rfc9609xml2.original.xml | rfc9609.xml | |||
---|---|---|---|---|
<?xml version='1.0'?> | <?xml version='1.0' encoding='UTF-8'?> | |||
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" []> | ||||
<?rfc comments='yes'?> | ||||
<?rfc inline='no'?> | ||||
<?rfc compact='yes'?> | ||||
<?rfc editing='no'?> | ||||
<?rfc linkmailto='no'?> | ||||
<?rfc symrefs='yes'?> | ||||
<?rfc sortrefs='yes'?> | ||||
<?rfc subcompact='no'?> | ||||
<?rfc toc='yes'?> | ||||
<?rfc tocindent='no'?> | ||||
<rfc docName="draft-ietf-dnsop-rfc8109bis-07" ipr="trust200902" category="bcp" o | ||||
bsoletes="8109" consensus="yes" | ||||
xmlns:xi="http://www.w3.org/2001/XInclude"> | ||||
<front> | ||||
<title abbrev="DNS Priming Queries">Initializing a DNS Resolver with Priming Que | <!-- pre-edited by ST 09/04/24 --> | |||
ries</title> | <!-- formatted by MC 09/12/24 --> | |||
<author initials='P.' surname='Koch' fullname='Peter Koch'> | <!-- reference review by TH 10/01/24 --> | |||
<organization>DENIC eG</organization> | ||||
<address> | ||||
<postal> | ||||
<street>Kaiserstrasse 75-77</street> | ||||
<city>Frankfurt</city> <code>60329</code> | ||||
<country>Germany</country> | ||||
</postal> | ||||
<phone>+49 69 27235 0</phone> | ||||
<email>pk@DENIC.DE</email> | ||||
</address> | ||||
</author> | ||||
<author initials='M.' surname='Larson' fullname='Matt Larson'> | <!DOCTYPE rfc [ | |||
<organization>ICANN</organization> | <!ENTITY nbsp " "> | |||
<address> | <!ENTITY zwsp "​"> | |||
<email>matt.larson@icann.org</email> | <!ENTITY nbhy "‑"> | |||
</address> | <!ENTITY wj "⁠"> | |||
</author> | ]> | |||
<author initials='P.' surname='Hoffman' fullname='Paul Hoffman'> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-dnsop-rfc810 | |||
<organization>ICANN</organization> | 9bis-07" number="9609" ipr="trust200902" category="bcp" obsoletes="8109" consens | |||
<address> | us="true" updates="" submissionType="IETF" xml:lang="en" symRefs="true" sortRefs | |||
<email>paul.hoffman@icann.org</email> | ="true" tocInclude="true" version="3"> | |||
</address> | ||||
</author> | ||||
<date /> | <front> | |||
<title abbrev="DNS Priming Queries">Initializing a DNS Resolver with Priming | ||||
Queries</title> | ||||
<seriesInfo name="RFC" value="9609"/> | ||||
<seriesInfo name="BCP" value="209"/> | ||||
<author initials="P." surname="Koch" fullname="Peter Koch"> | ||||
<organization>DENIC eG</organization> | ||||
<address> | ||||
<postal> | ||||
<street>Kaiserstrasse 75-77</street> | ||||
<city>Frankfurt</city> | ||||
<code>60329</code> | ||||
<country>Germany</country> | ||||
</postal> | ||||
<phone>+49 69 27235 0</phone> | ||||
<email>pk@DENIC.DE</email> | ||||
</address> | ||||
</author> | ||||
<author initials="M." surname="Larson" fullname="Matt Larson"> | ||||
<organization>ICANN</organization> | ||||
<address> | ||||
<email>matt.larson@icann.org</email> | ||||
</address> | ||||
</author> | ||||
<author initials="P." surname="Hoffman" fullname="Paul Hoffman"> | ||||
<organization>ICANN</organization> | ||||
<address> | ||||
<email>paul.hoffman@icann.org</email> | ||||
</address> | ||||
</author> | ||||
<date month="December" year="2024"/> | ||||
<area>OPS</area> | ||||
<workgroup>dnsop</workgroup> | ||||
<abstract> | <keyword>DNS caching</keyword> | |||
<keyword>root zone</keyword> | ||||
<t>This document describes the queries that a DNS resolver should emit to initia | <abstract> | |||
lize its | <t>This document describes the queries that a DNS resolver should emit to | |||
initialize its | ||||
cache. The result is that the resolver gets both a current NS resource record se t (RRset) for the root | cache. The result is that the resolver gets both a current NS resource record se t (RRset) for the root | |||
zone and the necessary address information for reaching the root servers.</t> | zone and the necessary address information for reaching the root servers.</t> | |||
<t>This document obsoletes RFC 8109.</t> | ||||
<t>This document, when published, obsoletes RFC 8109. | </abstract> | |||
See <xref target="changes"/> for the list of changes from RFC 8109.</t> | </front> | |||
<middle> | ||||
</abstract> | <section numbered="true" toc="default"> | |||
<name>Introduction</name> | ||||
</front> | <t>Recursive DNS resolvers need a starting point to resolve queries. <xref | |||
target="RFC1034" format="default"/> describes a common scenario for recursive r | ||||
<middle> | esolvers: They | |||
<section title='Introduction'> | ||||
<t>Recursive DNS resolvers need a starting point to resolve queries. <xref | ||||
target='RFC1034'/> describes a common scenario for recursive resolvers: they | ||||
begin with an empty cache and some configuration for finding the names and | begin with an empty cache and some configuration for finding the names and | |||
addresses of the DNS root servers. <xref target='RFC1034'/> describes that | addresses of the DNS root servers. <xref target="RFC1034" format="default"/> des cribes that | |||
configuration as a list of servers that will give authoritative answers to queri es | configuration as a list of servers that will give authoritative answers to queri es | |||
about the root. This has become a common implementation choice for recursive | about the root. This has become a common implementation choice for recursive | |||
resolvers, and is the topic of this document. </t> | resolvers and is the topic of this document. </t> | |||
<t>This document describes the steps needed for this common implementation | ||||
<t>This document describes the steps needed for this common implementation | ||||
choice. Note that this is not the only way to start a recursive name server with | choice. Note that this is not the only way to start a recursive name server with | |||
an empty cache, but it is the only one described in <xref target='RFC1034'/>. | an empty cache, but it is the only one described in <xref target="RFC1034" forma t="default"/>. | |||
