Network Working Group                                            P. Koch
Internet-Draft                                                  DENIC eG
Expires: August 30, 2007                               February 26, 2007

            Initializing a DNS Resolver with Priming Queries
                  draft-koch-dnsop-resolver-priming-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 30, 2007.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes the initial queries a DNS resolver is
   supposed to emit to initialize its cache with a current NS RRSet for
   the root zone as well as the necessary address information.

1.  Introduction

   Domain Name System (DNS) resolvers need a starting point to resolve
   queries. [RFC1034], section 5.3.2, defines the SBELT structure in a
   full resolver as:

      ``a "safety belt" structure of the same form as SLIST, which is
      initialized from a configuration file, and lists servers which
      should be used when the resolver doesn't have any local
      information to guide name server selection. The match count will
      be -1 to indicate that no labels are known to match.''

   Section 5.3.3 of [RFC1034] adds

      ``the usual choice is two of the root servers and two of the
      servers for the host's domain''

   Today's practice generally separates serving and resolving
   functionality, so the servers ``for the host's domain'' might no
   longer be an appropriate choice, even if they were only intended to
   resolve ``local'' names, especially since the SBELT structure does
   not distinguish between local and global information. In addition,
   DNS server implementations have for a long time been seeded with not
   only two but an exhaustive list of the root servers' addresses. This
   list is either supplied as a configuration file (root "hints", an
   excerpt of the DNS root zone) or even compiled into the software.

   The list of root name servers has been rather stable over the last
   ten years.
   After the last four servers had been added and moved to
   their final (network) destinations in 1997, there have been only
   three address changes affecting the L, J, and B servers. Research is
   available for B [Mann2006] and J [BLKT2004], which shows that several
   months or even years after the change had become effective, traffic
   is still received on the old addresses. Therefore it is important
   that resolvers be able to cope with change, even without relying upon
   updates to be applied by their operator.

   The recent work by the ICANN SSAC and RSSAC committees, [SSAC016] and
   [SSAC017], aiming at adding AAAA RRs for the root name servers'
   names, deals with priming queries and so does a draft on DNSSEC Trust
   Anchor maintenance [I-D.larson-dnsop-trust-anchor]. However, it
   turned out that despite having been practiced for a long time,
   priming queries have not yet been documented as an important resolver
   feature.

   The following sections cover parameters of both the priming query and
   the response to be sent by a root name server.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Comments should be sent to the IETF DNSOP WG mailing list.

2.  Parameters of a Priming Query

   This document only deals with QCLASS IN. A priming query SHOULD use
   a QNAME of "." and a QTYPE of NS. It SHOULD also use EDNS0 [RFC2671]
   and announce and handle a reassembly size of at least 1024 octets
   [RFC3226].

   A priming query MUST be sent over UDP (section 6.1.3.2 of [RFC1123]).
   The RD bit MUST NOT be set in the query.

2.1.  Target Selection

   A resolver MUST select the target for a priming query randomly from
   its list of available addresses and it MUST ensure that all targets
   are selected with equal probability even upon startup.
   For resending
   the priming query to a different server the random selection SHOULD
   also be used.

2.2.  DNSSEC with Priming Queries

   The resolver MAY choose to use DNSSEC OK [RFC4033], in which case it
   MUST announce and handle a message size of at least 1220 octets.

   Discussion: Delegations in referral responses are not signed, so
   following this model there would be no need to require a signed root
   NS RRSet and, equally important, signed A and AAAA RRSet for the root
   name servers' names. On the other hand, a poisoned priming response
   could drastically influence the resolver's operations. If the
   priming response should be secured by DNSSEC, then it should also be
   self contained, i.e., the whole validation chain should be present in
   the priming response. This might call for a different naming scheme
   (see section 5.1 of [I-D.koch-dns-glue-clarifications]).

2.3.  Repeating Priming Queries

   A resolver SHOULD NOT originate a priming query more often than once
   per day (or whenever it starts). It SHOULD adhere to the TTL values
   given in the priming response. {May be useful to proactively re-prime
   before the old root NS RRSet expires from the cache.}

3.  Expected Properties of a Priming Response

   The response can be expected to have an RCODE of NOERROR and the AA
   bit set. Also, there should be an NS RRSet in the answer section
   (since the NS RRSet originates from the root zone), an empty
   authority section and an additional section with A and AAAA RRSets
   for the root name servers pointed at by the NS RRSet. {Note that the
   number 13 does not appear here. It might be necessary to consider
   "internal" root server setups in split DNS configurations.}

3.1.  Use of the Priming Response

   A resolver MAY use the priming response as it would use any other
   data fed to its cache. However, it SHOULD NOT use the SBELT
   information directly in any responses it hands out.

3.2.  Completeness of the Response

   A resolver SHOULD consider the address information found in the
   additional section complete for any particular server that appears at
   all. In other words: if the additional section only has an A RRSet
   for a server, the resolver SHOULD assume that no AAAA RRSet exists.
   {This is a strawman only. TTL synchronization is an issue here.}

4.  Root Name Server Requirements

   The operational requirements for root name servers are described in
   [RFC2870].

   All DNS root name servers need to be able to provide for all
   addresses of all root name servers. This can easily be achieved by
   making all root name servers authoritative for the zone containing
   the servers' names. {At the time of writing, all but one root name
   server were authoritative for ROOT-SERVERS.NET.}

   If the response packet does not provide for more than 512 octets due
   to lack of EDNS0 support, AAAA RRSets should be omitted from the
   response. {What to do with small payloads indicated by EDNS0 is open
   to discussion.}

5.  Security Considerations

   This document deals with priming a DNS resolver's cache. The usual
   DNS caveats apply. Use of DNSSEC with priming queries is discussed
   in section 2.2.

   Spoofing a response to a priming query can be used to redirect all
   queries originating from a victim resolver, therefore any difference
   between the initial SBELT list and the priming response SHOULD be
   brought to the operators' attention. There is also a chance that the
   random target selection chooses the address of a retired root name
   server. Operational measures to prevent reuse of these addresses are
   out of the scope of this document.

   {This section needs more work.}

6.  IANA Considerations

   This document does not propose any new IANA registry nor does it ask
   for any allocation from an existing IANA registry.

   However, this document deals with requirements for the root zone and
   root server operations.

   {This section needs more work.}

7.  References

7.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
              and Support", STD 3, RFC 1123, October 1989.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
              RFC 2671, August 1999.

   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
              message size requirements", RFC 3226, December 2001.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

7.2.  Informative References

   [BLKT2004]
              Barber, P., Larson, M., Kosters, M., and P. Toscano, "Life
              and Times of J-Root", NANOG 32, October 2004.

   [I-D.koch-dns-glue-clarifications]
              Koch, P., "DNS Glue RR Survey and Terminology
              Clarification", draft-koch-dns-glue-clarifications-02
              (work in progress), October 2006.

   [I-D.larson-dnsop-trust-anchor]
              Larson, M. and O. Gudmundsson, "DNSSEC Trust Anchor
              Configuration and Maintenance",
              draft-larson-dnsop-trust-anchor-00 (work in progress),
              January 2007.

   [Mann2006]
              Manning, B., "persistent queries and phantom nameservers",
              WIDE/CAIDA Workshop, October 2006.

   [RFC2870]  Bush, R., Karrenberg, D., Kosters, M., and R. Plzak, "Root
              Name Server Operational Requirements", BCP 40, RFC 2870,
              June 2000.

   [SSAC016]  ICANN Security and Stability Advisory Committee, "Testing
              Firewalls for IPv6 and EDNS0 Support", SSAC 016,
              January 2007.

   [SSAC017]  ICANN Security and Stability Advisory Committee, "Testing
              Recursive Name Servers for IPv6 and EDNS0 Support",
              SSAC 017, February 2007.

Appendix A.  Document Revision History

   This section is to be removed should the draft be published.

A.1.  Initial Document

   First draft

Author's Address

   Peter Koch
   DENIC eG
   Wiesenhuettenplatz 26
   Frankfurt  60329
   DE

   Phone: +49 69 27235 0
   Email: pk@DENIC.DE

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).
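
Added example, not part of the draft: Python code that builds the priming query of Sections 2, 2.1 and 2.2 as raw wire format and lists where a captured query departs from those rules. The SBELT addresses are constructed documentation-range placeholders, and the function names are illustrative.

```python
import secrets
import struct

# Constructed SBELT addresses from documentation ranges (not real root servers).
SBELT = ["192.0.2.1", "192.0.2.2", "198.51.100.7", "2001:db8::53"]

def pick_target(addresses):
    """Section 2.1: every address equally likely, on startup and on resend."""
    return secrets.choice(addresses)

def build_priming_query(dnssec_ok=False):
    """Return the UDP payload of a priming query (Sections 2 and 2.2)."""
    size = 1220 if dnssec_ok else 1024           # minimum announced sizes
    header = struct.pack("!HHHHHH", secrets.randbits(16),
                         0x0000,                 # QR=0, OPCODE=QUERY, RD=0
                         1, 0, 0, 1)             # one question, one OPT RR
    question = b"\x00" + struct.pack("!HH", 2, 1)    # QNAME ".", NS, IN
    opt_ttl = 0x8000 if dnssec_ok else 0         # DO bit lives in the OPT TTL
    opt = b"\x00" + struct.pack("!HHIH", 41, size, opt_ttl, 0)
    return header + question + opt

def check_priming_query(wire):
    """List where a captured query departs from Sections 2 and 2.2.

    Assumes the layout build_priming_query() emits: one question followed
    directly by a single OPT record.
    """
    if len(wire) < 17:
        return ["truncated message"]
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", wire[:12])
    problems = []
    if flags & 0x0100:
        problems.append("RD bit set")
    if qdcount != 1 or wire[12:17] != b"\x00\x00\x02\x00\x01":
        problems.append("question is not ./IN/NS")
    if arcount != 1 or len(wire) < 28 or wire[17:20] != b"\x00\x00\x29":
        return problems + ["no EDNS0 OPT record"]
    size, opt_ttl = struct.unpack("!HI", wire[20:26])
    minimum = 1220 if opt_ttl & 0x8000 else 1024
    if size < minimum:
        problems.append("announced size %d below %d" % (size, minimum))
    return problems
```

The payload returned by build_priming_query() is what would be sent over UDP to pick_target(SBELT); check_priming_query() can be run over queries captured from a resolver under test.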
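
Added example, not part of the draft: Python code that audits an already-parsed priming response against the expectations of Sections 3 and 3.2 and reports every difference from the SBELT list, as Section 5 asks to be brought to the operator's attention. The dictionary layout, the names under .example and the documentation-range addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample data: names under .example and documentation-range
# addresses stand in for real root hints and a real priming response.
SBELT = {"a.roots.example.": ["192.0.2.1", "2001:db8::1"],
         "b.roots.example.": ["192.0.2.2"],
         "c.roots.example.": ["192.0.2.3"]}
RESPONSE = {"flags": 0x8400, "authority_count": 0,       # QR and AA set
            "answer_ns": ["a.roots.example.", "B.ROOTS.EXAMPLE.",
                          "d.roots.example."],
            "additional": [("a.roots.example.", "192.0.2.1"),
                           ("b.roots.example.", "198.51.100.2"),
                           ("d.roots.example.", "192.0.2.4")]}

def _addresses(pairs):
    """Map lower-cased owner name -> set of parsed A/AAAA addresses."""
    table = {}
    for owner, addr in pairs:
        table.setdefault(owner.lower(), set()).add(ipaddress.ip_address(addr))
    return table

def audit_priming_response(resp, sbelt):
    """Return findings for the operator (Sections 3, 3.2 and 5)."""
    out = []
    if resp["flags"] & 0x000F:
        out.append("RCODE %d, expected NOERROR" % (resp["flags"] & 0x000F))
    if not resp["flags"] & 0x0400:
        out.append("AA bit not set")
    if resp["authority_count"]:
        out.append("authority section not empty")
    ns = {name.lower() for name in resp["answer_ns"]}
    if not ns:
        out.append("no NS RRSet in answer section")
    learned = _addresses(resp["additional"])
    known = _addresses((n, a) for n, addrs in sbelt.items() for a in addrs)
    for name in sorted(ns - set(learned)):
        out.append(name + ": no address in additional section")
    for name in sorted(ns - set(known)):
        out.append(name + ": not in SBELT")
    for name in sorted(set(known) - ns):
        out.append(name + ": in SBELT, not in response")
    # Section 3.2: addresses shown for a server are taken as complete, so an
    # SBELT address missing for a server that does appear counts as a change.
    for name in sorted(ns & set(known) & set(learned)):
        for addr in sorted(learned[name] - known[name], key=str):
            out.append("%s: new address %s" % (name, addr))
        for addr in sorted(known[name] - learned[name], key=str):
            out.append("%s: SBELT address %s not in response" % (name, addr))
    return out
```

An empty result means the response matches the SBELT list; anything else is a line for the operator's log.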