draft-ietf-dnsop-qname-minimisation-04.txt   draft-ietf-dnsop-qname-minimisation-05.txt 
Domain Name System Operations (dnsop) Working Group S. Bortzmeyer Domain Name System Operations (dnsop) Working Group S. Bortzmeyer
Internet-Draft AFNIC Internet-Draft AFNIC
Intended status: Experimental June 19, 2015 Intended status: Experimental August 1, 2015
Expires: December 21, 2015 Expires: February 2, 2016
DNS query name minimisation to improve privacy DNS query name minimisation to improve privacy
draft-ietf-dnsop-qname-minimisation-04 draft-ietf-dnsop-qname-minimisation-05
Abstract Abstract
This document describes one of the techniques that could be used to This document describes one of the techniques that could be used to
improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a
technique called "QNAME minimisation", where the DNS resolver no technique called "QNAME minimisation", where the DNS resolver no
longer sends the full original QNAME to the upstream name server. longer sends the full original QNAME to the upstream name server.
REMOVE BEFORE PUBLICATION Discussions of the document should take
place on the DNSOP working group mailing list [dnsop].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 21, 2015. This Internet-Draft will expire on February 2, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and background . . . . . . . . . . . . . . . . . 2 1. Introduction and background . . . . . . . . . . . . . . . . . 2
2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 3 2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 2
3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 4 3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 3
4. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Protocol and compatibility discussion . . . . . . . . . . . . 5
5. Operational considerations . . . . . . . . . . . . . . . . . 5 5. Operational considerations . . . . . . . . . . . . . . . . . 5
6. Performance considerations . . . . . . . . . . . . . . . . . 5 6. Performance considerations . . . . . . . . . . . . . . . . . 5
7. Security considerations . . . . . . . . . . . . . . . . . . . 6 7. Security considerations . . . . . . . . . . . . . . . . . . . 6
8. Implementation status - REMOVE BEFORE PUBLICATION . . . . . . 7 8. Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION 6
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 8
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Appendix A. An algorithm to find the zone cut . . . . . . . . . 9 Appendix A. An algorithm to find the zone cut . . . . . . . . . 9
Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10 Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction and background 1. Introduction and background
The problem statement is exposed in The problem statement is exposed in
[I-D.ietf-dprive-problem-statement] TODO: add a reference to the [I-D.ietf-dprive-problem-statement]. The terminology ("QNAME",
specific section when ietf-dprive-problem-statement will be published "resolver", etc) is also defined in this companion document. This
as RFC. The terminology ("QNAME", "resolver", etc) is also defined specific solution is not intended to fully solve the DNS privacy
in this companion document. This specific solution is not intended problem; instead, it should be viewed as one tool amongst many.
to fully solve the DNS privacy problem; instead, it should be viewed
as one tool amongst many.
It follows the principle explained in section 6.1 of [RFC6973]: the It follows the principle explained in section 6.1 of [RFC6973]: the
less data you send out, the fewer privacy problems you'll get. less data you send out, the fewer privacy problems you'll get.
Under current practice, when a resolver receives the query "What is Under current practice, when a resolver receives the query "What is
the AAAA record for www.example.com?", it sends to the root (assuming the AAAA record for www.example.com?", it sends to the root (assuming
a cold resolver, whose cache is empty) the very same question. a cold resolver, whose cache is empty) the very same question.
Sending the full QNAME to the authoritative name server is a Sending the full QNAME to the authoritative name server is a
tradition, not a protocol requirement. This tradition tradition, not a protocol requirement. This tradition
comes[mockapetris-history] from a desire to optimize the number of comes[mockapetris-history] from a desire to optimize the number of
skipping to change at page 4, line 15 skipping to change at page 4, line 10
3. Possible issues 3. Possible issues
QNAME minimisation is legal, since the original DNS RFC do not QNAME minimisation is legal, since the original DNS RFC do not
mandate sending the full QNAME. So, in theory, it should work mandate sending the full QNAME. So, in theory, it should work
without any problems. However, in practice, some problems may occur without any problems. However, in practice, some problems may occur
(see an analysis in [huque-qnamemin]). (see an analysis in [huque-qnamemin]).
Some broken name servers do not react properly to qtype=NS requests. Some broken name servers do not react properly to qtype=NS requests.
For instance, some authoritative name servers embedded in load For instance, some authoritative name servers embedded in load
balancers reply properly to A queries but send REFUSED to NS queries. balancers reply properly to A queries but send REFUSED to NS queries.
