| rfc9824v1.txt | rfc9824.txt | |||
|---|---|---|---|---|
| skipping to change at line 15 ¶ | skipping to change at line 15 ¶ | |||
| Category: Standards Track Cloudflare | Category: Standards Track Cloudflare | |||
| ISSN: 2070-1721 O. Gudmundsson | ISSN: 2070-1721 O. Gudmundsson | |||
| Retired/Unaffiliated | Retired/Unaffiliated | |||
| August 2025 | August 2025 | |||
| Compact Denial of Existence in DNSSEC | Compact Denial of Existence in DNSSEC | |||
| Abstract | Abstract | |||
| This document describes a technique to generate a signed DNS response | This document describes a technique to generate a signed DNS response | |||
| on demand for a non-existent name by claiming that the name exists | on demand for a nonexistent name by claiming that the name exists but | |||
| but doesn't have any data for the queried record type. Such answers | doesn't have any data for the queried record type. Such responses | |||
| require only one minimally covering NSEC or NSEC3 record, allow | require only one minimally covering NSEC or NSEC3 record, allow | |||
| online signing servers to minimize signing operations and response | online signing servers to minimize signing operations and response | |||
| sizes, and prevent zone content disclosure. | sizes, and prevent zone content disclosure. | |||
| This document updates RFCs 4034 and 4035. | This document updates RFCs 4034 and 4035. | |||
| Status of This Memo | Status of This Memo | |||
| This is an Internet Standards Track document. | This is an Internet Standards Track document. | |||
| skipping to change at line 56 ¶ | skipping to change at line 56 ¶ | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Revised BSD License text as described in Section 4.e of the | include Revised BSD License text as described in Section 4.e of the | |||
| Trust Legal Provisions and are provided without warranty as described | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction and Motivation | 1. Introduction and Motivation | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| 2. Distinguishing Non-existent Names | 2. Distinguishing Nonexistent Names | |||
| 3. Generating Responses with NSEC | 3. Generating Responses with NSEC | |||
| 3.1. Responses for Non-existent Names | 3.1. Responses for Nonexistent Names | |||
| 3.2. Responses for Non-existent Types | 3.2. Responses for Nonexistent Types | |||
| 3.3. Responses for Wildcard Matches | 3.3. Responses for Wildcard Matches | |||
| 3.4. Responses for Unsigned Referrals | 3.4. Responses for Unsigned Referrals | |||
| 3.5. Responses to Explicit Queries for NXNAME | 3.5. Responses to Explicit Queries for NXNAME | |||
| 4. Generating Responses with NSEC3 | 4. Generating Responses with NSEC3 | |||
| 5. Response Code Restoration | 5. Response Code Restoration | |||
| 5.1. Signaled Response Code Restoration | 5.1. Signaled Response Code Restoration | |||
| 6. Operational Implications | 6. Operational Implications | |||
| 7. Updates to RFCs | 7. Updates to RFCs | |||
| 7.1. Updates to RFC 4034 | 7.1. Updates to RFC 4034 | |||
| 7.2. Updates to RFC 4035 | 7.2. Updates to RFC 4035 | |||
| skipping to change at line 87 ¶ | skipping to change at line 87 ¶ | |||
| Acknowledgements | Acknowledgements | |||
| Authors' Addresses | Authors' Addresses | |||
| 1. Introduction and Motivation | 1. Introduction and Motivation | |||
| One of the functions of DNS Security Extensions (DNSSEC) [RFC9364] is | One of the functions of DNS Security Extensions (DNSSEC) [RFC9364] is | |||
| "authenticated denial of existence", i.e., proving that a DNS name or | "authenticated denial of existence", i.e., proving that a DNS name or | |||
| record type does not exist. Normally, this is done by means of | record type does not exist. Normally, this is done by means of | |||
| signed NSEC or NSEC3 records. In the precomputed signature model, | signed NSEC or NSEC3 records. In the precomputed signature model, | |||
| these records chain together existing names, or cryptographic hashes | these records chain together existing names, or cryptographic hashes | |||
| of them, in the zone. In the online signing model, described in NSEC | of them, in the zone. In the online signing model, described for | |||
| and NSEC3 "White Lies" [RFC4470] [RFC7129], they are used to | NSEC in [RFC4470] and for NSEC3 White Lies in [RFC7129], they are | |||
| dynamically compute an epsilon function around the queried name. The | used to dynamically compute an epsilon function around the QNAME. | |||
| Type Bit Maps field in the data of the NSEC or NSEC3 record asserts | The Type Bit Maps field in the data of the NSEC or NSEC3 record | |||
| which resource record (RR) types are present at the name. | asserts which resource record (RR) types are present at the name. | |||
| The response for a non-existent name requires up to two signed NSEC | The response for a nonexistent name requires up to two signed NSEC | |||
| records or up to three signed NSEC3 records (and for online signers, | records or up to three signed NSEC3 records (and for online signers, | |||
| the associated cryptographic computation) to prove that (1) the name | the associated cryptographic computation) to prove that (1) the name | |||
| did not explicitly exist in the zone and (2) it could not have been | did not explicitly exist in the zone and (2) it could not have been | |||
| synthesized by a wildcard. | synthesized by a wildcard. | |||
| This document describes an alternative technique, "Compact Denial of | This document describes an alternative technique, "Compact Denial of | |||
| Existence" or "Compact Answers", to generate a signed DNS response on | Existence" or "Compact Answers", to generate a signed DNS response on | |||
| demand for a non-existent name by claiming that the name exists but | demand for a nonexistent name by claiming that the name exists but | |||
| has no resource records associated with the queried type, i.e., it | has no resource record sets associated with the queried type, i.e., | |||
| returns a NODATA response rather than an NXDOMAIN response. A NODATA | it returns a NODATA response rather than an NXDOMAIN response. A | |||
| response, which has a response code (RCODE) of NOERROR and an empty | NODATA response, which has a response code (RCODE) of NOERROR and an | |||
| ANSWER section, requires only one NSEC or NSEC3 record matching the | empty ANSWER section, requires only one NSEC or NSEC3 record matching | |||