Some implementers have chosen other directions, some of which work well and | Some implementers have chosen other directions, some of which work well and | |||
others of which fail (sometimes disastrously) under different conditions. | others of which fail (sometimes disastrously) under different conditions. | |||
For example, an implementation that only gets the addresses of the root name | For example, an implementation that only gets the addresses of the root name | |||
servers from configuration, not from the DNS as described in this document, | servers from configuration, not from the DNS as described in this document, | |||
will have stale data that could cause slower resolution.</t> | will have stale data that could cause slower resolution.</t> | |||
<t>This document only deals with recursive name servers (also called "recu rsive resolvers" and just "resolvers") for the IN class.</t> | ||||
<t>This document only deals with recursive name servers (recursive resolvers, | <t>See <xref target="changes" format="default"/> for the list of changes from | |||
resolvers) for the IN class.</t> | <xref target="RFC8109"/>.</t> | |||
<section title='Terminology'> | ||||
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", | ||||
and "OPTIONAL" in this document are to be interpreted as described in | ||||
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, th | ||||
ey | ||||
appear in all capitals, as shown here.</t> | ||||
<t> | <section numbered="true" toc="default"> | |||
See <xref target="RSSAC026v2"/> for terminology that relates to the root server | <name>Terminology</name> | |||
system. | <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", | |||
See <xref target="RFC9499"/> for terminology that relates to the DNS in general. | "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", | |||
"<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", | ||||
"<bcp14>SHOULD NOT</bcp14>", | ||||
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | ||||
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document | ||||
are to be interpreted as described in BCP 14 | ||||
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only | ||||
when, they appear in all capitals, as shown here.</t> | ||||
<t> | ||||
See <xref target="RSSAC026v2" format="default"/> for terminology that relates to | ||||
the root server system. | ||||
See <xref target="RFC9499" format="default"/> for terminology that relates to th | ||||
e DNS in general. | ||||
</t> | </t> | |||
</section> | ||||
</section> | </section> | |||
<section numbered="true" toc="default"> | ||||
</section> | <name>Description of Priming</name> | |||
<t>Priming is the act of finding the list of root | ||||
<section title="Description of Priming"> | ||||
<t>Priming is the act of finding the list of root | ||||
servers from a configuration that lists some or all of the purported IP | servers from a configuration that lists some or all of the purported IP | |||
addresses of some or all of those root servers. | addresses of some or all of those root servers. | |||
In priming, a recursive resolver starts with no cached information about the roo t servers, | In priming, a recursive resolver starts with no cached information about the roo t servers, | |||
and finishes with a full list of their names and their addresses in its cache.</ | and it finishes with a full list of their names and addresses in its cache.</t> | |||
t> | <t>Priming is described in Sections <xref target="RFC1034" section="5 | |||
.3.2" sectionFormat="bare"/> and <xref target="RFC1034" section="5.3.3" sectionF | ||||
<t>Priming is described in Sections 5.3.2 and 5.3.3 of <xref target='RFC1034'/>. | ormat="bare"/> of <xref target="RFC1034" format="default"/>. (It is called "SBEL | |||
(It is called "SBELT", a "safety belt" structure, in that document.) | T", a "safety belt" structure, in that document.) | |||
The scenario used in that description, that of a recursive server that is also | The scenario used in that description, that of a recursive server that is also | |||
authoritative, is no longer as common.</t> | authoritative, is no longer as common.</t> | |||
<t>The configured list of IP addresses for the root servers usually comes | ||||
<t>The configured list of IP addresses for the root servers usually comes from t | from the | |||
he | ||||
vendor or distributor of the recursive server software. | vendor or distributor of the recursive server software. | |||
Although this list is generally accurate and complete at the time of distributio n, | Although this list is generally accurate and complete at the time of distributio n, | |||
it may become outdated over time.</t> | it may become outdated over time.</t> | |||
<t>The domain names for the root servers are called the | ||||
<t>The domain names for the root servers are called the | ||||
"root server identifiers". | "root server identifiers". | |||
Although this list has remained stable since 1997, the associated IPv4 and IPv6 addresses for these root server identifiers occasionally change. | Although this list has remained stable since 1997, the associated IPv4 and IPv6 addresses for these root server identifiers occasionally change. | |||
Research indicates that, following such changes, certain resolvers fail to updat | Research indicates that, following such changes, certain resolvers fail to updat | |||
e to the new addresses; for further details, refer to <xref target="OLD-J"/>.</t | e to the new addresses; for further details, refer to <xref target="OLD-J" forma | |||
> | t="default"/>.</t> | |||
<t>Therefore, it is important that resolvers are able to cope with change, | ||||
<t>Therefore, it is important that resolvers are able to cope with change, | ||||
