idnits 2.17.1 draft-jabley-dnsop-refuse-any-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC1035, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). (Using the creation date from RFC1035, updated by this document, for RFC5378 checks: 1987-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 30, 2015) is 3130 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Abley 3 Internet-Draft Dyn, Inc. 4 Updates: 1035 (if approved) O. Gudmundsson 5 Intended status: Standards Track M. Majkowski 6 Expires: April 2, 2016 CloudFlare Inc. 7 September 30, 2015 9 Providing Minimal-Sized Responses to DNS Queries with QTYPE=ANY 10 draft-jabley-dnsop-refuse-any-00 12 Abstract 14 The Domain Name System (DNS) specifies a query type (QTYPE) "ANY". 15 The operator of an authoritative DNS server might choose not to 16 respond to such queries for reasons of local policy, motivated by 17 security, performance or other reasons. 19 The DNS specification does not include specific guidance for the 20 behaviour of DNS servers or clients in this situation. This document 21 aims to provide such guidance. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on April 2, 2016. 40 Copyright Notice 42 Copyright (c) 2015 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3. Motivations . . . . . . . . . . . . . . . . . . . . . . . . . 5 60 4. General Approach . . . . . . . . . . . . . . . . . . . . . . . 6 61 5. Behaviour of DNS Responders . . . . . . . . . . . . . . . . . 7 62 6. Behaviour of DNS Initiators . . . . . . . . . . . . . . . . . 8 63 7. HINFO Considerations . . . . . . . . . . . . . . . . . . . . . 9 64 8. Changes to RFC 1035 . . . . . . . . . . . . . . . . . . . . . 10 65 9. Security Considerations . . . . . . . . . . . . . . . . . . . 11 66 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 67 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 68 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 69 12.1. Normative References . . . . . . . . . . . . . . . . . . 14 70 12.2. Informative References . . . . . . . . . . . . . . . . . 14 71 Appendix A. Editorial Notes . . . . . . . . . . . . . . . . . . . 15 72 A.1. Venue . . . . . . . . . . . . . . . . . . . . . . . . . . 15 73 A.2. Change History . . . . . . . . . . . . . . . . . . . . . 15 74 A.2.1. draft-jabley-dnsop-ordered-answers-00 . . . . . . . . 15 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 77 1. Terminology 79 This document uses terminology specific to the Domain Name System 80 (DNS), descriptions of which can be found in 81 [I-D.ietf-dnsop-dns-terminology]. 83 In this document, "ANY Query" refers to a DNS query with QTYPE=ANY. 84 An "ANY Response" is a response to such a query. 86 In an exchange of DNS messages between two hosts, this document 87 refers to the host sending a DNS request as the initiator, and the 88 host sending a DNS response as the responder. 90 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 91 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this 92 document are to be interpreted as described in [RFC2119]. 94 2. Introduction 96 The Domain Name System (DNS) specifies a query type (QTYPE) "ANY". 97 The operator of an authoritative DNS server might choose not to 98 respond to such queries for reasons of local policy, motivated by 99 security, performance or other reasons. 101 The DNS specification [RFC1034] [RFC1035] does not include specific 102 guidance for the behaviour of DNS servers or clients in this 103 situation. This document aims to provide such guidance. 105 3. Motivations 107 ANY queries are legitimately used for debugging and checking the 108 state of a DNS server for a particular owner name. ANY queries are 109 sometimes used as a attempt to reduce the number of queries needed to 110 get information, e.g. to obtain MX, A and AAAA RRSets for a mail 111 domain in a single query, although there is no documented guidance 112 available for this use case and some implementations have been 113 observed that appear not to function as perhaps their developers 114 expected. 116 ANY queries are also frequently used to exploit the amplification 117 potential of DNS servers using spoofed source addresses and UDP 118 transport (see [RFC5358]). Having the ability to return small 119 responses to such queries makes DNS servers less attractive 120 amplifiers. 122 ANY queries are sometimes used to help mine authoritative-only DNS 123 servers for zone data, since they return all RRSets for a particular 124 owner name. A DNS zone maintainer might prefer not to send 125 conventional ANY responses to reduce the potential for such 126 information leaks. 128 Some authoritative-only DNS server implementations require additional 129 processing in order to send a conventional ANY response, and avoiding 130 that processing expense may be desirable. 132 4. General Approach 134 This proposal provides a mechanism for an authority server to signal 135 that conventional ANY queries are not supported for a particular 136 QNAME, and to do so in such a way that is both compatible with and 137 triggers desirable behaviour by unmodified clients (e.g. DNS 138 resolvers). 140 Alternative proposals for dealing with ANY queries have been 141 discussed. One approach proposed using a new RCODE to signal that an 142 authortitaive server did not answer ANY queries in the standard way. 143 This approach was found to have an undesirable effect on both 144 resolvers and authoritative-only servers; resolvers receiving an 145 unknown RCODE caused them to re-send the same query to all available 146 authoritative servers, rather than suppress future such ANY queries 147 for the same QNAME. 149 This proposal avoids that outcome by returning a non-empty RRSet in 150 the ANY response, providing resolvers with something to cache and 151 effectively suppressing repeat queries to the same or different 152 authority servers. 154 This proposal makes use of the HINFO RRType rather than specifying a 155 new RRType. This is intended both to facilitate desired behaviour by 156 initators who might otherwise struggle to deal correctly with new 157 RRTypes, but also because in a general sense the signalling from 158 responder to initiator is providing some information about the 159 responding host, which seems in keeping with the originally-imagined 160 use of HINFO. See also Section 7. 