idnits 2.17.1 draft-kristoff-dnsop-dns-tcp-requirements-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 13, 2017) is 2599 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2541 (Obsoleted by RFC 4641) -- Obsolete informational reference (is this intentional?): RFC 2671 (Obsoleted by RFC 6891) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Domain Name System Operations J. Kristoff 3 Internet-Draft DePaul University 4 Intended status: Best Current Practice March 13, 2017 5 Expires: September 14, 2017 7 DNS Transport over TCP - Operational Requirements 8 draft-kristoff-dnsop-dns-tcp-requirements-02 10 Abstract 12 This document encourages the practice of permitting DNS messages to 13 be carried over TCP on the Internet. It also describes some of the 14 consequences of this behavior and the potential operational issues 15 that can arise when this best common practice is not upheld. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on September 14, 2017. 34 Copyright Notice 36 Copyright (c) 2017 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 52 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 53 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 2.1. Uneven Transport Usage and Preference . . . . . . . . . . 3 55 2.2. Waiting for Large Messages and Reliability . . . . . . . 3 56 2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 2.4. "Only Zone Tranfers Use TCP" . . . . . . . . . . . . . . 5 58 3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 5 59 4. Network and System Considerations . . . . . . . . . . . . . . 6 60 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 6 61 6. Standards Related to DNS Transport over TCP . . . . . . . . . 6 62 6.1. TODO - additional, relevant RFCs . . . . . . . . . . . . 6 63 6.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 6 64 6.3. IETF RFC 7766 - DNS Transport over TCP - Implementation 65 Requirements . . . . . . . . . . . . . . . . . . . . . . 7 66 6.4. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option . . . 7 67 6.5. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 7 68 6.6. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 7 69 6.7. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 7 70 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 71 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 72 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 73 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 74 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 75 10.2. Informative References . . . . . . . . . . . . . . . . . 9 76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 78 1. Introduction 80 DNS messages may be delivered using UDP or TCP communications. While 81 most DNS transactions are carried over UDP, some operators have been 82 led to believe that any DNS over TCP traffic is unwanted or 83 unnecessary for general DNS operation. As usage and features have 84 evolved, TCP transport has become increasingly important for correct 85 and safe operation of the Internet DNS. Reflecting modern usage, the 86 DNS standards were recently updated to declare support for TCP is now 87 a required part of the DNS implementation specifications in 88 [RFC7766]. This document is the formal requirements equivalent for 89 the operational community, encouraging operators to ensure DNS over 90 TCP communications support is on par with DNS over UDP 91 communications. 93 1.1. Requirements Language 95 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 96 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 97 document are to be interpreted as described in RFC 2119 [RFC2119]. 99 2. Background 101 2.1. Uneven Transport Usage and Preference 103 In the original suite of DNS specifications, [RFC1034] and [RFC1035] 104 clearly specified that DNS messages could be carried in either UDP or 105 TCP, but they also made clear a preference for UDP as the transport 106 for queries in the general case. As stated in [RFC1035]: 108 "While virtual circuits can be used for any DNS activity, 109 datagrams are preferred for queries due to their lower overhead 110 and better performance." 112 Another early, important, and influential document, [RFC1123], 113 detailed the preference for UDP more explicitly: 115 "DNS resolvers and recursive servers MUST support UDP, and SHOULD 116 support TCP, for sending (non-zone-transfer) queries." 118 and further stipulated: 120 A name server MAY limit the resources it devotes to TCP queries, 121 but it SHOULD NOT refuse to service a TCP query just because it 122 would have succeeded with UDP. 124 Culminating in [RFC1536], DNS over TCP came to be associated 125 primarily with the zone transfer mechanism, while most DNS queries 126 and responses were seen as the dominion of UDP. 128 2.2. Waiting for Large Messages and Reliability 130 As stipulated in the original specifications, DNS messages over UDP 131 were restricted to a 512-byte message size. However, even while 132 [RFC1123] made a clear preference for UDP, it foresaw DNS over TCP 133 becoming more popular in the future: 135 "[...] it is also clear that some new DNS record types defined in 136 the future will contain information exceeding the 512 byte limit 137 that applies to UDP, and hence will require TCP. 139 At least two new, widely anticipated developments were set to elevate 140 the need for DNS over TCP transactions. The first was dynamic 141 updates defined in [RFC2136] and the second was the set of extensions 142 collectively known as DNSSEC originally specified in [RFC2541]. The 143 former suggested "requestors who require an accurate response code 144 must use TCP", while the later warned "[...] larger keys increase the 145 size of KEY and SIG RRs. This increases the chance of DNS UDP packet 146 overflow and the possible necessity for using higher overhead TCP in 147 responses." 