draft-wkumari-dnsop-multiple-responses-04.txt   draft-wkumari-dnsop-multiple-responses-05.txt 
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Standards Track Z. Yan Intended status: Standards Track Z. Yan
Expires: January 4, 2018 CNNIC Expires: January 4, 2018 CNNIC
W. Hardaker W. Hardaker
USC/ISI USC/ISI
D. Lawrence
Akamai Technologies
July 3, 2017 July 3, 2017
Returning extra answers in DNS responses. Returning extra answers in DNS responses.
draft-wkumari-dnsop-multiple-responses-04 draft-wkumari-dnsop-multiple-responses-05
Abstract Abstract
This document (re)introduces the ability to provide multiple answers This document (re)introduces the ability to provide multiple answers
in a DNS response. This is especially useful as, in many cases, the in a DNS response. This is especially useful as, in many cases, the
entity making the request has no a prori knowledge of what other entity making the request has no a prori knowledge of what other
questions it will need to ask. questions it will need to ask.
Status of This Memo Status of This Memo
skipping to change at page 2, line 25 skipping to change at page 2, line 27
5.1. File Format . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. File Format . . . . . . . . . . . . . . . . . . . . . . . 5
5.2. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 5 5.2. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 5
6. Signaling support . . . . . . . . . . . . . . . . . . . . . . 6 6. Signaling support . . . . . . . . . . . . . . . . . . . . . . 6
7. Stub-Resolver Considerations . . . . . . . . . . . . . . . . 6 7. Stub-Resolver Considerations . . . . . . . . . . . . . . . . 6
8. Use of Additional information . . . . . . . . . . . . . . . . 6 8. Use of Additional information . . . . . . . . . . . . . . . . 6
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
10. Security Considerations . . . . . . . . . . . . . . . . . . . 7 10. Security Considerations . . . . . . . . . . . . . . . . . . . 7
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
12. Normative References . . . . . . . . . . . . . . . . . . . . 7 12. Normative References . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
In many cases a name being resolved in the DNS provides the reason In many cases a name being resolved in the DNS provides the reason
behind why the name is being resolved. This may allow the behind why the name is being resolved. This may allow the
authoritative nameserver to predict what other answers a recursive authoritative nameserver to predict what other answers a recursive
resolver will soon query for. By providing multiple answers in the resolver will soon query for. By providing multiple answers in the
response, the authoritative name server operator can assist a caching response, the authoritative name server operator can assist a caching
recursive resolver in pre-populating its cache before a stub resolver recursive resolver in pre-populating its cache before a stub resolver
or other client asks for the subsequent queries. Apart from or other client asks for the subsequent queries. Apart from
skipping to change at page 4, line 11 skipping to change at page 4, line 11
published, there *will* be ubiquitous DNSSEC :-) ], a validating published, there *will* be ubiquitous DNSSEC :-) ], a validating
resolver can validate, authenticate and trust the records in the resolver can validate, authenticate and trust the records in the
additional information. additional information.
3. Terminology 3. Terminology
Additional records Additional records are records that the Additional records Additional records are records that the
authoritative nameserver has included in the Additional section. authoritative nameserver has included in the Additional section.
EXTRA Resource Record The EXTRA resource record (defined below) EXTRA Resource Record The EXTRA resource record (defined below)
carries a list fo additional records to send. carries a list of additional records to send.
Primary query A Primary query (or primary question) is a QNAME that Primary query A Primary query (or primary question) is a QNAME that
the name server operator would like to return additional answers the name server operator would like to return additional answers
for. for.
Supporting DNSSEC information Supporting DNSSEC information is the Supporting DNSSEC information Supporting DNSSEC information is the
DNSSEC RRSIGs that prove the authenticity of the Additional DNSSEC RRSIGs that prove the authenticity of the Additional
records. records.