REMOVE THIS SENTENCE BEFORE PUBLICATION: As an example of today, look This behaviour is a gross protocol violation, and there is no need to
at www.ratp.fr (not ratp.fr). This behaviour is a gross protocol stop improving the DNS because of such brokenness. However, QNAME
violation, and there is no need to stop improving the DNS because of minimisation may still work with such domains since they are only
such brokenness. However, QNAME minimisation may still work with leaf domains (no need to send them NS requests). Such setup breaks
such domains since they are only leaf domains (no need to send them more than just QNAME minimisation. It breaks negative answers, since
NS requests). Such setup breaks more than just QNAME minimisation. the servers don't return the correct SOA, and it also breaks anything
It breaks negative answers, since the servers don't return the dependent upon NS and SOA records existing at the top of the zone.
correct SOA, and it also breaks anything dependent upon NS and SOA
records existing at the top of the zone. Another way to deal with such broken name servers would be to try
with QTYPE=A requests (A being chosen because it is the most common
and hence a qtype which will be always accepted, while a qtype NS may
ruffle the feathers of some middleboxes). Instead of querying name
servers with a query "NS example.com", we could use "A _.example.com"
and see if we get a referral.
A problem can also appear when a name server does not react properly A problem can also appear when a name server does not react properly
to ENT (Empty Non-Terminals). If ent.example.com has no resource to ENT (Empty Non-Terminals). If ent.example.com has no resource
records but foobar.ent.example.com does, then ent.example.com is an records but foobar.ent.example.com does, then ent.example.com is an
ENT. A query, whatever the qtype, for ent.example.com must return ENT. A query, whatever the qtype, for ent.example.com must return
NODATA (NOERROR / ANSWER: 0). However, some broken name servers NODATA (NOERROR / ANSWER: 0). However, some broken name servers
return NXDOMAIN for ENTs. REMOVE THIS SENTENCE BEFORE PUBLICATION: return NXDOMAIN for ENTs. If a resolver queries only
As an example of today, look at com.akadns.net or www.upenn.edu with
its delegations to Akamai. If a resolver queries only
foobar.ent.example.com, everything will be OK but, if it implements foobar.ent.example.com, everything will be OK but, if it implements
QNAME minimisation, it may query ent.example.com and get a NXDOMAIN. QNAME minimisation, it may query ent.example.com and get a NXDOMAIN.
See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad
consequences of this brokenness. consequences of this brokenness.
Another way to deal with such broken name servers would be to try
with QTYPE=A requests (A being chosen because it is the most common
and hence a qtype which will be always accepted, while a qtype NS may
ruffle the feathers of some middleboxes). Instead of querying name
servers with a query "NS example.com", we could use "A _.example.com"
and see if we get a referral.
Other strange and non-conformant practices may pose a problem: there Other strange and non-conformant practices may pose a problem: there
is a common DNS anti-pattern used by low-end web hosters that also do is a common DNS anti-pattern used by low-end web hosters that also do
DNS hosting that exploits the fact that the DNS protocol (pre-DNSSEC) DNS hosting that exploits the fact that the DNS protocol (pre-DNSSEC)
allows certain serious misconfigurations, such as parent and child allows certain serious misconfigurations, such as parent and child
zones disagreeing on the location of a zone cut. Basically, they zones disagreeing on the location of a zone cut. Basically, they
have a single zone with wildcards for each TLD like: have a single zone with wildcards for each TLD like:
*.example. 60 IN A 192.0.2.6 *.example. 60 IN A 192.0.2.6
(It is not known why they don't just wildcard all of "*." and be done (It is not known why they don't just wildcard all of "*." and be done
with it.) with it.)
This lets them turn up many web hosting customers without having to This lets them turn up many web hosting customers without having to
configure thousands of individual zones on their nameservers. They configure thousands of individual zones on their nameservers. They
just tell the prospective customer to point their NS records at the just tell the prospective customer to point their NS records at the
hoster's nameservers, and the Web hoster doesn't have to provision hoster's nameservers, and the Web hoster doesn't have to provision
anything in order to make the customer's domain resolve. NS queries anything in order to make the customer's domain resolve. NS queries
to the hoster will therefore do not give the right result, which may to the hoster will therefore do not give the right result, which may
endanger QNAME minimisation (it will be a problem for DNSSEC, too). endanger QNAME minimisation (it will be a problem for DNSSEC, too).
skipping to change at page 5, line 15 skipping to change at page 5, line 8
with it.) with it.)
This lets them turn up many web hosting customers without having to This lets them turn up many web hosting customers without having to
configure thousands of individual zones on their nameservers. They configure thousands of individual zones on their nameservers. They
just tell the prospective customer to point their NS records at the just tell the prospective customer to point their NS records at the
hoster's nameservers, and the Web hoster doesn't have to provision hoster's nameservers, and the Web hoster doesn't have to provision
anything in order to make the customer's domain resolve. NS queries anything in order to make the customer's domain resolve. NS queries
to the hoster will therefore do not give the right result, which may to the hoster will therefore do not give the right result, which may
endanger QNAME minimisation (it will be a problem for DNSSEC, too). endanger QNAME minimisation (it will be a problem for DNSSEC, too).
