unsigned integer number of seconds that specifies the 157 duration that the resource record MAY be cached before the source 158 of the information MUST again be consulted. Zero values are 159 interpreted to mean that the RR can only be used for the 160 transaction in progress, and should not be cached. Values SHOULD 161 be capped on the orders of days to weeks, with a recommended cap 162 of 604,800 seconds. If the data is unable to be authoritatively 163 refreshed when the TTL expires, the record MAY be used as though 164 it is unexpired. 166 Interpreting values which have the high order bit set as being 167 positive, rather than 0, is a change from [RFC2181]. Suggesting a 168 cap of seven days, rather than the 68 years allowed by [RFC2181], 169 reflects the current practice of major modern DNS resolvers. 171 When returning a response containing stale records, the recursive 172 resolver MUST set the TTL of each expired record in the message to a 173 value greater than 0, with 30 seconds RECOMMENDED. 175 Answers from authoritative servers that have a DNS Response Code of 176 either 0 (NoError) or 3 (NXDomain) and the Authoritative Answers (AA) 177 bit set MUST be considered to have refreshed the data at the 178 resolver. Answers from authoritative servers that have any other 179 response code SHOULD be considered a failure to refresh the data and 180 therefor leave any previous state intact. 182 5. Example Method 184 There is conceivably more than one way a recursive resolver could 185 responsibly implement this resiliency feature while still respecting 186 the intent of the TTL as a signal for when data is to be refreshed. 188 In this example method four notable timers drive considerations for 189 the use of stale data, as follows: 191 o A client response timer, which is the maximum amount of time a 192 recursive resolver should allow between the receipt of a 193 resolution request and sending its response. 195 o A query resolution timer, which caps the total amount of time a 196 recursive resolver spends processing the query. 198 o A failure recheck timer, which limits the frequency at which a 199 failed lookup will be attempted again. 201 o A maximum stale timer, which caps the amount of time that records 202 will be kept past their expiration. 204 Most recursive resolvers already have the query resolution timer, and 205 effectively some kind of failure recheck timer. The client response 206 timer and maximum stale timer are new concepts for this mechanism. 208 When a request is received by the recursive resolver, it should start 209 the client response timer. This timer is used to avoid client 210 timeouts. It should be configurable, with a recommended value of 1.8 211 seconds as being just under a common timeout value of 2 seconds while 212 still giving the resolver a fair shot at resolving the name. 214 The resolver then checks its cache for any unexpired data that 215 satisfies the request and of course returns them if available. If it 216 finds no relevant unexpired data and the Recursion Desired flag is 217 not set in the request, it should immediately return the response 218 without consulting the cache for expired records. Typically this 219 response would be a referral to authoritative nameservers covering 220 the zone, but the specifics are implementation dependent. 222 If iterative lookups will be done, then the failure recheck timer is 223 consulted. Attempts to refresh from non-responsive or otherwise 224 failing authoritative nameservers are recommended to be done no more 225 frequently than every 30 seconds. If this request was received 226 within this period, the cache may be immediately consulted for stale 227 data to satisfy the request. 229 Outside the period of the failure recheck timer, the resolver should 230 start the query resolution timer and begin the iterative resolution 231 process. This timer bounds the work done by the resolver when 232 contacting external authorities, and is commonly around 10 to 30 233 seconds. If this timer expires on an attempted lookup that is still 234 being processed, the resolution effort is abandoned. 236 If the answer has not been completely determined by the time the 237 client response timer has elapsed, the resolver should then check its 238 cache to see whether there is expired data that would satisfy the 239 request. If so, it adds that data to the response message with a TTL 240 greater than 0 per Section 4. The response is then sent to the 241 client while the resolver continues its attempt to refresh the data. 243 When no authorities are able to be reached during a resolution 244 attempt, the resolver should attempt to refresh the delegation and 245 restart the iterative lookup process with the remaining time on the 246 query resolution timer. This resumption should be done only once 247 during one resolution effort. 