draft-ietf-dnsop-dns-tcp-requirements-00.txt   draft-ietf-dnsop-dns-tcp-requirements-01.txt 
Domain Name System Operations J. Kristoff Domain Name System Operations J. Kristoff
Internet-Draft DePaul University Internet-Draft DePaul University
Intended status: Best Current Practice D. Wessels Intended status: Best Current Practice D. Wessels
Expires: December 22, 2017 Verisign Expires: May 17, 2018 Verisign
June 20, 2017 November 13, 2017
DNS Transport over TCP - Operational Requirements DNS Transport over TCP - Operational Requirements
draft-ietf-dnsop-dns-tcp-requirements-00 draft-ietf-dnsop-dns-tcp-requirements-01
Abstract Abstract
This document encourages the practice of permitting DNS messages to This document encourages the practice of permitting DNS messages to
be carried over TCP on the Internet. It also describes some of the be carried over TCP on the Internet. It also describes some of the
consequences of this behavior and the potential operational issues consequences of this behavior and the potential operational issues
that can arise when this best common practice is not upheld. that can arise when this best common practice is not upheld.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 22, 2017. This Internet-Draft will expire on May 17, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Uneven Transport Usage and Preference . . . . . . . . . . 3 2.1. Uneven Transport Usage and Preference . . . . . . . . . . 3
2.2. Waiting for Large Messages and Reliability . . . . . . . 3 2.2. Waiting for Large Messages and Reliability . . . . . . . 4
2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. EDNS0 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.4. "Only Zone Tranfers Use TCP" . . . . . . . . . . . . . . 5 2.4. Fragmentation and Truncation . . . . . . . . . . . . . . 5
3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 5 2.5. "Only Zone Transfers Use TCP" . . . . . . . . . . . . . . 6
4. Network and System Considerations . . . . . . . . . . . . . . 6 3. DNS over TCP Requirements . . . . . . . . . . . . . . . . . . 6
5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 6 4. Network and System Considerations . . . . . . . . . . . . . . 7
5.1. DNS Wedgie . . . . . . . . . . . . . . . . . . . . . . . 6 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 7
5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 6 5.1. DNS Wedgie . . . . . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 8
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5.3. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . 8 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9
Appendix A. Standards Related to DNS Transport over TCP . . . . 10 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9
A.1. TODO - additional, relevant RFCs . . . . . . . . . . . . 10 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
A.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 9
A.3. IETF RFC 7766 - DNS Transport over TCP - Implementation 11.2. Informative References . . . . . . . . . . . . . . . . . 9
Requirements . . . . . . . . . . . . . . . . . . . . . . 11 Appendix A. Standards Related to DNS Transport over TCP . . . . 13
A.4. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option . . . 11 A.1. TODO - additional, relevant RFCs . . . . . . . . . . . . 13
A.5. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 11 A.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 13
A.6. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 11 A.3. IETF RFC 7720 - DNS Root Name Service Protocol and
A.7. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 12 Deployment Requirements . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 A.4. IETF RFC 7766 - DNS Transport over TCP - Implementation
Requirements . . . . . . . . . . . . . . . . . . . . . . 13
A.5. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option . . . 14
A.6. IETF RFC 7858 - Specification for DNS over Transport
Layer Security (TLS) . . . . . . . . . . . . . . . . . . 14
A.7. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 14
A.8. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 14
A.9. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 14
A.10. IETF RFC 8094 - DNS over Datagram Transport Layer
Security (DTLS) . . . . . . . . . . . . . . . . . . . . . 15
A.11. IETF RFC 8162 - Using Secure DNS to Associate
Certificates with Domain Names for S/MIME . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
DNS messages may be delivered using UDP or TCP communications. While DNS messages may be delivered using UDP or TCP communications. While
most DNS transactions are carried over UDP, some operators have been most DNS transactions are carried over UDP, some operators have been
led to believe that any DNS over TCP traffic is unwanted or led to believe that any DNS over TCP traffic is unwanted or
unnecessary for general DNS operation. As usage and features have unnecessary for general DNS operation. As usage and features have
evolved, TCP transport has become increasingly important for correct evolved, TCP transport has become increasingly important for correct
and safe operation of the Internet DNS. Reflecting modern usage, the and safe operation of the Internet DNS. Reflecting modern usage, the
DNS standards were recently updated to declare support for TCP is now DNS standards were recently updated to declare support for TCP is now
skipping to change at page 4, line 26 skipping to change at page 4, line 40
solidify its dominance for message transactions. solidify its dominance for message transactions.