even without relying upon configuration updates to be applied by their operator. | even without relying upon configuration updates to be applied by their operator. | |||
Root server identifier and address changes are the main reasons that resolvers | Root server identifier and address changes are the main reasons that resolvers | |||
need to use priming to get a full and accurate list of root servers, | need to use priming to get a full and accurate list of root servers, | |||
instead of just using a statically configured list. | instead of just using a statically configured list. | |||
</t> | </t> | |||
<t> | ||||
<t> | See <xref target="RSSAC023v2" format="default"/> for a history of the root serve | |||
See <xref target="RSSAC023v2"/> for a history of the root server system. | r system. | |||
</t> | </t> | |||
<t>Although this document is targeted at the global DNS, it could apply to | ||||
<t>Although this document is targeted at the global DNS, it also could apply to | a private | |||
a private | DNS as well. These terms are defined in <xref target="RFC9499" format="default"/ | |||
DNS as well. These terms are defined in <xref target="RFC9499"/>.</t> | >.</t> | |||
<t>Some systems serve a copy of the full root zone on the same server as t | ||||
<t>Some systems serve a copy of the full root zone on the same server as the res | he resolver, | |||
olver, | e.g., as described in <xref target="RFC8806" format="default"/>. | |||
such as is described in <xref target="RFC8806"/>. | In such a setup, the resolver primes its cache using the same methods as those | |||
In such a setup, the resolver primes its cache using the same methods as describ | described in the rest of this document.</t> | |||
ed in the rest of this document.</t> | <section numbered="true" toc="default"> | |||
<name>Content of Priming Information</name> | ||||
<section title="Content of Priming Information"> | <t>As described above, the configuration for priming is a list of IP add | |||
resses. | ||||
<t>As described above, the configuration for priming is a list of IP addresses. | ||||
The priming information in software may be in any format that gives the software the | The priming information in software may be in any format that gives the software the | |||
addresses associated with at least some of the root server identifiers.</t> | addresses associated with at least some of the root server identifiers.</t> | |||
<t>Some software has configuration that also contains the root server id | ||||
<t>Some software has configuration that also contains the root server identifier | entifiers (such as "L.ROOT-SERVERS.NET"), | |||
s (such as "L.ROOT-SERVERS.NET"), | ||||
sometimes as comments and sometimes as data consumed by the software. | sometimes as comments and sometimes as data consumed by the software. | |||
For example, the "root hints file" published by IANA at <https://www.internic .net/domain/named.root> | For example, the "root hints file" published by IANA at <eref target="https://ww w.internic.net/domain/named.root" brackets="angle"/> | |||
is derived directly from the root zone and contains all of the addresses | is derived directly from the root zone and contains all of the addresses | |||
of the root server identifiers found in the root zone. | of the root server identifiers found in the root zone. | |||
It is in DNS zone file presentation format, and includes the root server identif | It is in DNS zone file presentation format and includes the root server identifi | |||
iers. | ers. | |||
Although there is no harm to adding these names, they are not useful in | Although there is no harm in adding these names, they are not useful in | |||
the priming process.</t> | the priming process.</t> | |||
</section> | ||||
</section> | </section> | |||
<section numbered="true" toc="default"> | ||||
</section> | <name>Priming Queries</name> | |||
<t>A priming query is a DNS query whose response provides root server iden | ||||
<section title='Priming Queries'> | tifiers and addresses. | |||
<t>A priming query is a DNS query whose response provides root server identifier | ||||
s and addresses. | ||||
It has a QNAME of ".", a QTYPE of NS, and a QCLASS of IN; | It has a QNAME of ".", a QTYPE of NS, and a QCLASS of IN; | |||
it is sent to one of the addresses in the configuration for the recursive resolv er. | it is sent to one of the addresses in the configuration for the recursive resolv er. | |||
The priming query can be sent over either UDP or TCP. If the query is sent over UDP, | The priming query can be sent over either UDP or TCP. If the query is sent over UDP, | |||
the source port SHOULD be randomly selected (see <xref target='RFC5452'/>) to ha | the source port <bcp14>SHOULD</bcp14> be randomly selected (see <xref target="RF | |||
mper on-path attacks. | C5452" format="default"/>) to hamper on-path attacks. | |||
DNS cookies <xref target='RFC7873'/> can also be used to hamper on-path attacks. | DNS cookies <xref target="RFC7873" format="default"/> can also be used to hamper | |||
The Recursion Desired (RD) bit SHOULD be set to 0. The meaning when RD is set | on-path attacks. | |||
to 1 is undefined for priming queries and outside the scope of this document.</t | The Recursion Desired (RD) bit <bcp14>SHOULD</bcp14> be set to 0. The meaning wh | |||
> | en RD is set | |||
to 1 is undefined for priming queries and is outside the scope of this document. | ||||
<t>The recursive resolver SHOULD use EDNS0 <xref target='RFC6891'/> for priming | </t> | |||
queries and SHOULD announce and handle a reassembly size of at least 1024 octets | <t>The recursive resolver <bcp14>SHOULD</bcp14> use EDNS0 <xref target="RF | |||
<xref target='RFC3226'/>. Doing so allows responses that cover the size of a | C6891" format="default"/> for priming | |||