| queried name. This has two advantages: The DNS response size is | the QNAME. This has two advantages: The DNS response size is | |||
| smaller, and it reduces the online cryptographic work involved in | smaller, and it reduces the online cryptographic work involved in | |||
| generating the response. | generating the response. | |||
| The use of minimally covering NSEC or NSEC3 records also prevents | The use of minimally covering NSEC or NSEC3 records also prevents | |||
| adversaries from enumerating the entire contents of DNS zones by | adversaries from enumerating the entire contents of DNS zones by | |||
| walking the NSEC chain or performing an offline dictionary attack on | walking the NSEC chain or performing an offline dictionary attack on | |||
| the hashes in the NSEC3 chain. | the hashes in the NSEC3 chain. | |||
| This document assumes a reasonable level of familiarity with DNS | This document assumes a reasonable level of familiarity with DNS | |||
| operations and protocol terms. Much of the terminology is explained | operations and protocol terms. Much of the terminology is explained | |||
| in further detail in "DNS Terminology" [RFC9499]. | in further detail in "DNS Terminology" [RFC9499]. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. Distinguishing Non-existent Names | 2. Distinguishing Nonexistent Names | |||
| This method generates NODATA responses for non-existent names that | This method generates NODATA responses for nonexistent names that | |||
| don't match a DNS wildcard. Since there are clearly no record types | don't match a DNS wildcard. Since there are clearly no record types | |||
| for such names, the NSEC Type Bit Maps field in the response will | for such names, the NSEC Type Bit Maps field in the response will | |||
| only contain the NSEC and RRSIG types (and in the case of NSEC3, the | only contain the NSEC and RRSIG types (and in the case of NSEC3, the | |||
| Type Bit Maps field will be empty). Tools that need to accurately | Type Bit Maps field will be empty). Tools that need to accurately | |||
| identify non-existent names in responses cannot rely on this specific | identify nonexistent names in responses cannot rely on this specific | |||
| type bitmap because Empty Non-Terminal (ENT) names (which positively | type bitmap because Empty Non-Terminal (ENT) names (which positively | |||
| exist) also have no record types at the name and will return exactly | exist) also have no record types at the name and will return exactly | |||
| the same Type Bit Maps field. | the same Type Bit Maps field. | |||
| This specification defines the use of a synthetic RR type to signal | This specification defines the use of NXNAME (128), a synthetic RR | |||
| the presence of a non-existent name. The mnemonic for this RR type | type to signal the presence of a nonexistent name. See Section 9. | |||
| is NXNAME, chosen to clearly distinguish it from the response code | The mnemonic for this RR type is NXNAME, chosen to clearly | |||
| mnemonic NXDOMAIN. | distinguish it from the response code mnemonic NXDOMAIN. | |||
| +========+=======+=============================+ | ||||
| | TYPE | Value | Meaning | | ||||
| +========+=======+=============================+ | ||||
| | NXNAME | 128 | NXDOMAIN indicator for | | ||||
| | | | Compact Denial of Existence | | ||||
| +--------+-------+-----------------------------+ | ||||
| Table 1 | ||||
| This RR type is added to the NSEC Type Bit Maps field for responses | This RR type is added to the NSEC Type Bit Maps field for responses | |||
| to non-existent names, in addition to the required RRSIG and NSEC | to nonexistent names, in addition to the required RRSIG and NSEC | |||
| types. If NSEC3 is being used, this RR type is the sole entry in the | types. If NSEC3 is being used, this RR type is the sole entry in the | |||
| Type Bit Maps field. It is a "Meta-TYPE", as defined in [RFC6895], | Type Bit Maps field. It is a "Meta-TYPE", as defined in [RFC6895], | |||
| and it stores no data in a DNS zone and cannot be usefully queried. | and it stores no data in a DNS zone and cannot be usefully queried. | |||
| Section 3.5 describes what a DNS resolver or authoritative server | Section 3.5 describes what a DNS resolver or authoritative server | |||
| should do if it receives an explicit query for NXNAME. | should do if it receives an explicit query for NXNAME. | |||
| No special handling of this RR type is required on the part of DNS | No special handling of this RR type is required on the part of DNS | |||
| resolvers. However, resolvers may optionally implement the behavior | resolvers. However, resolvers may optionally implement the behavior | |||
| described in Section 5.1 ("Signaled Response Code Restoration") to | described in Section 5.1 ("Signaled Response Code Restoration") to | |||
| better restore NXDOMAIN visibility to various applications that may | better restore NXDOMAIN visibility to various applications that may | |||
| remain oblivious to the new NXNAME signal. | remain oblivious to the new NXNAME signal. | |||
| 3. Generating Responses with NSEC | 3. Generating Responses with NSEC | |||
| This section describes various types of answers generated by | This section describes various types of answers generated by | |||
| authoritative servers implementing Compact Denial of Existence using | authoritative servers implementing Compact Denial of Existence using | |||
| NSEC. Section 4 describes changes needed to support NSEC3. | NSEC. Section 4 describes changes needed to support NSEC3. | |||
| 3.1. Responses for Non-existent Names | 3.1. Responses for Nonexistent Names | |||
| When the authoritative server receives a query for a non-existent | When the authoritative server receives a query for a nonexistent name | |||
| name in a zone that it serves, a NODATA response (response code | in a zone that it serves, a NODATA response (response code NOERROR, | |||
| NOERROR, empty Answer section) is generated with a dynamically | empty Answer section) is generated with a dynamically constructed | |||
| constructed NSEC record with the owner name matching the queried name | NSEC record with the owner name matching the QNAME placed in the | |||
| (QNAME) placed in the Authority section. | Authority section. | |||
| The Next Domain Name field SHOULD be set to the immediate | The Next Domain Name field SHOULD be set to the immediate | |||
| lexicographic successor of the QNAME. This is accomplished by adding | lexicographic successor of the QNAME. This is accomplished by adding | |||
