draft-ietf-dnsop-qname-minimisation-08.txt   draft-ietf-dnsop-qname-minimisation-09.txt 
Domain Name System Operations (dnsop) Working Group S. Bortzmeyer Domain Name System Operations (dnsop) Working Group S. Bortzmeyer
Internet-Draft AFNIC Internet-Draft AFNIC
Intended status: Experimental November 29, 2015 Intended status: Experimental January 8, 2016
Expires: June 1, 2016 Expires: July 11, 2016
DNS query name minimisation to improve privacy DNS query name minimisation to improve privacy
draft-ietf-dnsop-qname-minimisation-08 draft-ietf-dnsop-qname-minimisation-09
Abstract Abstract
This document describes a technique to improve DNS privacy, a This document describes a technique to improve DNS privacy, a
technique called "QNAME minimisation", where the DNS resolver no technique called "QNAME minimisation", where the DNS resolver no
longer sends the full original QNAME to the upstream name server. longer sends the full original QNAME to the upstream name server.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 1, 2016. This Internet-Draft will expire on July 11, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and background . . . . . . . . . . . . . . . . . 2 1. Introduction and background . . . . . . . . . . . . . . . . . 2
2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 3 2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 3
3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 4 3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol and compatibility discussion . . . . . . . . . . . . 5 4. Protocol and compatibility discussion . . . . . . . . . . . . 5
5. Operational considerations . . . . . . . . . . . . . . . . . 5 5. Operational considerations . . . . . . . . . . . . . . . . . 5
6. Performance considerations . . . . . . . . . . . . . . . . . 6 6. Performance considerations . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7. On the experimentation . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION 7 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
11.1. Normative References . . . . . . . . . . . . . . . . . . 8 11.1. Normative References . . . . . . . . . . . . . . . . . . 7
11.2. Informative References . . . . . . . . . . . . . . . . . 8 11.2. Informative References . . . . . . . . . . . . . . . . . 8
11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Appendix A. An algorithm to perform QNAME minimisation in Appendix A. An algorithm to perform QNAME minimisation . . . . . 9
presence of zone cuts . . . . . . . . . . . . . . . 10
Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10 Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction and background 1. Introduction and background
The problem statement is exposed in [RFC7626]. The terminology The problem statement is described in [RFC7626]. The terminology
("QNAME", "resolver", etc) is also defined in this companion ("QNAME", "resolver", etc) is also defined in this companion
document. This specific solution is not intended to fully solve the document. This specific solution is not intended to fully solve the
DNS privacy problem; instead, it should be viewed as one tool amongst DNS privacy problem; instead, it should be viewed as one tool amongst
many. many.
It follows the principle explained in section 6.1 of [RFC6973]: the QNAME minimisation follows the principle explained in section 6.1 of
less data you send out, the fewer privacy problems you have. [RFC6973]: the less data you send out, the fewer privacy problems you
have.
Currently, when a resolver receives the query "What is the AAAA Currently, when a resolver receives the query "What is the AAAA
record for www.example.com?", it sends to the root (assuming a cold record for www.example.com?", it sends to the root (assuming a cold
resolver, whose cache is empty) the very same question. Sending the resolver, whose cache is empty) the very same question. Sending the
full QNAME to the authoritative name server is a tradition, not a full QNAME to the authoritative name server is a tradition, not a
protocol requirement. This tradition comes [mockapetris-history] protocol requirement. This tradition comes [mockapetris-history]
from a desire to optimize the number of requests, when the same name from a desire to optimize the number of requests, when the same name
server is authoritative for many zones in a given name (something server is authoritative for many zones in a given name (something
which was more common in the old days, where the same name servers which was more common in the old days, where the same name servers
served .com and the root) or when the same name server is both served .com and the root) or when the same name server is both
skipping to change at page 4, line 16 skipping to change at page 4, line 16
QNAME minimisation is legal, since the original DNS RFC do not QNAME minimisation is legal, since the original DNS RFC do not
mandate sending the full QNAME. So, in theory, it should work mandate sending the full QNAME. So, in theory, it should work
without any problems. However, in practice, some problems may occur without any problems. However, in practice, some problems may occur
(see an analysis in [huque-qnamemin] and an interesting discussion in (see an analysis in [huque-qnamemin] and an interesting discussion in
[huque-qnamestorify]). [huque-qnamestorify]).
Some broken name servers do not react properly to qtype=NS requests. Some broken name servers do not react properly to qtype=NS requests.