Stub Resolver The term "Stub Resolver" is used in this document to Stub Resolver The term "Stub Resolver" is used in this document to
skipping to change at page 5, line 38 skipping to change at page 5, line 38
The entries in the EXTRA list are ordered. An authoritative The entries in the EXTRA list are ordered. An authoritative
nameserver SHOULD insert the records in the order listed when filling nameserver SHOULD insert the records in the order listed when filling
the response packet. This is to allow the operator to express a the response packet. This is to allow the operator to express a
preference in case all the records will not fit in the response. The preference in case all the records will not fit in the response. The
TTL of the records added to the Additional section are MUST be the TTL of the records added to the Additional section are MUST be the
same as if queried directly. same as if queried directly.
In some cases a zone content administrator might not know what all In some cases a zone content administrator might not know what all
additional records clients need. For example, the owner of additional records clients need. For example, the owner of
www.example.com may have outsourced his DNS operations to a third www.example.com may have outsourced his DNS operations to a third
party. DNS administrators may be able to mine their query logs, and party, and / or the DNS operator might not interact with the web
see that, in a large majority of cases, a recursive server asks for development team. DNS server operators may use tools to mine their
foo.example.com and then very soon after asks for bar.example.com, query logs for records to include. For example, if, in a large
and so may decide to optimize this by opportunistically returning bar majority of cases, a recursive server asks for foo.example.com and
when queried for foo. This functionality could also be included in then very soon after asks for bar.example.com, it may make sense to
the authoritative name server software itself, but discussions of optimize this by opportunistically returning bar when queried for
these are outside the scope of this document. foo. This functionality could also be included in the authoritative
name server software itself. The exact mechanisms and heuristics
used for this are not discussed in this document.
5.2. Wire Format 5.2. Wire Format
The wire format of the EXTRA RR is the same as the wire format for a The wire format of the EXTRA RR is the same as the wire format for a
TXT RR: TXT RR:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/ TXT-DATA / / TXT-DATA /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Where TXT-DATA is one or more <character-string>s. Where TXT-DATA is one or more <character-string>s.
The EXTRA RR has RR type TBD [RFC Editor: insert the IANA assigned The EXTRA RR has RR type TBD [RFC Editor: insert the IANA assigned
value and delete this note] value and delete this note]
6. Signaling support 6. Signaling support
Recursive Resolvers (or other DNS clients) that support EXTRA records Recursive Resolvers (or other DNS clients) that support EXTRA records
MAY signal this by setting the OPT record's EXTRA bit (bit NN [TBD: MAY signal this by setting the OPT record's EXTRA bit (bit NN [TBD:
assigned by IANA] in the EDNS0 extension header to 1. assigned by IANA] in the EDNS0 extension header to 1).
7. Stub-Resolver Considerations 7. Stub-Resolver Considerations
No modifications need to be made to stub-resolvers to get the No modifications need to be made to stub-resolvers to get the
predominate benefit of this protocol, since the majority of the speed predominate benefit of this protocol, since the majority of the speed
gain will take place between the validating recursive resolver and gain will take place between the validating recursive resolver and
the authoritative name server. However, stub resolvers may choose to the authoritative name server. However, stub resolvers may choose to
support this technique, and / or may query directly for the EXTRA RR support this technique, and / or may query directly for the EXTRA RR
if it wants to pre-query for data that will likely be needed in the if it wants to pre-query for data that will likely be needed in the
process of supporting its application. process of supporting applications.
8. Use of Additional information 8. Use of Additional information
When receiving additional records in the additional section, a When deciding to use additional records in the additional section, a
resolver follows certain rules: resolver must follow certain rules:
1. Additional records MUST be validated before being used. 1. Additional records MUST be validated before being used.
2. Additional records SHOULD have lower priority in the cache than 2. Additional records SHOULD have lower priority in the cache than
answers received because they were requested. This is to help answers received because they were requested. This is to help
evict Additional records from the cache first (to help prevent evict Additional records from the cache first (to help prevent
cache filling attacks). cache filling attacks).
3. Recursive resolvers MAY choose to ignore Additional records for 3. Recursive resolvers MAY choose to ignore Additional records for
any reason, including CPU or cache space concerns, phase of the any reason, including CPU or cache space concerns, phase of the
moon, etc. It may choose to accept all, some or none of the moon, etc. It may choose to accept all, some or none of the
Additional records. Additional records.