| a leading label with a single null (zero-value) octet. The Type Bit | a leading label with a single null (zero-value) octet. The Type Bit | |||
| Maps field MUST only have the bits set for the following RR Types: | Maps field MUST only have the bits set for the following RR Types: | |||
| RRSIG, NSEC, and NXNAME. | RRSIG, NSEC, and NXNAME. | |||
| For example, a request for the non-existent name "a.example.com." | For example, a request for the nonexistent name "a.example.com." | |||
| would result in the generation of the following NSEC record (in DNS | would result in the generation of the following NSEC record (in DNS | |||
| presentation format): | presentation format): | |||
| a.example.com. 3600 IN NSEC \000.a.example.com. RRSIG NSEC NXNAME | a.example.com. 3600 IN NSEC \000.a.example.com. RRSIG NSEC NXNAME | |||
| The NSEC record MUST have corresponding RRSIGs generated. | The NSEC record MUST have corresponding RRSIGs generated. | |||
| 3.2. Responses for Non-existent Types | 3.2. Responses for Nonexistent Types | |||
| When the authoritative server receives a query for a name that exists | When the authoritative server receives a query for a name that exists | |||
| but has no resource record sets associated with the queried type, it | but has no resource record sets associated with the queried type, it | |||
| generates a NODATA response with a dynamically constructed signed | generates a NODATA response with a dynamically constructed signed | |||
| NSEC record in the Authority section. The owner name of the NSEC | NSEC record in the Authority section. The owner name of the NSEC | |||
| record matches the queried name. The Next Domain Name field is set | record matches the QNAME. The Next Domain Name field is set to the | |||
| to the immediate lexicographic successor of the QNAME. The Type Bit | immediate lexicographic successor of the QNAME. The Type Bit Maps | |||
| Maps field lists the available RR types at the name. | field lists the available RR types at the name. | |||
| An Empty Non-Terminal is a special subset of this category, where the | An ENT is a special subset of this category, where the name has no | |||
| name has no resource record sets of any type (but has descendant | resource record sets of any type (but has descendant names that do). | |||
| names that do). For a query for an Empty Non-Terminal, the NSEC Type | For a query for an ENT, the NSEC Type Bit Maps field will only | |||
| Bit Maps field will only contain RRSIG and NSEC. (Note that this is | contain RRSIG and NSEC. (Note that this is substantially different | |||
| substantially different than the ENT response in precomputed NSEC, | than the ENT response in precomputed NSEC, where the NSEC record has | |||
| where the NSEC record has the same type bitmap but "covers" rather | the same type bitmap but "covers" rather than matches the ENT and has | |||
| than matches the ENT and has the Next Domain Name field set to the | the Next Domain Name field set to the next lexicographic descendant | |||
| next lexicographic descendant of the ENT in the zone.) | of the ENT in the zone.) | |||
| 3.3. Responses for Wildcard Matches | 3.3. Responses for Wildcard Matches | |||
| For wildcard matches, the authoritative server will provide a | For wildcard matches, the authoritative server will provide a | |||
| dynamically signed response that claims that the queried name exists | dynamically signed response that claims that the QNAME exists | |||
| explicitly. Specifically, the answer RRset will have an RRSIG record | explicitly. Specifically, the answer RRset will have an RRSIG record | |||
| demonstrating an exact match (i.e., the label count in the RRSIG | demonstrating an exact match (i.e., the label count in the RRSIG | |||
| RDATA will be equal to the number of labels in the query name minus | RDATA will be equal to the number of labels in the query name minus | |||
| the root label). This obviates the need to include an NSEC record in | the root label). This obviates the need to include an NSEC record in | |||
| the Authority section of the response that shows that no closer match | the Authority section of the response that shows that no closer match | |||
| than the wildcard was possible. | than the wildcard was possible. | |||
| For a wildcard NODATA match (where the queried name matches a | For a wildcard NODATA match (where the QNAME matches a wildcard but | |||
| wildcard but no data for the queried type exists), a response akin to | no data for the queried type exists), a response akin to a non- | |||
| a non-wildcard NODATA is returned. The Answer section is empty, and | wildcard NODATA is returned. The Answer section is empty, and the | |||
| the Authority section contains a single NSEC record that matches the | Authority section contains a single NSEC record that matches the | |||
| query name with a Type Bit Maps field representing the list of types | query name with a Type Bit Maps field representing the list of types | |||
| available at the wildcard. | available at the wildcard. | |||
| 3.4. Responses for Unsigned Referrals | 3.4. Responses for Unsigned Referrals | |||
| Per the DNSSEC protocol, a referral to an unsigned subzone includes | Per the DNSSEC protocol, a referral to an unsigned subzone includes | |||
| an NSEC record whose owner name matches the subzone and proves the | an NSEC record whose owner name matches the subzone and proves the | |||
| delegation is unsigned by the absence of the Delegation Signer (DS) | delegation is unsigned by the absence of the Delegation Signer (DS) | |||
| RR type bit in the Type Bit Maps field. | RR type bit in the Type Bit Maps field. | |||
| skipping to change at line 255 ¶ | skipping to change at line 246 ¶ | |||
| For example, a referral response for the subzone sub.example.com | For example, a referral response for the subzone sub.example.com | |||
| would include an NSEC record like the following: | would include an NSEC record like the following: | |||
| sub.example.com. 3600 IN NSEC sub\000.example.com. NS RRSIG NSEC | sub.example.com. 3600 IN NSEC sub\000.example.com. NS RRSIG NSEC | |||
| 3.5. Responses to Explicit Queries for NXNAME | 3.5. Responses to Explicit Queries for NXNAME | |||
| NXNAME is a Meta-TYPE that should not appear anywhere in a DNS | NXNAME is a Meta-TYPE that should not appear anywhere in a DNS | |||
| message apart from the NSEC type bitmap of a Compact Answer response | message apart from the NSEC type bitmap of a Compact Answer response | |||