For instance, some authoritative name servers embedded in load For instance, some authoritative name servers embedded in load
balancers reply properly to A queries but send REFUSED to NS queries. balancers reply properly to A queries but send REFUSED to NS queries.
This behaviour is a gross protocol violation, and there is no need to This behaviour is a protocol violation, and there is no need to stop
stop improving the DNS because of such brokenness. However, QNAME improving the DNS because of such behaviour. However, QNAME
minimisation may still work with such domains since they are only minimisation may still work with such domains since they are only
leaf domains (no need to send them NS requests). Such setup breaks leaf domains (no need to send them NS requests). Such setup breaks
more than just QNAME minimisation. It breaks negative answers, since more than just QNAME minimisation. It breaks negative answers, since
the servers don't return the correct SOA, and it also breaks anything the servers don't return the correct SOA, and it also breaks anything
dependent upon NS and SOA records existing at the top of the zone. dependent upon NS and SOA records existing at the top of the zone.
Another way to deal with such broken name servers would be to try Another way to deal with such incorrect name servers would be to try
with QTYPE=A requests (A being chosen because it is the most common with QTYPE=A requests (A being chosen because it is the most common
and hence a qtype which will be always accepted, while a qtype NS may and hence a qtype which will be always accepted, while a qtype NS may
ruffle the feathers of some middleboxes). Instead of querying name ruffle the feathers of some middleboxes). Instead of querying name
servers with a query "NS example.com", we could use "A _.example.com" servers with a query "NS example.com", we could use "A _.example.com"
and see if we get a referral. and see if we get a referral.
A problem can also appear when a name server does not react properly A problem can also appear when a name server does not react properly
to ENT (Empty Non-Terminals). If ent.example.com has no resource to ENT (Empty Non-Terminals). If ent.example.com has no resource
records but foobar.ent.example.com does, then ent.example.com is an records but foobar.ent.example.com does, then ent.example.com is an
ENT. A query, whatever the qtype, for ent.example.com must return ENT. A query, whatever the qtype, for ent.example.com must return
NODATA (NOERROR / ANSWER: 0). However, some broken name servers NODATA (NOERROR / ANSWER: 0). However, some name servers incorrectly
return NXDOMAIN for ENTs. If a resolver queries only return NXDOMAIN for ENTs. If a resolver queries only
foobar.ent.example.com, everything will be OK but, if it implements foobar.ent.example.com, everything will be OK but, if it implements
QNAME minimisation, it may query ent.example.com and get a NXDOMAIN. QNAME minimisation, it may query ent.example.com and get a NXDOMAIN.
See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad
consequences of this brokenness. consequences of this bad behaviour.
A possible solution, currently implemented in Knot, is to retry with A possible solution, currently implemented in Knot, is to retry with
the full query when you receive a NXDOMAIN. It works but it is not the full query when you receive a NXDOMAIN. It works but it is not
ideal for privacy. ideal for privacy.
Other strange and non-conformant practices may pose a problem: there Other practices that do not conform to the DNS protocol standards may
is a common DNS anti-pattern used by low-end web hosters that also do pose a problem: there is a common DNS trick used by some Web hosters
DNS hosting that exploits the fact that the DNS protocol (pre-DNSSEC) that also do DNS hosting that exploits the fact that the DNS protocol
allows certain serious misconfigurations, such as parent and child (pre-DNSSEC) allows certain serious misconfigurations, such as parent
zones disagreeing on the location of a zone cut. Basically, they and child zones disagreeing on the location of a zone cut.
have a single zone with wildcards for each TLD like: Basically, they have a single zone with wildcards for each TLD like:
*.example. 60 IN A 192.0.2.6 *.example. 60 IN A 192.0.2.6
(It is not known why they don't just wildcard all of "*." and be done (They could just wildcard all of "*.", which would be sufficient. We
with it.) don't know why they don't do it.)
This lets them turn up many web hosting customers without having to This lets them have many Web hosting customers without having to
configure thousands of individual zones on their nameservers. They configure thousands of individual zones on their nameservers. They
just tell the prospective customer to point their NS records at the just tell the prospective customer to point their NS records at the
hoster's nameservers, and the Web hoster doesn't have to provision hoster's nameservers, and the Web hoster doesn't have to provision
anything in order to make the customer's domain resolve. NS queries anything in order to make the customer's domain resolve. NS queries
to the hoster will therefore not give the right result, which may to the hoster will therefore not give the right result, which may
endanger QNAME minimisation (it will be a problem for DNSSEC, too). endanger QNAME minimisation (it will be a problem for DNSSEC, too).