149 Yet defying some expectations, DNS over TCP remained little used in 150 real traffic across the Internet. Dynamic updates saw little 151 deployment between autonomous networks. Around the time DNSSEC was 152 first defined, another new feature affecting DNS over UDP helped 153 solidify its dominance for message transactions. 155 2.3. EDNS0 157 In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0) 158 in [RFC2671]. This document standardized a way for communicating DNS 159 nodes to perform rudimentary capabilities negotiation. One such 160 capability written into the base specification and present in every 161 ENDS0 compatible message is the value of the maximum UDP payload size 162 the sender can support. This unsigned 16-bit field specifies in 163 bytes the maximum DNS MTU. In practice, typical values are a subset 164 of the 512 to 4096 byte range. EDNS0 was rapidly and widely deployed 165 over the next several years and numerous surveys have shown many 166 systems currently support larger UDP MTUs [CASTRO2010], [NETALYZR] 167 with EDNS0. 169 The natural effect of EDNS0 deployment meant large DNS messages would 170 be less reliant on TCP than they might otherwise have been. While a 171 nonneglible population of DNS systems lack EDNS0 or may still fall 172 back to TCP for some transactions, DNS over TCP transactions remain a 173 very small fraction of overall DNS traffic [VERISIGN]. Nevertheless, 174 some average increase in DNS message size, the continued development 175 of new DNS features and a denial of service mitigation technique (see 176 Section 9) have suggested that DNS over TCP transactions are as 177 important to the correct and safe operation of the Internet DNS as 178 ever, if not more so. Furthermore, there has been serious research 179 that has suggested connection-oriented DNS transactions may provide 180 security and privacy advantages over UDP transport [TDNS]. In fact, 181 [RFC7858], a Standards Track document is just this sort of 182 specification. Therefore, it might be desirable for network 183 operators to avoid artificially inhibiting the potential utility and 184 advances in the DNS such as these. 186 2.4. "Only Zone Tranfers Use TCP" 188 Even while many in the DNS community expect DNS over TCP transactions 189 to occur without interference, in practice there has been a long held 190 belief by some operators, particularly for security-related reasons, 191 to the contrary [CHES94], [DJBDNS]. A popular meme has also held the 192 imagination of some that DNS over TCP is only ever used for zone 193 transfers and is generally unnecessary otherwise, with filtering all 194 DNS over TCP traffic even described as a best practice. Arguably any 195 exposed Internet service poses some risk, but this reasoning is often 196 invalid. 198 3. DNS over TCP Requirements 200 Section 6.1.3.2 in [RFC1123] is updated: All general-purpose DNS 201 servers MUST be able to service both UDP and TCP queries. 203 o Authoritative servers MUST service TCP queries so that they do not 204 limit the size of responses to what fits in a single UDP packet. 206 o Recursive servers (or forwarders) MUST service TCP queries so that 207 they do not prevent large responses from a TCP-capable server from 208 reaching its TCP-capable clients. 210 Regarding the choice of limiting the resources a server devotes to 211 queries, Section 6.1.3.2 in [RFC1123] also says: 213 A name server MAY limit the resources it devotes to TCP queries, 214 but it SHOULD NOT refuse to service a TCP query just because it 215 would have succeeded with UDP. 217 This requirement is hereby updated: A name server MAY limit the the 218 resources it devotes to queries, but it MUST NOT refuse to service a 219 query just because it would have succeeded with another transport 220 protocol. 222 DNS over TCP filtering is considered harmful in the general case. 223 DNS resolver and server operators MUST provide DNS service over both 224 UDP and TCP transports. Likewise, network operators MUST allow DNS 225 service over both UDP and TCP transports. It must be acknowledged 226 that DNS over TCP service can pose operational challenges that are 227 not present when running DNS over UDP alone. However, it is the aim 228 of this document to argue that the potential damage incurred by 229 prohibiting DNS over TCP service is more detrimental to the continued 230 utility and success of the DNS than when its usage is allowed. 