| for a non-existent name. However, if a DNS server implementing this | for a nonexistent name. However, if a DNS server implementing this | |||
| specification receives an explicit query for the NXNAME RR type, this | specification receives an explicit query for the NXNAME RR type, this | |||
| section describes what the response should be. | section describes what the response should be. | |||
| If an explicit query for the NXNAME RR type is received, the DNS | If an explicit query for the NXNAME RR type is received, the DNS | |||
| server MUST return a Format Error (response code FORMERR). A | server MUST return a Format Error (response code FORMERR). A | |||
| resolver should not forward these queries upstream or attempt | resolver should not forward these queries upstream or attempt | |||
| iterative resolution. Many DNS server implementations already return | iterative resolution. Many DNS server implementations already return | |||
| errors for all types in the range for Meta-TYPEs and QTYPEs, except | errors for all types in the range for Meta-TYPEs and QTYPEs, except | |||
| those types that are already defined to support queries. | those types that are already defined to support queries. | |||
| Optionally, a DNS server MAY also include the following Extended DNS | Optionally, a DNS server MAY also include the following Extended DNS | |||
| Error (EDE) code [RFC8914] in the response: | Error (EDE) code [RFC8914] in the response: 30 (Invalid Query Type). | |||
| See Section 9. | ||||
| +===========+====================+ | ||||
| | INFO-CODE | Purpose | | ||||
| +===========+====================+ | ||||
| | 30 | Invalid Query Type | | ||||
| +-----------+--------------------+ | ||||
| Table 2 | ||||
| Note that this EDE code is generally applicable to any RR type that | Note that this EDE code is generally applicable to any RR type that | |||
| should not appear in DNS queries. | should not appear in DNS queries. | |||
| 4. Generating Responses with NSEC3 | 4. Generating Responses with NSEC3 | |||
| NSEC3 [RFC5155] uses hashed names to provide zone enumeration | NSEC3 [RFC5155] uses hashed names to provide zone enumeration | |||
| defense. This protection is already better provided by minimally | defense. This protection is already better provided by minimally | |||
| covering NSEC records. NSEC3's Opt-Out feature also provides no | covering NSEC records. NSEC3's Opt-Out feature also provides no | |||
| specific benefit for online signing implementations (minimally | specific benefit for online signing implementations (minimally | |||
| skipping to change at line 310 ¶ | skipping to change at line 294 ¶ | |||
| 0, an additional hash iteration count of 0, and an empty salt. In | 0, an additional hash iteration count of 0, and an empty salt. In | |||
| DNS presentation format, this is "1 0 0 -". | DNS presentation format, this is "1 0 0 -". | |||
| The owner name of the NSEC3 resource record is the NSEC3 hash of the | The owner name of the NSEC3 resource record is the NSEC3 hash of the | |||
| relevant domain name, encoded in Base32 with Extended Hex Alphabet | relevant domain name, encoded in Base32 with Extended Hex Alphabet | |||
| ([RFC4648], Section 7), prepended as a single label to the name of | ([RFC4648], Section 7), prepended as a single label to the name of | |||
| the zone. The Next Hashed Owner Name is the immediate name successor | the zone. The Next Hashed Owner Name is the immediate name successor | |||
| of the unencoded binary form of the previous hash, which can be | of the unencoded binary form of the previous hash, which can be | |||
| computed by adding one to the binary hash value. | computed by adding one to the binary hash value. | |||
| In responses for non-existent names, the Type Bit Maps field will | In responses for nonexistent names, the Type Bit Maps field will | |||
| contain only the NXNAME Meta-TYPE. In responses to Empty Non- | contain only the NXNAME Meta-TYPE. In responses to ENT names, the | |||
| Terminal names, the Type Bit Maps field will be empty. | Type Bit Maps field will be empty. | |||
| For example, a request for the non-existent name "a.example.com." | For example, a request for the nonexistent name "a.example.com." | |||
| would result in the generation of the following NSEC3 record: | would result in the generation of the following NSEC3 record: | |||
| H64KFA4P1ACER2EBPS9QSDK6DNP8B3JQ.example.com. IN NSEC3 1 0 0 - ( | H64KFA4P1ACER2EBPS9QSDK6DNP8B3JQ.example.com. IN NSEC3 1 0 0 - ( | |||
| H64KFA4P1ACER2EBPS9QSDK6DNP8B3JR NXNAME ) | H64KFA4P1ACER2EBPS9QSDK6DNP8B3JR NXNAME ) | |||
| Unlike Compact Denial of Existence with NSEC, no special form of the | Unlike Compact Denial of Existence with NSEC, no special form of the | |||
| next name field for unsigned referrals is needed. The Next Hashed | Next Hashed Owner Name field for unsigned referrals is needed. The | |||
| Owner Name field remains the NSEC3 hash of original owner name plus | Next Hashed Owner Name field remains the NSEC3 hash of original owner | |||
| one. | name plus one. | |||
| 5. Response Code Restoration | 5. Response Code Restoration | |||
| For non-existent names, implementations should try to preserve the | For nonexistent names, implementations should try to preserve the | |||
| response code value of 3 (NXDOMAIN) whenever possible. This is | response code value of 3 (NXDOMAIN) whenever possible. This is | |||
| generally possible for non-DNSSEC-enabled queries, namely those that | generally possible for non-DNSSEC-enabled queries, namely those that | |||
| do not set the DNSSEC_OK EDNS flag (DO bit). For such queries, | do not set the DO bit ("DNSSEC answer OK") in the EDNS0 OPT header. | |||
| authoritative servers implementing Compact Denial of Existence could | For such queries, authoritative servers implementing Compact Denial | |||
| return a normal NXDOMAIN response. However, there may be limited | of Existence could return a normal NXDOMAIN response. However, there | |||
| benefit to doing this since most modern DNS resolvers are DNSSEC | may be limited benefit to doing this since most modern DNS resolvers | |||
| aware, and per Section 3 of [RFC3225], DNSSEC-aware recursive servers | are DNSSEC aware, and per Section 3 of [RFC3225], DNSSEC-aware | |||
| are required to set the DO bit on outbound queries, regardless of the | recursive servers are required to set the DO bit on outbound queries, | |||
