idnits 2.17.1 draft-song-atr-large-resp-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([ATR-Github]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 10, 2017) is 2413 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'Not-speak-TCP' is defined on line 292, but no explicit reference was found in the text == Unused Reference: 'SAC016' is defined on line 325, but no explicit reference was found in the text == Unused Reference: 'SAC035' is defined on line 328, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2671 (Obsoleted by RFC 6891) Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force L. Song 3 Internet-Draft Beijing Internet Institute 4 Intended status: Informational September 10, 2017 5 Expires: March 14, 2018 7 ATR: Additional Truncated Response for Large DNS Response 8 draft-song-atr-large-resp-00 10 Abstract 12 As the increasing use of DNSSEC and IPv6, there are more public 13 evidence and concerns on IPv6 fragmentation issues due to larger DNS 14 payloads over IPv6. This memo introduces an simple improvement on 15 authoritative server by replying additional truncated response just 16 after the normal large response. 18 REMOVE BEFORE PUBLICATION: The source of the document with test 19 script is currently placed at GitHub [ATR-Github]. Comments and pull 20 request are welcome. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on March 14, 2018. 39 Copyright Notice 41 Copyright (c) 2017 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 2. EDNS0 and DNS TCP . . . . . . . . . . . . . . . . . . . . . . 3 58 3. The ATR mechanism . . . . . . . . . . . . . . . . . . . . . . 4 59 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 60 5. Author's Commnets . . . . . . . . . . . . . . . . . . . . . . 6 61 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 6 62 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 63 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 66 1. Introduction 68 Large DNS response is identified as a issue for a long time. It has 69 been regarded mainly as a issue or limitation on authoritative server 70 (delegation) as [I-D.ietf-dnsop-respsize] introduced. As the 71 increasing use of DNSSEC and IPv6, there are more public evidence and 72 concerns on resolver's suffering due to packets dropping caused by 73 IPv6 fragmentation in DNS. 75 It is observed that some IPv6 network devices like firewalls 76 intentionally choose to drop the IPv6 packets with fragmentation 77 Headers[I-D.taylor-v6ops-fragdrop]. [RFC7872] reported more than 30% 78 drop rates for sending fragmented packets. Regarding IPv6 79 fragmentation issue due to larger DNS payloads in response, one 80 measurement [IPv6-frag-DNS] reported 37% of endpoints using 81 IPv6-capable DNS resolver can not receive a fragmented IPv6 response 82 over UDP. 84 Some workarounds and short-term solutions are proposed. One is to 85 continue to keep the response within a safe boundary, 512 octets for 86 IPv4 and 1232 octets for IPv6 (IPv6 MTU minus IPv6 header and UDP 87 header). It avoids fragmentation, but it requires TCP and UDP 88 applications to fit this limitation explicitly. Currently 89 coordination between IP layer and upper layer still do not go well. 90 For example the draft [I-D.andrews-tcp-and-ipv6-use-minmtu] viewed it 91 as a problem that TCP fails to respect IPV6_USE_MIN_MTU. 93 Still, some cases are hard to avoid, for example the coming KSK 94 rollover which will produce 1424 octets DNS response containing the 95 new key and signature. To encounter this problem, some root servers 96 (A, B, G and J) implemented countermeasures by truncating the 97 response once the large IPv6 packet surpasses 1280 octets 98 [root-stars]. But it is reported that 17% resolvers is not capable 99 to send query via TCP [IPv6-frag-DNS] (It is also possbile that the 100 middle boxes drop the tcp queries). It becomes a dilemma to choose 101 hurting the users who can not receive fragmentation or users without 102 TCP capacity. 104 To relieve the dilemma in short term, this memo introduces an small 105 improvement on DNS responding process by replying Additional 106 Truncated Response (ATR) just after the normal response. The 107 original design of ENDS0 and Truncation mechanism for Large response 108 are orthogonal. ATR intends to decouple the two. In ATR EDNS0 and 109 TCP fall-back can work independently according to Authoritative 110 server's requirement. 