4. Protocol and compatibility discussion 4. Protocol and compatibility discussion
QNAME minimisation is compatible with the current DNS system and QNAME minimisation is compatible with the current DNS system and
skipping to change at page 6, line 42 skipping to change at page 6, line 42
.example nameservers a query for .example nameservers a query for
www.host.group.department.example.com and immediately get a specific www.host.group.department.example.com and immediately get a specific
referral or an answer, without the need for more queries to probe for referral or an answer, without the need for more queries to probe for
the zone cut. For such a name, a cold resolver with QNAME the zone cut. For such a name, a cold resolver with QNAME
minimisation will, depending how QNAME minimisation is implemented, minimisation will, depending how QNAME minimisation is implemented,
send more queries, one per label. Once the cache is warm, there will send more queries, one per label. Once the cache is warm, there will
be no difference with a traditional resolver. Actual testing is be no difference with a traditional resolver. Actual testing is
described in [huque-qnamemin]. Such deep domains are specially described in [huque-qnamemin]. Such deep domains are specially
common under ip6.arpa. common under ip6.arpa.
7. IANA Considerations 7. On the experimentation
This document has status "Experimental". Since the beginning of time
(or DNS), the fully qualified host name was always sent to the
authoritative name servers. There was a concern that changing this
behavior may engage the Law of Unintended Consequences. Hence this
status.
The idea about the experiment is to observe QNAME minimisation in
action with multiple resolvers, various authoritative name servers,
etc.
8. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
8. Security Considerations 9. Security Considerations
QNAME minimisation's benefits are clear in the case where you want to QNAME minimisation's benefits are clear in the case where you want to
decrease exposure to the authoritative name server. But minimising decrease exposure to the authoritative name server. But minimising
the amount of data sent also, in part, addresses the case of a wire the amount of data sent also, in part, addresses the case of a wire
sniffer as well as the case of privacy invasion by the servers. sniffer as well as the case of privacy invasion by the servers.
(Encryption is of course a better defense against wire sniffers but, (Encryption is of course a better defense against wire sniffers but,
unlike QNAME minimisation, it changes the protocol and cannot be unlike QNAME minimisation, it changes the protocol and cannot be
deployed unilaterally. Also, the effect of QNAME minimisation on deployed unilaterally. Also, the effect of QNAME minimisation on
wire sniffers depends on whether the sniffer is, on the DNS path.) wire sniffers depends on whether the sniffer is, on the DNS path.)
QNAME minimisation offers zero protection against the recursive QNAME minimisation offers zero protection against the recursive
resolver, which still sees the full request coming from the stub resolver, which still sees the full request coming from the stub
resolver. resolver.
All the alternatives mentioned in Appendix B decrease privacy in the All the alternatives mentioned in Appendix B decrease privacy in the
hope of improving performance. They must not be used if you want the hope of improving performance. They must not be used if you want the
maximum privacy. maximum privacy.
9. Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC6982].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to [RFC6982], "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
As of today, no production resolver implements QNAME minimisation but
it has been publically announced for the future Knot DNS resolver [1]
which is now in beta mode [2] (with QNAME minimisation actually
working). For Unbound, see ticket 648 [3] and for PowerDNS [4].
The algorithm to find the zone cuts described in Appendix A is
implemented with QNAME minimisation in the sample code zonecut.go
[5]. It is also implemented, for a much longer time, in an option of
dig, "dig +trace", but without QNAME minimisation.
Another implementation was done by Shumon Huque for testing, and is
described in [huque-qnamemin].
10. Acknowledgments 10. Acknowledgments
Thanks to Olaf Kolkman for the original idea during a KLM flight from Thanks to Olaf Kolkman for the original idea during a KLM flight from
Amsterdam to Vancouver, although the concept is probably much older Amsterdam to Vancouver, although the concept is probably much older
[6]. Thanks for Shumon Huque and Marek Vavrusa for implementation [1]. Thanks for Shumon Huque and Marek Vavrusa for implementation
and testing. Thanks to Mark Andrews and Francis Dupont for the and testing. Thanks to Mark Andrews and Francis Dupont for the
interesting discussions. Thanks to Brian Dickson, Warren Kumari, interesting discussions. Thanks to Brian Dickson, Warren Kumari,
Evan Hunt and David Conrad for remarks and suggestions. Thanks to Evan Hunt and David Conrad for remarks and suggestions. Thanks to
Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone
cut algorithm in Appendix A and for discussion of the algorithm. cut algorithm in Appendix A and for discussion of the algorithm.