| status of the DO bit on incoming requests. | regardless of the status of the DO bit on incoming requests. | |||
| A validating resolver that understands the NXNAME signal from an | A validating resolver that understands the NXNAME signal from an | |||
| authoritative server could modify the response code from NOERROR to | authoritative server could modify the response code from NOERROR to | |||
| NXDOMAIN in responses they return to downstream queriers that have | NXDOMAIN in responses they return to downstream queriers that have | |||
| not set the DO bit in their requests. | not set the DO bit in their requests. | |||
| 5.1. Signaled Response Code Restoration | 5.1. Signaled Response Code Restoration | |||
| This section describes an optional but recommended scheme to permit | This section describes an optional but recommended scheme to permit | |||
| signaled restoration of the NXDOMAIN RCODE for DNSSEC-enabled | signaled restoration of the NXDOMAIN RCODE for DNSSEC-enabled | |||
| skipping to change at line 360 ¶ | skipping to change at line 344 ¶ | |||
| flag. | flag. | |||
| +0 (MSB) +1 (LSB) | +0 (MSB) +1 (LSB) | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| 0: | EXTENDED-RCODE | VERSION | | 0: | EXTENDED-RCODE | VERSION | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| 2: |DO|CO| Z | | 2: |DO|CO| Z | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| When this flag is sent in a query by a resolver, it indicates that | When this flag is sent in a query by a resolver, it indicates that | |||
| the resolver will accept a signed NXNAME enhanced NODATA response for | the resolver will accept a NODATA response with a signed NXNAME for a | |||
| a non-existent name, together with the response code field set to | nonexistent name, together with the response code field set to | |||
| NXDOMAIN (3). | NXDOMAIN (3). | |||
| In responses to such queries, a Compact Denial authoritative server | In responses to such queries, an authoritative server implementing | |||
| implementing this signaling scheme will set the Compact Answers OK | both Compact Denial of Existence and this signaling scheme will set | |||
| EDNS header flag and, for non-existent names, will additionally set | the Compact Answers OK EDNS header flag and, for nonexistent names, | |||
| the response code field to NXDOMAIN. | will additionally set the response code field to NXDOMAIN. | |||
| EDNS is a hop-by-hop signal, so resolvers will need to record the | EDNS is a hop-by-hop signal, so resolvers will need to record the | |||
| presence of this flag in associated cache data and respond to | presence of this flag in associated cache data and respond to | |||
| downstream DNSSEC-enabled queriers appropriately. If the querier | downstream DNSSEC-enabled queriers appropriately. If the querier | |||
| does not set the Compact Answers OK flag, the resolver will need to | does not set the Compact Answers OK flag, the resolver will need to | |||
| reset the response code back to NOERROR (0) for an NXNAME response. | reset the response code back to NOERROR (0) for an NXNAME response. | |||
| 6. Operational Implications | 6. Operational Implications | |||
| For DNSSEC-enabled queries, a signed zone at an authoritative server | For DNSSEC-enabled queries, a signed zone at an authoritative server | |||
| implementing Compact Answers will never return a response with a | implementing Compact Answers will never return a response with a | |||
| response code of NXDOMAIN, unless they have implemented the optional | response code of NXDOMAIN, unless they have implemented the optional | |||
| response code restoration feature described in Section 5.1. | response code restoration feature described in Section 5.1. | |||
| Similarly, resolvers not implementing this feature will also not be | Similarly, resolvers not implementing this feature will also not be | |||
| able to return NXDOMAIN. In the absence of this, tools that rely on | able to return NXDOMAIN. In the absence of this, tools that rely on | |||
| accurately determining non-existent names will need to infer them | accurately determining nonexistent names will need to infer them from | |||
| from the presence of the NXNAME RR type in the Type Bit Maps field of | the presence of the NXNAME RR type in the Type Bit Maps field of the | |||
| the NSEC record in NODATA responses from these servers. | NSEC record in NODATA responses from these servers. | |||
| Address lookup functions typically invoked by applications may need | Address lookup functions typically invoked by applications may need | |||
| to do more work when dealing with implementations of Compact Answers. | to do more work when dealing with implementations of Compact Answers. | |||
| For example, a NODATA response to the lookup of a AAAA record for a | For example, a NODATA response to the lookup of a AAAA record for a | |||
| non-existent name can cause such functions to issue another query at | nonexistent name can cause such functions to issue another query at | |||
| the same name for an A record, whereas an NXDOMAIN response to the | the same name for an A record, whereas an NXDOMAIN response to the | |||
| first query could suppress additional queries for other types at that | first query could suppress additional queries for other types at that | |||
| name. Address lookup functions could be enhanced to issue DNSSEC- | name. Address lookup functions could be enhanced to issue DNSSEC- | |||
| enabled queries and to examine the NSEC Type Bit Maps field in | enabled queries and to examine the NSEC Type Bit Maps field in | |||
| responses to accurately determine non-existent names. Note that this | responses to accurately determine nonexistent names. Note that this | |||
| is less of a concern with connection functions like Happy Eyeballs | is less of a concern with connection functions like Happy Eyeballs | |||
| [RFC8305] that typically issue back-to-back DNS queries without | [RFC8305] that typically issue back-to-back DNS queries without | |||
| waiting for individual responses. | waiting for individual responses. | |||
| Protocol optimizations that enable DNS resolvers to synthesize | Protocol optimizations that enable DNS resolvers to synthesize | |||
| NXDOMAIN or wildcard responses, like those described in [RFC8020] and | NXDOMAIN or wildcard responses, like those described in [RFC8020] and | |||
| [RFC8198], cannot be realized from responses that use Compact Denial | [RFC8198], cannot be realized from responses that use Compact Denial | |||