2.3. EDNS0 2.3. EDNS0
In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0) In 1999 the IETF published the Extension Mechanisms for DNS (EDNS0)
in [RFC2671]. This document standardized a way for communicating DNS in [RFC2671]. This document standardized a way for communicating DNS
nodes to perform rudimentary capabilities negotiation. One such nodes to perform rudimentary capabilities negotiation. One such
capability written into the base specification and present in every capability written into the base specification and present in every
ENDS0 compatible message is the value of the maximum UDP payload size ENDS0 compatible message is the value of the maximum UDP payload size
the sender can support. This unsigned 16-bit field specifies in the sender can support. This unsigned 16-bit field specifies in
bytes the maximum DNS MTU. In practice, typical values are a subset bytes the maximum (possibly fragmented) DNS message size a node is
of the 512 to 4096 byte range. EDNS0 was rapidly and widely deployed capable of receiving. In practice, typical values are a subset of
over the next several years and numerous surveys have shown many the 512 to 4096 byte range. EDNS0 became widely deployed over the
systems currently support larger UDP MTUs [CASTRO2010], [NETALYZR] next several years and numerous surveys have shown many systems
with EDNS0. currently support larger UDP MTUs [CASTRO2010], [NETALYZR] with
EDNS0.
The natural effect of EDNS0 deployment meant large DNS messages would The natural effect of EDNS0 deployment meant DNS messages larger than
be less reliant on TCP than they might otherwise have been. While a 512 bytes would be less reliant on TCP than they might otherwise have
nonneglible population of DNS systems lack EDNS0 or may still fall been. While a non-negligible population of DNS systems lack EDNS0 or
back to TCP for some transactions, DNS over TCP transactions remain a may still fall back to TCP for some transactions, DNS over TCP
very small fraction of overall DNS traffic [VERISIGN]. Nevertheless, transactions remain a very small fraction of overall DNS traffic
some average increase in DNS message size, the continued development [VERISIGN].
of new DNS features and a denial of service mitigation technique (see
Section 8) have suggested that DNS over TCP transactions are as
important to the correct and safe operation of the Internet DNS as
ever, if not more so. Furthermore, there has been serious research
that has suggested connection-oriented DNS transactions may provide
security and privacy advantages over UDP transport [TDNS]. In fact,
[RFC7858], a Standards Track document is just this sort of
specification. Therefore, it might be desirable for network
operators to avoid artificially inhibiting the potential utility and
advances in the DNS such as these.
2.4. "Only Zone Tranfers Use TCP" 2.4. Fragmentation and Truncation
Although EDNS0 provides a way for endpoints to signal support for DNS
messages exceeding 512 bytes, the realities of today's Internet mean
large messages do not always get through. Any IP packet whose size
exceeds the MTU of a link it transits will be fragmented and then
reassembled by the receiving host. Unfortunately, it is not uncommon
for middleboxes and firewalls to block IP fragments. If one or more
fragments do not arrive, the application does not receive the message
and the request times out.
For IPv4-connected hosts, the de-facto MTU is the Ethernet payload
size of 1500 bytes. This means that the largest unfragmented UDP DNS
message that can be sent over IPv4 is 1472 bytes. For IPv6 the
situation is a little more complicated. First, IPv6 headers are 40
bytes (versus 20 in IPv4). Second, it seems as though some people
have mis-interpreted IPv6's required minimum MTU of 1280 as a
required maximum. Third, fragmentation in IPv6 can only be done by
the host originating the packet. The need to fragment is conveyed in
an ICMPv6 "packet too big" message. The originating host indicates a
fragmented packet with IPv6 extension headers. Unfortunately, it is
quite common for both ICMPv6 and IPv6 extension headers to be blocked
by middleboxes. According to [HUSTON] some 35% of IPv6-capable
recursive resolvers are unable to receive a fragmented IPv6 packet.
The practical consequence of all this is that DNS requestors must be
prepared to retry queries with different EDNS0 maximum message size
values. Administrators of BIND are likely to be familiar with seeing
"success resolving ... after reducing the advertised EDNS0 UDP packet
size to 512 octets" in their system logs.
Often, reducing the EDNS0 UDP packet size leads to a successful
response. That is, the necessary data fits within the smaller packet
size. However, when the data does not fit, the server sets the
truncated flag in its response, indicating the client should retry
over TCP to receive the whole response. This is undesirable from the
client's point of view because it adds more latency, and potentially
undesirable from the server's point of view due to the increased
resource requirements of TCP.