249 Outside the resolution process, the maximum stale timer is used for 250 cache management and is independent of the query resolution process. 251 This timer is conceptually different from the maximum cache TTL that 252 exists in many resolvers, the latter being a clamp on the value of 253 TTLs as received from authoritative servers and recommended to be 7 254 days in the TTL definition above. The maximum stale timer should be 255 configurable, and defines the length of time after a record expires 256 that it should be retained in the cache. The suggested value is 257 between 1 and 3 days. 259 6. Implementation Considerations 261 This document mainly describes the issues behind serving stale data 262 and intentionally does not provide a formal algorithm. The concept 263 is not overly complex, and the details are best left to resolver 264 authors to implement in their codebases. The processing of serve- 265 stale is a local operation, and consistent variables between 266 deployments are not needed for interoperability. However, we would 267 like to highlight the impact of various implementation choices, 268 starting with the timers involved. 270 The most obvious of these is the maximum stale timer. If this 271 variable is too large it could cause excessive cache memory usage, 272 but if it is too small, the serve-stale technique becomes less 273 effective, as the record may not be in the cache to be used if 274 needed. Shorter values, even less than a day, can effectively handle 275 the vast majority of outages. Longer values, as much as a week, give 276 time for monitoring systems to notice a resolution problem and for 277 human intervention to fix it; operational experience has been that 278 sometimes the right people can be hard to track down and 279 unfortunately slow to remedy the situation. 281 Increased memory consumption could be mitigated by prioritizing 282 removal of stale records over non-expired records during cache 283 exhaustion. Implementations may also wish to consider whether to 284 track the names in requests for their last time of use or their 285 popularity, using that as an additional factor when considering cache 286 eviction. A feature to manually flush only stale records could also 287 be useful. 289 The client response timer is another variable which deserves 290 consideration. If this value is too short, there exists the risk 291 that stale answers may be used even when the authoritative server is 292 actually reachable but slow; this may result in sub-optimal answers 293 being returned. Conversely, waiting too long will negatively impact 294 user experience. 296 The balance for the failure recheck timer is responsiveness in 297 detecting the renewed availability of authorities versus the extra 298 resource use for resolution. If this variable is set too large, 299 stale answers may continue to be returned even after the 300 authoritative server is reachable; per [RFC2308], Section 7, this 301 should be no more than five minutes. If this variable is too small, 302 authoritative servers may be rapidly hit with a significant amount of 303 traffic when they become reachable again. 305 Regarding the TTL to set on stale records in the response, 306 historically TTLs of zero seconds have been problematic for some 307 implementations, and negative values can't effectively be 308 communicated to existing software. Other very short TTLs could lead 309 to congestive collapse as TTL-respecting clients rapidly try to 310 refresh. The recommended value of 30 seconds not only sidesteps 311 those potential problems with no practical negative consequences, it 312 also rate limits further queries from any client that honors the TTL, 313 such as a forwarding resolver. 315 Another implementation consideration is the use of stale nameserver 316 addresses for lookups. This is mentioned explicitly because, in some 317 resolvers, getting the addresses for nameservers is a separate path 318 from a normal cache lookup. If authoritative server addresses are 319 not able to be refreshed, resolution can possibly still be successful 320 if the authoritative servers themselves are up. For instance, 321 consider an attack on a top-level domain that takes its nameservers 322 offline; serve-stale resolvers that had expired glue addresses for 323 subdomains within that TLD would still be able to resolve names 324 within those subdomains, even those it had not previously looked up. 326 The directive in Section 4 that only NoError and NXDomain responses 327 should invalidate any previously associated answer stems from the 328 fact that no other RCODEs which a resolver normally encounters makes 329 any assertions regarding the name in the question or any data 330 associated with it. This comports with existing resolver behavior 331 where a failed lookup (say, during pre-fetching) doesn't impact the 332 existing cache state. Some authoritative servers operators have said 333 that they would prefer stale answers to be used in the event that 334 their servers are responding with errors like ServFail instead of 335 giving true authoritative answers. Implementers MAY decide to return 336 stale answers in this situation. 