232 4. Network and System Considerations 234 TODO: refer to IETF RFC 7766 connection handling discussion, various 235 TCP hardening documents, network operator protocol and traffic best 236 practices, etc. 238 5. DNS over TCP Filtering Risks 240 Networks that filter DNS over TCP may inadvertently cause problems 241 for third party resolvers as experienced by [TOYAMA]. If for 242 instance a resolver receives a truncated answer from a server, but if 243 when the resolver resends the query using TCP and the TCP response 244 never arrives, the resolver will incur the full extent of TCP 245 retransmissions and time outs. 247 Networks that filter DNS over TCP risk losing access to significant 248 or important pieces of the DNS name space. For a variety of reasons 249 a DNS answer may require a DNS over TCP query. This may include 250 large message sizes, lack of EDNS0 support, DDoS mitigation 251 techniques, or perhaps some future capability that is as yet 252 unforeseen will also demand TCP transport. 254 Even if any or all particular answers have consistently been returned 255 successfully with UDP in the past, this continued behavior cannot be 256 guaranteed when DNS messages are exchanged between autonomous 257 systems. Therefore, filtering of DNS over TCP is considered harmful 258 and contrary to the safe and successful operation of the Internet. 260 6. Standards Related to DNS Transport over TCP 262 This section enumerates all known IETF RFC documents that are 263 currently of status standard, informational, best common practice or 264 experimental and either implicitly or explicitly make assumptions or 265 statements about the use of TCP as a transport for the DNS germane to 266 this document. 268 6.1. TODO - additional, relevant RFCs 270 6.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS 272 This standards track document [RFC7477] specifies a RRType and 273 protocol to signal and synchronize NS, A, and AAAA resource record 274 changes from a child to parent zone. Since this protocol may require 275 multiple requests and responses, it recommends utilizing DNS over TCP 276 to ensure the conversation takes place between a consistent pair of 277 end nodes. 279 6.3. IETF RFC 7766 - DNS Transport over TCP - Implementation 280 Requirements 282 The standards track document [RFC7766] is might be considered the 283 direct ancestor of this operational requirements document. The 284 implementation requirements document codifies mandatory support for 285 DNS over TCP in compliant DNS software. 287 6.4. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option 289 This standards track document [RFC7828] defines an EDNS0 option to 290 negotiate an idle timeout value for long-lived DNS over TCP 291 connections. Consequently, this document is only applicable and 292 relevant to DNS over TCP sessions and between implementations that 293 support this option. 295 6.5. IETF RFC 7873 - Domain Name System (DNS) Cookies 297 This standards track document [RFC7873] describes an EDNS0 option to 298 provide additional protection against query and answer forgery. This 299 specification mentions DNS over TCP as a reasonable fallback 300 mechanism when DNS Cookies are not available. The specification does 301 make mention of DNS over TCP processing in two specific situations. 302 In one, when a server receives only a client cookie in a request, the 303 server should consider whether the request arrived over TCP and if 304 so, it should consider accept TCP as sufficient to authenticate the 305 request and respond accordingly. In another, when a client receives 306 a BADCOOKIE reply using a fresh server cookie, the client should 307 retry using TCP as the transport. 309 6.6. IETF RFC 7901 - CHAIN Query Requests in DNS 311 This experimental specification [RFC7901] describes an EDNS0 option 312 that can be used by a security-aware validating resolver to request 313 and obtain a complete DNSSEC validation path for any single query. 314 This document requires the use of DNS over TCP or a source IP address 315 verified transport mechanism such as EDNS-COOKIE.[RFC7873] 317 6.7. IETF RFC 8027 - DNSSEC Roadblock Avoidance 319 This document [RFC8027] details observed problems with DNSSEC 320 deployment and mitigation techniques. Network traffic blocking and 321 restrictions, including DNS over TCP messages, are highlighted as one 322 reason for DNSSEC deployment issues. While this document suggests 323 these sorts of problems are due to "non-compliant infrastructure" and 324 is of type BCP, the scope of the document is limited to detection and 325 mitigation techniques to avoid so-called DNSSEC roadblocks. 327 7. Acknowledgements 329 This document was initially motivated by feedback from students who 330 pointed out that they were hearing contradictory information about 331 filtering DNS over TCP messages. Thanks in particular to my teaching 332 colleague, JPL, who perhaps unknowingly encouraged the initial 333 research into the differences of what the IETF community has 334 historically said and did. Thanks to all the NANOG 63 attendees who 335 provided feedback to an early talk on this subject. 