The issues around fragmentation, truncation, and TCP are driving
certain implementation and policy decisions in the DNS. Notably,
Cloudflare implemented what it calls "DNSSEC black lies" [CLOUDFLARE]
and uses ECDSA algorithms, such that their signed responses fit
easily in 512 bytes. The KSK Rollover design team [DESIGNTEAM] spent
a lot of time thinking and worrying about response sizes. There is
growing sentiment in the DNSSEC community that RSA key sizes beyond
2048-bits are impractical and that critical infrastructure zones
should transition to elliptic curve algorithms to keep response sizes
manageable.
2.5. "Only Zone Transfers Use TCP"
There are many in the DNS community who configure DNS over TCP There are many in the DNS community who configure DNS over TCP
services and expect DNS over TCP transactions to occur without services and expect DNS over TCP transactions to occur without
interference. However there has also been a long held belief by some interference. However there has also been a long held belief by some
operators, particularly for security-related reasons, that DNS over operators, particularly for security-related reasons, that DNS over
TCP services should be purposely limited or not provided at all TCP services should be purposely limited or not provided at all
[CHES94], [DJBDNS]. A popular meme has also held the imagination of [CHES94], [DJBDNS]. A popular meme has also held the imagination of
some that DNS over TCP is only ever used for zone transfers and is some that DNS over TCP is only ever used for zone transfers and is
generally unnecessary otherwise, with filtering all DNS over TCP generally unnecessary otherwise, with filtering all DNS over TCP
traffic even described as a best practice. traffic even described as a best practice.
skipping to change at page 5, line 27 skipping to change at page 6, line 29
The position on restricting DNS over TCP had some justification given The position on restricting DNS over TCP had some justification given
that historic implementations of DNS nameservers provided very little that historic implementations of DNS nameservers provided very little
in the way of TCP connection management (for example see in the way of TCP connection management (for example see
Section 6.1.2 of [RFC7766] for more details). However modern Section 6.1.2 of [RFC7766] for more details). However modern
standards and implementations are moving to align with the more standards and implementations are moving to align with the more
sophisticated TCP management techniques employed by, for example, sophisticated TCP management techniques employed by, for example,
HTTP(S) servers and load balancers. HTTP(S) servers and load balancers.
3. DNS over TCP Requirements 3. DNS over TCP Requirements
An average increase in DNS message size, the continued development of
new DNS features and a denial of service mitigation technique (see
Section 9) have suggested that DNS over TCP transactions are as
important to the correct and safe operation of the Internet DNS as
ever, if not more so. Furthermore, there has been serious research
that has suggested connection-oriented DNS transactions may provide
security and privacy advantages over UDP transport [TDNS]. In fact,
[RFC7858], a Standards Track document is just this sort of
specification. Therefore, it might be desirable for network
operators to avoid artificially inhibiting the potential utility and
advances in the DNS such as these.
Section 6.1.3.2 in [RFC1123] is updated: All general-purpose DNS Section 6.1.3.2 in [RFC1123] is updated: All general-purpose DNS
servers MUST be able to service both UDP and TCP queries. servers MUST be able to service both UDP and TCP queries.
o Authoritative servers MUST service TCP queries so that they do not o Authoritative servers MUST service TCP queries so that they do not
limit the size of responses to what fits in a single UDP packet. limit the size of responses to what fits in a single UDP packet.
o Recursive servers (or forwarders) MUST service TCP queries so that o Recursive servers (or forwarders) MUST service TCP queries so that
they do not prevent large responses from a TCP-capable server from they do not prevent large responses from a TCP-capable server from
reaching its TCP-capable clients. reaching its TCP-capable clients.
skipping to change at page 5, line 49 skipping to change at page 7, line 17
A name server MAY limit the resources it devotes to TCP queries, A name server MAY limit the resources it devotes to TCP queries,
but it SHOULD NOT refuse to service a TCP query just because it but it SHOULD NOT refuse to service a TCP query just because it
would have succeeded with UDP. would have succeeded with UDP.
This requirement is hereby updated: A name server MAY limit the the This requirement is hereby updated: A name server MAY limit the the
resources it devotes to queries, but it MUST NOT refuse to service a resources it devotes to queries, but it MUST NOT refuse to service a
query just because it would have succeeded with another transport query just because it would have succeeded with another transport
protocol. protocol.
DNS over TCP filtering is considered harmful in the general case. Filtering of DNS over TCP is considered harmful in the general case.