full priming response (see <xref target='primrespsize'/>) for the current | queries and <bcp14>SHOULD</bcp14> announce and handle a reassembly size of at le | |||
ast 1024 octets | ||||
<xref target="RFC3226" format="default"/>. Doing so allows responses that cover | ||||
the size of a | ||||
full priming response (see <xref target="primrespsize" format="default"/>) for t | ||||
he current | ||||
set of root servers. | set of root servers. | |||
See <xref target="dnssec_prime"/> for discussion of setting the | See <xref target="dnssec_prime" format="default"/> for discussion of setting the | |||
DNSSEC OK (DO) bit (defined in <xref target='RFC4033'/>).</t> | DNSSEC OK (DO) bit (defined in <xref target="RFC4033" format="default"/>).</t> | |||
<section numbered="true" toc="default"> | ||||
<section title='Repeating Priming Queries'> | <name>Repeating Priming Queries</name> | |||
<t>The recursive resolver <bcp14>SHOULD</bcp14> send a priming query onl | ||||
<t>The recursive resolver SHOULD send a priming query only when it is needed, | y when it is needed, | |||
such as when the resolver starts with an empty cache or when the NS RRset for | such as when the resolver starts with an empty cache or when the NS resource rec | |||
ord set (RRset) for | ||||
the root zone has expired. | the root zone has expired. | |||
Because the NS records for the root zone are not special, the recursive resolver | Because the NS records for the root zone are not special, the recursive resolver | |||
expires those NS records according to their TTL values. | expires those NS records according to their TTL values. | |||
(Note that a recursive resolver MAY | (Note that a recursive resolver <bcp14>MAY</bcp14> | |||
pre-fetch the NS RRset before it expires.)</t> | pre-fetch the NS RRset before it expires.)</t> | |||
<t>If a resolver chooses to pre-fetch the root NS RRset before that RRse | ||||
<t>If a resolver chooses to pre-fetch the root NS RRset before that RRset has ex | t has expired in its cache, | |||
pired in its cache, | ||||
it needs to choose whether to use the addresses for the root NS RRset that it al ready has in its cache | it needs to choose whether to use the addresses for the root NS RRset that it al ready has in its cache | |||
or to use the addresses it has in its configuration. | or to use the addresses it has in its configuration. | |||
Such a resolver SHOULD send queries to the addresses in its cache in order to re duce the chance of delay | Such a resolver <bcp14>SHOULD</bcp14> send queries to the addresses in its cache in order to reduce the chance of delay | |||
due to out-of-date addresses in its configuration.</t> | due to out-of-date addresses in its configuration.</t> | |||
<t>If a priming query does not get a response, the recursive | ||||
<t>If a priming query does not get a response, the recursive | resolver <bcp14>MUST</bcp14> retry the query with a different target address fro | |||
resolver MUST retry the query with a different target address from the | m the | |||
configuration.</t> | configuration.</t> | |||
</section> | ||||
</section> | <section numbered="true" toc="default"> | |||
<name>Target Selection</name> | ||||
<section title='Target Selection'> | <t>In order to spread the load across all the root server identifiers, t | |||
he | ||||
<t>In order to spread the load across all the root server identifiers, the | recursive resolver <bcp14>SHOULD</bcp14> select the target for a priming query r | |||
recursive resolver SHOULD select the target for a priming query randomly from | andomly from | |||
the list of addresses. The recursive resolver might choose either IPv4 or IPv6 | the list of addresses. The recursive resolver might choose either IPv4 or IPv6 | |||
addresses based on its knowledge of whether the system on which it is running | addresses based on its knowledge of whether the system on which it is running | |||
has adequate connectivity on either type of address.</t> | has adequate connectivity on either type of address.</t> | |||
<t>Note that this recommended method is not the only way to choose from | ||||
<t>Note that this recommended method is not the only way to choose from the list | the list | |||
in a recursive resolver's configuration. Two other common methods include | in a recursive resolver's configuration. Two other common methods include | |||
picking the first from the list, and remembering which address in the list gave | picking the first from the list, and remembering which address in the list gave | |||
the fastest response earlier and using that one. There are probably other | the fastest response earlier and using that one. There are probably other | |||
methods in use today. However, the random method listed above | methods in use today. However, the random method | |||
SHOULD be used for priming.</t> | <bcp14>SHOULD</bcp14> be used for priming.</t> | |||
</section> | ||||
</section> | <section anchor="dnssec_prime" numbered="true" toc="default"> | |||
<name>DNSSEC with Priming Queries</name> | ||||
<section title='DNSSEC with Priming Queries' anchor="dnssec_prime"> | <t>The root NS RRset is signed and can be validated by a DNSSEC validati | |||
ng resolver. | ||||
<t>The root NS RRset is signed and can be validated by a DNSSEC validating resol | At the time this document was published, the addresses for the names in the root | |||
ver. | NS RRset are in the "root-servers.net" zone. | |||
At the time this document is published, the addresses for the names in the root | ||||
NS RRset are in the "root-servers.net" zone. | ||||
All root servers are also authoritative for the "root-servers.net" zone, | All root servers are also authoritative for the "root-servers.net" zone, | |||
which allows priming responses to include the appropriate root name server A and AAAA RRsets. | which allows priming responses to include the appropriate root name server A and AAAA RRsets. | |||
