DNS Error Reporting

Document Type Active Internet-Draft (candidate for dnsop WG)
Authors Roy Arends  , Matt Larson 
Last updated 2021-04-06 (latest revision 2020-10-30)
Stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Formats plain text pdf htmlized (tools) htmlized bibtex
Stream WG state Call For Adoption By WG Issued
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Independent Submission                                         R. Arends
Internet-Draft                                                 M. Larson
Intended status: Standards Track                                   ICANN
Expires: May 1, 2021                                    October 28, 2020

                          DNS Error Reporting


   DNS Error Reporting is a lightweight error reporting mechanism that
   provides the operator of an authoritative server with reports on DNS
   resource records that fail to resolve or validate, that a Domain
   Owner or DNS Hosting organization can use to improve domain hosting.
   The reports are based on Extended DNS Errors [RFC8914].

   When a domain name fails to resolve or validate due to a
   misconfiguration or an attack, the operator of the authoritative
   server may be unaware of this.  To mitigate this lack of feedback,
   this document describes a method for a validating recursive resolver
   to automatically signal an error to an agent specified by the
   authoritative server.  DNS Error Reporting uses the DNS to report

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 1, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Notation
   3.  Terminology
   4.  Overview
     4.1.  Managing Caching Optimizations
     4.2.  Example
   5.  EDNS0 Option Specification
   6.  DNS Error Reporting Specification
     6.1.  Reporting Resolver Specification
       6.1.1.  Constructing the Reporting Query
     6.2.  Authoritative Server Specification
     6.3.  Reporting Agent Specification
     6.4.  Choosing a Reporting Agent Domain
   7.  Limitations
   8.  IANA Considerations
   9.  Security Considerations
   10. Acknowledgements
   11. Informative References
   Authors' Addresses

1.  Introduction

   When an authoritative server serves a stale DNSSEC signed zone, the
   cryptographic signatures over the resource record sets (RRsets) may
   have lapsed.  A validating recursive resolver will fail to validate
   these resource records.

   Similarly, when there is a mismatch between the DS records at a
   parent zone and the key signing key at the child zone, a validating
   recursive resolver will fail to authenticate records in the child

   These are two of several failure scenarios that may go unnoticed for
   some time by the operator of a zone.

   There is no direct relationship between operators of validating
   recursive resolvers and authoritative servers.  Outages are often
   noticed indirectly, by end users, and reported via social media, if
   reported at all.

   When records fail to validate there is no facility to report this
   failure in an automated way.  If there is any indication that an
   error or warning has happened, it is buried in log files of the
   validating resolver, if these errors are logged at all.

   This document describes a facility that can be used by validating
   recursive resolvers to report errors in an automated way.

   It allows an authoritative server to signal a reporting agent where
   the validating recursive resolver can report issues if it is
   configured to do so.

   The burden of reporting a failure falls on the validating recursive
   resolver.  It is important that the effort needed to report failure
   is low, with minimal impact to its main functions.  To accomplish
   this goal, the DNS itself is utilized to report the error.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
Show full document text