DNS resolver and server operators MUST provide DNS service over both DNS resolver and server operators MUST provide DNS service over both
UDP and TCP transports. Likewise, network operators MUST allow DNS UDP and TCP transports. Likewise, network operators MUST allow DNS
service over both UDP and TCP transports. It must be acknowledged service over both UDP and TCP transports. It must be acknowledged
that DNS over TCP service can pose operational challenges that are that DNS over TCP service can pose operational challenges that are
not present when running DNS over UDP alone. However, it is the aim not present when running DNS over UDP alone, and vice-versa.
of this document to argue that the potential damage incurred by However, it is the aim of this document to argue that the potential
prohibiting DNS over TCP service is more detrimental to the continued damage incurred by prohibiting DNS over TCP service is more
utility and success of the DNS than when its usage is allowed. detrimental to the continued utility and success of the DNS than when
its usage is allowed.
4. Network and System Considerations 4. Network and System Considerations
TODO: refer to IETF RFC 7766 connection handling discussion, various TODO: refer to IETF RFC 7766 connection handling discussion, various
TCP hardening documents, network operator protocol and traffic best TCP hardening documents, network operator protocol and traffic best
practices, etc. practices, etc.
5. DNS over TCP Filtering Risks 5. DNS over TCP Filtering Risks
Networks that filter DNS over TCP risk losing access to significant Networks that filter DNS over TCP risk losing access to significant
or important pieces of the DNS name space. For a variety of reasons or important pieces of the DNS name space. For a variety of reasons
a DNS answer may require a DNS over TCP query. This may include a DNS answer may require a DNS over TCP query. This may include
large message sizes, lack of EDNS0 support, DDoS mitigation large message sizes, lack of EDNS0 support, DDoS mitigation
techniques, or perhaps some future capability that is as yet techniques, or perhaps some future capability that is as yet
unforeseen will also demand TCP transport. unforeseen will also demand TCP transport.
For example, both [RFC7901] and [draft-extra-answers] describe
latency-avoiding techniques that send extra data in DNS responses.
This makes the responses larger and potentially damaging in DDoS
reflection attacks. The former mandates the use of TCP or DNS
Cookies ([RFC7873]) and the latter offers it as a possibility in
Security Considerations.
Even if any or all particular answers have consistently been returned Even if any or all particular answers have consistently been returned
successfully with UDP in the past, this continued behavior cannot be successfully with UDP in the past, this continued behavior cannot be
guaranteed when DNS messages are exchanged between autonomous guaranteed when DNS messages are exchanged between autonomous
systems. Therefore, filtering of DNS over TCP is considered harmful systems. Therefore, filtering of DNS over TCP is considered harmful
and contrary to the safe and successful operation of the Internet. and contrary to the safe and successful operation of the Internet.
This section enumerates some of the known risks we know about at the This section enumerates some of the known risks we know about at the
time of this writing when networks filter DNS over TCP. time of this writing when networks filter DNS over TCP.
5.1. DNS Wedgie 5.1. DNS Wedgie
Networks that filter DNS over TCP may inadvertently cause problems Networks that filter DNS over TCP may inadvertently cause problems
for third party resolvers as experienced by [TOYAMA]. If for for third party resolvers as experienced by [TOYAMA]. If for
instance a resolver receives a truncated answer from a server, but if instance a resolver receives a truncated answer from a server, but
when the resolver resends the query using TCP and the TCP response when the resolver resends the query using TCP and the TCP response
never arrives, not only will full answer be unavailable, but the never arrives, not only will full answer be unavailable, but the
resolver will incur the full extent of TCP retransmissions and time resolver will incur the full extent of TCP retransmissions and time
outs. This situation might place extreme strain on resolver outs. This situation might place extreme strain on resolver
resources. If the nunber and frequency of these truncated answers resources. If the number and frequency of these truncated answers
are sufficiently high, we refer to the steady-state of lost resources are sufficiently high, we refer to the steady-state of lost resources
as a result a "DNS" wedgie". A DNS wedgie is often not easily or as a result a "DNS" wedgie". A DNS wedgie is often not easily or
completely mitigated by the affected DNS resolver operator. completely mitigated by the affected DNS resolver operator.
