idnits 2.17.1 draft-jabley-dnsop-refuse-any-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC1035, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). (Using the creation date from RFC1035, updated by this document, for RFC5378 checks: 1987-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 12, 2015) is 3118 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Abley 3 Internet-Draft Dyn, Inc. 4 Updates: 1035 (if approved) O. Gudmundsson 5 Intended status: Standards Track M. Majkowski 6 Expires: April 14, 2016 CloudFlare Inc. 7 October 12, 2015 9 Providing Minimal-Sized Responses to DNS Queries with QTYPE=ANY 10 draft-jabley-dnsop-refuse-any-01 12 Abstract 14 The Domain Name System (DNS) specifies a query type (QTYPE) "ANY". 15 The operator of an authoritative DNS server might choose not to 16 respond to such queries for reasons of local policy, motivated by 17 security, performance or other reasons. 19 The DNS specification does not include specific guidance for the 20 behaviour of DNS servers or clients in this situation. This document 21 aims to provide such guidance. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on April 14, 2016. 40 Copyright Notice 42 Copyright (c) 2015 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3. Motivations . . . . . . . . . . . . . . . . . . . . . . . . . 5 60 4. General Approach . . . . . . . . . . . . . . . . . . . . . . . 6 61 5. Behaviour of DNS Responders . . . . . . . . . . . . . . . . . 7 62 6. Behaviour of DNS Initiators . . . . . . . . . . . . . . . . . 8 63 7. HINFO Considerations . . . . . . . . . . . . . . . . . . . . . 9 64 8. Changes to RFC 1035 . . . . . . . . . . . . . . . . . . . . . 10 65 9. Security Considerations . . . . . . . . . . . . . . . . . . . 11 66 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 67 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 68 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 69 12.1. Normative References . . . . . . . . . . . . . . . . . . 14 70 12.2. Informative References . . . . . . . . . . . . . . . . . 14 71 Appendix A. Editorial Notes . . . . . . . . . . . . . . . . . . . 15 72 A.1. Venue . . . . . . . . . . . . . . . . . . . . . . . . . . 15 73 A.2. Change History . . . . . . . . . . . . . . . . . . . . . 15 74 A.2.1. draft-jabley-dnsop-refuse-any-01 . . . . . . . . . . . 15 75 A.2.2. draft-jabley-dnsop-refuse-any-00 . . . . . . . . . . . 15 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 78 1. Terminology 80 This document uses terminology specific to the Domain Name System 81 (DNS), descriptions of which can be found in 82 [I-D.ietf-dnsop-dns-terminology]. 84 In this document, "ANY Query" refers to a DNS query with QTYPE=ANY. 85 An "ANY Response" is a response to such a query. 87 In an exchange of DNS messages between two hosts, this document 88 refers to the host sending a DNS request as the initiator, and the 89 host sending a DNS response as the responder. 91 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 92 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this 93 document are to be interpreted as described in [RFC2119]. 95 2. Introduction 97 The Domain Name System (DNS) specifies a query type (QTYPE) "ANY". 98 The operator of an authoritative DNS server might choose not to 99 respond to such queries for reasons of local policy, motivated by 100 security, performance or other reasons. 102 The DNS specification [RFC1034] [RFC1035] does not include specific 103 guidance for the behaviour of DNS servers or clients in this 104 situation. This document aims to provide such guidance. 106 3. Motivations 108 ANY queries are legitimately used for debugging and checking the 109 state of a DNS server for a particular owner name. ANY queries are 110 sometimes used as a attempt to reduce the number of queries needed to 111 get information, e.g. to obtain MX, A and AAAA RRSets for a mail 112 domain in a single query, although there is no documented guidance 113 available for this use case and some implementations have been 114 observed that appear not to function as perhaps their developers 115 expected. 117 ANY queries are also frequently used to exploit the amplification 118 potential of DNS servers using spoofed source addresses and UDP 119 transport (see [RFC5358]). Having the ability to return small 120 responses to such queries makes DNS servers less attractive 121 amplifiers. 123 ANY queries are sometimes used to help mine authoritative-only DNS 124 servers for zone data, since they return all RRSets for a particular 125 owner name. A DNS zone maintainer might prefer not to send full ANY 126 responses to reduce the potential for such information leaks. 128 Some authoritative-only DNS server implementations require additional 129 processing in order to send a conventional ANY response, and avoiding 130 that processing expense may be desirable. 132 4. General Approach 134 This proposal provides a mechanism for an authority server to signal 135 that conventional ANY queries are not supported for a particular 136 QNAME, and to do so in such a way that is both compatible with and 137 triggers desirable behaviour by unmodified clients (e.g. DNS 138 resolvers). 140 Alternative proposals for dealing with ANY queries have been 141 discussed. One approach proposed using a new RCODE to signal that an 142 authortitaive server did not answer ANY queries in the standard way. 143 This approach was found to have an undesirable effect on both 144 resolvers and authoritative-only servers; resolvers receiving an 145 unknown RCODE caused them to re-send the same query to all available 146 authoritative servers, rather than suppress future such ANY queries 147 for the same QNAME. 149 This proposal avoids that outcome by returning a non-empty RRSet in 150 the ANY response, providing resolvers with something to cache and 151 effectively suppressing repeat queries to the same or different 152 authority servers. 154 This proposal specifies two different modes of behaviour by DNS 155 responders, and operators are free to choose whichever mechanism best 156 suits their environment. 158 1. A DNS responder may choose to search for an owner name that 159 matches the QNAME and, if that name owns multiple RRs, return 160 just one of them. 162 2. A DNS responder for whom a search for an owner name with an 163 existing resource record is expensive may instead synthesise an 164 HINFO resource record and return that instead. See Section 7 for 165 discussion of the use of HINFO. 