| of Existence. In general, no online signing scheme that employs | of Existence. In general, no online signing scheme that employs | |||
| minimally covering NSEC or NSEC3 records (including this one) permits | minimally covering NSEC or NSEC3 records (including this one) permits | |||
| NXDOMAIN or wildcard response synthesis in the style described in | NXDOMAIN or wildcard response synthesis in the style described in | |||
| skipping to change at line 427 ¶ | skipping to change at line 411 ¶ | |||
| | Bits representing pseudo-types MUST be clear, as they do not | | Bits representing pseudo-types MUST be clear, as they do not | |||
| | appear in zone data. If encountered, they MUST be ignored upon | | appear in zone data. If encountered, they MUST be ignored upon | |||
| | being read. | | being read. | |||
| This paragraph is updated to the following: | This paragraph is updated to the following: | |||
| | Bits representing pseudo-types MUST be clear, as they do not | | Bits representing pseudo-types MUST be clear, as they do not | |||
| | appear in zone data. If encountered, they MUST be ignored upon | | appear in zone data. If encountered, they MUST be ignored upon | |||
| | being read. There is one exception to this rule for Compact | | being read. There is one exception to this rule for Compact | |||
| | Denial of Existence (RFC 9824), where the NXNAME pseudo-type is | | Denial of Existence (RFC 9824), where the NXNAME pseudo-type is | |||
| | allowed to appear in responses to non-existent names. | | allowed to appear in responses to nonexistent names. | |||
| | | ||||
| | Note: As a practical matter, no known resolver insists that | Note: As a practical matter, no known resolver insists that pseudo- | |||
| | pseudo-types must be clear in the NSEC Type Bit Maps, so this | types must be clear in the NSEC Type Bit Maps field, so this | |||
| | restriction (prior to its revision) has posed no problem for the | restriction (prior to its revision) has posed no problem for the | |||
| | deployment of this mechanism. | deployment of this mechanism. | |||
| 7.2. Updates to RFC 4035 | 7.2. Updates to RFC 4035 | |||
| Section 2.3 of [RFC4035] ("Including NSEC RRs in a Zone") states the | Section 2.3 of [RFC4035] ("Including NSEC RRs in a Zone") states the | |||
| following: | following: | |||
| | An NSEC record (and its associated RRSIG RRset) MUST NOT be the | | An NSEC record (and its associated RRSIG RRset) MUST NOT be the | |||
| | only RRset at any particular owner name. That is, the signing | | only RRset at any particular owner name. That is, the signing | |||
| | process MUST NOT create NSEC or RRSIG RRs for owner name nodes | | process MUST NOT create NSEC or RRSIG RRs for owner name nodes | |||
| | that were not the owner name of any RRset before the zone was | | that were not the owner name of any RRset before the zone was | |||
| skipping to change at line 463 ¶ | skipping to change at line 447 ¶ | |||
| | that were not the owner name of any RRset before the zone was | | that were not the owner name of any RRset before the zone was | |||
| | signed. The main reasons for this are a desire for namespace | | signed. The main reasons for this are a desire for namespace | |||
| | consistency between signed and unsigned versions of the same zone | | consistency between signed and unsigned versions of the same zone | |||
| | and a desire to reduce the risk of response inconsistency in | | and a desire to reduce the risk of response inconsistency in | |||
| | security oblivious recursive name servers. This concern only | | security oblivious recursive name servers. This concern only | |||
| | applies to implementations of DNSSEC that employ precomputed | | applies to implementations of DNSSEC that employ precomputed | |||
| | signatures. There is an exception to this rule for online signing | | signatures. There is an exception to this rule for online signing | |||
| | implementations of DNSSEC (e.g., minimally covering NSEC and | | implementations of DNSSEC (e.g., minimally covering NSEC and | |||
| | Compact Denial of Existence), where dynamically generated NSEC | | Compact Denial of Existence), where dynamically generated NSEC | |||
| | records can be produced for owner names that don't exist or are | | records can be produced for owner names that don't exist or are | |||
| | empty non-terminals. | | ENTs. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| Online signing of DNS records requires authoritative servers for the | Online signing of DNS records requires authoritative servers for the | |||
| DNS zone to have access to the private signing keys. Exposing | DNS zone to have access to the private signing keys. Exposing | |||
| signing keys on Internet-reachable servers makes them more vulnerable | signing keys on Internet-reachable servers makes them more vulnerable | |||
| to attack. | to attack. | |||
| Additionally, generating signatures on demand is more computationally | Additionally, generating signatures on demand is more computationally | |||
| intensive than returning precomputed signatures. Although the | intensive than returning precomputed signatures. Although the | |||
| Compact Answers scheme reduces the number of online signing | Compact Answers scheme reduces the number of online signing | |||
| operations compared to previous techniques like White Lies, it still | operations compared to previous techniques like White Lies, it still | |||
| may make authoritative servers more vulnerable to computational | may make authoritative servers more vulnerable to computational | |||
| denial-of-service attacks than precomputed signatures. The use of | denial-of-service attacks than precomputed signatures. The use of | |||
| signature algorithms (like those based on elliptic curves) that have | signature algorithms (like those based on elliptic curves) that have | |||
| a comparatively low cost for signing is recommended. | a comparatively low cost for signing is recommended. | |||
| Some security tools rely on detection of non-existent domain names by | Some security tools rely on detection of nonexistent domain names by | |||
| examining the response code field of DNS response messages. A | examining the response code field of DNS response messages. A | |||
| NOERROR (rather than NXDOMAIN) code in that field will impact such | NOERROR (rather than NXDOMAIN) code in that field will impact such | |||