5.2. DNS Root Zone KSK Rollover 5.2. DNS Root Zone KSK Rollover
Recent plans for a new root zone DNSSEC KSK have highlighted a Recent plans for a new root zone DNSSEC KSK have highlighted a
potential problem in retrieving the keys.[LEWIS] Some packets in the potential problem in retrieving the keys.[LEWIS] Some packets in the
KSK rollover process will be larger than 1280 bytes, the IPv6 minimum KSK rollover process will be larger than 1280 bytes, the IPv6 minimum
MTU for links carrying IPv6 traffic.[RFC2460] While studies have MTU for links carrying IPv6 traffic.[RFC2460] While studies have
shown that problems due to fragment filtering or an inability to shown that problems due to fragment filtering or an inability to
generate and receive these larger messages are negible, any DNS generate and receive these larger messages are negligible, any DNS
server that is unable to receive large DNS over UDP messages or server that is unable to receive large DNS over UDP messages or
perform DNS over TCP may experience severe disruption of DNS service perform DNS over TCP may experience severe disruption of DNS service
if performing DNSSEC validation. if performing DNSSEC validation.
6. Acknowledgements 5.3. DNS-over-TLS
TODO: DNS-over-TLS
6. Logging and Monitoring
TODO: Developers of applications that log or monitor DNS are advised
to not ignore TCP because it is hard. Also be prepared for
connection reuse, pipelining, and out-of-order responses. If using
packet-based (e.g. libpcap) collection techniques, the application
must be prepared to implement/perform TCP segment reassembly.
7. Acknowledgments
This document was initially motivated by feedback from students who This document was initially motivated by feedback from students who
pointed out that they were hearing contradictory information about pointed out that they were hearing contradictory information about
filtering DNS over TCP messages. Thanks in particular to a teaching filtering DNS over TCP messages. Thanks in particular to a teaching
colleague, JPL, who perhaps unknowingly encouraged the initial colleague, JPL, who perhaps unknowingly encouraged the initial
research into the differences of what the community has historically research into the differences of what the community has historically
said and did. Thanks to all the NANOG 63 attendees who provided said and did. Thanks to all the NANOG 63 attendees who provided
feedback to an early talk on this subject. feedback to an early talk on this subject.
The following individuals provided an array of feedback to help The following individuals provided an array of feedback to help
improve this document: Sara Dickinson, Bob Harold, Tatuya Jinmei, and improve this document: Sara Dickinson, Bob Harold, Tatuya Jinmei, and
Paul Hoffman. The authors are indebted to their contributions. Any Paul Hoffman. The authors are indebted to their contributions. Any
remaining errors or imperfections are the sole responsbility of the remaining errors or imperfections are the sole responsibility of the
document authors. document authors.
7. IANA Considerations 8. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
8. Security Considerations 9. Security Considerations
Ironically, returning truncated DNS over UDP answers in order to Ironically, returning truncated DNS over UDP answers in order to
induce a client query to switch to DNS over TCP has become a common induce a client query to switch to DNS over TCP has become a common
response to source address spoofed, DNS denial-of-service attacks response to source address spoofed, DNS denial-of-service attacks
[RRL]. Historically, operators have been wary of TCP-based attacks, [RRL]. Historically, operators have been wary of TCP-based attacks,
but in recent years, UDP-based flooding attacks have proven to be the but in recent years, UDP-based flooding attacks have proven to be the
most common protocol attack on the DNS. Nevertheless, a high rate of most common protocol attack on the DNS. Nevertheless, a high rate of
short-lived DNS transactions over TCP may pose challenges. While short-lived DNS transactions over TCP may pose challenges. While
many operators have provided DNS over TCP service for many years many operators have provided DNS over TCP service for many years
without duress, past experience is no guarantee of future success. without duress, past experience is no guarantee of future success.
DNS over TCP is not unlike many other Internet TCP services. TCP DNS over TCP is not unlike many other Internet TCP services. TCP
threats and many mitigation strategies have been well documented in a threats and many mitigation strategies have been well documented in a
series of documents such as [RFC4953], [RFC4987], [RFC5927], and series of documents such as [RFC4953], [RFC4987], [RFC5927], and
[RFC5961]. [RFC5961].
9. References 10. Privacy Considerations
9.1. Normative References 11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
9.2. Informative References 11.2. Informative References
[CASTRO2010] [CASTRO2010]
Castro, S., Zhang, M., John, W., Wessels, D., and k. Castro, S., Zhang, M., John, W., Wessels, D., and k.
claffy, "Understanding and preparing for DNS evolution", claffy, "Understanding and preparing for DNS evolution",
2010. 2010.
[CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet [CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet
Security: Repelling the Wily Hacker", 1994. Security: Repelling the Wily Hacker", 1994.
[CLOUDFLARE]
Grant, D., "Economical With The Truth: Making DNSSEC
Answers Cheap", June 2016,
<https://blog.cloudflare.com/black-lies/>.