However, because at the time this document is published the "root-servers.net" z one is not signed, | However, because at the time this document was published the "root-servers.net" zone is not signed, | |||
the root name server A and AAAA RRsets cannot be validated. | the root name server A and AAAA RRsets cannot be validated. | |||
An attacker that is able to provide a spoofed priming response can provide alter native A and AAAA RRsets | An attacker that is able to provide a spoofed priming response can provide alter native A and AAAA RRsets | |||
and thus fool a resolver into considering addresses under the control of the att acker to be authoritative for the root zone.</t> | and thus fool a resolver into considering addresses under the control of the att acker to be authoritative for the root zone.</t> | |||
<t>A rogue root name server can view all queries from the resolver to th | ||||
e root and alter all unsigned parts of responses, | ||||
such as the parent-side NS RRsets and glue in referral responses. | ||||
A resolver can be fooled into trusting child (Top-Level Domain (TLD)) NS address | ||||
es that are under the control of the attacker as being authoritative if the reso | ||||
lver: | ||||
<t>A rogue root name server can view all queries from the resolver to the root a | </t> | |||
nd alter all unsigned parts of responses, | <ul> | |||
such as the parent side NS RRsets and glue in referral responses. | <li>follows referrals from a rogue root server,</li> | |||
A resolver can be fooled into trusting child (TLD) NS addresses that are under t | <li>and does not explicitly query the authoritative NS RRset at the ap | |||
he control of the attacker as being authoritative if the resolver: | ex of the child (TLD) zone,</li> | |||
<li>and does not explicitly query for the authoritative A and AAAA RRs | ||||
<ul> | ets for the child (TLD) NS RRsets.</li> | |||
<li>follows referrals from a rogue root server,</li> | </ul> | |||
<li>and does not explicitly query the authoritative NS RRset at the apex of the | <t> | |||
child (TLD) zone,</li> | ||||
<li>and does not explicitly query for the authoritative A and AAAA RRsets for th | ||||
e child (TLD) NS RRsets.</li> | ||||
</ul> | ||||
With such resolvers, an attacker that controls a rogue root server effectively c ontrols the entire domain name space | With such resolvers, an attacker that controls a rogue root server effectively c ontrols the entire domain name space | |||
and can view all queries and alter all unsigned data undetected unless other pro tections are configured at the resolver.</t> | and can view all queries and alter all unsigned data undetected unless other pro tections are configured at the resolver.</t> | |||
<t>An attacker controlling a rogue root name server also has complete co | ||||
<t>An attacker controlling a rogue root name server also has complete control ov | ntrol over all unsigned delegations | |||
er all unsigned delegations, | and over the entire domain name space in the case of non-DNSSEC validating resol | |||
and over the entire domain name space in case of non DNSSEC validating resolvers | vers.</t> | |||
.</t> | <t>If the "root-servers.net" zone is later signed or if the root servers | |||
are named in a | ||||
<t>If the "root-servers.net" zone is later signed, or if the root servers are na | ||||
med in a | ||||
different zone and that zone is signed, having DNSSEC validation for the priming queries | different zone and that zone is signed, having DNSSEC validation for the priming queries | |||
might be valuable. | might be valuable. | |||
The benefits and costs of resolvers validating the responses will depend heavily on | The benefits and costs of resolvers validating the responses will depend heavily on | |||
the naming scheme used.</t> | the naming scheme used.</t> | |||
</section> | ||||
</section> | </section> | |||
<section numbered="true" toc="default"> | ||||
</section> | <name>Priming Responses</name> | |||
<t>A priming query is a normal DNS query. Thus, a root server cannot | ||||
<section title='Priming Responses'> | ||||
<t>A priming query is a normal DNS query. Thus, a root server cannot | ||||
distinguish a priming query from any other query for the root NS RRset. Thus, | distinguish a priming query from any other query for the root NS RRset. Thus, | |||
the root server's response will also be a normal DNS response.</t> | the root server's response will also be a normal DNS response.</t> | |||
<section numbered="true" toc="default" anchor="expected-prop-priming"> | ||||
<section title='Expected Properties of the Priming Response'> | <name>Expected Properties of the Priming Response</name> | |||
<t>The priming response <bcp14>MUST</bcp14> have an RCODE of NOERROR and | ||||
<t>The priming response MUST have an RCODE of NOERROR, and MUST have the | <bcp14>MUST</bcp14> have the | |||
Authoritative Answer (AA) bit set. Also, it MUST have an NS RRset in the Answer | Authoritative Answer (AA) bit set. Also, it <bcp14>MUST</bcp14> have an NS RRset | |||
section (because the | in the Answer section (because the | |||
NS RRset originates from the root zone), and an empty Authority section (because | NS RRset originates from the root zone) and an empty Authority section (because | |||
the | the | |||
NS RRset already appears in the Answer section). There will also be an Additiona l section with A | NS RRset already appears in the Answer section). There will also be an Additiona l section with A | |||
and/or AAAA RRsets for the root servers pointed at by the NS RRset.</t> | and/or AAAA RRsets for the root servers pointed at by the NS RRset.</t> | |||
<t>Resolver software <bcp14>SHOULD</bcp14> treat the response to the pri | ||||
<t>Resolver software SHOULD treat the response to the priming query as a normal | ming query as a normal | |||