112 ATR targets to relieve the hurt of resolver (both stub and recursive 113 resolver) from the position of server (both authoritative and 114 recursive server). It does not require any changes on resolver and 115 has a deploy-and-gain feature to encourage operators to implement it 116 to benefit their resolvers. 118 ATR can be also used as a measurement tool for those operators who 119 would like to know how much and which resolvers can not receive IPv6 120 fragmented response. They can turn on the ATR function occasionally 121 and record the TCP connection it received during the period. The 122 data may be helpful to do some fine-grained analysis between 123 different NS servers and provide ATR to specific group of resolvers. 125 Note that the methodology of ATR can be extended to support other 126 transport protocol like DNS over HTTP(s), DNS over QUIC, if they 127 become one optional transport for DNS. 129 2. EDNS0 and DNS TCP 131 DNS has an inherent mechanism defined in [RFC1035] to handle large 132 DNS response by indicating (set TrunCation bit) the resolver to fall 133 back to query via TCP. However, due to the fear of cost of TCP, TCP 134 fall-back in DNS was in negative position from the very beginning of 135 DNS. people had to seek another way to handle large DNS response. 137 EDNS(0) [RFC2671] was introduced as a cure for the issue of large DNS 138 response and TCP fall back firstly in 1999 and obsoleted by [RFC6891] 139 in 2013. The basic idea of EDNS(0) is to introduce a channel for 140 resolver and authoritative server to negotiate an appropriate DNS 141 payload size in end-to-end approach. 143 The intention of EDNS(0) is to avoid TCP fall back. So the use of 144 EDNS(0) make TCP fall-back rare, which in turn gives people a wrong 145 implication that EDNS(0) is more advanced than DNS TCP and DNS TCP is 146 not necessary if EDNS(0) is already supported for both resolver and 147 authoritative server. Plus the fear of "poor" TCP performance, DNS 148 TCP function is stripped even for modern DNS implementations. An 149 measurement study [Not-speak-TCP]showed that about 17% of resolvers 150 in the samples can not ask a query in TCP when they receive truncated 151 response. 153 Ironically today when TCP is recalled as a solutions to large DNS 154 response, the installed base of resolver without TCP function (or the 155 middle box stops DNS TCP connections) become a real issue which 156 should be consider. 158 3. The ATR mechanism 160 The ATR mechanism is very simple that it involves a ATR module in the 161 responding process of current DNS implementation . As show in the 162 following diagram the ATR module is right after truncation loop if 163 the packet is not going to be fragmented. 165 A DNS query +-------------+ +-------------+ 166 | | No | | Normal response 167 +------> Truncation +--------> ATR +-------------> 168 | loop | | Module | 169 | truncation? | | truncation? | 170 +-------------+ +-------------+ 171 yes| yes| +-----+ 172 | +---------+timer+----> 173 | +-----+ 174 | Truncated Response 175 +----------------------------> 176 Truncated Response 178 Figure 1: High-Level Testbed Components 180 The ATR responding process goes as follows: 182 o 1) When an authoritative server receives a query and enters the 183 responding process, it first go through the normal truncation loop 184 to see whether the size of response surpasses the EDNS0 payload 185 size. If yes, it ends up with responding a truncated packets. If 186 no, it enters the ATR module. 188 o 2) In ATR module, similar like truncation loop, the size of 189 response is compared with a fixed size. If the response of a 190 query is larger than a certain value, 1220 octets for example, the 191 server firstly sends the normal response and then coin a truncated 192 response with the same ID of the query. 194 o 3) The server can send the coined truncated response in not time. 195 But considering the possibility of network reordering, it is 196 suggested a timer to delay the second truncated response to around 197 10 millisecond which can be configured by local operation. 199 There are three cases when ATR are deployed in the authoritative 200 sever: 202 o Case 1: A resolver (or sub-resolver) will receive both the large 203 response and a very small truncated response in sequence. It will 204 happily accepts the first response and drop the second one because 205 the transaction is over. 207 o Case 2: In case a fragment is dropped in the middle, the resolver 208 will end up with only receiving the small truncated response. It 209 will retry using TCP in no time. 211 o Case 3: For those (probably 30%*17% of them) who can not speak TCP 212 and sitting behind a firewall stubbornly dropping fragments. Just 213 say good luck to them! 215 Especially regarding the coming KSK rollover, if the root server 216 implements ATR rather than setting IPv6-edns-size to 1220 octets, it 217 would be helpful for resolver without TCP capacity, because it still 218 has a fair chance to receive the large response. 