| tools. Implementation of the optional response code restoration | tools. Implementation of the optional response code restoration | |||
| scheme will help recover NXDOMAIN visibility for these tools. Note | scheme will help recover NXDOMAIN visibility for these tools. Note | |||
| that the DNS header is not cryptographically protected, so the | that the DNS header is not cryptographically protected, so the | |||
| response code field cannot be authenticated. Thus, inferring the | response code field cannot be authenticated. Thus, inferring the | |||
| status of a response from signed data in the body of the DNS message | status of a response from signed data in the body of the DNS message | |||
| is actually more secure. These tools could be enhanced to recognize | is actually more secure. These tools could be enhanced to recognize | |||
| the (signed) NXNAME signal. | the (signed) NXNAME signal. | |||
| Because this method does not allow for aggressive negative caching | Because this method does not allow for aggressive negative caching | |||
| among resolvers, it allows for certain types of denial-of-service | among resolvers, it allows for certain types of denial-of-service | |||
| attacks to be more effective. This includes so-called Pseudorandom | attacks to be more effective. This includes so-called Pseudorandom | |||
| Subdomain Attacks [PRSD-ATTACK], where random names are queried, | Subdomain Attacks [PRSD-ATTACK], where random names are queried, | |||
| either directly via botnets or across a wide range of public resolver | either directly via botnets or across a wide range of public resolver | |||
| services, in order to intentionally generate non-existent responses | services, in order to intentionally generate nonexistent responses | |||
| from the authoritative servers for a domain. If the resolver cannot | from the authoritative servers for a domain. If the resolver cannot | |||
| synthesize NXDOMAIN responses from NSEC records, it must pass all | synthesize NXDOMAIN responses from NSEC records, it must pass all | |||
| queries on to the domain's authority servers, making resource | queries on to the domain's authority servers, making resource | |||
| exhaustion more likely at those latter servers if they do not have | exhaustion more likely at those latter servers if they do not have | |||
| the capacity to absorb those additional queries. | the capacity to absorb those additional queries. | |||
| If the motivating aspects of this specification (minimizing response | If the motivating aspects of this specification (minimizing response | |||
| size and computational costs) are not a concern, DNSSEC deployments | size and computational costs) are not a concern, DNSSEC deployments | |||
| can opt for a different method (e.g., traditional online signing or | can opt for a different method (e.g., traditional online signing or | |||
| precomputed signatures) and avoid imposing the challenges of NXDOMAIN | precomputed signatures) and avoid imposing the challenges of NXDOMAIN | |||
| skipping to change at line 525 ¶ | skipping to change at line 509 ¶ | |||
| the size of the Type Bit Maps field, which reduces the overall size | the size of the Type Bit Maps field, which reduces the overall size | |||
| of the DNS response message. | of the DNS response message. | |||
| +========+=======+=============================+===========+ | +========+=======+=============================+===========+ | |||
| | Type | Value | Meaning | Reference | | | Type | Value | Meaning | Reference | | |||
| +========+=======+=============================+===========+ | +========+=======+=============================+===========+ | |||
| | NXNAME | 128 | NXDOMAIN indicator for | RFC 9824 | | | NXNAME | 128 | NXDOMAIN indicator for | RFC 9824 | | |||
| | | | Compact Denial of Existence | | | | | | Compact Denial of Existence | | | |||
| +--------+-------+-----------------------------+-----------+ | +--------+-------+-----------------------------+-----------+ | |||
| Table 3 | Table 1 | |||
| IANA has also allocated the following flag in the "EDNS Header Flags | IANA has also allocated the following flag in the "EDNS Header Flags | |||
| (16 bits)" registry in the "Domain Name System (DNS) Parameters" | (16 bits)" registry in the "Domain Name System (DNS) Parameters" | |||
| registry group. This flag is described in Section 5.1. | registry group. This flag is described in Section 5.1. | |||
| +=======+======+====================+===========+ | +=======+======+====================+===========+ | |||
| | Bit | Flag | Description | Reference | | | Bit | Flag | Description | Reference | | |||
| +=======+======+====================+===========+ | +=======+======+====================+===========+ | |||
| | Bit 1 | CO | Compact Answers OK | RFC 9824 | | | Bit 1 | CO | Compact Answers OK | RFC 9824 | | |||
| +-------+------+--------------------+-----------+ | +-------+------+--------------------+-----------+ | |||
| Table 4 | Table 2 | |||
| Last, IANA has allocated the following code point in the "Extended | Last, IANA has allocated the following code point in the "Extended | |||
| DNS Error Codes" registry in the "Domain Name System (DNS) | DNS Error Codes" registry in the "Domain Name System (DNS) | |||
| Parameters" registry group. This code point is described in | Parameters" registry group. This code point is described in | |||
| Section 3.5. | Section 3.5. | |||
| +===========+====================+===========+ | +===========+====================+===========+ | |||
| | INFO-CODE | Purpose | Reference | | | INFO-CODE | Purpose | Reference | | |||
| +===========+====================+===========+ | +===========+====================+===========+ | |||
| | 30 | Invalid Query Type | RFC 9824 | | | 30 | Invalid Query Type | RFC 9824 | | |||
| +-----------+--------------------+-----------+ | +-----------+--------------------+-----------+ | |||
| Table 5 | Table 3 | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at line 663 ¶ | skipping to change at line 647 ¶ | |||
| DOI 10.17487/RFC8305, December 2017, | DOI 10.17487/RFC8305, December 2017, | |||
| <https://www.rfc-editor.org/info/rfc8305>. | <https://www.rfc-editor.org/info/rfc8305>. | |||
| [RFC9499] Hoffman, P. and K. Fujiwara, "DNS Terminology", BCP 219, | [RFC9499] Hoffman, P. and K. Fujiwara, "DNS Terminology", BCP 219, | |||
| RFC 9499, DOI 10.17487/RFC9499, March 2024, | RFC 9499, DOI 10.17487/RFC9499, March 2024, | |||