167 5. Behaviour of DNS Responders 169 A DNS responder which receives an ANY query MAY decline to provide a 170 conventional response, and MAY instead send a response with a single 171 RRSet in the answer section. 173 The RRSet returned in the answer section of the response MAY be a 174 single RRSet owned by the name specified in the QNAME. Where 175 mulitple RRSets exist, the responder MAY choose a small one to reduce 176 its amplification potential. 178 If there is no CNAME present at the owner name matching the QNAME, 179 the resource record returned in the response MAY instead synthesised, 180 in which case a single HINFO resource record should be returned. The 181 CPU field of the HINFO RDATA SHOULD be set to RFCXXXX [note to RFC 182 Editor, replace with RFC number assigned to this document]. The OS 183 field of the HINFO RDATA SHOULD be set to the null string to minimise 184 the size of the response. 186 The TTL encoded for a synthesised RR SHOULD be chosen by the operator 187 of the DNS responder to be large enough to suppress frequent 188 subsequent ANY queries from the same initiator with the same QNAME, 189 understanding that a TTL that is too long might make policy changes 190 relating to ANY queries difficult to change in the future. The 191 specific value used is hence a familiar balance when choosing TTLs 192 for any RR in any zone, and should be specified according to local 193 policy. 195 If the DNS query includes DO=1 and the QNAME corresponds to a zone 196 that is known by the responder to be signed, a valid RRSIG for the 197 RRSets in the answer section MUST be returned. 199 Except as described in this section, the DNS responder MUST follow 200 the standard algorithms when constructing a response. 202 6. Behaviour of DNS Initiators 204 XXX consider whether separate text here is required depending on 205 whether the initiator is a non-caching stub resolver or a caching 206 recursive resolver. 208 A DNS initator which sends a query with QTYPE=ANY and receives a 209 response containing an HINFO, as described in Section 5, MAY cache 210 the HINFO response in the normal way. Such cached HINFO resource 211 records SHOULD be retained in the cache following normal caching 212 semantics, as it would with any other response received from a DNS 213 responder. 215 A DNS initiator MAY suppress queries with QTYPE=ANY in the event that 216 the local cache contains a matching HINFO resource record with 217 RDATA.CPU field, as described in Section 5. 219 7. HINFO Considerations 221 In the case where a zone that contains HINFO RRSets is served from an 222 authority server that does not provide conventional ANY responses, it 223 is possible that the HINFO RRSet in an ANY response, once cached by 224 the initiator, might suppress subsequent queries from the same 225 initiator with QTYPE=HINFO. The use of HINFO in this proposal would 226 hence have effectively masked the HINFO RRSet present in the zone. 228 Authority-server operators who serve zones that rely upon 229 conventional use of the HINFO RRType might sensibly choose not to 230 deploy the mechanism described in this document. 232 The HINFO RRType is believed to be rarely used in the DNS at the time 233 of writing, based on observations made both at recursive servers and 234 authority servers. 236 8. Changes to RFC 1035 238 It is important to note that returning a subset of available RRSets 239 when processing an ANY query is legitimate and consistent with 240 [RFC1035]; ANY does not mean ALL. 242 This document describes optional behaviour for both DNS initators and 243 responders, and implementation of the guidance provided by this 244 document is OPTIONAL. 246 9. Security Considerations 248 Queries with QTYPE=ANY are frequently observed as part of reflection 249 attacks, since a relatively small query can be used to elicit a large 250 response; this is a desirable characteristic if the goal is to 251 maximise the amplification potential of a DNS server as part of a 252 volumetric attack. The ability of a DNS operator to suppress such 253 responses on a particular server makes that server a less useful 254 amplifier. 256 The optional behaviour described in this document to reduce the size 257 of responses to queries with QTYPE=ANY is compatible with the use of 258 DNSSEC by both initiator and responder. 260 10. IANA Considerations 262 This document has no IANA actions. 264 11. Acknowledgements 266 Evan Hunt and David Lawrence provided valuable observations. 268 12. References 270 12.1. Normative References 272 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 273 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 274 . 276 [RFC1035] Mockapetris, P., "Domain names - implementation and 277 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 278 November 1987, . 280 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 281 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 282 RFC2119, March 1997, 283 . 285 12.2. Informative References 287 [I-D.ietf-dnsop-dns-terminology] 288 Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 289 Terminology", draft-ietf-dnsop-dns-terminology-05 (work in 290 progress), September 2015. 292 [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive 293 Nameservers in Reflector Attacks", BCP 140, RFC 5358, 294 DOI 10.17487/RFC5358, October 2008, 295 . 297 Appendix A. Editorial Notes 299 This section (and sub-sections) to be removed prior to publication. 301 A.1. Venue 303 An appropriate forum for discussion of this draft is the dnsop 304 working group. 306 A.2. Change History 308 A.2.1. draft-jabley-dnsop-refuse-any-01 310 Make signing of RRSets in answers from signed zones mandatory. 312 Document the option of returning an existing RRSet in place of a 313 synthesised one. 315 A.2.2. draft-jabley-dnsop-refuse-any-00 317 Initial draft circulated for comment. 319 Authors' Addresses 321 Joe Abley 322 Dyn, Inc. 323 103-186 Albert Street 324 London, ON N6A 1M1 325 Canada 327 Phone: +1 519 670 9327 328 Email: jabley@dyn.com 330 Olafur Gudmundsson 331 CloudFlare Inc. 333 Email: olafur@cloudflare.com 335 Marek Majkowski 336 CloudFlare Inc. 338 Email: marek@cloudflare.com