4. Discussion 4. Protocol and compatibility discussion
QNAME minimisation is compatible with the current DNS system and QNAME minimisation is compatible with the current DNS system and
therefore can easily be deployed; since it is a unilateral change to therefore can easily be deployed; since it is a unilateral change to
the resolver, it does not change the protocol. (Because it is an the resolver, it does not change the protocol. (Because it is an
unilateral change, resolver implementers may do QNAME minimisation in unilateral change, resolver implementers may do QNAME minimisation in
slightly different ways, see the appendices for examples.) slightly different ways, see the appendices for examples.)
One should note that the behaviour suggested here (minimising the One should note that the behaviour suggested here (minimising the
amount of data sent in QNAMEs from the resolver) is NOT forbidden by amount of data sent in QNAMEs from the resolver) is NOT forbidden by
the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). As said in the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). As said in
skipping to change at page 6, line 31 skipping to change at page 6, line 24
www.host.group.department.example.com where www.host.group.department.example.com where
host.group.department.example.com is hosted on example.com's name host.group.department.example.com is hosted on example.com's name
servers). Let's assume a resolver which knows only the name servers servers). Let's assume a resolver which knows only the name servers
of .example. Without QNAME minimisation, it would send these of .example. Without QNAME minimisation, it would send these
.example nameservers a query for .example nameservers a query for
www.host.group.department.example.com and immediately get a specific www.host.group.department.example.com and immediately get a specific
referral or an answer, without the need for more queries to probe for referral or an answer, without the need for more queries to probe for
the zone cut. For such a name, a cold resolver with QNAME the zone cut. For such a name, a cold resolver with QNAME
minimisation will, depending how QNAME minimisation is implemented, minimisation will, depending how QNAME minimisation is implemented,
send more queries, one per label. Once the cache is warm, there will send more queries, one per label. Once the cache is warm, there will
be no difference with a traditional resolver. A possible solution is be no difference with a traditional resolver. Actual testing is
to always use the traditional algorithm when the cache is cold and described in [huque-qnamemin]. Such deep domains are specially
then to move to QNAME minimisation. This will decrease the privacy a
bit but will guarantee no degradation of performance. Actual testing
is described in [huque-qnamemin]. Such deep domains are specially
common under ip6.arpa. common under ip6.arpa.
7. Security considerations 7. Security considerations
QNAME minimisation's benefits are clear in the case where you want to QNAME minimisation's benefits are clear in the case where you want to
decrease exposure to the authoritative name server. But minimising decrease exposure to the authoritative name server. But minimising
the amount of data sent also, in part, addresses the case of a wire the amount of data sent also, in part, addresses the case of a wire
sniffer as well the case of privacy invasion by the servers. sniffer as well the case of privacy invasion by the servers.
(Encryption is of course a better defense against wire sniffers but, (Encryption is of course a better defense against wire sniffers but,
unlike QNAME minimisation, it changes the protocol and cannot be unlike QNAME minimisation, it changes the protocol and cannot be
deployed unilaterally. Also, the effect of QNAME minimisation on deployed unilaterally. Also, the effect of QNAME minimisation on
wire sniffers depend on whether the sniffer is, on the DNS path.) wire sniffers depend on whether the sniffer is, on the DNS path.)
QNAME minimisation offers zero protection against the recursive QNAME minimisation offers zero protection against the recursive
resolver, which still sees the full request coming from the stub resolver, which still sees the full request coming from the stub
resolver. resolver.
8. Implementation status - REMOVE BEFORE PUBLICATION All the alternatives mentioned in Appendix B decrease privacy in the
hope of improving performances. They must not be used if you want
the maximum privacy.
8. Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION
This section records the status of known implementations of the This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC6982]. Internet-Draft, and is based on a proposal described in [RFC6982].
The description of implementations in this section is intended to The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may features. Readers are advised to note that other implementations may
exist. exist.
skipping to change at page 7, line 41 skipping to change at page 7, line 36
The algorithm to find the zone cuts described in Appendix A is The algorithm to find the zone cuts described in Appendix A is
implemented with QNAME minimisation in the sample code zonecut.go implemented with QNAME minimisation in the sample code zonecut.go
[4]. It is also implemented, for a much longer time, in an option of [4]. It is also implemented, for a much longer time, in an option of
dig, "dig +trace", but without QNAME minimisation. dig, "dig +trace", but without QNAME minimisation.
Another implementation was done by Shumon Huque for testing, and is Another implementation was done by Shumon Huque for testing, and is
described in [huque-qnamemin]. described in [huque-qnamemin].