[DESIGNTEAM]
Design Team Report, "Root Zone KSK Rollover Plan",
December 2015, <https://www.iana.org/reports/2016/
root-ksk-rollover-design-20160307.pdf>.
[DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002, [DJBDNS] D.J. Bernstein, "When are TCP queries sent?", 2002,
<https://cr.yp.to/djbdns/tcp.html#why>. <https://cr.yp.to/djbdns/tcp.html#why>.
[draft-extra-answers]
Kumari, W., Yan, Z., Hardaker, W., and D. Lawrence,
"Returning extra answers in DNS responses.", draft-
wkumari-dnsop-multiple-responses-05 (work in progress),
July 2017.
[HUSTON] Huston, G., "Dealing with IPv6 fragmentation in the DNS",
August 2017, <https://blog.apnic.net/2017/08/22/
dealing-ipv6-fragmentation-dns/>.
[LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74 Budapest, [LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74 Budapest,
Hungary, May 2017. Hungary, May 2017, <https://ripe74.ripe.net/
presentations/25-RIPE74-lewis-submission.pdf>.
[NETALYZR] [NETALYZR]
Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson, Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson,
"Netalyzr: Illuminating The Edge Network", 2010. "Netalyzr: Illuminating The Edge Network", 2010.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123, Application and Support", STD 3, RFC 1123,
DOI 10.17487/RFC1123, October 1989, DOI 10.17487/RFC1123, October 1989,
<http://www.rfc-editor.org/info/rfc1123>. <https://www.rfc-editor.org/info/rfc1123>.
[RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S.
Miller, "Common DNS Implementation Errors and Suggested Miller, "Common DNS Implementation Errors and Suggested
Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993, Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993,
<http://www.rfc-editor.org/info/rfc1536>. <https://www.rfc-editor.org/info/rfc1536>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<http://www.rfc-editor.org/info/rfc2136>. <https://www.rfc-editor.org/info/rfc2136>.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <http://www.rfc-editor.org/info/rfc2460>. December 1998, <https://www.rfc-editor.org/info/rfc2460>.
[RFC2541] Eastlake 3rd, D., "DNS Security Operational [RFC2541] Eastlake 3rd, D., "DNS Security Operational
Considerations", RFC 2541, DOI 10.17487/RFC2541, March Considerations", RFC 2541, DOI 10.17487/RFC2541, March
1999, <http://www.rfc-editor.org/info/rfc2541>. 1999, <https://www.rfc-editor.org/info/rfc2541>.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, DOI 10.17487/RFC2671, August 1999, RFC 2671, DOI 10.17487/RFC2671, August 1999,
<http://www.rfc-editor.org/info/rfc2671>. <https://www.rfc-editor.org/info/rfc2671>.
[RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks",
RFC 4953, DOI 10.17487/RFC4953, July 2007, RFC 4953, DOI 10.17487/RFC4953, July 2007,
<http://www.rfc-editor.org/info/rfc4953>. <https://www.rfc-editor.org/info/rfc4953>.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007,
<http://www.rfc-editor.org/info/rfc4987>. <https://www.rfc-editor.org/info/rfc4987>.
[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
DOI 10.17487/RFC5927, July 2010, DOI 10.17487/RFC5927, July 2010,
<http://www.rfc-editor.org/info/rfc5927>. <https://www.rfc-editor.org/info/rfc5927>.
[RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's [RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Robustness to Blind In-Window Attacks", RFC 5961, Robustness to Blind In-Window Attacks", RFC 5961,
DOI 10.17487/RFC5961, August 2010, DOI 10.17487/RFC5961, August 2010,
<http://www.rfc-editor.org/info/rfc5961>. <https://www.rfc-editor.org/info/rfc5961>.
[RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS", [RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS",
RFC 7477, DOI 10.17487/RFC7477, March 2015, RFC 7477, DOI 10.17487/RFC7477, March 2015,
<http://www.rfc-editor.org/info/rfc7477>. <https://www.rfc-editor.org/info/rfc7477>.
[RFC7720] Blanchet, M. and L-J. Liman, "DNS Root Name Service
Protocol and Deployment Requirements", BCP 40, RFC 7720,
DOI 10.17487/RFC7720, December 2015,
<https://www.rfc-editor.org/info/rfc7720>.
[RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
D. Wessels, "DNS Transport over TCP - Implementation D. Wessels, "DNS Transport over TCP - Implementation
Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016,
<http://www.rfc-editor.org/info/rfc7766>. <https://www.rfc-editor.org/info/rfc7766>.
[RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The [RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The
edns-tcp-keepalive EDNS0 Option", RFC 7828, edns-tcp-keepalive EDNS0 Option", RFC 7828,
DOI 10.17487/RFC7828, April 2016, DOI 10.17487/RFC7828, April 2016,
<http://www.rfc-editor.org/info/rfc7828>. <https://www.rfc-editor.org/info/rfc7828>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <http://www.rfc-editor.org/info/rfc7858>. 2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
<http://www.rfc-editor.org/info/rfc7873>. <https://www.rfc-editor.org/info/rfc7873>.
[RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, [RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901,
DOI 10.17487/RFC7901, June 2016, DOI 10.17487/RFC7901, June 2016,
<http://www.rfc-editor.org/info/rfc7901>. <https://www.rfc-editor.org/info/rfc7901>.
[RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy, [RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy,
"DNSSEC Roadblock Avoidance", BCP 207, RFC 8027, "DNSSEC Roadblock Avoidance", BCP 207, RFC 8027,
DOI 10.17487/RFC8027, November 2016, DOI 10.17487/RFC8027, November 2016,
<http://www.rfc-editor.org/info/rfc8027>. <https://www.rfc-editor.org/info/rfc8027>.
[RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
Transport Layer Security (DTLS)", RFC 8094,
DOI 10.17487/RFC8094, February 2017,
<https://www.rfc-editor.org/info/rfc8094>.
[RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to
Associate Certificates with Domain Names for S/MIME",
RFC 8162, DOI 10.17487/RFC8162, May 2017,
<https://www.rfc-editor.org/info/rfc8162>.
[RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting [RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting
(DNS RRL)", ISC-TN 2012-1 Draft1, April 2012. (DNS RRL)", ISC-TN 2012-1 Draft1, April 2012.
[TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N. [TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N.
Somaiya, "Connection-oriented DNS to Improve Privacy and Somaiya, "Connection-oriented DNS to Improve Privacy and
Security", 2015. Security", 2015.
[TOYAMA] Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and [TOYAMA] Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and
K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache
skipping to change at page 11, line 4 skipping to change at page 13, line 27
Appendix A. Standards Related to DNS Transport over TCP Appendix A. Standards Related to DNS Transport over TCP
This section enumerates all known IETF RFC documents that are This section enumerates all known IETF RFC documents that are
currently of status standard, informational, best common practice or currently of status standard, informational, best common practice or
experimental and either implicitly or explicitly make assumptions or experimental and either implicitly or explicitly make assumptions or
statements about the use of TCP as a transport for the DNS germane to statements about the use of TCP as a transport for the DNS germane to
this document. this document.
A.1. TODO - additional, relevant RFCs A.1. TODO - additional, relevant RFCs
A.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS A.2. IETF RFC 7477 - Child-to-Parent Synchronization in DNS
This standards track document [RFC7477] specifies a RRType and This standards track document [RFC7477] specifies a RRType and
protocol to signal and synchronize NS, A, and AAAA resource record protocol to signal and synchronize NS, A, and AAAA resource record
changes from a child to parent zone. Since this protocol may require changes from a child to parent zone. Since this protocol may require
multiple requests and responses, it recommends utilizing DNS over TCP multiple requests and responses, it recommends utilizing DNS over TCP
to ensure the conversation takes place between a consistent pair of to ensure the conversation takes place between a consistent pair of
end nodes. end nodes.
A.3. IETF RFC 7766 - DNS Transport over TCP - Implementation A.3. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment
Requirements
This best current practice[RFC7720] declares root name service "MUST
support UDP [RFC768] and TCP [RFC793] transport of DNS queries and
responses."
A.4. IETF RFC 7766 - DNS Transport over TCP - Implementation
Requirements Requirements
The standards track document [RFC7766] might be considered the direct The standards track document [RFC7766] might be considered the direct
ancestor of this operational requirements document. The ancestor of this operational requirements document. The
implementation requirements document codifies mandatory support for implementation requirements document codifies mandatory support for
DNS over TCP in compliant DNS software. DNS over TCP in compliant DNS software.
A.4. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option A.5. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option
This standards track document [RFC7828] defines an EDNS0 option to This standards track document [RFC7828] defines an EDNS0 option to
negotiate an idle timeout value for long-lived DNS over TCP negotiate an idle timeout value for long-lived DNS over TCP
connections. Consequently, this document is only applicable and connections. Consequently, this document is only applicable and
relevant to DNS over TCP sessions and between implementations that relevant to DNS over TCP sessions and between implementations that
support this option. support this option.