220 As to case 2, there is one performance consideration on resolver 221 side. It is about how resolver react to ATR when it receives only 222 the truncated response. They can choose TCP right away or wait other 223 NS servers to respond. Normally the fragments are dropped in the 224 ASes along the path. A different NS server with different path may 225 avoid "bad" ASes. But in the extreme case, implementation may first 226 try UDP queries with all NS servers, but all fail due to the dropped 227 fragments. It may end up with "no servers could be reached" or 228 revert automatically to TCP which also introduce delay. So if 229 allowed by local policy, a diligent resolver can also emit queries 230 via both channels. 232 4. Security Considerations 234 There may be concerns on DDoS attack problem due to the fact that the 235 ATR introduces multiple responses from authoritative server. DNS 236 cookies [RFC7873] and RRL on authoritative may be possible solutions 238 5. Author's Commnets 240 REMOVE BEFORE PUBLICATION: 242 When drafting this proposal,there is a question in author's mind 243 about the benefit of ATR which may be too trivial to implement. 244 Resolver can retire many times(12 times for root) to other NS servers 245 if one path to particular server failed. The performance comparison 246 between retries with other NS server and ATR is hard to measure. But 247 it is still valuable in two cases: 249 1) For those server (like root) implemented or plan to implement 250 "always-truncation" for large packets, they can benefit from not 251 doing unnecessary TCP fall back. 253 2) For those area or countries where only one or two NS servers 254 instance are deployed (root in China for example), stick to the local 255 root server (with around 10ms latency for UDP and roughly around 30ms 256 for TCP) is better than select another NS server far away (with 257 around 200ms latency) 259 6. IANA considerations 261 No IANA registration work is required for the time being 263 7. Acknowledgments 265 8. References 267 [ATR-Github] 268 "XML source file and test script of DNS ATR", September 269 2017, . 271 [I-D.andrews-tcp-and-ipv6-use-minmtu] 272 Andrews, M., "TCP Fails To Respect IPV6_USE_MIN_MTU", 273 draft-andrews-tcp-and-ipv6-use-minmtu-04 (work in 274 progress), October 2015. 276 [I-D.ietf-dnsop-respsize] 277 Vixie, P., Kato, A., and J. Abley, "DNS Referral Response 278 Size Issues", draft-ietf-dnsop-respsize-15 (work in 279 progress), February 2014. 281 [I-D.taylor-v6ops-fragdrop] 282 Jaeggli, J., Colitti, L., Kumari, W., Vyncke, E., Kaeo, 283 M., and T. Taylor, "Why Operators Filter Fragments and 284 What It Implies", draft-taylor-v6ops-fragdrop-02 (work in 285 progress), December 2013. 287 [IPv6-frag-DNS] 288 "Dealing with IPv6 fragmentation in the DNS", August 2017, 289 . 292 [Not-speak-TCP] 293 "A Question of DNS Protocols", August 2013, 294 . 297 [RFC1035] Mockapetris, P., "Domain names - implementation and 298 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 299 November 1987, . 301 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 302 RFC 2671, DOI 10.17487/RFC2671, August 1999, 303 . 305 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 306 for DNS (EDNS(0))", STD 75, RFC 6891, 307 DOI 10.17487/RFC6891, April 2013, 308 . 310 [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, 311 "Observations on the Dropping of Packets with IPv6 312 Extension Headers in the Real World", RFC 7872, 313 DOI 10.17487/RFC7872, June 2016, 314 . 316 [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) 317 Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, 318 . 320 [root-stars] 321 "Scoring the DNS Root Server System", November 2016, 322 . 325 [SAC016] ICANN Security and Stability Advisory Committee, "Testing 326 Firewalls for IPv6 and EDNS0 Support", 2007. 328 [SAC035] ICANN Security and Stability Advisory Committee, "DNSSEC 329 Impact on Broadband Routers and Firewalls", 2008. 331 Author's Address 333 Linjian Song 334 Beijing Internet Institute 335 Floor-2, Building-5, Digital Planet, Courtyard-58, Jing Hai Wu Lu, BDA 336 Beijing 101111 337 P. R. China 339 Email: songlinjian@gmail.com 340 URI: http://www.biigroup.com/