9. Acknowledgments 9. Acknowledgments
Thanks to Olaf Kolkman for the original idea although the concept is Thanks to Olaf Kolkman for the original idea during a KLM flight from
probably much older [5]. Thanks for Shumon Huque for implementation Amsterdam to Vancouver, although the concept is probably much older
[5]. Thanks for Shumon Huque and Marek Vavrusa for implementation
and testing. Thanks to Mark Andrews and Francis Dupont for the and testing. Thanks to Mark Andrews and Francis Dupont for the
interesting discussions. Thanks to Brian Dickson, Warren Kumari, interesting discussions. Thanks to Brian Dickson, Warren Kumari,
Evan Hunt and David Conrad for remarks and suggestions. Thanks to Evan Hunt and David Conrad for remarks and suggestions. Thanks to
Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone
cut algorithm in Appendix A and for discussion of the algorithm. cut algorithm in Appendix A and for discussion of the algorithm.
Thanks to Paul Vixie for pointing out that there are practical Thanks to Paul Vixie for pointing out that there are practical
advantages (besides privacy) to QNAME minimisation. Thanks to advantages (besides privacy) to QNAME minimisation. Thanks to
Phillip Hallam-Baker for the fallback on A queries, to deal with Phillip Hallam-Baker for the fallback on A queries, to deal with
broken servers. Thanks to Robert Edmonds for an interesting anti- broken servers. Thanks to Robert Edmonds for an interesting anti-
pattern. pattern.
skipping to change at page 8, line 44 skipping to change at page 8, line 44
Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly
Automated Method for Maintaining Expiring Records", draft- Automated Method for Maintaining Expiring Records", draft-
wkumari-dnsop-hammer-01 (work in progress), July 2014. wkumari-dnsop-hammer-01 (work in progress), July 2014.
[I-D.vixie-dnsext-resimprove] [I-D.vixie-dnsext-resimprove]
Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS
Resolvers for Resiliency, Robustness, and Responsiveness", Resolvers for Resiliency, Robustness, and Responsiveness",
draft-vixie-dnsext-resimprove-00 (work in progress), June draft-vixie-dnsext-resimprove-00 (work in progress), June
2010. 2010.
[dnsop] IETF, , "The DNSOP working group of IETF", March 2014,
<https://datatracker.ietf.org/wg/dnsop/charter/>.
[mockapetris-history] [mockapetris-history]
Mockapetris, P., "Private discussion", January 2015. Mockapetris, P., "Private discussion", January 2015.
[kaliski-minimum] [kaliski-minimum]
Kaliski, B., "Minimum Disclosure: What Information Does a Kaliski, B., "Minimum Disclosure: What Information Does a
Name Server Need to Do Its Job?", March 2015, Name Server Need to Do Its Job?", March 2015,
<http://blogs.verisigninc.com/blog/entry/ <http://blogs.verisigninc.com/blog/entry/
minimum_disclosure_what_information_does>. minimum_disclosure_what_information_does>.
[huque-qnamemin] [huque-qnamemin]
skipping to change at page 11, line 5 skipping to change at page 10, line 49
information about the relative use of the various QTYPEs, which may information about the relative use of the various QTYPEs, which may
be interesting for researchers (for instance if they try to follow be interesting for researchers (for instance if they try to follow
IPv6 deployment by counting the percentage of AAAA vs. A queries). A IPv6 deployment by counting the percentage of AAAA vs. A queries). A
variant of QNAME minimisation would be to keep the original QTYPE. variant of QNAME minimisation would be to keep the original QTYPE.
Another useful optimisation may be, in the spirit of the HAMMER idea Another useful optimisation may be, in the spirit of the HAMMER idea
[I-D.wkumari-dnsop-hammer] to probe in advance for the introduction [I-D.wkumari-dnsop-hammer] to probe in advance for the introduction
of zone cuts where none previously existed (i.e. confirm their of zone cuts where none previously existed (i.e. confirm their
continued absence, or discover them.) continued absence, or discover them.)
To address the "number of queries" issue, described in Section 6, a
possible solution is to always use the traditional algorithm when the
cache is cold and then to move to QNAME minimisation. This will
decrease the privacy but will guarantee no degradation of
performance.
Author's Address Author's Address
Stephane Bortzmeyer Stephane Bortzmeyer
AFNIC AFNIC
1, rue Stephenson 1, rue Stephenson
Montigny-le-Bretonneux 78180 Montigny-le-Bretonneux 78180
France France
Phone: +33 1 39 30 83 46 Phone: +33 1 39 30 83 46
Email: bortzmeyer+ietf@nic.fr Email: bortzmeyer+ietf@nic.fr
 End of changes. 18 change blocks. 
48 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/