Thanks to Paul Vixie for pointing out that there are practical Thanks to Paul Vixie for pointing out that there are practical
advantages (besides privacy) to QNAME minimisation. Thanks to advantages (besides privacy) to QNAME minimisation. Thanks to
Phillip Hallam-Baker for the fallback on A queries, to deal with Phillip Hallam-Baker for the fallback on A queries, to deal with
broken servers. Thanks to Robert Edmonds for an interesting anti- broken servers. Thanks to Robert Edmonds for an interesting anti-
pattern. pattern.
skipping to change at page 8, line 49 skipping to change at page 8, line 25
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
DOI 10.17487/RFC7626, August 2015, DOI 10.17487/RFC7626, August 2015,
<http://www.rfc-editor.org/info/rfc7626>. <http://www.rfc-editor.org/info/rfc7626>.
11.2. Informative References 11.2. Informative References
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
<http://www.rfc-editor.org/info/rfc2181>. <http://www.rfc-editor.org/info/rfc2181>.
[RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", RFC 6982, DOI
10.17487/RFC6982, July 2013,
<http://www.rfc-editor.org/info/rfc6982>.
[I-D.wkumari-dnsop-hammer] [I-D.wkumari-dnsop-hammer]
Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly
Automated Method for Maintaining Expiring Records", draft- Automated Method for Maintaining Expiring Records", draft-
wkumari-dnsop-hammer-01 (work in progress), July 2014. wkumari-dnsop-hammer-01 (work in progress), July 2014.
[I-D.vixie-dnsext-resimprove] [I-D.vixie-dnsext-resimprove]
Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS
Resolvers for Resiliency, Robustness, and Responsiveness", Resolvers for Resiliency, Robustness, and Responsiveness",
draft-vixie-dnsext-resimprove-00 (work in progress), June draft-vixie-dnsext-resimprove-00 (work in progress), June
2010. 2010.
skipping to change at page 9, line 36 skipping to change at page 9, line 7
Huque, S., "Query name minimization and authoritative Huque, S., "Query name minimization and authoritative
server behavior", May 2015, <https://indico.dns- server behavior", May 2015, <https://indico.dns-
oarc.net/event/21/contribution/9>. oarc.net/event/21/contribution/9>.
[huque-qnamestorify] [huque-qnamestorify]
Huque, S., "Qname Minimization @ DNS-OARC", May 2015, Huque, S., "Qname Minimization @ DNS-OARC", May 2015,
<https://storify.com/shuque/qname-minimization-dns-oarc>. <https://storify.com/shuque/qname-minimization-dns-oarc>.
11.3. URIs 11.3. URIs
[1] https://ripe70.ripe.net/presentations/121-knot-resolver- [1] https://lists.dns-oarc.net/pipermail/dns-
ripe70.pdf
[2] https://storify.com/KnotDNS/knot-dns-recursive-beta
[3] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=648
[4] https://github.com/PowerDNS/pdns/issues/2311
[5] https://github.com/bortzmeyer/my-IETF-work/blob/master/draft-
ietf-dnsop-QNAME-minimisation/zonecut.go
[6] https://lists.dns-oarc.net/pipermail/dns-
operations/2010-February/005003.html operations/2010-February/005003.html
Appendix A. An algorithm to perform QNAME minimisation in presence of Appendix A. An algorithm to perform QNAME minimisation
zone cuts
This algorithm performs name resolution with QNAME minimisation in
presence of not-yet-known zone cuts.
Although a validating resolver already has the logic to find the zone Although a validating resolver already has the logic to find the zone
cut, other resolvers may be interested by this algorithm to follow in cut, other resolvers may be interested by this algorithm to follow in
order to locate this cut: order to locate the cuts. This is just a possible help for
implementors, it is not intended to be normative:
(0) If the query can be answered from the cache, do so, otherwise (0) If the query can be answered from the cache, do so, otherwise
iterate as follows: iterate as follows:
(1) Find closest enclosing NS RRset in your cache. The owner of (1) Find closest enclosing NS RRset in your cache. The owner of
this NS RRset will be a suffix of the QNAME - the longest suffix this NS RRset will be a suffix of the QNAME - the longest suffix
of any NS RRset in the cache. Call this ANCESTOR. of any NS RRset in the cache. Call this ANCESTOR.
(2) Initialize CHILD to the same as ANCESTOR. (2) Initialize CHILD to the same as ANCESTOR.
 End of changes. 24 change blocks. 
90 lines changed or deleted 53 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/