337 The following individuals provided an array of feedback to help 338 improve this document: Bob Harold, Paul Hoffman, and Sara Dickinson. 339 The author is indebted to their contributions. Any remaining errors 340 or imperfections are the sole responsbility of the document author. 342 8. IANA Considerations 344 This memo includes no request to IANA. 346 9. Security Considerations 348 Ironically, returning truncated DNS over UDP answers in order to 349 induce a client query to switch to DNS over TCP has become a common 350 response to source address spoofed, DNS denial-of-service attacks 351 [RRL]. Historically, operators have been wary of TCP-based attacks, 352 but in recent years, UDP-based flooding attacks have proven to be the 353 most common protocol attack on the DNS. Nevertheless, a high rate of 354 short-lived DNS transactions over TCP may pose challenges. While 355 many operators have provided DNS over TCP service for many years 356 without duress, past experience is no guarantee of future success. 358 DNS over TCP is not unlike many other Internet TCP services. TCP 359 threats and many mitigation strategies have been well documented in a 360 series of documents such as [RFC4953], [RFC4987], [RFC5927], and 361 [RFC5961]. 363 10. References 365 10.1. Normative References 367 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 368 Requirement Levels", BCP 14, RFC 2119, 369 DOI 10.17487/RFC2119, March 1997, 370 . 372 10.2. Informative References 374 [CASTRO2010] 375 Castro, S., Zhang, M., John, W., Wessels, D., and k. 376 claffy, "Understanding and preparing for DNS evolution", 377 2010. 379 [CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet 380 Security: Repelling the Wily Hacker", 1994. 382 [DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002, 383 . 385 [NETALYZR] 386 Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson, 387 "Netalyzr: Illuminating The Edge Network", 2010. 389 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 390 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 391 . 393 [RFC1035] Mockapetris, P., "Domain names - implementation and 394 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 395 November 1987, . 397 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - 398 Application and Support", STD 3, RFC 1123, 399 DOI 10.17487/RFC1123, October 1989, 400 . 402 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. 403 Miller, "Common DNS Implementation Errors and Suggested 404 Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993, 405 . 407 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 408 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 409 RFC 2136, DOI 10.17487/RFC2136, April 1997, 410 . 412 [RFC2541] Eastlake 3rd, D., "DNS Security Operational 413 Considerations", RFC 2541, DOI 10.17487/RFC2541, March 414 1999, . 416 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 417 RFC 2671, DOI 10.17487/RFC2671, August 1999, 418 . 420 [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", 421 RFC 4953, DOI 10.17487/RFC4953, July 2007, 422 . 424 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 425 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 426 . 428 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, 429 DOI 10.17487/RFC5927, July 2010, 430 . 432 [RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's 433 Robustness to Blind In-Window Attacks", RFC 5961, 434 DOI 10.17487/RFC5961, August 2010, 435 . 437 [RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS", 438 RFC 7477, DOI 10.17487/RFC7477, March 2015, 439 . 441 [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and 442 D. Wessels, "DNS Transport over TCP - Implementation 443 Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, 444 . 446 [RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The 447 edns-tcp-keepalive EDNS0 Option", RFC 7828, 448 DOI 10.17487/RFC7828, April 2016, 449 . 451 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 452 and P. Hoffman, "Specification for DNS over Transport 453 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 454 2016, . 456 [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) 457 Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, 458 . 460 [RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, 461 DOI 10.17487/RFC7901, June 2016, 462 . 464 [RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy, 465 "DNSSEC Roadblock Avoidance", BCP 207, RFC 8027, 466 DOI 10.17487/RFC8027, November 2016, 467 . 469 [RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting 470 (DNS RRL)", ISC-TN 2012-1 Draft1, April 2012. 472 [TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N. 473 Somaiya, "Connection-oriented DNS to Improve Privacy and 474 Security", 2015. 476 [TOYAMA] Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and 477 K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache 478 Servers", NANOG 32 Reston, VA USA, 2004. 480 [VERISIGN] 481 Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in 482 Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los 483 Angeles, 2014. 485 Author's Address 487 John Kristoff 488 DePaul University 489 Chicago, IL 490 US 492 Phone: +1 312 493 0305 493 Email: jtk@depaul.edu