DNS response, just as it would use any other data fed to its cache. Resolver | DNS response, just as it would use any other data fed to its cache. Resolver | |||
software SHOULD NOT expect 13 NS RRs | software <bcp14>SHOULD NOT</bcp14> expect 13 NS RRs | |||
because, historically, some root servers have returned fewer.</t> | because, historically, some root servers have returned fewer.</t> | |||
</section> | ||||
</section> | <section anchor="primrespsize" numbered="true" toc="default"> | |||
<name>Completeness of the Response</name> | ||||
<section title='Completeness of the Response' anchor='primrespsize'> | <t>At the time this document was published, | |||
there are 13 root server operators operating a total of more than 1500 root serv | ||||
<t>At the time this document is published, | er instances. | |||
there are 13 root server operators operating a total of more than 1,500 root ser | ||||
ver instances. | ||||
Each instance has one IPv4 address and one IPv6 address. | Each instance has one IPv4 address and one IPv6 address. | |||
The combined size of all the A and AAAA RRsets | The combined size of all the A and AAAA RRsets | |||
exceeds the original 512-octet payload limit from <xref target="RFC1035"/>.</t> | exceeds the original 512-octet payload limit specified in <xref target="RFC1035" | |||
format="default"/>.</t> | ||||
<t>In the event of a response where the Additional section omits certain root se | <t>In the event of a response where the Additional section omits certain | |||
rver | root server | |||
address information, re-issuing of the priming query does not help with those ro | address information, reissuing of the priming query does not help with those roo | |||
ot name | t name | |||
servers that respond with a fixed order of addresses in the Additional section. Instead, | servers that respond with a fixed order of addresses in the Additional section. Instead, | |||
the recursive resolver needs to issue direct queries for A and AAAA RRsets for t he | the recursive resolver needs to issue direct queries for A and AAAA RRsets for t he | |||
remaining names. At the time this document is published, these RRsets would be a uthoritatively available from the root | remaining names. At the time this document was published, these RRsets would be authoritatively available from the root | |||
name servers.</t> | name servers.</t> | |||
<t>If some root server addresses are omitted from the Additional section | ||||
<t>If some root server addresses are omitted from the Additional section, there | , there is no expectation that the TC bit in the | |||
is no expectation that the TC bit in the | response will be set to 1. At the time this document was published, many of the | |||
response will be set to 1. At the time that this document is written, many of th | ||||
e | ||||
root servers are not setting the TC bit when omitting addresses from the Additio nal section.</t> | root servers are not setting the TC bit when omitting addresses from the Additio nal section.</t> | |||
<t>Note that <xref target="RFC9471"/> updates <xref target="RFC1035"/> with resp | <!-- DNE text (set off by blockquotes) --> | |||
ect to the use of the TC bit. | <t>Note that <xref target="RFC9471" format="default"/> updates <xref tar | |||
It says "If message size constraints prevent the inclusion of all glue records f | get="RFC1034" format="default"/> with respect to the use of the TC bit. | |||
or in-domain name servers, | It says</t> | |||
the server must set the TC (Truncated) flag to inform the client that the respon | ||||
se is incomplete | ||||
and that the client should use another transport to retrieve the full response." | ||||
Because the priming response is not a referral, root server addresses in the pri | ||||
ming response are not considered glue records. | ||||
Thus, <xref target="RFC9471"/> does not apply to the priming response and root s | ||||
ervers are not required to set the TC bit if not all root server addresses fit w | ||||
ithin message size constraints. | ||||
There are no requirements on the number of root server addresses that a root ser | ||||
ver must include in a priming response.</t> | ||||
</section> | ||||
</section> | ||||
<section title='Post-Priming Strategies'> | <blockquote>If message size constraints prevent the inclusion of all glue record | |||
s for in-domain name servers over the chosen transport, | ||||
the server <bcp14>MUST</bcp14> set the TC (Truncated) flag to inform the client | ||||
that the response is incomplete | ||||
and that the client <bcp14>SHOULD</bcp14> use another transport to retrieve the | ||||
full response.</blockquote> | ||||
<t>When a resolver has a zone's NS RRset in cache, and it receives a query | <t>Because the priming response is not a referral, root server addresses in the | |||
priming response are not considered glue records. | ||||
Thus, <xref target="RFC9471" format="default"/> does not apply to the priming re | ||||
sponse and root servers are not required to set the TC bit if not all root serve | ||||
r addresses fit within message size constraints. | ||||
There are no requirements on the number of root server addresses that a root ser | ||||
ver must include in a priming response.</t> | ||||
</section> | ||||
</section> | ||||
<section numbered="true" toc="default"> | ||||
<name>Post-Priming Strategies</name> | ||||
<t>When a resolver has a zone's NS RRset in its cache and it receives a qu | ||||
ery | ||||
for a domain in that zone that cannot be answered from its cache, | for a domain in that zone that cannot be answered from its cache, | |||
the resolver has to choose which NS to send queries to. | the resolver has to choose which NS to send queries to. | |||
(This statement is as true for the root zone as for any other zone in the DNS.) | (This statement is as true for the root zone as for any other zone in the DNS.) | |||