A.5. IETF RFC 7873 - Domain Name System (DNS) Cookies A.6. IETF RFC 7858 - Specification for DNS over Transport Layer
Security (TLS)
This standards track document [RFC7858] defines a method for putting
DNS messages into a TCP-based encrypted channel using TLS. This
specification is noteworthy for explicitly targetting the stub-to-
recursive traffic, but does not preclude its application from
recursive-to-authoritative traffic.
A.7. IETF RFC 7873 - Domain Name System (DNS) Cookies
This standards track document [RFC7873] describes an EDNS0 option to This standards track document [RFC7873] describes an EDNS0 option to
provide additional protection against query and answer forgery. This provide additional protection against query and answer forgery. This
specification mentions DNS over TCP as a reasonable fallback specification mentions DNS over TCP as a reasonable fallback
mechanism when DNS Cookies are not available. The specification does mechanism when DNS Cookies are not available. The specification does
make mention of DNS over TCP processing in two specific situations. make mention of DNS over TCP processing in two specific situations.
In one, when a server receives only a client cookie in a request, the In one, when a server receives only a client cookie in a request, the
server should consider whether the request arrived over TCP and if server should consider whether the request arrived over TCP and if
so, it should consider accepting TCP as sufficient to authenticate so, it should consider accepting TCP as sufficient to authenticate
the request and respond accordingly. In another, when a client the request and respond accordingly. In another, when a client
receives a BADCOOKIE reply using a fresh server cookie, the client receives a BADCOOKIE reply using a fresh server cookie, the client
should retry using TCP as the transport. should retry using TCP as the transport.
A.6. IETF RFC 7901 - CHAIN Query Requests in DNS A.8. IETF RFC 7901 - CHAIN Query Requests in DNS
This experimental specification [RFC7901] describes an EDNS0 option This experimental specification [RFC7901] describes an EDNS0 option
that can be used by a security-aware validating resolver to request that can be used by a security-aware validating resolver to request
and obtain a complete DNSSEC validation path for any single query. and obtain a complete DNSSEC validation path for any single query.
This document requires the use of DNS over TCP or a source IP address This document requires the use of DNS over TCP or a source IP address
verified transport mechanism such as EDNS-COOKIE.[RFC7873] verified transport mechanism such as EDNS-COOKIE.[RFC7873]
A.7. IETF RFC 8027 - DNSSEC Roadblock Avoidance A.9. IETF RFC 8027 - DNSSEC Roadblock Avoidance
This document [RFC8027] details observed problems with DNSSEC This document [RFC8027] details observed problems with DNSSEC
deployment and mitigation techniques. Network traffic blocking and deployment and mitigation techniques. Network traffic blocking and
restrictions, including DNS over TCP messages, are highlighted as one restrictions, including DNS over TCP messages, are highlighted as one
reason for DNSSEC deployment issues. While this document suggests reason for DNSSEC deployment issues. While this document suggests
these sorts of problems are due to "non-compliant infrastructure" and these sorts of problems are due to "non-compliant infrastructure" and
is of type BCP, the scope of the document is limited to detection and is of type BCP, the scope of the document is limited to detection and
mitigation techniques to avoid so-called DNSSEC roadblocks. mitigation techniques to avoid so-called DNSSEC roadblocks.
A.10. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)
This experimental specification [RFC8094] details a protocol that
uses a datagram transport (UDP), but stipulates that "DNS clients and
servers that implement DNS over DTLS MUST also implement DNS over TLS
in order to provide privacy for clients that desire Strict Privacy
[...]". This requirement implies DNS over TCP must be supported in
case the message size is larger than the path MTU.
A.11. IETF RFC 8162 - Using Secure DNS to Associate Certificates with
Domain Names for S/MIME
This experimental specification [RFC8162] describes a technique to
authenticate user X.509 certificates in an S/MIME system via the DNS.
The document points out that the new experimental resource record
types are expected to carry large payloads, resulting in the
suggestion that "applications SHOULD use TCP -- not UDP -- to perform
queries for the SMIMEA resource record."
Authors' Addresses Authors' Addresses
John Kristoff John Kristoff
DePaul University DePaul University
Chicago, IL 60604 Chicago, IL 60604
US US
Phone: +1 312 493 0305 Phone: +1 312 493 0305
Email: jtk@depaul.edu Email: jtk@depaul.edu
URI: https://aharp.iorc.depaul.edu URI: https://aharp.iorc.depaul.edu
 End of changes. 54 change blocks. 
92 lines changed or deleted 252 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/