DNS Transport over TCP - Operational Requirements
draft-ietf-dnsop-dns-tcp-requirements-05
The information below is for an old version of the document. This is an older version of an Internet-Draft that was ultimately published as RFC 9210.

Document type: Internet-Draft (Expired & archived)
Authors: John Kristoff, Duane Wessels
Last updated: 2020-05-05 (Latest revision 2019-11-02)
Replaces: draft-kristoff-dnsop-dns-tcp-requirements
RFC stream: Internet Engineering Task Force (IETF)
Reviews (of -12): GENART Last Call review by Dan Romascanu (Ready w/issues); ARTART Last Call review by Jean Mahoney (Ready w/nits); TSVART Last Call review by Mirja Kühlewind (Ready w/issues)
Additional resources: Mailing list discussion
WG state: WG Document
Document shepherd: Suzanne Woolf
IESG state: Became RFC 9210 (Best Current Practice)
Consensus boilerplate: Yes
Telechat date: (None)
Responsible AD: (None)
Send notices to: Suzanne Woolf <suzworldwide@gmail.com>
", STD 75, RFC 6891, DOI 10.17487/RFC6891, April 2013, <https://www.rfc-editor.org/info/rfc6891>.

[RFC6950] Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba, "Architectural Considerations on Application Features in the DNS", RFC 6950, DOI 10.17487/RFC6950, October 2013, <https://www.rfc-editor.org/info/rfc6950>.

[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, <https://www.rfc-editor.org/info/rfc7413>.

Kristoff & Wessels Expires May 4, 2020 [Page 17]
Internet-Draft DNS Transport over TCP November 2019

[RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS", RFC 7477, DOI 10.17487/RFC7477, March 2015, <https://www.rfc-editor.org/info/rfc7477>.

[RFC7720] Blanchet, M. and L-J. Liman, "DNS Root Name Service Protocol and Deployment Requirements", BCP 40, RFC 7720, DOI 10.17487/RFC7720, December 2015, <https://www.rfc-editor.org/info/rfc7720>.

[RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and D. Wessels, "DNS Transport over TCP - Implementation Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, <https://www.rfc-editor.org/info/rfc7766>.

[RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The edns-tcp-keepalive EDNS0 Option", RFC 7828, DOI 10.17487/RFC7828, April 2016, <https://www.rfc-editor.org/info/rfc7828>.

[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016, <https://www.rfc-editor.org/info/rfc7858>.

[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, <https://www.rfc-editor.org/info/rfc7873>.

[RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, DOI 10.17487/RFC7901, June 2016, <https://www.rfc-editor.org/info/rfc7901>.

[RFC7918] Langley, A., Modadugu, N., and B. Moeller, "Transport Layer Security (TLS) False Start", RFC 7918, DOI 10.17487/RFC7918, August 2016, <https://www.rfc-editor.org/info/rfc7918>.

[RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy, "DNSSEC Roadblock Avoidance", BCP 207, RFC 8027, DOI 10.17487/RFC8027, November 2016, <https://www.rfc-editor.org/info/rfc8027>.

[RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram Transport Layer Security (DTLS)", RFC 8094, DOI 10.17487/RFC8094, February 2017, <https://www.rfc-editor.org/info/rfc8094>.

[RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to Associate Certificates with Domain Names for S/MIME", RFC 8162, DOI 10.17487/RFC8162, May 2017, <https://www.rfc-editor.org/info/rfc8162>.

[RFC8324] Klensin, J., "DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look?", RFC 8324, DOI 10.17487/RFC8324, February 2018, <https://www.rfc-editor.org/info/rfc8324>.

[RFC8467] Mayrhofer, A., "Padding Policies for Extension Mechanisms for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467, October 2018, <https://www.rfc-editor.org/info/rfc8467>.

[RFC8483] Song, L., Ed., Liu, D., Vixie, P., Kato, A., and S. Kerr, "Yeti DNS Testbed", RFC 8483, DOI 10.17487/RFC8483, October 2018, <https://www.rfc-editor.org/info/rfc8483>.

[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, <https://www.rfc-editor.org/info/rfc8484>.

[RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., Lemon, T., and T. Pusateri, "DNS Stateful Operations", RFC 8490, DOI 10.17487/RFC8490, March 2019, <https://www.rfc-editor.org/info/rfc8490>.

[RFC8501] Howard, L., "Reverse DNS in IPv6 for Internet Service Providers", RFC 8501, DOI 10.17487/RFC8501, November 2018, <https://www.rfc-editor.org/info/rfc8501>.
[ROLL_YOUR_ROOT] Mueller, M., Thomas, M., Wessels, D., Hardaker, W., Chung, T., Toorop, W., and R. Rijswijk-Deij, "Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover", Oct 2019, <TBD>.

[RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting (DNS RRL)", ISC-TN 2012-1 Draft1, April 2012.

[Stevens] Stevens, W., Fenner, B., and A. Rudoff, "UNIX Network Programming Volume 1, Third Edition: The Sockets Networking API", November 2003.

[TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N. Somaiya, "Connection-oriented DNS to Improve Privacy and Security", 2015.

[TOYAMA] Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache Servers", NANOG 32, Reston, VA, USA, 2004.

[VERISIGN] Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in Root Server DITL Data", DNS-OARC 2014 Fall Workshop, Los Angeles, 2014.

[WIKIPEDIA_TFO] Wikipedia, "TCP Fast Open", May 2018, <https://en.wikipedia.org/wiki/TCP_Fast_Open>.

Appendix A. Standards Related to DNS Transport over TCP

This section enumerates all known IETF RFC documents that are currently of status standard, informational, best current practice or experimental and either implicitly or explicitly make assumptions or statements about the use of TCP as a transport for the DNS germane to this document.

A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION

The internet standard [RFC1035] is the base DNS specification that explicitly defines support for DNS over TCP.

A.2. IETF RFC 1536 - Common DNS Implementation Errors and Suggested Fixes

The informational document [RFC1536] states UDP is the "chosen protocol for communication though TCP is used for zone transfers." That statement should now be considered in its historical context and is no longer a proper reflection of modern expectations.

A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS

The [RFC1995] standards track document documents the use of TCP as the fallback transport when IXFR responses do not fit into a single UDP response. As with AXFR, IXFR messages are typically delivered over TCP by default in practice.

A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)

The [RFC1996] standards track document suggests a zone master may decide to issue NOTIFY messages over TCP. In practice NOTIFY messages are generally sent over UDP, but this specification leaves open the possibility that the choice of transport protocol is up to the master, and therefore a slave ought to be able to operate over both UDP and TCP.

A.5. IETF RFC 2181 - Clarifications to the DNS Specification

The [RFC2181] standards track document includes clarifying text on how a client should react to the TC flag set on responses. It is advised that the response should be discarded and the query resent using TCP.

A.6. IETF RFC 2694 - DNS extensions to Network Address Translators (DNS_ALG)

The informational document [RFC2694] enumerates considerations for network address translation (NAT) middle boxes to properly handle DNS traffic. This document is noteworthy in its suggestion that DNS over TCP is "[t]ypically" used for zone transfer requests, further evidence that helps explain why DNS over TCP may often have been treated very differently than DNS over UDP in operational networks.

A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC

The [RFC3225] standards track document makes statements indicating DNS over TCP is "detrimental" as a result of increased traffic, latency, and server load. This document is a companion to the next document in the RFC series expressing the requirement for EDNS0 support for DNSSEC.

A.8. IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message size requirements

The [RFC3226] standards track document, although updated by later DNSSEC specifications, strongly argued in favor of UDP messages over TCP, largely for performance reasons. The document declares EDNS0 a requirement for DNSSEC servers and advocates that packet fragmentation may be preferable to TCP in certain situations.

A.9. IETF RFC 4472 - Operational Considerations and Issues with IPv6 DNS

This informational document [RFC4472] notes that IPv6 data may increase DNS responses beyond what would fit in a UDP message. Particularly noteworthy, though perhaps less common today than when this document was written, is its reference to implementations that truncate data without setting the TC bit to encourage the client to resend the query using TCP.

A.10. IETF RFC 5452 - Measures for Making DNS More Resilient against Forged Answers

This informational document [RFC5452] arose as public DNS systems began to experience widespread abuse from spoofed queries, resulting in amplification and reflection attacks against unwitting victims. One of the leading justifications for supporting DNS over TCP to thwart these attacks is briefly described in this document's Section 9.3, Spoof Detection and Countermeasure.

A.11. IETF RFC 5507 - Design Choices When Expanding the DNS

This informational document [RFC5507] was largely an attempt to dissuade new DNS data types from overloading the TXT resource record type. In so doing it summarizes the conventional wisdom of DNS design and implementation practices. The authors suggest TCP overhead and stateful properties pose challenges compared to UDP, and imply that UDP is generally preferred for performance and robustness.

A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines

This best current practice document [RFC5625] provides DNS proxy implementation guidance including the mandate that a proxy "MUST [...] be prepared to receive and forward queries over TCP" even though it suggests historically TCP transport has not been strictly mandatory in stub resolvers or recursive servers.

A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR)

The [RFC5936] standards track document provides a detailed specification for the zone transfer protocol, as originally outlined in the early DNS standards. AXFR operation is limited to TCP and not specified for UDP. This document discusses TCP usage at length.

A.14. IETF RFC 5966 - DNS Transport over TCP - Implementation Requirements

This standards track document [RFC5966] instructs DNS implementers to provide support for carrying DNS over TCP messages in their software. The authors explicitly make no recommendations to operators, which we seek to address here.

A.15. IETF RFC 6304 - AS112 Nameserver Operations

[RFC6304] is an informational document enumerating the requirements for operation of AS112 project DNS servers. New AS112 nodes are tested for their ability to provide service on both UDP and TCP transports, with the implication that TCP service is an expected part of normal operations.

A.16. IETF RFC 6762 - Multicast DNS

In this standards track document [RFC6762] the TC bit is deemed to have essentially the same meaning as described in the original DNS specifications. That is, if a response with the TC bit set is received, "[...] the querier SHOULD reissue its query using TCP in order to receive the larger response."

A.17. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0))

This standards track document [RFC6891] helped slow the use and need for DNS over TCP messages. This document highlights concerns over server load and scalability in widespread use of DNS over TCP.

A.18. IETF RFC 6950 - Architectural Considerations on Application Features in the DNS

An informational document [RFC6950] that draws attention to large data in the DNS. TCP is referenced in this context as a common fallback mechanism and as a counter to some spoofing attacks.

A.19. IETF RFC 7477 - Child-to-Parent Synchronization in DNS

This standards track document [RFC7477] specifies an RRType and protocol to signal and synchronize NS, A, and AAAA resource record changes from a child to parent zone. Since this protocol may require multiple requests and responses, it recommends utilizing DNS over TCP to ensure the conversation takes place between a consistent pair of end nodes.

A.20. IETF RFC 7720 - DNS Root Name Service Protocol and Deployment Requirements

This best current practice document [RFC7720] declares root name service "MUST support UDP [RFC768] and TCP [RFC793] transport of DNS queries and responses."

A.21. IETF RFC 7766 - DNS Transport over TCP - Implementation Requirements

The standards track document [RFC7766] might be considered the direct ancestor of this operational requirements document. The implementation requirements document codifies mandatory support for DNS over TCP in compliant DNS software.

A.22. IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option

This standards track document [RFC7828] defines an EDNS0 option to negotiate an idle timeout value for long-lived DNS over TCP connections. Consequently, this document is only applicable and relevant to DNS over TCP sessions and between implementations that support this option.

A.23. IETF RFC 7858 - Specification for DNS over Transport Layer Security (TLS)

This standards track document [RFC7858] defines a method for putting DNS messages into a TCP-based encrypted channel using TLS. This specification is noteworthy for explicitly targeting the stub-to-recursive traffic, but does not preclude its application to recursive-to-authoritative traffic.

A.24. IETF RFC 7873 - Domain Name System (DNS) Cookies

This standards track document [RFC7873] describes an EDNS0 option to provide additional protection against query and answer forgery. This specification mentions DNS over TCP as a reasonable fallback mechanism when DNS Cookies are not available. The specification does make mention of DNS over TCP processing in two specific situations. In one, when a server receives only a client cookie in a request, the server should consider whether the request arrived over TCP and if so, it should consider accepting TCP as sufficient to authenticate the request and respond accordingly. In another, when a client receives a BADCOOKIE reply using a fresh server cookie, the client should retry using TCP as the transport.

A.25. IETF RFC 7901 - CHAIN Query Requests in DNS

This experimental specification [RFC7901] describes an EDNS0 option that can be used by a security-aware validating resolver to request and obtain a complete DNSSEC validation path for any single query. This document requires the use of DNS over TCP or a source-IP-address-verified transport mechanism such as EDNS-COOKIE [RFC7873].

A.26. IETF RFC 8027 - DNSSEC Roadblock Avoidance

This document [RFC8027] details observed problems with DNSSEC deployment and mitigation techniques. Network traffic blocking and restrictions, including DNS over TCP messages, are highlighted as one reason for DNSSEC deployment issues. While this document suggests these sorts of problems are due to "non-compliant infrastructure" and is of type BCP, the scope of the document is limited to detection and mitigation techniques to avoid so-called DNSSEC roadblocks.

A.27. IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)

This experimental specification [RFC8094] details a protocol that uses a datagram transport (UDP), but stipulates that "DNS clients and servers that implement DNS over DTLS MUST also implement DNS over TLS in order to provide privacy for clients that desire Strict Privacy [...]". This requirement implies DNS over TCP must be supported in case the message size is larger than the path MTU.

A.28. IETF RFC 8162 - Using Secure DNS to Associate Certificates with Domain Names for S/MIME

This experimental specification [RFC8162] describes a technique to authenticate user X.509 certificates in an S/MIME system via the DNS. The document points out that the new experimental resource record types are expected to carry large payloads, resulting in the suggestion that "applications SHOULD use TCP -- not UDP -- to perform queries for the SMIMEA resource record."

A.29. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look?

An informational document [RFC8324] that briefly discusses the common role and challenges of DNS over TCP throughout the history of DNS.

A.30. IETF RFC 8467 - Padding Policies for Extension Mechanisms for DNS (EDNS(0))

An experimental document [RFC8467] reminds implementers to consider the underlying transport protocol (e.g. TCP) when calculating the padding length when artificially increasing the DNS message size with an EDNS(0) padding option.

A.31. IETF RFC 8483 - Yeti DNS Testbed

This informational document [RFC8483] describes a testbed environment that highlights some DNS over TCP behaviors, including issues involving packet fragmentation and operational requirements for TCP stream assembly in order to conduct DNS measurement and analysis.

A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH)

This standards track document [RFC8484] defines a protocol for sending DNS queries and responses over HTTPS. This specification assumes TLS and TCP for the underlying security and transport layers respectively. Self-described as a technique that more closely resembles a tunneling mechanism, DoH nevertheless likely implies DNS over TCP in some sense if not directly.

A.33. IETF RFC 8490 - DNS Stateful Operations

This standards track document [RFC8490] updates the base protocol specification with a new OPCODE to help manage stateful operations in persistent sessions such as those that might be used by DNS over TCP.

A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service Providers

This informational document [RFC8501] identifies potential operational challenges with Dynamic DNS including denial-of-service threats. The document suggests TCP may provide some advantages, but that updating hosts would need to be explicitly configured to use TCP instead of UDP.

Authors' Addresses

John Kristoff
DePaul University
Chicago, IL 60604
US

Phone: +1 312 493 0305
Email: jtk@depaul.edu
URI: https://aharp.iorc.depaul.edu

Duane Wessels
Verisign
12061 Bluemont Way
Reston, VA 20190
US

Phone: +1 703 948 3200
Email: dwessels@verisign.com
URI: http://verisigninc.com
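As an added example that is not part of the draft, the following Python helpers implement the client-side behaviour summarised in A.5 and A.16 (discard a truncated UDP reply and re-send the same query over TCP), the two-octet length prefix that RFC 1035 section 4.2.2 requires on TCP, and the stream reassembly noted in A.31. All messages are constructed inline; no network I/O takes place, and the function names are this example's own.

```python
"""DNS over TCP client helpers: TC-bit fallback and RFC 1035 framing (added example)."""
import struct

FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """Dotted name -> RFC 1035 labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, msg_id: int) -> bytes:
    """12-octet header (RD set, QDCOUNT=1) followed by one IN question."""
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Fields a client needs to decide what to do with a reply."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-octet DNS header")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC)}


def must_retry_over_tcp(query: bytes, reply: bytes) -> bool:
    """RFC 2181 / RFC 6762 rule: a truncated answer matching our ID is
    discarded and the identical query is re-sent over TCP."""
    q, r = parse_header(query), parse_header(reply)
    return r["qr"] and r["id"] == q["id"] and r["tc"]


def frame_tcp(msg: bytes) -> bytes:
    """Prefix with the 2-octet length used on TCP (RFC 1035 section 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message exceeds the 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(buf: bytes):
    """Reassemble whole messages from a TCP stream; remainder is a partial tail."""
    msgs, pos = [], 0
    while pos + 2 <= len(buf):
        (length,) = struct.unpack("!H", buf[pos:pos + 2])
        if pos + 2 + length > len(buf):
            break  # incomplete message: wait for more bytes
        msgs.append(buf[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, buf[pos:]


def truncated_reply_for(query: bytes) -> bytes:
    """Constructed sample reply: QR+TC set, no records (answer overflowed UDP)."""
    flags = FLAG_QR | FLAG_RD | FLAG_TC
    hdr = struct.pack("!HHHHHH", parse_header(query)["id"], flags, 1, 0, 0, 0)
    return hdr + query[12:]
```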