| <https://www.rfc-editor.org/info/rfc9499>. | <https://www.rfc-editor.org/info/rfc9499>. | |||
| Appendix A. Other Approaches | Appendix A. Other Approaches | |||
| In the past, some implementations of Compact Denial of Existence have | In the past, some implementations of Compact Denial of Existence have | |||
| used other means to differentiate NXDOMAIN from Empty Non-Terminals. | used other means to differentiate NXDOMAIN from ENTs. | |||
| One method employed by both Cloudflare and Amazon Route53 for a | One method employed by both Cloudflare and Amazon Route53 for a | |||
| period of time was the following: For responses to Empty Non- | period of time was the following: For responses to ENTs, they | |||
| Terminals, they synthesized the NSEC Type Bit Maps to include all | synthesized the NSEC Type Bit Maps field to include all record types | |||
| record types supported except for the queried type. This method has | supported except for the queried type. This method has the | |||
| the undesirable effect of no longer being able to reliably determine | undesirable effect of no longer being able to reliably determine the | |||
| the existence of ENTs and of making the Type Bit Maps field larger | existence of ENTs and of making the Type Bit Maps field larger than | |||
| than it needs to be. It also has the potential to confuse validators | it needs to be. It also has the potential to confuse validators and | |||
| and others tools that infer type existence from the NSEC record. | others tools that infer type existence from the NSEC record. | |||
| Another way to distinguish NXDOMAIN from ENT is to define the | Another way to distinguish NXDOMAIN from ENT is to define the | |||
| synthetic RR type for ENTs instead, as specified in [ENT-SENTINEL]. | synthetic RR type for ENTs instead, as specified in [ENT-SENTINEL]. | |||
| This method was successfully deployed in the field by NS1 for a | This method was successfully deployed in the field by NS1 for a | |||
| period of time. This typically imposes less work on the server since | period of time. This typically imposes less work on the server since | |||
| NXDOMAIN responses are a lot more common than ENTs. At the time it | NXDOMAIN responses are a lot more common than ENTs. At the time it | |||
| was deployed, it also allowed a common bitmap pattern ("NSEC RRSIG") | was deployed, it also allowed a common bitmap pattern ("NSEC RRSIG") | |||
| to identify NXDOMAIN across this and other implementations that | to identify NXDOMAIN across this and other implementations that | |||
| returned a broad bitmap pattern for Empty Non-Terminals. However, | returned a broad bitmap pattern for ENTs. However, the advantage of | |||
| the advantage of the NXNAME RR type is that it explicitly identifies | the NXNAME RR type is that it explicitly identifies NXDOMAIN | |||
| NXDOMAIN responses and allows them to be distinguished conclusively | responses and allows them to be distinguished conclusively from | |||
| from potential ENT responses in other online signing NSEC | potential ENT responses in other online signing NSEC implementations. | |||
| implementations. | ||||
| Appendix B. Historical Implementation Notes | Appendix B. Historical Implementation Notes | |||
| At the time of publication, the basic Compact Denial of Existence | At the time of publication, the basic Compact Denial of Existence | |||
| method using NSEC is implemented by Cloudflare, NS1, Amazon Route53, | method using NSEC is implemented by Cloudflare, NS1, Amazon Route53, | |||
| and Knot DNS's optional online signing module. From early 2021 until | and Knot DNS's optional online signing module. From early 2021 until | |||
| November 2023, NS1 had deployed the Empty Non-Terminal distinguisher | November 2023, NS1 had deployed the ENT distinguisher [ENT-SENTINEL] | |||
| [ENT-SENTINEL] using the private RR type code 65281. A version of | using the private RR type code 65281. A version of the NXNAME | |||
| the NXNAME distinguisher using the private RR type code 65238 was | distinguisher using the private RR type code 65238 was deployed by | |||
| deployed by both Cloudflare (from July 2023) and NS1 (from November | both Cloudflare (from July 2023) and NS1 (from November 2023) until | |||
| 2023) until roughly September 2024. Since September 2024, both | roughly September 2024. Since September 2024, both Cloudflare and | |||
| Cloudflare and NS1 have deployed NXNAME using the officially | NS1 have deployed NXNAME using the officially allocated code point of | |||
| allocated code point of 128. Oracle Cloud Initiative implemented | 128. Oracle Cloud Initiative implemented Compact Denial of Existence | |||
| Compact Denial of Existence using NSEC3 in October 2024. | using NSEC3 in October 2024. | |||
| Acknowledgements | Acknowledgements | |||
| The Compact Answers technique (then called "Black Lies") was | The Compact Answers technique (then called "Black Lies") was | |||
| originally proposed in [BLACK-LIES] by Filippo Valsorda and Olafur | originally proposed in [BLACK-LIES] by Filippo Valsorda and Olafur | |||
| Gudmundsson and implemented by Cloudflare. The Empty Non-Terminal | Gudmundsson and implemented by Cloudflare. The ENT distinguisher RR | |||
| distinguisher RR type was originally proposed in [ENT-SENTINEL] by | type was originally proposed in [ENT-SENTINEL] by Shumon Huque and | |||
| Shumon Huque and deployed by NS1. The NXNAME type is based on the | deployed by NS1. The NXNAME type is based on the FDOM type proposed | |||
| FDOM type proposed in [NXDOMAIN-TYPE] by Gudmundsson and Valsorda. | in [NXDOMAIN-TYPE] by Gudmundsson and Valsorda. | |||
| Especially detailed discussions on many technical aspects of this | Especially detailed discussions on many technical aspects of this | |||
| document were conducted with Paul Vixie, Jan Včelák, Viktor Dukhovni, | document were conducted with Paul Vixie, Jan Včelák, Viktor Dukhovni, | |||
| Ed Lewis, and John Levine. The authors would also like to thank the | Ed Lewis, and John Levine. The authors would also like to thank the | |||
| many other members of the IETF DNS Operations Working Group for | many other members of the IETF DNS Operations Working Group for | |||
| helpful comments and discussions. | helpful comments and discussions. | |||
| Authors' Addresses | Authors' Addresses | |||
| Shumon Huque | Shumon Huque | |||
| End of changes. 43 change blocks. | ||||
| 131 lines changed or deleted | 114 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||