9. IANA Considerations 9. IANA Considerations
This document contains the following IANA assignment requirements: This document contains the following IANA assignment requirements:
1. The EXTRA bit discussed in Section 6 needs to be allocated. 1. The EXTRA bit discussed in Section 6 needs to be allocated. [ Ed:
This section to be completed later ]
10. Security Considerations 10. Security Considerations
Additional records will make DNS responses even larger than they are Additional records will make DNS responses even larger than they are
currently, leading to larger records that can be used in DNS currently, leading to larger records that can be used in DNS
reflection attacks. One could mitigate this by only serving reflection attacks. One could mitigate this by only serving
responses to EXTRA requests over TCP or when using Cookies [RFC5395], responses to EXTRA requests over TCP or when using Cookies [RFC5395],
although there is no easy way to signal this to a client other than although there is no easy way to signal this to a client other than
through the use of the truncate bit. through the use of the truncate bit.
skipping to change at page 7, line 30 skipping to change at page 7, line 30
itself under attack or its CPU resources are otherwise over- itself under attack or its CPU resources are otherwise over-
committed. committed.
This specification requires that the all of the Additional records This specification requires that the all of the Additional records
are signed, and all necessary DNSSEC information for validation be are signed, and all necessary DNSSEC information for validation be
included to avoid cache poisoning attacks. included to avoid cache poisoning attacks.
11. Acknowledgements 11. Acknowledgements
The authors to thank Mark Andrews, John Dickinson, Kazunori Fujiwara, The authors to thank Mark Andrews, John Dickinson, Kazunori Fujiwara,
Bob Harold, John Heidemann, Tony Finch. Bob Harold, John Heidemann, and Tony Finch. The authors apologize in
advance for others who contributed, but who we managed to forget.
12. Normative References 12. Normative References
[Ref.Bellovin] [Ref.Bellovin]
Bellovin, S., "Using the Domain Name System for System Bellovin, S., "Using the Domain Name System for System
Break-Ins", 1995, Break-Ins", 1995,
<https://www.cs.columbia.edu/~smb/papers/dnshack.pdf>. <https://www.cs.columbia.edu/~smb/papers/dnshack.pdf>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
skipping to change at page 8, line 21 skipping to change at page 8, line 21
2012, <http://www.rfc-editor.org/info/rfc6555>. 2012, <http://www.rfc-editor.org/info/rfc6555>.
[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
<http://www.rfc-editor.org/info/rfc7873>. <http://www.rfc-editor.org/info/rfc7873>.
Appendix A. Changes / Author Notes. Appendix A. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
From -04 to -05:
o In the deadline rush, Warren forgot to add Tale. Fixed.
o Some more text fixups and clarifications.
From -03 to -04: From -03 to -04:
o Some additional text explaining how this differs from solutions o Some additional text explaining how this differs from solutions
which include muiltiple queries (you don't know what to ask until which include multiple queries (you don't know what to ask until
you have received some answers). you have received some answers).
From -02 to -03: From -02 to -03:
o Sat down and rewrote and cleaned up large sections of text. o Sat down and rewrote and cleaned up large sections of text.
o Changed name of RR from Additional to EXTRA (the term "Additional" o Changed name of RR from Additional to EXTRA (the term "Additional"
is overloaded in general) is overloaded in general)
o Clarified that stub resolvers and other clients MAY use this o Clarified that stub resolvers and other clients MAY use this
skipping to change at line 395 skipping to change at page 9, line 30
Email: yanzhiwei@cnnic.cn Email: yanzhiwei@cnnic.cn
Wes Hardaker Wes Hardaker
USC/ISI USC/ISI
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
US US
Email: ietf@hardakers.net Email: ietf@hardakers.net
David C Lawrence
Akamai Technologies
150 Broadway
Cambridge, MA 02142-1054
US
Email: tale@akamai.com
 End of changes. 13 change blocks. 
17 lines changed or deleted 29 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/