338 Since the goal of serve-stale is to provide resiliency for all 339 obvious errors to refresh data, these other RCODEs are treated as 340 though they are equivalent to not getting an authoritative response. 341 Although NXDomain for a previously existing name might well be an 342 error, it is not handled that way because there is no effective way 343 to distinguish operator intent for legitimate cases versus error 344 cases. 346 During discussion in dnsop it was suggested that Refused from all 347 authorities should be treated, from a serve-stale perspective, as 348 though it were equivalent to NXDomain because it represents an 349 explicit signal to take down the zone from servers that still have 350 the zone's delegation pointed to them. Refused, however, is also 351 overloaded to mean multiple possible failures which could represent 352 transient configuration failures. Operational experience has shown 353 that purposely returning Refused is a poor way to achieve an explicit 354 takedown of a zone compared to either updating the delegation or 355 returning NXDomain with a suitable SOA for extended negative caching. 356 Implementers MAY nonetheless consider whether to treat all 357 authorities returning Refused as preempting the use of stale data. 359 7. Implementation Caveats 361 Stale data is used only when refreshing has failed in order to adhere 362 to the original intent of the design of the DNS and the behaviour 363 expected by operators. If stale data were to always be used 364 immediately and then a cache refresh attempted after the client 365 response has been sent, the resolver would frequently be sending data 366 that it would have had no trouble refreshing. As modern resolvers 367 use techniques like pre-fetching and request coalescing for 368 efficiency, it is not necessary that every client request needs to 369 trigger a new lookup flow in the presence of stale data, but rather 370 that a good-faith effort has been recently made to refresh the stale 371 data before it is delivered to any client. 373 It is important to continue the resolution attempt after the stale 374 response has been sent, until the query resolution timeout, because 375 some pathological resolutions can take many seconds to succeed as 376 they cope with unavailable servers, bad networks, and other problems. 377 Stopping the resolution attempt when the response with expired data 378 has been sent would mean that answers in these pathological cases 379 would never be refreshed. 381 The continuing prohibition against using data with a 0 second TTL 382 beyond the current transaction explicitly extends to it being 383 unusable even for stale fallback, as it is not to be cached at all. 385 Be aware that Canonical Name (CNAME) records mingled in the expired 386 cache with other records at the same owner name can cause surprising 387 results. This was observed with an initial implementation in BIND 388 when a hostname changed from having an IPv4 Address (A) record to a 389 CNAME. The version of BIND being used did not evict other types in 390 the cache when a CNAME was received, which in normal operations is 391 not a significant issue. However, after both records expired and the 392 authorities became unavailable, the fallback to stale answers 393 returned the older A instead of the newer CNAME. 395 8. Implementation Status 397 [RFC Editor: per RFC 6982 this section should be removed prior to 398 publication.] 400 The algorithm described in Section 5 was originally implemented as a 401 patch to BIND 9.7.0. It has been in production on Akamai's 402 production network since 2011, and effectively smoothed over 403 transient failures and longer outages that would have resulted in 404 major incidents. The patch was contributed to Internet Systems 405 Consortium and the functionality is now available in BIND 9.12 via 406 the options stale-answer-enable, stale-answer-ttl, and max-stale-ttl. 408 Unbound has a similar feature for serving stale answers, but will 409 respond with stale data immediately if it has recently tried and 410 failed to refresh the answer by pre-fetching. 412 Knot Resolver has a demo module here: https://knot- 413 resolver.readthedocs.io/en/stable/modules.html#serve-stale 415 Details of Apple's implementation are not currently known. 