
DNS Transport over TCP - Operational Requirements
draft-ietf-dnsop-dns-tcp-requirements-05

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 9210.
Expired & archived
Authors John Kristoff , Duane Wessels
Last updated 2020-05-05 (Latest revision 2019-11-02)
Replaces draft-kristoff-dnsop-dns-tcp-requirements
RFC stream Internet Engineering Task Force (IETF)
Stream WG state WG Document
Document shepherd Suzanne Woolf
IESG IESG state Became RFC 9210 (Best Current Practice)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD (None)
Send notices to Suzanne Woolf <suzworldwide@gmail.com>
", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013,
              <https://www.rfc-editor.org/info/rfc6891>.

   [RFC6950]  Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba,
              "Architectural Considerations on Application Features in
              the DNS", RFC 6950, DOI 10.17487/RFC6950, October 2013,
              <https://www.rfc-editor.org/info/rfc6950>.

   [RFC7413]  Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
              Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
              <https://www.rfc-editor.org/info/rfc7413>.

Kristoff & Wessels         Expires May 4, 2020                 [Page 17]
Internet-Draft           DNS Transport over TCP            November 2019

   [RFC7477]  Hardaker, W., "Child-to-Parent Synchronization in DNS",
              RFC 7477, DOI 10.17487/RFC7477, March 2015,
              <https://www.rfc-editor.org/info/rfc7477>.

   [RFC7720]  Blanchet, M. and L-J. Liman, "DNS Root Name Service
              Protocol and Deployment Requirements", BCP 40, RFC 7720,
              DOI 10.17487/RFC7720, December 2015,
              <https://www.rfc-editor.org/info/rfc7720>.

   [RFC7766]  Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
              D. Wessels, "DNS Transport over TCP - Implementation
              Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016,
              <https://www.rfc-editor.org/info/rfc7766>.

   [RFC7828]  Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The
              edns-tcp-keepalive EDNS0 Option", RFC 7828,
              DOI 10.17487/RFC7828, April 2016,
              <https://www.rfc-editor.org/info/rfc7828>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC7873]  Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
              Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
              <https://www.rfc-editor.org/info/rfc7873>.

   [RFC7901]  Wouters, P., "CHAIN Query Requests in DNS", RFC 7901,
              DOI 10.17487/RFC7901, June 2016,
              <https://www.rfc-editor.org/info/rfc7901>.

   [RFC7918]  Langley, A., Modadugu, N., and B. Moeller, "Transport
              Layer Security (TLS) False Start", RFC 7918,
              DOI 10.17487/RFC7918, August 2016,
              <https://www.rfc-editor.org/info/rfc7918>.

   [RFC8027]  Hardaker, W., Gudmundsson, O., and S. Krishnaswamy,
              "DNSSEC Roadblock Avoidance", BCP 207, RFC 8027,
              DOI 10.17487/RFC8027, November 2016,
              <https://www.rfc-editor.org/info/rfc8027>.

   [RFC8094]  Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
              Transport Layer Security (DTLS)", RFC 8094,
              DOI 10.17487/RFC8094, February 2017,
              <https://www.rfc-editor.org/info/rfc8094>.

   [RFC8162]  Hoffman, P. and J. Schlyter, "Using Secure DNS to
              Associate Certificates with Domain Names for S/MIME",
              RFC 8162, DOI 10.17487/RFC8162, May 2017,
              <https://www.rfc-editor.org/info/rfc8162>.

   [RFC8324]  Klensin, J., "DNS Privacy, Authorization, Special Uses,
              Encoding, Characters, Matching, and Root Structure: Time
              for Another Look?", RFC 8324, DOI 10.17487/RFC8324,
              February 2018, <https://www.rfc-editor.org/info/rfc8324>.

   [RFC8467]  Mayrhofer, A., "Padding Policies for Extension Mechanisms
              for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467,
              October 2018, <https://www.rfc-editor.org/info/rfc8467>.

   [RFC8483]  Song, L., Ed., Liu, D., Vixie, P., Kato, A., and S. Kerr,
              "Yeti DNS Testbed", RFC 8483, DOI 10.17487/RFC8483,
              October 2018, <https://www.rfc-editor.org/info/rfc8483>.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

   [RFC8490]  Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
              Lemon, T., and T. Pusateri, "DNS Stateful Operations",
              RFC 8490, DOI 10.17487/RFC8490, March 2019,
              <https://www.rfc-editor.org/info/rfc8490>.

   [RFC8501]  Howard, L., "Reverse DNS in IPv6 for Internet Service
              Providers", RFC 8501, DOI 10.17487/RFC8501, November 2018,
              <https://www.rfc-editor.org/info/rfc8501>.

   [ROLL_YOUR_ROOT]
              Mueller, M., Thomas, M., Wessels, D., Hardaker, W., Chung,
              T., Toorop, W., and R. Rijswijk-Deij, "Roll, Roll, Roll
              Your Root: A Comprehensive Analysis of the First Ever
              DNSSEC Root KSK Rollover", Oct 2019, <TBD>.

   [RRL]      Vixie, P. and V. Schryver, "DNS Response Rate Limiting
              (DNS RRL)", ISC-TN 2012-1 Draft1, April 2012.

   [Stevens]  Stevens, W., Fenner, B., and A. Rudoff, "UNIX Network
              Programming Volume 1, Third Edition: The Sockets
              Networking API", November 2003.

   [TDNS]     Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N.
              Somaiya, "Connection-oriented DNS to Improve Privacy and
              Security", 2015.

   [TOYAMA]   Toyama, K., Ishibashi, K., Ishino, M., Yoshimura, C., and
              K. Fujiwara, "DNS Anomalies and Their Impacts on DNS Cache
              Servers", NANOG 32 Reston, VA USA, 2004.

   [VERISIGN]
              Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in
              Root Server DITL Data", DNS-OARC 2014 Fall Workshop Los
              Angeles, 2014.

   [WIKIPEDIA_TFO]
              Wikipedia, "TCP Fast Open", May 2018,
              <https://en.wikipedia.org/wiki/TCP_Fast_Open>.

Appendix A.  Standards Related to DNS Transport over TCP

   This section enumerates all known IETF RFC documents that are
   currently of status standard, informational, best current practice or
   experimental and that either implicitly or explicitly make assumptions
   or statements about the use of TCP as a transport for the DNS germane
   to this document.

A.1.  IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION

   The internet standard [RFC1035] is the base DNS specification that
   explicitly defines support for DNS over TCP.

A.2.  IETF RFC 1536 - Common DNS Implementation Errors and Suggested
      Fixes

   The informational document [RFC1536] states UDP is the "chosen
   protocol for communication though TCP is used for zone transfers."
   That statement should now be considered in its historical context and
   is no longer a proper reflection of modern expectations.

A.3.  IETF RFC 1995 - Incremental Zone Transfer in DNS

   The [RFC1995] standards track document describes the use of TCP as
   the fallback transport when IXFR responses do not fit into a single
   UDP response.  As with AXFR, IXFR messages are typically delivered
   over TCP by default in practice.

A.4.  IETF RFC 1996 - A Mechanism for Prompt Notification of Zone
      Changes (DNS NOTIFY)

   The [RFC1996] standards track document suggests a zone master may
   decide to issue NOTIFY messages over TCP.  In practice NOTIFY
   messages are generally sent over UDP, but this specification leaves
   open the possibility that the choice of transport protocol is up to
   the master, and therefore a slave ought to be able to operate over
   both UDP and TCP.

A.5.  IETF RFC 2181 - Clarifications to the DNS Specification

   The [RFC2181] standards track document includes clarifying text on
   how a client should react to the TC flag set on responses.  It is
   advised that the response should be discarded and the query resent
   using TCP.

A.6.  IETF RFC 2694 - DNS extensions to Network Address Translators
      (DNS_ALG)

   The informational document [RFC2694] enumerates considerations for
   network address translation (NAT) middleboxes to properly handle DNS
   traffic.  This document is noteworthy in its suggestion that DNS over
   TCP is "[t]ypically" used for zone transfer requests, further
   evidence that helps explain why DNS over TCP may often have been
   treated very differently than DNS over UDP in operational networks.

A.7.  IETF RFC 3225 - Indicating Resolver Support of DNSSEC

   The [RFC3225] standards track document makes statements indicating
   DNS over TCP is "detrimental" as a result of increased traffic,
   latency, and server load.  This document is a companion to the next
   document in the RFC series expressing the requirement for EDNS0
   support for DNSSEC.

A.8.  IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message
      size requirements

   The [RFC3226] standards track document, although updated by later
   DNSSEC documents, strongly argued in favor of UDP messages over TCP,
   largely for performance reasons.  The document declares EDNS0 a
   requirement for DNSSEC servers and advocated that packet
   fragmentation may be preferable to TCP in certain situations.

A.9.  IETF RFC 4472 - Operational Considerations and Issues with IPv6
      DNS

   This informational document [RFC4472] notes that IPv6 data may
   increase DNS responses beyond what would fit in a UDP message.
   Particularly noteworthy, though perhaps less common today than when
   this document was written, is its reference to implementations that
   truncate data without setting the TC bit to encourage the client to
   resend the query using TCP.

A.10.  IETF RFC 5452 - Measures for Making DNS More Resilient against
       Forged Answers

   This informational document [RFC5452] arose as public DNS systems
   began to experience widespread abuse from spoofed queries, resulting
   in amplification and reflection attacks against unwitting victims.
   One of the leading justifications for supporting DNS over TCP to
   thwart these attacks is briefly described in this document's Section
   9.3, "Spoof Detection and Countermeasure".

A.11.  IETF RFC 5507 - Design Choices When Expanding the DNS

   This informational document [RFC5507] was largely an attempt to
   dissuade new DNS data types from overloading the TXT resource record
   type.  In so doing it summarizes the conventional wisdom of DNS
   design and implementation practices.  The authors suggest TCP
   overhead and stateful properties pose challenges compared to UDP, and
   imply that UDP is generally preferred for performance and robustness.

A.12.  IETF RFC 5625 - DNS Proxy Implementation Guidelines

   This best current practice document [RFC5625] provides DNS proxy
   implementation guidance including the mandate that a proxy "MUST
   [...] be prepared to receive and forward queries over TCP" even
   though it suggests historically TCP transport has not been strictly
   mandatory in stub resolvers or recursive servers.

A.13.  IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR)

   The [RFC5936] standards track document provides a detailed
   specification for the zone transfer protocol, as originally outlined
   in the early DNS standards.  AXFR operation is limited to TCP and not
   specified for UDP.  This document discusses TCP usage at length.

A.14.  IETF RFC 5966 - DNS Transport over TCP - Implementation
       Requirements

   This standards track document [RFC5966] instructs DNS implementers to
   provide support for carrying DNS over TCP messages in their software.
   The authors explicitly make no recommendations to operators, which we
   seek to address here.

A.15.  IETF RFC 6304 - AS112 Nameserver Operations

   [RFC6304] is an informational document enumerating the requirements
   for operation of AS112 project DNS servers.  New AS112 nodes are
   tested for their ability to provide service on both UDP and TCP
   transports, with the implication that TCP service is an expected part
   of normal operations.

A.16.  IETF RFC 6762 - Multicast DNS

   In this standards track document [RFC6762] the TC bit is deemed to
   have essentially the same meaning as described in the original DNS
   specifications.  That is, if a response with the TC bit set is
   received, "[...] the querier SHOULD reissue its query using TCP in
   order to receive the larger response."
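   The TC-bit fallback described in A.5 and A.16, together with the
   two-byte length framing that DNS over TCP uses, as an added worked
   example (it is not part of this draft or of any implementation it
   cites).  The query builder, the retry decision and the stream
   reassembly are illustrative code written for this page; the
   truncated response is a constructed sample, not captured traffic.

```python
import struct

# DNS header (RFC 1035, section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # flags bit: message is a response
TC_BIT = 0x0200  # flags bit: TrunCation, the answer did not fit in the UDP payload


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qid, name, qtype=1, qclass=1):
    """Standard recursive query (RD set), one question, no EDNS, no answers."""
    header = HEADER.pack(qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Return the header fields a transport-fallback decision depends on."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": qid, "qr": bool(flags & QR_BIT), "tc": bool(flags & TC_BIT),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def must_retry_over_tcp(query, response):
    """RFC 2181 / RFC 6762 behaviour: a truncated response is discarded and the
    same query is re-sent over TCP.  A message that is not a response to our
    query (QR clear or mismatched ID) is ignored rather than acted upon."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return False
    return r["tc"]


def tcp_frame(msg):
    """RFC 1035, section 4.2.2: over TCP each message carries a 2-byte length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for the 16-bit TCP length field")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(buf):
    """Split a TCP byte stream into complete DNS messages.  Returns (messages,
    leftover); the leftover is the start of a message whose bytes have not all
    arrived yet, so a reader keeps it and appends the next recv() to it."""
    msgs = []
    while len(buf) >= 2:
        (length,) = struct.unpack_from("!H", buf)
        if len(buf) < 2 + length:
            break  # partial message: wait for more bytes
        msgs.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return msgs, buf


def truncated_response_for(query):
    """Constructed sample (not captured traffic): a server that could not fit the
    answer into UDP echoes the question with QR, RD, RA and TC set and no answers."""
    qid = parse_header(query)["id"]
    return HEADER.pack(qid, 0x8380, 1, 0, 0, 0) + query[HEADER.size:]
```

   Feeding `tcp_unframe` a stream cut in the middle of a frame returns
   the complete messages and the unfinished tail, which is the case a
   TCP reader must handle because a single recv() need not align with
   message boundaries.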

A.17.  IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0))

   This standards track document [RFC6891] helped slow the use and need
   for DNS over TCP messages.  This document highlights concerns over
   server load and scalability in widespread use of DNS over TCP.

A.18.  IETF RFC 6950 - Architectural Considerations on Application
       Features in the DNS

   An informational document [RFC6950] that draws attention to large
   data in the DNS.  TCP is referenced in this context as a common
   fallback mechanism and as a counter to some spoofing attacks.

A.19.  IETF RFC 7477 - Child-to-Parent Synchronization in DNS

   This standards track document [RFC7477] specifies an RRType and
   protocol to signal and synchronize NS, A, and AAAA resource record
   changes from a child to parent zone.  Since this protocol may require
   multiple requests and responses, it recommends utilizing DNS over TCP
   to ensure the conversation takes place between a consistent pair of
   end nodes.

A.20.  IETF RFC 7720 - DNS Root Name Service Protocol and Deployment
       Requirements

   This best current practice [RFC7720] declares root name service "MUST
   support UDP [RFC768] and TCP [RFC793] transport of DNS queries and
   responses."

A.21.  IETF RFC 7766 - DNS Transport over TCP - Implementation
       Requirements

   The standards track document [RFC7766] might be considered the direct
   ancestor of this operational requirements document.  The
   implementation requirements document codifies mandatory support for
   DNS over TCP in compliant DNS software.

A.22.  IETF RFC 7828 - The edns-tcp-keepalive EDNS0 Option

   This standards track document [RFC7828] defines an EDNS0 option to
   negotiate an idle timeout value for long-lived DNS over TCP
   connections.  Consequently, this document is only applicable and
   relevant to DNS over TCP sessions and between implementations that
   support this option.

A.23.  IETF RFC 7858 - Specification for DNS over Transport Layer
       Security (TLS)

   This standards track document [RFC7858] defines a method for putting
   DNS messages into a TCP-based encrypted channel using TLS.  This
   specification is noteworthy for explicitly targeting the stub-to-
   recursive traffic, but does not preclude its application to
   recursive-to-authoritative traffic.

A.24.  IETF RFC 7873 - Domain Name System (DNS) Cookies

   This standards track document [RFC7873] describes an EDNS0 option to
   provide additional protection against query and answer forgery.  This
   specification mentions DNS over TCP as a reasonable fallback
   mechanism when DNS Cookies are not available.  The specification does
   make mention of DNS over TCP processing in two specific situations.
   In one, when a server receives only a client cookie in a request, the
   server should consider whether the request arrived over TCP and if
   so, it should consider accepting TCP as sufficient to authenticate
   the request and respond accordingly.  In another, when a client
   receives a BADCOOKIE reply using a fresh server cookie, the client
   should retry using TCP as the transport.

A.25.  IETF RFC 7901 - CHAIN Query Requests in DNS

   This experimental specification [RFC7901] describes an EDNS0 option
   that can be used by a security-aware validating resolver to request
   and obtain a complete DNSSEC validation path for any single query.
   This document requires the use of DNS over TCP or a source IP address
   verified transport mechanism such as EDNS-COOKIE [RFC7873].

A.26.  IETF RFC 8027 - DNSSEC Roadblock Avoidance

   This document [RFC8027] details observed problems with DNSSEC
   deployment and mitigation techniques.  Network traffic blocking and
   restrictions, including DNS over TCP messages, are highlighted as one
   reason for DNSSEC deployment issues.  While this document suggests
   these sorts of problems are due to "non-compliant infrastructure" and
   is of type BCP, the scope of the document is limited to detection and
   mitigation techniques to avoid so-called DNSSEC roadblocks.

A.27.  IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)

   This experimental specification [RFC8094] details a protocol that
   uses a datagram transport (UDP), but stipulates that "DNS clients and
   servers that implement DNS over DTLS MUST also implement DNS over TLS
   in order to provide privacy for clients that desire Strict Privacy
   [...]".  This requirement implies DNS over TCP must be supported in
   case the message size is larger than the path MTU.

A.28.  IETF RFC 8162 - Using Secure DNS to Associate Certificates with
       Domain Names for S/MIME

   This experimental specification [RFC8162] describes a technique to
   authenticate user X.509 certificates in an S/MIME system via the DNS.
   The document points out that the new experimental resource record
   types are expected to carry large payloads, resulting in the
   suggestion that "applications SHOULD use TCP -- not UDP -- to perform
   queries for the SMIMEA resource record."

A.29.  IETF RFC 8324 - DNS Privacy, Authorization, Special Uses,
       Encoding, Characters, Matching, and Root Structure: Time for
       Another Look?

   An informational document [RFC8324] that briefly discusses the common
   role and challenges of DNS over TCP throughout the history of DNS.

A.30.  IETF RFC 8467 - Padding Policies for Extension Mechanisms for DNS
       (EDNS(0))

   An experimental document [RFC8467] reminds implementers to consider
   the underlying transport protocol (e.g., TCP) when calculating the
   padding length when artificially increasing the DNS message size with
   an EDNS(0) padding option.

A.31.  IETF RFC 8483 - Yeti DNS Testbed

   This informational document [RFC8483] describes a testbed environment
   that highlights some DNS over TCP behaviors, including issues
   involving packet fragmentation and operational requirements for TCP
   stream assembly in order to conduct DNS measurement and analysis.

A.32.  IETF RFC 8484 - DNS Queries over HTTPS (DoH)

   This standards track document [RFC8484] defines a protocol for
   sending DNS queries and responses over HTTPS.  This specification
   assumes TLS and TCP for the underlying security and transport layers
   respectively.  Self-described as a technique that more closely
   resembles a tunneling mechanism, DoH nevertheless likely implies DNS
   over TCP in some sense if not directly.

A.33.  IETF RFC 8490 - DNS Stateful Operations

   This standards track document [RFC8490] updates the base protocol
   specification with a new OPCODE to help manage stateful operations in
   persistent sessions such as those that might be used by DNS over TCP.

A.34.  IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service
       Providers

   This informational document [RFC8501] identifies potential
   operational challenges with Dynamic DNS including denial-of-service
   threats.  The document suggests TCP may provide some advantages, but
   that updating hosts would need to be explicitly configured to use TCP
   instead of UDP.

Authors' Addresses

   John Kristoff
   DePaul University
   Chicago, IL  60604
   US

   Phone: +1 312 493 0305
   Email: jtk@depaul.edu
   URI:   https://aharp.iorc.depaul.edu

   Duane Wessels
   Verisign
   12061 Bluemont Way
   Reston, VA  20190
   US

   Phone: +1 703 948 3200
   Email: dwessels@verisign.com
   URI:   http://verisigninc.com