162 5. Behaviour of DNS Responders 164 A DNS responder which receives an ANY query MAY decline to provide a 165 conventional response, and instead send a response with a single 166 HINFO resource record in the answer section. The CPU field of the 167 HINFO RDATA SHOULD be set to RFCXXXX [note to RFC Editor, replace 168 with RFC number assigned to this document]. The OS field of the 169 HINFO RDATA SHOULD be set to the null string to minimise the size of 170 the response. 172 The TTL encoded for the HINFO RR SHOULD be chosen by the operator of 173 the DNS responder to be large enough to suppress frequent subsequent 174 ANY queries from the same initiator with the same QNAME, 175 understanding that a TTL that is too long might make policy changes 176 relating to ANY queries difficult to change in the future. The 177 specific value used is hence a familiar balance when choosing TTLs 178 for any RR in any zone, and should be specified according to local 179 policy. 181 If the DNS query includes DO=1 and the QNAME corresponds to a zone 182 that is known by the responder to be signed, valid RRSIG resource 183 records MAY be returned. However, the responder MAY return an 184 unsigned answer; a validating initiator that sends a subsequent 185 explicit query with QTYPE=HINFO will receive a signed proof that the 186 HINFO does not exist or a signed HINFO RRSet, either of which can be 187 cached to suppress repeated queries. 189 Except as described in this section, the DNS responder MUST follow 190 the standard algorithms when constructing a response. 192 6. Behaviour of DNS Initiators 194 XXX consider whether separate text here is required depending on 195 whether the initiator is a non-caching stub resolver or a caching 196 recursive resolver. 198 A DNS initator which sends a query with QTYPE=ANY and receives a 199 response containing an HINFO, as described in Section 5, MAY cache 200 the HINFO response in the normal way. Such cached HINFO resource 201 records SHOULD be retained in the cache following normal caching 202 semantics, as it would with any other response received from a DNS 203 responder. 205 A DNS initiator MAY suppress queries with QTYPE=ANY in the event that 206 the local cache contains a matching HINFO resource record with 207 RDATA.CPU as described in Section 5. 209 7. HINFO Considerations 211 In the case where a zone that contains HINFO RRSets is served from an 212 authority server that does not provide conventional ANY responses, it 213 is possible that the HINFO RRSet in an ANY response, once cached by 214 the initiator, might suppress subsequent queries from the same 215 initiator with QTYPE=HINFO. The use of HINFO in this proposal would 216 hence have effectively masked the HINFO RRSet present in the zone. 218 Authority-server operators who serve zones that rely upon 219 conventional use of the HINFO RRType might sensibly choose not to 220 deploy the mechanism described in this document. 222 The HINFO RRType is believed to be rarely used in the DNS at the time 223 of writing, based on observations made both at recursive servers and 224 authority servers. 226 8. Changes to RFC 1035 228 It is important to note that returning a subset of available RRSets 229 when processing an ANY query is legitimate and consistent with 230 [RFC1035]; ANY does not mean ALL. 232 This document describes optional behaviour for both DNS initators and 233 responders, and implementation of the guidance provided by this 234 document is OPTIONAL. 236 XXX more words here about any updates implied to RFC 1035, or delete 237 the section if it turns out that, in the final analysis, there are 238 none. 240 9. Security Considerations 242 Queries with QTYPE=ANY are frequently observed as part of reflection 243 attacks, since a relatively small query can be used to elicit a large 244 response; this is a desirable characteristic if the goal is to 245 maximise the amplification potential of a DNS server as part of a 246 volumetric attack. The ability of a DNS operator to suppress such 247 responses on a particular server makes that server a less useful 248 amplifier. 250 The optional behaviour described in this document to reduce the size 251 of responses to queries with QTYPE=ANY is compatible with the use of 252 DNSSEC by both initiator and responder. 254 10. IANA Considerations 256 This document has no IANA actions. 258 11. Acknowledgements 260 Your name here, etc. 262 12. References 264 12.1. Normative References 266 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 267 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 268 . 270 [RFC1035] Mockapetris, P., "Domain names - implementation and 271 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 272 November 1987, . 274 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 275 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 276 RFC2119, March 1997, 277 . 279 12.2. Informative References 281 [I-D.ietf-dnsop-dns-terminology] 282 Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 283 Terminology", draft-ietf-dnsop-dns-terminology-05 (work in 284 progress), September 2015. 286 [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive 287 Nameservers in Reflector Attacks", BCP 140, RFC 5358, 288 DOI 10.17487/RFC5358, October 2008, 289 . 291 Appendix A. Editorial Notes 293 This section (and sub-sections) to be removed prior to publication. 295 A.1. Venue 297 An appropriate forum for discussion of this draft is the dnsop 298 working group. 300 A.2. Change History 302 A.2.1. draft-jabley-dnsop-ordered-answers-00 304 Initial draft circulated for comment. 306 Authors' Addresses 308 Joe Abley 309 Dyn, Inc. 310 103-186 Albert Street 311 London, ON N6A 1M1 312 Canada 314 Phone: +1 519 670 9327 315 Email: jabley@dyn.com 317 Olafur Gudmundsson 318 CloudFlare Inc. 320 Email: olafur@cloudflare.com 322 Marek Majkowski 323 CloudFlare Inc. 325 Email: marek@cloudflare.com