Two common strategies for choosing are "determine the fastest name server and al ways use it" and | Two common strategies for choosing are "determine the fastest name server and al ways use it" and | |||
"create buckets of fastness and pick randomly in the buckets". | "create buckets of fastness and pick randomly in the buckets". | |||
This document gives no preference to any particular strategy other than to sugge st that | This document does not specify a preference for any particular strategy other th an to suggest that | |||
resolvers not treat the root zone as special for this decision.</t> | resolvers not treat the root zone as special for this decision.</t> | |||
</section> | ||||
</section> | <section numbered="true" toc="default"> | |||
<name>Security Considerations</name> | ||||
<section title='Security Considerations'> | <t>Spoofing a response to a priming query can be used to redirect all | |||
<t>Spoofing a response to a priming query can be used to redirect all | ||||
of the queries originating from a victim recursive resolver to one | of the queries originating from a victim recursive resolver to one | |||
or more servers for the attacker. Until the responses to priming queries | or more servers for the attacker. Until the responses to priming queries | |||
are protected with DNSSEC, there is no definitive way to prevent such | are protected with DNSSEC, there is no definitive way to prevent such | |||
redirection.</t> | redirection.</t> | |||
<t>An on-path attacker who sees a priming query coming from a resolver can | ||||
<t>An on-path attacker who sees a priming query coming from a resolver can injec | inject false | |||
t false | ||||
answers before a root server can give correct answers. If the attacker's answers are | answers before a root server can give correct answers. If the attacker's answers are | |||
accepted, this can set up the ability to give further false answers for future q ueries to | accepted, this can set up the ability to give further false answers for future q ueries to | |||
the resolver. False answers for root servers are more dangerous than, say, false answers | the resolver. False answers for root servers are more dangerous than, say, false answers | |||
for Top-Level Domains (TLDs), because the root is the highest node of the DNS. S | for TLDs, because the root is the highest node of the DNS. See | |||
ee | <xref target="dnssec_prime" format="default"/> for more discussion.</t> | |||
<xref target="dnssec_prime"/> for more discussion.</t> | <t>In both of the scenarios listed here, a validating resolver will be abl | |||
e to detect the attack | ||||
<t>In both of the scenarios above, a validating resolver will be able to detect | if its chain of queries comes for a zone that is signed, but not for those that | |||
the attack | are unsigned.</t> | |||
if its chain of queries comes to a zone that is signed, but not for those that a | </section> | |||
re unsigned.</t> | <section numbered="true" toc="default"> | |||
<name>IANA Considerations</name> | ||||
</section> | <t>This document has no IANA actions.</t> | |||
</section> | ||||
<section title='IANA Considerations'> | </middle> | |||
<back> | ||||
<t>This document does not require any IANA actions.</t> | <references> | |||
<name>References</name> | ||||
</section> | <references> | |||
<name>Normative References</name> | ||||
</middle> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | |||
034.xml"/> | ||||
<back> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1 | |||
035.xml"/> | ||||
<references title="Normative References"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1034.x | 119.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1035.x | 226.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.x | 033.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3226.x | 452.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4033.x | 891.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5452.x | 873.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6891.x | 109.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7873.x | 174.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8109.x | 471.xml"/> | |||
ml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.x | 499.xml"/> | |||
ml"/> | </references> | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9471.x | <references> | |||
ml"/> | <name>Informative References</name> | |||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9499.x | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | |||
ml"/> | 806.xml"/> | |||
</references> | ||||
<references title="Informative References"> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8806.xml" | ||||
/> | ||||
<reference anchor="OLD-J" | ||||
target="https://indico.dns-oarc.net/event/24/contributions/378/"> | ||||
<front> | ||||
<title>Thirteen Years of 'Old J Root'</title> | ||||
<author initials='D.' surname='Wessels' fullname='Duane Wessels'> | ||||
<organization/> | ||||
</author> | ||||
<date year="2015"/></front> | ||||
</reference> | ||||
<reference anchor="RSSAC023v2" | ||||
target="https://www.icann.org/en/system/files/files/rssac-023-17jun20-en.pdf"> | ||||
<front> | ||||
<title>History of the Root Server System</title> | ||||
<author/> | ||||
<date year="2016"/></front> | ||||
</reference> | ||||
<reference anchor="RSSAC026v2" | ||||
target="https://www.icann.org/en/system/files/files/rssac-026-lexicon-12mar20-en | ||||
.pdf"> | ||||
<front> | ||||
<title>RSSAC Lexicon</title> | ||||
<author/> | ||||
<date year="2020"/></front> | ||||
</reference> | ||||
</references> | ||||
<section title='Changes from RFC 8109' anchor='changes'> | ||||
<t>This document obsoletes <xref target="RFC8109"/>. The significant changes fro | <reference anchor="OLD-J" target="https://indico.dns-oarc.net/event/24/c | |||