417 In the research paper "When the Dike Breaks: Dissecting DNS Defenses 418 During DDoS" [DikeBreaks], the authors detected some use of stale 419 answers by resolvers when authorities came under attack. Their 420 research results suggest that more widespread adoption of the 421 technique would significantly improve resiliency for the large number 422 of requests that fail or experience abnormally long resolution times 423 during an attack. 425 9. EDNS Option 427 During the discussion of serve-stale in the IETF dnsop working group, 428 it was suggested that an EDNS option should be available to either 429 explicitly opt-in to getting data that is possibly stale, or at least 430 as a debugging tool to indicate when stale data has been used for a 431 response. 433 The opt-in use case was rejected as the technique was meant to be 434 immediately useful in improving DNS resiliency for all clients. 436 The reporting case was ultimately also rejected as working group 437 participants determined that even the simpler version of a proposed 438 option was still too much bother to implement for too little 439 perceived value. 441 10. Security Considerations 443 The most obvious security issue is the increased likelihood of DNSSEC 444 validation failures when using stale data because signatures could be 445 returned outside their validity period. This would only be an issue 446 if the authoritative servers are unreachable, the only time the 447 techniques in this document are used, and thus does not introduce a 448 new failure in place of what would have otherwise been success. 450 Additionally, bad actors have been known to use DNS caches to keep 451 records alive even after their authorities have gone away. This 452 potentially makes that easier, although without introducing a new 453 risk. 455 In [CloudStrife] it was demonstrated how stale DNS data, namely 456 hostnames pointing to addresses that are no longer in use by the 457 owner of the name, can be used to co-opt security such as to get 458 domain-validated certificates fraudulently issued to an attacker. 459 While this RFC does not create a new vulnerability in this area, it 460 does potentially enlarge the window in which such an attack could be 461 made. An obvious mitigation is that not only should a certificate 462 authority not use a resolver that has this feature enabled, it should 463 probably not use a caching resolver at all and instead fully look up 464 each name freshly from the root. 466 11. Privacy Considerations 468 This document does not add any practical new privacy issues. 470 12. NAT Considerations 472 The method described here is not affected by the use of NAT devices. 474 13. IANA Considerations 476 There are no IANA considerations. 478 14. Acknowledgements 480 The authors wish to thank Robert Edmonds, Tony Finch, Bob Harold, 481 Tatuya Jinmei, Matti Klock, Jason Moreau, Giovane Moura, Jean Roy, 482 Mukund Sivaraman, Davey Song, Paul Vixie, Ralf Weber and Paul Wouters 483 for their review and feedback. 485 15. References 487 15.1. Normative References 489 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 490 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 491 . 493 [RFC1035] Mockapetris, P., "Domain names - implementation and 494 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 495 November 1987, . 497 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 498 Requirement Levels", BCP 14, RFC 2119, 499 DOI 10.17487/RFC2119, March 1997, 500 . 502 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 503 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 504 . 506 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS 507 NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, 508 . 510 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 511 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 512 May 2017, . 514 15.2. Informative References 516 [CloudStrife] 517 Borgolte, K., Fiebig, T., Hao, S., Kruegel, C., and G. 518 Vigna, "Cloud Strife: Mitigating the Security Risks of 519 Domain-Validated Certificates", ACM 2018 Applied 520 Networking Research Workshop, DOI 10.1145/3232755.3232859, 521 July 2018, . 525 [DikeBreaks] 526 Moura, G., Heidemann, J., Mueller, M., Schmidt, R., and M. 527 Davids, "When the Dike Breaks: Dissecting DNS Defenses 528 During DDos", ACM 2018 Internet Measurement Conference, 529 DOI 10.1145/3278532.3278534, October 2018, 530 . 532 [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 533 Terminology", RFC 7719, DOI 10.17487/RFC7719, December 534 2015, . 536 Authors' Addresses 538 David C Lawrence 539 Oracle 541 Email: tale@dd.org 543 Warren "Ace" Kumari 544 Google 545 1600 Amphitheatre Parkway 546 Mountain View CA 94043 547 USA 549 Email: warren@kumari.net 551 Puneet Sood 552 Google 554 Email: puneets@google.com