m RFC 8109 | ontributions/378/"> | |||
are: | <front> | |||
<title>Thirteen Years of 'Old J Root'</title> | ||||
<author initials="D." surname="Wessels" fullname="Duane Wessels"> | ||||
<organization/> | ||||
</author> | ||||
<author initials="J." surname="Castonguay" fullname="Jason Castongua | ||||
y"> | ||||
<organization/> | ||||
</author> | ||||
<author initials="P." surname="Barber" fullname="Piet Barber"> | ||||
<organization/> | ||||
</author> | ||||
<date month="October" year="2015"/> | ||||
</front> | ||||
<refcontent>DNS-OARC Fall 2015 Workshop</refcontent> | ||||
</reference> | ||||
<list style="symbols"> | <reference anchor="RSSAC023v2" target="https://www.icann.org/en/system/f | |||
iles/files/rssac-023-17jun20-en.pdf"> | ||||
<front> | ||||
<title>History of the Root Server System</title> | ||||
<author/> | ||||
<date month="June" year="2020"/> | ||||
</front> | ||||
<refcontent>A Report from the ICANN Root Server System Advisory Commit | ||||
tee (RSSAC)</refcontent> | ||||
<refcontent>RSSAC023v2</refcontent> | ||||
</reference> | ||||
<t>Added section on the content of priming information.</t> | <reference anchor="RSSAC026v2" target="https://www.icann.org/en/system/f | |||
iles/files/rssac-026-lexicon-12mar20-en.pdf"> | ||||
<front> | ||||
<title>RSSAC Lexicon</title> | ||||
<author/> | ||||
<date month="March" year="2020"/> | ||||
</front> | ||||
<refcontent>An Advisory from the ICANN Root Server System Advisory Com | ||||
mittee (RSSAC)</refcontent> | ||||
<refcontent>RSSAC026v2</refcontent> | ||||
</reference> | ||||
<t>Added paragraph about no expectation that the TC bit in responses will be set | </references> | |||
.</t> | </references> | |||
<section anchor="changes" numbered="true" toc="default"> | ||||
<name>Changes from RFC 8109</name> | ||||
<t>This document obsoletes <xref target="RFC8109" format="default"/>. The | ||||
significant changes from RFC 8109 | ||||
are as follows: | ||||
<t>Added paragraph about RFC 9471 and requirements on authoritative servers and | </t> | |||
the TC bit. | <ul spacing="normal"> | |||
<li> | ||||
<t>Added section on the content of priming information.</t> | ||||
</li> | ||||
<li> | ||||
<t>Added paragraph about no expectation that the TC bit in responses w | ||||
ill be set.</t> | ||||
</li> | ||||
<li> | ||||
<t>Added paragraph about RFC 9471 and requirements on authoritative se | ||||
rvers and the TC bit. | ||||
This clarified the role of glue records and truncation for responses from the ro ot zone.</t> | This clarified the role of glue records and truncation for responses from the ro ot zone.</t> | |||
</li> | ||||
<t>Changed "man-in-the-middle" to "machine-in-the-middle" to be both | <li> | |||
<t>Changed "man-in-the-middle" to "machine-in-the-middle" to be both | ||||
more inclusive and more technically accurate.</t> | more inclusive and more technically accurate.</t> | |||
</li> | ||||
<t>Clarified that there are other effects of machine-in-the-middle attacks.</t> | <li> | |||
<t>Clarified that there are other effects of machine-in-the-middle att | ||||
<t>Clarified language for root server domain names as "root server identifiers". | acks.</t> | |||
</t> | </li> | |||
<li> | ||||
<t>Added short discussion of post-priming strategies.</t> | <t>Clarified language for root server domain names as "root server ide | |||
ntifiers".</t> | ||||
<t>Added informative references to RSSAC documents.</t> | </li> | |||
<li> | ||||
<t>Added short discussion about this document and private DNS.</t> | <t>Added short discussion of post-priming strategies.</t> | |||
</li> | ||||
<t>Clarified that machine-in-the-middle attacks could be successful for non-sign | <li> | |||
ed TLDs.</t> | <t>Added informative references to Root Server System Advisory Committ | |||
ee (RSSAC) documents.</t> | ||||
<t>Added discussion of where resolvers that pre-fetch should get the root NS add | </li> | |||
resses.</t> | <li> | |||
<t>Added short discussion about this document and private DNS.</t> | ||||
<t>Elevated the expectations in "Expected Properties of the Priming Response" to | </li> | |||
MUST-level.</t> | <li> | |||
<t>Clarified that machine-in-the-middle attacks could be successful fo | ||||
<t>Clarified that "currently" means at the time that this document is published. | r non-signed TLDs.</t> | |||
</t> | </li> | |||
<li> | ||||
<t>Added a note about priming and RFC 8806.</t> | <t>Added discussion of where resolvers that pre-fetch should get the r | |||
oot NS addresses.</t> | ||||
<t>Added a reference to research about discontinued root server addresses.</t> | </li> | |||
<li> | ||||
</list></t> | <t>Elevated the expectations in <xref target="expected-prop-priming"/> | |||
("<xref target="expected-prop-priming" format="title"/>") to <bcp14>MUST</bcp14 | ||||
</section> | >-level.</t> | |||
</li> | ||||
<section title='Acknowledgements'> | <li> | |||
<t>Clarified that "currently" means "at the time this document was pub | ||||
<t>RFC 8109 was the product of the DNSOP WG and benefitted from the reviews done | lished".</t> | |||
there. | </li> | |||
This document also benefitted from review by Duane Wessels.</t> | <li> | |||
<t>Added a note about priming and RFC 8806.</t> | ||||
</section> | </li> | |||
<li> | ||||
</back> | <t>Added a reference to research about discontinued root server addres | |||
ses.</t> | ||||
</li> | ||||
</ul> | ||||
</section> | ||||
<section numbered="false" toc="default"> | ||||
<name>Acknowledgements</name> | ||||
<t>RFC 8109 was the product of the DNSOP WG and benefited from the reviews | ||||
done there. | ||||
This document also benefited from review by <contact fullname="Duane Wessels"/>. | ||||
</t> | ||||
</section> | ||||
</back> | ||||
</rfc> | </rfc> | |||
End of changes. 61 change blocks. | ||||
411 lines changed or deleted | 423 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |