DNS Transport over TCP - Operational RequirementsDataplane.orgChicagoIL60605United States of America+1 312 493 0305jtk@dataplane.orghttps://dataplane.org/jtk/Verisign12061 Bluemont WayRestonVA20190United States of America+1 703 948 3200dwessels@verisign.comhttps://verisign.com
Operations and Management
Domain Name System OperationsDNSTCPThis document updates RFCs 1123 and 1536. This
document requires the operational practice of permitting
DNS messages to be carried over TCP on the Internet as a Best
Current Practice. This operational requirement is aligned with the
implementation requirements in RFC 7766. The use of TCP includes
both DNS over unencrypted TCP as well as over an encrypted TLS
session. The document also considers the consequences of this
form of DNS communication and the potential operational issues that
can arise when this Best Current Practice is not upheld.Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further information
on BCPs is available in Section 2 of RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. Requirements Language
. History of DNS over TCP
. Uneven Transport Usage and Preference
. Waiting for Large Messages and Reliability
. EDNS(0)
. Fragmentation and Truncation
. "Only Zone Transfers Use TCP"
. Reuse, Pipelining, and Out-of-Order Processing
. DNS-over-TCP Requirements
. Network and System Considerations
. Connection Establishment and Admission
. Connection Management
. Connection Termination
. DNS over TLS
. Defaults and Recommended Limits
. DNS-over-TCP Filtering Risks
. Truncation, Retries, and Timeouts
. DNS Root Zone KSK Rollover
. Logging and Monitoring
. IANA Considerations
. Security Considerations
. Privacy Considerations
. References
. Normative References
. Informative References
. RFCs Related to DNS Transport over TCP
. RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
. RFC 1536 - Common DNS Implementation Errors and Suggested Fixes
. RFC 1995 - Incremental Zone Transfer in DNS
. RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
. RFC 2181 - Clarifications to the DNS Specification
. RFC 2694 - DNS extensions to Network Address Translators (DNS_ALG)
. RFC 3225 - Indicating Resolver Support of DNSSEC
. RFC 4472 - Operational Considerations and Issues with IPv6 DNS
. RFC 5452 - Measures for Making DNS More Resilient against Forged Answers
. RFC 5507 - Design Choices When Expanding the DNS
. RFC 5625 - DNS Proxy Implementation Guidelines
. RFC 5936 - DNS Zone Transfer Protocol (AXFR)
. RFC 7534 - AS112 Nameserver Operations
. RFC 6762 - Multicast DNS
. RFC 6891 - Extension Mechanisms for DNS (EDNS(0))
. IAB RFC 6950 - Architectural Considerations on Application Features in the DNS
. RFC 7477 - Child-to-Parent Synchronization in DNS
. RFC 7720 - DNS Root Name Service Protocol and Deployment Requirements
. RFC 7766 - DNS Transport over TCP - Implementation Requirements
. RFC 7828 - The edns-tcp-keepalive EDNS(0) Option
. RFC 7858 - Specification for DNS over Transport Layer Security (TLS)
. RFC 7873 - Domain Name System (DNS) Cookies
. RFC 7901 - CHAIN Query Requests in DNS
. RFC 8027 - DNSSEC Roadblock Avoidance
. RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)
. RFC 8162 - Using Secure DNS to Associate Certificates with Domain Names for S/MIME
. RFC 8324 - DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look?
. RFC 8467 - Padding Policies for Extension Mechanisms for DNS (EDNS(0))
. RFC 8482 - Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY
. RFC 8483 - Yeti DNS Testbed
. RFC 8484 - DNS Queries over HTTPS (DoH)
. RFC 8490 - DNS Stateful Operations
. RFC 8501 - Reverse DNS in IPv6 for Internet Service Providers
. RFC 8806 - Running a Root Server Local to a Resolver
. RFC 8906 - A Common Operational Problem in DNS Servers: Failure to Communicate
. RFC 8932 - Recommendations for DNS Privacy Service Operators
. RFC 8945 - Secret Key Transaction Authentication for DNS (TSIG)
Acknowledgments
Authors' Addresses
IntroductionDNS messages are delivered using UDP or TCP communications.
While most DNS transactions are carried over UDP, some operators
have been led to believe that any DNS-over-TCP traffic is unwanted
or unnecessary for general DNS operation. When DNS over TCP has
been restricted, a variety of communication failures and debugging
challenges often arise. As DNS and new naming system features have
evolved, TCP as a transport has become increasingly important for
the correct and safe operation of an Internet DNS. Reflecting
modern usage, the DNS standards declare that
support for TCP is a required part of the DNS implementation
specifications . This document is the
equivalent of formal requirements for the operational community,
encouraging system administrators, network engineers, and security
staff to ensure DNS-over-TCP communications support is on par with
DNS-over-UDP communications. It updates to clarify that all DNS resolvers and recursive
servers
MUST support and service both TCP and UDP queries and also
updates to remove the misconception
that TCP is only useful for zone transfers.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
History of DNS over TCPThe curious state of disagreement between operational best practices
and guidance for DNS transport protocols derives from conflicting
messages operators have received from other operators, implementors,
and even the IETF. Sometimes these mixed signals have been
explicit; on other occasions, conflicting messages have been implicit. This
section presents an interpretation of the storied and conflicting
history that led to this document. This section is included for
informational purposes only.Uneven Transport Usage and PreferenceIn the original suite of DNS specifications, and clearly specify
that DNS messages could be carried in either
UDP or TCP, but they also state that there is a preference for UDP as the
best transport for queries in the general case. As stated in
:
While virtual circuits can be used for any DNS activity,
datagrams are preferred for queries due to their lower overhead
and better performance.
Another early, important, and influential document, , marks the preference for a transport protocol more explicitly:
DNS resolvers and recursive servers MUST support UDP, and
SHOULD support TCP, for sending (non-zone-transfer) queries.
and it further stipulates that:
A name server MAY limit the resources it devotes to TCP
queries, but it SHOULD NOT refuse to service a TCP query just
because it would have succeeded with UDP.
Culminating in , DNS over TCP
came to be associated primarily with the zone transfer mechanism,
while most DNS queries and responses were seen as the dominion of
UDP.Waiting for Large Messages and ReliabilityIn the original specifications, the maximum DNS-over-UDP
message size was enshrined at 512 bytes. However, even while
prefers UDP for non-zone transfer
queries, it foresaw that DNS over TCP would become more popular in the future to overcome this limitation:
[...] it is also clear that some new DNS record types
defined in the future will contain information exceeding the
512 byte limit that applies to UDP, and hence will require
TCP.
At least two new, widely anticipated developments were set to
elevate the need for DNS-over-TCP transactions. The first was
dynamic updates defined in , and the
second was the set of extensions collectively known as "DNSSEC",
whose operational considerations were originally given in
(note that has been obsoleted by ). The
former suggests that
...requestors who require an accurate response
code must use TCP.
while the latter warns that
... larger keys
increase the size of the KEY and SIG RRs. This increases the chance
of DNS UDP packet overflow and the possible necessity for using
higher overhead TCP in responses.
Yet, defying some expectations, DNS over TCP remained little used
in real traffic across the Internet in the late 1990s. Dynamic updates saw
little deployment between autonomous networks. Around the time
DNSSEC was first defined, another new feature helped solidify
UDP transport dominance for message transactions.EDNS(0)In 1999, the IETF published the Extension Mechanisms for DNS (EDNS(0)) in (which was obsoleted by in 2013). That document
standardized a way for communicating DNS nodes to perform
rudimentary capabilities negotiation. One such capability
written into the base specification and present in every EDNS(0)-compatible
message is the value of the maximum UDP payload size
the sender can support. This unsigned 16-bit field specifies,
in bytes, the maximum (possibly fragmented) DNS message size a
node is capable of receiving over UDP. In practice, typical values are
a subset of the 512- to 4096-byte range. EDNS(0) became
widely deployed over the next several years, and numerous surveys
(see and )
have shown that many systems support larger UDP MTUs
with EDNS(0).The natural effect of EDNS(0) deployment meant DNS messages
larger than 512 bytes would be less reliant on TCP than they
might otherwise have been. While a non-negligible population of
DNS systems lacked EDNS(0) or fell back to TCP when necessary,
DNS clients still strongly prefer UDP to TCP.
For example, as of 2014,
DNS-over-TCP transactions remained a very small fraction of
overall DNS traffic received by root name servers .Fragmentation and TruncationAlthough EDNS(0) provides a way for endpoints to signal support for
DNS messages exceeding 512 bytes, the realities of a diverse and
inconsistently deployed Internet may result in some large messages
being unable to reach their destination. Any IP datagram whose size
exceeds the MTU of a link it transits will be fragmented and then
reassembled by the receiving host. Unfortunately, it is not uncommon
for middleboxes and firewalls to block IP fragments. If one or more
fragments do not arrive, the application does not receive the message,
and the request times out.For IPv4-connected hosts, the MTU is often an Ethernet
payload size of 1500 bytes. This means that the largest unfragmented
UDP DNS message that can be sent over IPv4 is likely 1472 bytes,
although tunnel encapsulation may reduce that maximum message
size in some cases.For
IPv6, the situation is a little more complicated. First, IPv6 headers
are 40 bytes (versus 20 without options in IPv4). Second, approximately
one-third of DNS recursive resolvers
use the minimum MTU of 1280 bytes .
Third, fragmentation in IPv6 can only be
done by the host originating the datagram. The need to fragment is
conveyed in an ICMPv6 "Packet Too Big" message. The originating host
indicates a fragmented datagram with IPv6 extension headers.
Unfortunately, it is quite common for both ICMPv6 and IPv6 extension
headers to be blocked by middleboxes. According to
, some 35% of IPv6-capable
recursive resolvers were unable to receive a fragmented IPv6 packet.
When the originating host receives a signal that
fragmentation is required, it is expected to populate its path
MTU cache for that destination. The application will then retry
the query after a timeout since the host does not generally retain
copies of messages sent over UDP for potential retransmission.The practical consequence of all this is that DNS requestors
must be prepared to retry queries with different EDNS(0) maximum
message size values. Administrators of are likely to be
familiar with seeing the following message in their system logs: "success resolving ... after reducing the
advertised EDNS(0) UDP packet size to 512 octets".Often, reducing the EDNS(0) UDP packet size leads to a
successful response. That is, the necessary data fits within the
smaller message size. However, when the data does not fit, the
server sets the truncated flag in its response, indicating the
client should retry over TCP to receive the whole response. This
is undesirable from the client's point of view because it adds
more latency and is potentially undesirable from the server's point
of view due to the increased resource requirements of TCP.Note that a receiver is unable to differentiate between packets
lost due to congestion and packets (fragments) intentionally
dropped by firewalls or middleboxes. Over network paths with
non-trivial amounts of packet loss, larger, fragmented DNS responses
are more likely to never arrive and time out compared to smaller,
unfragmented responses. Clients might be misled into retrying
queries with different EDNS(0) UDP packet size values for the
wrong reason.The issues around fragmentation, truncation, and TCP are
driving certain implementation and policy decisions in the DNS.
Notably, Cloudflare implemented a technique that minimizes the number of DNSSEC denial-of-existence records (for its online signing platform)
and uses an Elliptic Curve Digital
Signature Algorithm (ECDSA) such that
its signed responses fit easily in 512 bytes. The Key Signing Key (KSK) Rollover
Design Team spent a lot of time
thinking and worrying about response sizes. There is growing
sentiment in the DNSSEC community that RSA key sizes beyond
2048 bits are impractical and that critical infrastructure zones
should transition to elliptic curve algorithms to keep response
sizes manageable .More recently, renewed security concerns about fragmented DNS
messages (see and )
are leading implementors to consider smaller responses and lower
default EDNS(0) UDP payload size values for both queriers and
responders ."Only Zone Transfers Use TCP"Today, the majority of the DNS community expects, or at least
has a desire, to see DNS-over-TCP transactions occur without
interference . However, there has also been a long-held belief by
some operators, particularly for security-related reasons, that
DNS-over-TCP services should be purposely limited or not provided
at all . A popular meme is
that DNS over TCP is only ever used for zone
transfers and is generally unnecessary otherwise, with filtering
all DNS-over-TCP traffic even described as a best practice.The position on restricting DNS over TCP had some
justification given that historical implementations of DNS
name servers provided very little in the way of TCP connection
management (for example, see for more details). However, modern
standards and implementations are nearing parity with the more
sophisticated TCP management techniques employed by, for example,
HTTP(S) servers and load balancers.Reuse, Pipelining, and Out-of-Order ProcessingThe idea that a TCP connection can support multiple transactions
goes back as far as , which states:
"Multiple messages may be sent over a virtual circuit." Although
, which updates the former, omits this
particular detail, it has been generally accepted that a TCP connection
can be used for more than one query and response. clarifies that servers are not
required to preserve the order of queries and responses over
any transport.
, which updates the former, further
encourages query pipelining over TCP to achieve performance on
par with UDP.
A server that sends out-of-order responses to pipelined queries
avoids head-of-line blocking when the response for a later
query is ready before the response to an earlier query.However, TCP can potentially suffer from a different
head-of-line blocking problem due to packet loss.
Since TCP itself enforces ordering, a single lost segment
delays delivery of data in any following segments until
the lost segment is retransmitted and successfully received.DNS-over-TCP RequirementsAn average increase in DNS message size (e.g., due to DNSSEC),
the continued development of new DNS features (), and a denial-of-service mitigation
technique () all show that
DNS-over-TCP transactions are as important to the correct and safe
operation of the Internet DNS as ever, if not more so.
Furthermore, there has been research that argues
connection-oriented DNS transactions may provide security and
privacy advantages over UDP transport .
In fact, the standard for DNS over TLS
is just this sort of specification. Therefore, this document makes
explicit that it is undesirable for network operators to
artificially inhibit DNS-over-TCP transport. is updated as follows:OLD:
DNS resolvers and recursive servers MUST support UDP, and
SHOULD support TCP, for sending (non-zone-transfer) queries.
NEW:
All DNS resolvers and servers MUST support and service
both UDP and TCP queries.
Note that:
DNS servers (including forwarders) MUST support and service
TCP for receiving queries so that clients can reliably receive
responses that are larger than what either side considers too large
for UDP.
DNS clients MUST support TCP for sending
queries so that they can retry truncated UDP responses as necessary.
Furthermore, the requirement in around limiting the resources a server devotes
to queries is hereby updated:OLD:
A name server MAY limit the resources it devotes to TCP queries,
but it SHOULD NOT refuse to service a TCP query just
because it would have succeeded with UDP.
NEW:
A name server MAY limit the resources it devotes to queries, but
it MUST NOT refuse to service a query just because it would have
succeeded with another transport protocol.
Lastly, is updated to eliminate
the misconception that TCP is only useful for zone transfers:OLD:
DNS implements the classic request-response scheme of
client-server interaction. UDP is, therefore, the chosen protocol
for communication though TCP is used for zone transfers.
NEW:
DNS implements the classic request-response scheme of
client-server interaction.
The filtering of DNS over TCP is harmful in the general
case. DNS resolver and server operators MUST support and provide
DNS service over both UDP and TCP transports. Likewise, network
operators MUST allow DNS service over both UDP and TCP transports.
It is acknowledged that DNS-over-TCP service can pose operational
challenges that are not present when running DNS over UDP alone,
and vice versa. However,
the potential damage incurred by prohibiting DNS-over-TCP
service is more detrimental to the continued utility and success of
the DNS than when its usage is allowed.Network and System ConsiderationsThis section describes measures that systems and applications
can take to optimize performance over TCP and to protect themselves
from TCP-based resource exhaustion and attacks.Connection Establishment and AdmissionResolvers and other DNS clients should be aware that some
servers might not be reachable over TCP. For this reason, clients
MAY track and limit the number of TCP connections and
connection attempts to a single server. Reachability problems
can be caused by network elements close to the server, close
to the client, or anywhere along the path between them. Mobile
clients that cache connection failures MAY do so on a per-network
basis or MAY clear such a cache upon change of network.Additionally, DNS clients
MAY enforce a short timeout on unestablished connections
rather than rely on the host operating system's TCP connection
timeout, which is often around 60-120 seconds (i.e., due to an
initial retransmission timeout of 1 second, the exponential
back-off rules of , and a limit of six
retries as is the default in Linux).The SYN flooding attack is a denial-of-service method
affecting hosts that run TCP server processes . This attack can be very effective if
not mitigated. One of the most effective mitigation techniques
is SYN cookies, described in , which allows the server to avoid allocating
any state until the successful completion of the three-way
handshake.Services not intended for use by the public Internet,
such as most recursive name servers, SHOULD be protected
with access controls. Ideally, these controls are placed in
the network, well before any unwanted TCP packets can
reach the DNS server host or application. If this is not
possible, the controls can be placed in the application
itself. In some situations (e.g., attacks), it may be necessary
to deploy access controls for DNS services that should
otherwise be globally reachable. See also .The FreeBSD and NetBSD operating systems have an "accept filter" feature
()
that postpones delivery of TCP connections to applications
until a complete, valid request has been received. The
dns_accf(9) filter ensures that a valid DNS message is
received. If not, the bogus connection never reaches the
application.
The Linux TCP_DEFER_ACCEPT feature, while more limited in scope,
can provide some of the same benefits as the BSD accept filter
feature.
These features are implemented as low-level socket options
and are not activated automatically. If applications wish to
use these features, they need to make specific calls to set the
right options, and administrators may also need to configure the
applications to appropriately use the features.Per , applications and administrators
are advised to remember that TCP MAY be used before sending
any UDP queries. Networks and applications MUST NOT be configured
to refuse TCP queries that were not preceded by a UDP query.TCP Fast Open (TFO) allows TCP
clients to shorten the handshake for subsequent connections
to the same server. TFO saves one round-trip time in the
connection setup. DNS servers SHOULD enable TFO when possible.
Furthermore, DNS servers clustered behind a single service
address (e.g., anycast or load balancing) SHOULD either use the
same TFO server key on all instances or disable TFO for all members of the cluster.DNS clients MAY also enable TFO. At the time of this writing, it is not implemented or is disabled by default on some operating systems.
describes applications and operating systems
that support TFO.Connection ManagementSince host memory for TCP state is a finite resource, DNS
clients and
servers SHOULD actively manage their connections. Applications
that do not actively manage their connections
can encounter resource exhaustion leading to denial of
service. For DNS, as in other protocols, there is a trade-off
between keeping connections open for potential future use and
the need to free up resources for new connections that will arrive.Operators of DNS server software SHOULD be aware that operating
system and application vendors MAY impose a limit on the total
number of established connections. These limits may be designed
to protect against DDoS attacks or performance degradation.
Operators SHOULD understand how to increase these limits if
necessary and the consequences of doing so. Limits imposed by
the application SHOULD be lower than limits imposed by the
operating system so that the application can apply its own
policy to connection management, such as closing the oldest
idle connections first.DNS server software MAY provide a configurable limit on
the number of established connections per source IP address
or subnet. This can be used to ensure that a single or small
set of users cannot consume all TCP resources and deny
service to other users. Note, however, that if this limit
is enabled, it possibly limits client performance while leaving
some TCP resources unutilized. Operators SHOULD be aware of
these trade-offs and ensure this limit, if configured,
is set appropriately based on the number and diversity
of their users and whether users connect from unique IP addresses or
through a shared Network Address Translator (NAT) .DNS server software SHOULD provide a configurable timeout
for idle TCP connections. This can be used to free up resources
for new connections and to ensure that idle
connections are eventually closed. At the same time, it possibly
limits client performance while leaving some TCP resources unutilized.
For very busy name servers, this
might be set to a low value, such as a few seconds. For
less busy servers, it might be set to a higher value, such
as tens of seconds. DNS clients and servers SHOULD signal
their timeout values using the edns-tcp-keepalive EDNS(0)
option .DNS server software MAY provide a configurable limit on
the number of transactions per TCP connection.
This can help protect against unfair connection use (e.g., not releasing
connection slots to other clients) and network evasion attacks.Similarly, DNS server software MAY provide a configurable
limit on the total duration of a TCP connection.
This can help protect against unfair connection use, slow read attacks,
and network evasion attacks.Since clients may not be aware of server-imposed limits,
clients utilizing TCP for DNS need to always be prepared to
re-establish connections or otherwise retry outstanding
queries.Connection TerminationThe TCP peer that initiates a
connection close retains the socket in the TIME_WAIT state
for some amount of time, possibly a few minutes.
It is generally preferable for clients to initiate the
close of a TCP connection so that busy servers do not
accumulate many sockets in the TIME_WAIT state, which can
cause performance problems or even denial of service.
The edns-tcp-keepalive EDNS(0) option
can be used to encourage clients to close connections.On systems where large numbers of sockets in TIME_WAIT
are observed (as either a client or a server) and are affecting
an application's performance, it may be tempting to tune local TCP
parameters. For example, the Linux kernel has
a "sysctl" parameter named net.ipv4.tcp_tw_reuse, which allows
connections in the TIME_WAIT state to be reused in specific
circumstances. Note, however, that this affects only outgoing (client)
connections and has no impact on servers. In most cases, it is NOT RECOMMENDED to change parameters related to the TIME_WAIT state.
It should only be done by those with detailed knowledge of both TCP
and the affected application.DNS over TLSDNS messages may be sent over TLS to provide privacy
between stubs and recursive resolvers.
is a Standards Track document describing how this works.
Although DNS over TLS utilizes TCP port 853 instead of port 53, this
document applies equally well to DNS over TLS. Note, however,
that DNS over TLS is only defined between stubs and
recursives at the time of this writing.The use of TLS places even stronger operational burdens
on DNS clients and servers. Cryptographic functions for
authentication and encryption require additional processing.
Unoptimized connection setup with TLS 1.3
takes one additional round trip compared to TCP.
Connection setup
times can be reduced with TCP Fast Open and TLS False Start for TLS 1.2. TLS 1.3 session resumption does not
reduce round-trip latency because no application profile for use of
TLS 0-RTT data with DNS has been published at the time of this
writing. However, TLS session resumption can reduce the number of
cryptographic operations, and in TLS 1.2, session resumption does
reduce the number of additional round trips from two to one.Defaults and Recommended LimitsA survey of features and defaults was conducted for popular
open-source DNS server implementations at the time of writing.
This section documents those defaults and makes recommendations
for configurable limits that can be used in the absence of any
other information. Any recommended values in this document are
only intended as a starting point for administrators that are
unsure of what sorts of limits might be reasonable. Operators SHOULD
use application-specific monitoring, system logs, and system
monitoring tools to gauge whether their service is operating
within or exceeding these limits and adjust accordingly.Most open-source DNS server implementations provide a
configurable limit on the total number of established connections.
Default values range from 20 to 150. In most cases, where the
majority of queries take place over UDP, 150 is a reasonable limit.
For services or environments where most queries take place over
TCP or TLS, 5000 is a more appropriate limit.Only some open-source implementations provide a way to limit
the number of connections per source IP address or subnet, but
the default is to have no limit. For environments or situations
where it may be necessary to enable this limit, 25 connections
per source IP address is a reasonable starting point. The limit
should be increased when aggregated by subnet or for services
where most queries take place over TCP or TLS.Most open-source implementations provide a configurable idle
timeout on connections. Default values range from 2 to 30 seconds.
In most cases, 10 seconds is a reasonable default for this limit.
Longer timeouts improve connection reuse, but busy servers may
need to use a lower limit.Only some open-source implementations provide a way to limit
the number of transactions per connection, but the default is to
have no limit. This document does not offer advice on particular
values for such a limit.Only some open-source implementations provide a way to limit
the duration of connection, but the default is to have no limit.
This document does not offer advice on particular values for such
a limit.DNS-over-TCP Filtering RisksNetworks that filter DNS over TCP risk losing access to
significant or important pieces of the DNS namespace. For a
variety of reasons, a DNS answer may require a DNS-over-TCP query.
This may include large message sizes, lack of EDNS(0) support, or DDoS
mitigation techniques (including Response Rate Limiting ); additionally, perhaps some future capability that is as
yet unforeseen will also demand TCP transport.For example, describes a latency-avoiding
technique that sends extra data in DNS responses. This makes
responses larger and potentially increases the effectiveness of DDoS reflection
attacks. The specification mandates the use of TCP or DNS
cookies .Even if any or all particular answers have consistently been
returned successfully with UDP in the past, this continued behavior
cannot be guaranteed when DNS messages are exchanged between
autonomous systems. Therefore, filtering of DNS over TCP is
considered harmful and contrary to the safe and successful operation
of the Internet. This section enumerates some of the known risks
at the time of this writing when networks filter DNS over
TCP.Truncation, Retries, and TimeoutsNetworks that filter DNS over TCP may inadvertently cause
problems for third-party resolvers as experienced by . For example, a resolver receives queries
for a moderately popular domain. The resolver forwards the queries
to the domain's authoritative name servers, but those servers
respond with the TC bit set. The resolver retries over TCP,
but the authoritative server blocks DNS over TCP. The pending
connections consume resources on the resolver until they time out.
If the number
and frequency of these truncated-and-then-blocked queries are sufficiently high,
the resolver wastes valuable resources on queries that can never be answered.
This condition is generally not easily or completely mitigated by the
affected DNS resolver operator.DNS Root Zone KSK RolloverThe plans for deploying DNSSEC KSK for the root zone highlighted
a potential problem in retrieving the root zone key set . During some phases of the KSK rollover process,
root zone DNSKEY responses were
larger than 1280 bytes, the IPv6 minimum MTU for links
carrying IPv6 traffic .
There was some concern
that any DNS server unable to receive large
DNS messages over UDP, or any DNS message over TCP, would experience
disruption while performing DNSSEC validation .However, during the
year-long postponement of the KSK rollover, there were no reported problems
that could be attributed to the 1414 octet DNSKEY response when both
the old and new keys were published in the zone. Additionally, there
were no reported problems during the two-month period when the old key was
published as revoked and the DNSKEY response was 1425 octets in size .Logging and MonitoringDevelopers of applications that log or monitor DNS
SHOULD NOT ignore TCP due to the perception that it is rarely used or
is hard to process. Operators SHOULD ensure that
their monitoring and logging applications properly capture
DNS messages over TCP. Otherwise, attacks, exfiltration
attempts, and normal traffic may go undetected.DNS messages over TCP are in no way guaranteed to arrive
in single segments. In fact, a clever attacker might attempt
to hide certain messages by forcing them over very small TCP
segments. Applications that capture network packets (e.g.,
with libpcap ) SHOULD implement and perform full
TCP stream reassembly and analyze the reassembled stream instead of the individual packets.
Otherwise, they are vulnerable to network evasion attacks .
Furthermore, such applications need to protect
themselves from resource exhaustion attacks by limiting the amount
of memory allocated to tracking unacknowledged connection state data.
dnscap is an
open-source example of a DNS logging program that implements
TCP stream reassembly.Developers SHOULD also keep in mind connection reuse,
query pipelining, and out-of-order responses when building and testing
DNS monitoring applications.As an alternative to packet capture, some DNS server software
supports dnstap as an integrated monitoring
protocol intended to facilitate wide-scale DNS monitoring.IANA ConsiderationsThis document has no IANA actions.Security ConsiderationsThis document, providing operational requirements, is the
companion to the implementation requirements of DNS over TCP
provided in . The security considerations
from still apply.Ironically, returning truncated DNS-over-UDP answers in order
to induce a client query to switch to DNS over TCP has become
a common response to source-address-spoofed, DNS denial-of-service
attacks . Historically, operators have
been wary of TCP-based attacks, but in recent years, UDP-based
flooding attacks have proven to be the most common protocol attack
on the DNS. Nevertheless, a high rate of short-lived DNS
transactions over TCP may pose challenges. In fact, details a class of IP fragmentation attacks
on DNS transactions if the IP Identifier field (16 bits in IPv4 and 32 bits in IPv6) can be predicted and a
system is coerced to fragment rather than retransmit messages.
While many operators have provided DNS-over-TCP service for many
years without duress, past experience is no guarantee of future
success.DNS over TCP is similar to many other Internet TCP services.
TCP threats and many mitigation strategies have been
well documented in a series of documents such as , , , and .As mentioned in , applications
that implement TCP stream reassembly need to limit the amount of
memory allocated to connection tracking. A failure to do so could
lead to a total failure of the logging or monitoring application.
Imposition of resource limits creates a trade-off between allowing
some stream reassembly to continue and allowing some evasion attacks
to succeed.This document recommends that DNS servers enable TFO when possible.
recommends that a pool of servers behind a load balancer with a shared
server IP address also share the key used to generate Fast Open cookies
to prevent inordinate fallback to the three-way handshake (3WHS). This guidance remains
accurate but comes with a caveat: compromise of one server would reveal
this group-shared key and allow for attacks involving the other servers
in the pool by forging invalid Fast Open cookies.Privacy ConsiderationsSince DNS over both UDP and TCP uses the same underlying message
format, the use of one transport instead of the other does not change
the privacy characteristics of the message content (i.e., the name
being queried). A number of protocols have recently been developed to
provide DNS privacy, including DNS over TLS ,
DNS over DTLS , DNS over HTTPS
, with even more on the way.Because TCP is somewhat more complex than UDP, some
characteristics of a TCP conversation may enable DNS client fingerprinting and
tracking that is not possible with UDP. For example, the choice of
initial sequence numbers, window size, and options might be able
to identify a particular TCP implementation or even individual
hosts behind shared resources such as NATs.ReferencesNormative ReferencesDomain names - implementation and specificationThis RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Clarifications to the DNS SpecificationThis document considers some areas that have been identified as problems with the specification of the Domain Name System, and proposes remedies for the defects identified. [STANDARDS-TRACK]Extension Mechanisms for DNS (EDNS(0))The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow.This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS.DNS Transport over TCP - Implementation RequirementsThis document specifies the requirement for support of TCP as a transport protocol for DNS implementations and provides guidelines towards DNS-over-TCP performance on par with that of DNS-over-UDP. This document obsoletes RFC 5966 and therefore updates RFC 1035 and RFC 1123.The edns-tcp-keepalive EDNS0 OptionDNS messages between clients and servers may be received over either UDP or TCP. UDP transport involves keeping less state on a busy server, but can cause truncation and retries over TCP. Additionally, UDP can be exploited for reflection attacks. Using TCP would reduce retransmits and amplification. However, clients commonly use TCP only for retries and servers typically use idle timeouts on the order of seconds.This document defines an EDNS0 option ("edns-tcp-keepalive") that allows DNS servers to signal a variable idle timeout. This signalling encourages the use of long-lived TCP connections by allowing the state associated with TCP transport to be managed effectively with minimal impact on the DNS transaction time.Domain Name System (DNS) CookiesDNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification/ forgery or cache poisoning attacks by off-path attackers. DNS Cookies are tolerant of NAT, NAT-PT (Network Address Translation - Protocol Translation), and anycast and can be incrementally deployed. (Since DNS Cookies are only returned to the IP address from which they were originally received, they cannot be used to generally track Internet users.)Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Informative ReferencesFreeBSD accept_filter(9)FreeBSDDNS XLFragmentation Avoidance in DNSJapan Registry Services Co., Ltd.none EDNS0 enables a DNS server to send large responses using UDP and is
widely deployed. Path MTU discovery remains widely undeployed due to
security issues, and IP fragmentation has exposed weaknesses in
application protocols. Currently, DNS is known to be the largest
user of IP fragmentation. It is possible to avoid IP fragmentation
in DNS by limiting response size where possible, and signaling the
need to upgrade from UDP to TCP transport where necessary. This
document proposes to avoid IP fragmentation in DNS.
Work in ProgressBIND 9Internet Systems ConsortiumUnderstanding and Preparing for DNS EvolutionFirewalls and Internet Security: Repelling the Wily HackerFirst EditionEconomical With The Truth: Making DNSSEC Answers CheapCloudflareDNS-over-TCP Considered VulnerableRoot Zone KSK Rollover PlanICANNWhen are TCP queries sent?DNSCAPDNS-OARCdnstapMaking the Case for Elliptic Curves in DNSSECDNS Flag Day 2020DNS Software and Service ProvidersFragmentation Considered PoisonousDealing with IPv6 fragmentation in the DNSKSK Rollover List ArchivesICANN2017 DNSSEC KSK RolloverRIPE 74Tcpdump and LibpcapThe Tcpdump GroupNetalyzr: Illuminating The Edge NetworkDefeating Sniffers and Intrusion Detection SystemsPhrack MagazineUser Datagram ProtocolTransmission Control ProtocolDomain names: Implementation specificationThis RFC discusses the implementation of domain name servers and resolvers, specifies the format of transactions, and discusses the use of domain names in the context of existing mail systems and other network software.Domain names - concepts and facilitiesThis RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.Requirements for Internet Hosts - Application and SupportThis RFC is an official specification for the Internet community. It incorporates by reference, amends, corrects, and supplements the primary protocol standards documents relating to hosts. [STANDARDS-TRACK]Common DNS Implementation Errors and Suggested FixesThis memo describes common errors seen in DNS implementations and suggests some fixes. This memo provides information for the Internet community. It does not specify an Internet standard.Incremental Zone Transfer in DNSThis document proposes extensions to the DNS protocols to provide an incremental zone transfer (IXFR) mechanism. [STANDARDS-TRACK]A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)This memo describes the NOTIFY opcode for DNS, by which a master server advises a set of slave servers that the master's data has been changed and that a query should be initiated to discover the new data. [STANDARDS-TRACK]Dynamic Updates in the Domain Name System (DNS UPDATE)Using this specification of the UPDATE opcode, it is possible to add or delete RRs or RRsets from a specified zone. Prerequisites are specified separately from update operations, and can specify a dependency upon either the previous existence or nonexistence of an RRset, or the existence of a single RR. [STANDARDS-TRACK]DNS Security Operational ConsiderationsThis document discusses these operational aspects for keys and signatures used in connection with the KEY and SIG DNS resource records. This memo provides information for the Internet community.Extension Mechanisms for DNS (EDNS0)The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow clients to advertise their capabilities to servers. This document describes backward compatible mechanisms for allowing the protocol to grow. [STANDARDS-TRACK]DNS extensions to Network Address Translators (DNS_ALG)This document identifies the need for DNS extensions to NATs and outlines how a DNS Application Level Gateway (DNS_ALG) can meet the need. This memo provides information for the Internet community.Traditional IP Network Address Translator (Traditional NAT)The NAT operation described in this document extends address translation introduced in RFC 1631 and includes a new type of network address and TCP/UDP port translation. In addition, this document corrects the Checksum adjustment algorithm published in RFC 1631 and attempts to discuss NAT operation and limitations in detail. This memo provides information for the Internet community.Indicating Resolver Support of DNSSECIn order to deploy DNSSEC (Domain Name System Security Extensions) operationally, DNSSEC aware servers should only perform automatic inclusion of DNSSEC RRs when there is an explicit indication that the resolver can understand those RRs. This document proposes the use of a bit in the EDNS0 header to provide that explicit indication and describes the necessary protocol changes to implement that notification. [STANDARDS-TRACK]DNSSEC and IPv6 A6 aware server/resolver message size requirementsThis document mandates support for EDNS0 (Extension Mechanisms for DNS) in DNS entities claiming to support either DNS Security Extensions or A6 records. This requirement is necessary because these new features increase the size of DNS messages. If EDNS0 is not supported fall back to TCP will happen, having a detrimental impact on query latency and DNS server load. This document updates RFC 2535 and RFC 2874, by adding new requirements. [STANDARDS-TRACK]Operational Considerations and Issues with IPv6 DNSThis memo presents operational considerations and issues with IPv6 Domain Name System (DNS), including a summary of special IPv6 addresses, documentation of known DNS implementation misbehavior, recommendations and considerations on how to perform DNS naming for service provisioning and for DNS resolver IPv6 support, considerations for DNS updates for both the forward and reverse trees, and miscellaneous issues. This memo is aimed to include a summary of information about IPv6 DNS considerations for those who have experience with IPv4 DNS. This memo provides information for the Internet community.Defending TCP Against Spoofing AttacksRecent analysis of potential attacks on core Internet infrastructure indicates an increased vulnerability of TCP connections to spurious resets (RSTs), sent with forged IP source addresses (spoofing). TCP has always been susceptible to such RST spoofing attacks, which were indirectly protected by checking that the RST sequence number was inside the current receive window, as well as via the obfuscation of TCP endpoint and port numbers. For pairs of well-known endpoints often over predictable port pairs, such as BGP or between web servers and well-known large-scale caches, increases in the path bandwidth-delay product of a connection have sufficiently increased the receive window space that off-path third parties can brute-force generate a viable RST sequence number. The susceptibility to attack increases with the square of the bandwidth, and thus presents a significant vulnerability for recent high-speed networks. This document addresses this vulnerability, discussing proposed solutions at the transport level and their inherent challenges, as well as existing network level solutions and the feasibility of their deployment. This document focuses on vulnerabilities due to spoofed TCP segments, and includes a discussion of related ICMP spoofing attacks on TCP connections. This memo provides information for the Internet community.TCP SYN Flooding Attacks and Common MitigationsThis document describes TCP SYN flooding attacks, which have been well-known to the community for several years. Various countermeasures against these attacks, and the trade-offs of each, are described. This document archives explanations of the attack and common defense techniques for the benefit of TCP implementers and administrators of TCP servers or networks, but does not make any standards-level recommendations. This memo provides information for the Internet community.Preventing Use of Recursive Nameservers in Reflector AttacksThis document describes ways to prevent the use of default configured recursive nameservers as reflectors in Denial of Service (DoS) attacks. It provides recommended configuration as measures to mitigate the attack. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Measures for Making DNS More Resilient against Forged AnswersThe current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder.Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation.By describing certain behavior that has previously not been standardized, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 2181. [STANDARDS-TRACK]Design Choices When Expanding the DNSIABThis note discusses how to extend the DNS with new data for a new application. DNS extension discussions too often focus on reuse of the TXT Resource Record Type. This document lists different mechanisms to extend the DNS, and concludes that the use of a new DNS Resource Record Type is the best solution. This memo provides information for the Internet community.DNS Proxy Implementation GuidelinesThis document provides guidelines for the implementation of DNS proxies, as found in broadband gateways and other similar network devices. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.ICMP Attacks against TCPThis document discusses the use of the Internet Control Message Protocol (ICMP) to perform a variety of attacks against the Transmission Control Protocol (TCP). Additionally, this document describes a number of widely implemented modifications to TCP's handling of ICMP error messages that help to mitigate these issues. This document is not an Internet Standards Track specification; it is published for informational purposes.DNS Zone Transfer Protocol (AXFR)The standard means within the Domain Name System protocol for maintaining coherence among a zone's authoritative name servers consists of three mechanisms. Authoritative Transfer (AXFR) is one of the mechanisms and is defined in RFC 1034 and RFC 1035.The definition of AXFR has proven insufficient in detail, thereby forcing implementations intended to be compliant to make assumptions, impeding interoperability. Yet today we have a satisfactory set of implementations that do interoperate. This document is a new definition of AXFR -- new in the sense that it records an accurate definition of an interoperable AXFR mechanism. [STANDARDS-TRACK]Improving TCP's Robustness to Blind In-Window AttacksTCP has historically been considered to be protected against spoofed off-path packet injection attacks by relying on the fact that it is difficult to guess the 4-tuple (the source and destination IP addresses and the source and destination ports) in combination with the 32-bit sequence number(s). A combination of increasing window sizes and applications using longer-term connections (e.g., H-323 or Border Gateway Protocol (BGP) [STANDARDS-TRACK]DNS Transport over TCP - Implementation RequirementsThis document updates the requirements for the support of TCP as a transport protocol for DNS implementations. [STANDARDS-TRACK]Computing TCP's Retransmission TimerThis document defines the standard algorithm that Transmission Control Protocol (TCP) senders are required to use to compute and manage their retransmission timer. It expands on the discussion in Section 4.2.3.1 of RFC 1122 and upgrades the requirement of supporting the algorithm from a SHOULD to a MUST. This document obsoletes RFC 2988. [STANDARDS-TRACK]Multicast DNSAs networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, but not limited to, host names) in the absence of a conventional managed DNS server is useful.Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names.The primary benefits of Multicast DNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures.DNSSEC Operational Practices, Version 2This document describes a set of practices for operating the DNS with security extensions (DNSSEC). The target audience is zone administrators deploying DNSSEC.The document discusses operational aspects of using keys and signatures in the DNS. It discusses issues of key generation, key storage, signature generation, key rollover, and related policies.This document obsoletes RFC 4641, as it covers more operational ground and gives more up-to-date requirements with respect to key sizes and the DNSSEC operations.Architectural Considerations on Application Features in the DNSA number of Internet applications rely on the Domain Name System (DNS) to support their operations. Many applications use the DNS to locate services for a domain; some, for example, transform identifiers other than domain names into formats that the DNS can process, and then fetch application data or service location data from the DNS. Proposals incorporating sophisticated application behavior using DNS as a substrate have raised questions about the role of the DNS as an application platform. This document explores the architectural consequences of using the DNS to implement certain application features, and it provides guidance to future application designers as to the limitations of the DNS as a substrate and the situations in which alternative designs should be considered.TCP Fast OpenThis document describes an experimental TCP mechanism called TCP Fast Open (TFO). TFO allows data to be carried in the SYN and SYN-ACK packets and consumed by the receiving end during the initial connection handshake, and saves up to one full round-trip time (RTT) compared to the standard TCP, which requires a three-way handshake (3WHS) to complete before data can be exchanged. However, TFO deviates from the standard TCP semantics, since the data in the SYN could be replayed to an application in some rare circumstances. Applications should not use TFO unless they can tolerate this issue, as detailed in the Applicability section.Child-to-Parent Synchronization in DNSThis document specifies how a child zone in the DNS can publish a record to indicate to a parental agent that the parental agent may copy and process certain records from the child zone. The existence of the record and any change in its value can be monitored by a parental agent and acted on depending on local policy.AS112 Nameserver OperationsMany sites connected to the Internet make use of IPv4 addresses that are not globally unique. Examples are the addresses designated in RFC 1918 for private use within individual sites.Devices in such environments may occasionally originate Domain Name System (DNS) queries (so-called "reverse lookups") corresponding to those private-use addresses. Since the addresses concerned have only local significance, it is good practice for site administrators to ensure that such queries are answered locally. However, it is not uncommon for such queries to follow the normal delegation path in the public DNS instead of being answered within the site.It is not possible for public DNS servers to give useful answers to such queries. In addition, due to the wide deployment of private-use addresses and the continuing growth of the Internet, the volume of such queries is large and growing. The AS112 project aims to provide a distributed sink for such queries in order to reduce the load on the corresponding authoritative servers. The AS112 project is named after the Autonomous System Number (ASN) that was assigned to it.This document describes the steps required to install a new AS112 node and offers advice relating to such a node's operation.This document obsoletes RFC 6304.DNS Root Name Service Protocol and Deployment RequirementsThe DNS root name service is a critical part of the Internet architecture. The protocol and deployment requirements for the DNS root name service are defined in this document. Operational requirements are out of scope.Specification for DNS over Transport Layer Security (TLS)This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.CHAIN Query Requests in DNSThis document defines an EDNS0 extension that can be used by a security-aware validating resolver configured to use a forwarding resolver to send a single query, requesting a complete validation path along with the regular query answer. The reduction in queries potentially lowers the latency and reduces the need to send multiple queries at once. This extension mandates the use of source-IP- verified transport such as TCP or UDP with EDNS-COOKIE, so it cannot be abused in amplification attacks.Transport Layer Security (TLS) False StartThis document specifies an optional behavior of Transport Layer Security (TLS) client implementations, dubbed "False Start". It affects only protocol timing, not on-the-wire protocol data, and can be implemented unilaterally. A TLS False Start reduces handshake latency to one round trip.DNSSEC Roadblock AvoidanceThis document describes problems that a Validating DNS resolver, stub-resolver, or application might run into within a non-compliant infrastructure. It outlines potential detection and mitigation techniques. The scope of the document is to create a shared approach to detect and overcome network issues that a DNSSEC software/system may face.DNS over Datagram Transport Layer Security (DTLS)DNS queries and responses are visible to network elements on the path between the DNS client and its server. These queries and responses can contain privacy-sensitive information, which is valuable to protect.This document proposes the use of Datagram Transport Layer Security (DTLS) for DNS, to protect against passive listeners and certain active attacks. As latency is critical for DNS, this proposal also discusses mechanisms to reduce DTLS round trips and reduce the DTLS handshake size. The proposed mechanism runs over port 853.Using Secure DNS to Associate Certificates with Domain Names for S/MIMEThis document describes how to use secure DNS to associate an S/MIME user's certificate with the intended domain name, similar to the way that DNS-Based Authentication of Named Entities (DANE), RFC 6698, does for TLS.Internet Protocol, Version 6 (IPv6) SpecificationThis document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460.DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look?The basic design of the Domain Name System was completed almost 30 years ago. The last half of that period has been characterized by significant changes in requirements and expectations, some of which either require changes to how the DNS is used or can be accommodated only poorly or not at all. This document asks the question of whether it is time to either redesign and replace the DNS to match contemporary requirements and expectations (rather than continuing to try to design and implement incremental patches that are not fully satisfactory) or draw some clear lines about functionality that is not really needed or that should be performed in some other way.The Transport Layer Security (TLS) Protocol Version 1.3This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.Padding Policies for Extension Mechanisms for DNS (EDNS(0))RFC 7830 specifies the "Padding" option for Extension Mechanisms for DNS (EDNS(0)) but does not specify the actual padding length for specific applications. This memo lists the possible options ("padding policies"), discusses the implications of each option, and provides a recommended (experimental) option.Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANYThe Domain Name System (DNS) specifies a query type (QTYPE) "ANY". The operator of an authoritative DNS server might choose not to respond to such queries for reasons of local policy, motivated by security, performance, or other reasons.The DNS specification does not include specific guidance for the behavior of DNS servers or clients in this situation. This document aims to provide such guidance.This document updates RFCs 1034 and 1035.Yeti DNS TestbedYeti DNS is an experimental, non-production root server testbed that provides an environment where technical and operational experiments can safely be performed without risk to production root server infrastructure. This document aims solely to document the technical and operational experience of deploying a system that is similar to but different from the Root Server system (on which the Internet's Domain Name System is designed and built).DNS Queries over HTTPS (DoH)This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.DNS Stateful OperationsThis document defines a new DNS OPCODE for DNS Stateful Operations (DSO). DSO messages communicate operations within persistent stateful sessions using Type Length Value (TLV) syntax. Three TLVs are defined that manage session timeouts, termination, and encryption padding, and a framework is defined for extensions to enable new stateful operations. This document updates RFC 1035 by adding a new DNS header OPCODE that has both different message semantics and a new result code. This document updates RFC 7766 by redefining a session, providing new guidance on connection reuse, and providing a new mechanism for handling session idle timeouts.Reverse DNS in IPv6 for Internet Service ProvidersIn IPv4, Internet Service Providers (ISPs) commonly provide IN-ADDR.ARPA information for their customers by prepopulating the zone with one PTR record for every available address. This practice does not scale in IPv6. This document analyzes different approaches and considerations for ISPs in managing the IP6.ARPA zone.Running a Root Server Local to a ResolverSome DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server; those resolvers may have difficulty getting responses from the root servers, such as during a network attack. Some DNS recursive resolver operators want to prevent snooping by third parties of requests sent to DNS root servers. In both cases, resolvers can greatly decrease the round-trip time and prevent observation of requests by serving a copy of the full root zone on the same server, such as on a loopback address or in the resolver software. This document shows how to start and maintain such a copy of the root zone that does not cause problems for other users of the DNS, at the cost of adding some operational fragility for the operator.This document obsoletes RFC 7706.A Common Operational Problem in DNS Servers: Failure to CommunicateThe DNS is a query/response protocol. Failing to respond to queries, or responding incorrectly, causes both immediate operational problems and long-term problems with protocol development. This document identifies a number of common kinds of queries to which some servers either fail to respond or respond incorrectly. This document also suggests procedures for zone operators to apply to identify and remediate the problem. The document does not look at the DNS data itself, just the structure of the responses.Recommendations for DNS Privacy Service OperatorsThis document presents operational, policy, and security considerations for DNS recursive resolver operators who choose to offer DNS privacy services. With these recommendations, the operator can make deliberate decisions regarding which services to provide, as well as understanding how those decisions and the alternatives impact the privacy of users. This document also presents a non-normative framework to assist writers of a Recursive operator Privacy Statement, analogous to DNS Security Extensions (DNSSEC) Policies and DNSSEC Practice Statements described in RFC 6841.Secret Key Transaction Authentication for DNS (TSIG)This document describes a protocol for transaction-level authentication using shared secrets and one-way hashing. It can be used to authenticate dynamic updates to a DNS zone as coming from an approved client or to authenticate responses as coming from an approved name server.No recommendation is made here for distributing the shared secrets; it is expected that a network administrator will statically configure name servers and clients using some out-of-band mechanism.This document obsoletes RFCs 2845 and 4635.Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK RolloverDNS Response Rate Limiting (DNS RRL)ISC-TN-2012-1-Draft1Connection-Oriented DNS to Improve Privacy and SecurityDNS Anomalies and Their Impacts on DNS Cache ServersNANOG 32An Analysis of TCP Traffic in Root Server DITL DataDNS-OARC 2014 Fall WorkshopTCP Fast OpenWikipediaRFCs Related to DNS Transport over TCPThis section enumerates all known RFCs with a status of
Internet Standard, Proposed Standard,
Informational, Best Current Practice,
or Experimental that either implicitly or explicitly make
assumptions or statements about the use of TCP as a transport for
the DNS germane to this document.RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATIONThe Internet Standard is the
base DNS specification that explicitly defines support for DNS
over TCP.RFC 1536 - Common DNS Implementation Errors and Suggested FixesThe Informational document
states that UDP is "the chosen protocol for communication though TCP
is used for zone transfers." That statement should now be
considered in its historical context and is no longer a proper
reflection of modern expectations.RFC 1995 - Incremental Zone Transfer in DNSThe Proposed Standard
documents the use of TCP as the fallback transport when Incremental Zone Transfer (IXFR)
responses do not fit into a single UDP response. As with Authoritative Transfer (AXFR),
IXFR messages are typically delivered over TCP by default in
practice.RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)The Proposed Standard
suggests that a primary server may decide to issue NOTIFY messages over
TCP. In practice, NOTIFY messages are generally sent over UDP,
but this specification leaves open the possibility that the
choice of transport protocol is up to the primary server; therefore,
a secondary server ought to be able to operate over both UDP and TCP.RFC 2181 - Clarifications to the DNS SpecificationThe Proposed Standard
includes clarifying text on how a client should react to the TC
bit set on responses. It is advised that the response be
discarded and the query resent using TCP.RFC 2694 - DNS extensions to Network Address Translators (DNS_ALG)The Informational document
enumerates considerations for NAT
devices to properly handle DNS traffic. This document is
noteworthy in its suggestion that
"[t]ypically, TCP is used for AXFR requests,"
as further evidence that helps
explain why DNS over TCP may have often been treated very
differently than DNS over UDP in operational networks.RFC 3225 - Indicating Resolver Support of DNSSECThe Proposed Standard
makes statements indicating that DNS over TCP is "detrimental" as a
result of increased traffic, latency, and server load. This
document is a companion to the next document in the RFC
Series that describes the requirement for EDNS(0) support for DNSSEC.RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message size requirementsAlthough updated by later DNSSEC RFCs,
the Proposed Standard
strongly argues in favor of
UDP messages instead of TCP, largely for performance reasons.
The document declares EDNS(0) a requirement for DNSSEC servers and
advocates that packet fragmentation may be preferable to TCP in
certain situations.RFC 4472 - Operational Considerations and Issues with IPv6 DNSThe Informational document notes
that IPv6 data may increase DNS responses beyond what would fit in
a UDP message. What is particularly noteworthy, but perhaps less common today
than when this document was written, is that it refers to implementations that
truncate data without setting the TC bit to encourage the client to
resend the query using TCP.RFC 5452 - Measures for Making DNS More Resilient against Forged AnswersThe Proposed Standard arose
as public DNS systems began to experience widespread abuse from spoofed
queries, resulting in amplification and reflection attacks against
unwitting victims. One of the leading justifications for supporting
DNS over TCP to thwart these attacks is briefly described in ("Spoof Detection and Countermeasure").RFC 5507 - Design Choices When Expanding the DNSThe Informational document was
largely an attempt to dissuade new DNS data types from overloading the
TXT resource record type. In so doing, it summarizes the conventional
wisdom of DNS design and implementation practices. The authors
suggest TCP overhead and stateful properties pose challenges compared
to UDP and imply that UDP is generally preferred for performance and
robustness.RFC 5625 - DNS Proxy Implementation GuidelinesThe Best Current Practice document
provides DNS proxy implementation guidance including the mandate that a
proxy "MUST [...] be prepared to receive and forward queries over TCP"
even though it suggests that, historically, TCP transport has not been strictly
mandatory in stub resolvers or recursive servers.RFC 5936 - DNS Zone Transfer Protocol (AXFR)The Proposed Standard
provides a detailed specification for the zone transfer protocol,
as originally outlined in the early DNS standards. AXFR operation
is limited to TCP and not specified for UDP. This document
discusses TCP usage at length.RFC 7534 - AS112 Nameserver OperationsThe Informational document
enumerates the requirements for operation of AS112 project DNS
servers. New AS112 nodes are tested for their ability to provide
service on both UDP and TCP transports, with the implication that
TCP service is an expected part of normal operations.RFC 6762 - Multicast DNSIn the Proposed Standard , the
TC bit is deemed to have essentially the same meaning as described
in the original DNS specifications. That is, if a response with the
TC bit set is received, "[...] the querier SHOULD reissue its query
using TCP in order to receive the larger response."RFC 6891 - Extension Mechanisms for DNS (EDNS(0))The Internet Standard
helped slow the use of and need for DNS-over-TCP messages. This
document highlights concerns over server load and scalability in
widespread use of DNS over TCP.IAB RFC 6950 - Architectural Considerations on Application Features in the DNSThe Informational document draws
attention to large data in the DNS. TCP is referenced in the
context as a common fallback mechanism and counter to some spoofing
attacks.RFC 7477 - Child-to-Parent Synchronization in DNSThe Proposed Standard
specifies an RRType and a protocol to signal and synchronize NS, A,
and AAAA resource record changes from a child-to-parent zone.
Since this protocol may require multiple requests and responses,
it recommends utilizing DNS over TCP to ensure the conversation
takes place between a consistent pair of end nodes.RFC 7720 - DNS Root Name Service Protocol and Deployment RequirementsThe Best Current Practice document
declares that root name service "MUST support UDP and TCP
transport of DNS queries and responses."RFC 7766 - DNS Transport over TCP - Implementation RequirementsThe Proposed Standard
instructs DNS implementors to provide support for carrying DNS-over-TCP messages in their software and
might be considered the direct ancestor of this operational
requirements document.
The implementation requirements document
codifies mandatory support for DNS-over-TCP in compliant DNS
software but
makes no recommendations to operators, which we seek to address
here.RFC 7828 - The edns-tcp-keepalive EDNS(0) OptionThe Proposed Standard
defines an EDNS(0) option to negotiate an idle timeout value for
long-lived DNS-over-TCP connections. Consequently, this document
is only applicable and relevant to DNS-over-TCP sessions and
between implementations that support this option.RFC 7858 - Specification for DNS over Transport Layer Security (TLS)The Proposed Standard
defines a method for putting DNS messages into a TCP-based
encrypted channel using TLS. This specification is noteworthy
for explicitly targeting the stub-to-recursive traffic but
does not preclude its application from recursive-to-authoritative
traffic.RFC 7873 - Domain Name System (DNS) CookiesThe Proposed Standard
describes an EDNS(0) option to provide additional protection
against query and answer forgery. This specification mentions
DNS over TCP as an alternative mechanism when DNS cookies
are not available. The specification does make mention of DNS-over-TCP processing in two specific situations. In one, when a
server receives only a client cookie in a request, the server
should consider whether the request arrived over TCP, and if so,
it should consider accepting TCP as sufficient to authenticate
the request and respond accordingly. In another, when a client
receives a BADCOOKIE reply using a fresh server cookie, the
client should retry using TCP as the transport.RFC 7901 - CHAIN Query Requests in DNSThe Experimental specification
describes an EDNS(0) option that can be used by a security-aware
validating resolver to request and obtain a complete DNSSEC
validation path for any single query. This document requires the
use of DNS over TCP or a transport
mechanism verified by a source IP address such as EDNS-COOKIE .RFC 8027 - DNSSEC Roadblock AvoidanceThe Best Current Practice document details observed
problems with DNSSEC deployment and mitigation techniques.
Network traffic blocking and restrictions, including DNS-over-TCP
messages, are highlighted as one reason for DNSSEC deployment
issues. While this document suggests these sorts of problems are
due to "non-compliant infrastructure", the
scope of the document is limited to detection and mitigation
techniques to avoid so-called DNSSEC roadblocks.RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)The Experimental specification
details a protocol that uses a datagram transport (UDP) but
stipulates that "DNS clients and servers that implement DNS over
DTLS MUST also implement DNS over TLS in order to provide privacy
for clients that desire Strict Privacy [...]." This requirement
implies DNS over TCP must be supported in case the message size
is larger than the path MTU.RFC 8162 - Using Secure DNS to Associate Certificates with Domain Names for S/MIMEThe Experimental specification
describes a technique to authenticate user X.509 certificates
in an S/MIME system via the DNS. The document points out that
the new experimental resource record types are expected to carry
large payloads, resulting in the suggestion that "applications
SHOULD use TCP -- not UDP -- to perform queries for the SMIMEA
resource record."RFC 8324 - DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look? The Informational document
briefly discusses the common role and challenges of DNS over TCP
throughout the history of DNS.RFC 8467 - Padding Policies for Extension Mechanisms for DNS (EDNS(0))The Experimental document
reminds implementors to consider the underlying transport
protocol (e.g., TCP) when calculating the padding length when
artificially increasing the DNS message size with an EDNS(0)
padding option.RFC 8482 - Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANYThe Proposed Standard
describes alternative ways that DNS servers can respond to queries
of type ANY, which are sometimes used to provide amplification
in DDoS attacks. The specification notes that responders may
behave differently, depending on the transport. For example,
minimal-sized responses may be used over UDP transport, while
full responses may be given over TCP.RFC 8483 - Yeti DNS TestbedThe Informational document
describes a testbed environment that highlights some DNS-over-TCP
behaviors, including issues involving packet fragmentation and
operational requirements for TCP stream assembly in order to
conduct DNS measurement and analysis.RFC 8484 - DNS Queries over HTTPS (DoH)The Proposed Standard
defines a protocol for sending DNS queries and responses over
HTTPS. This specification assumes TLS and TCP for the underlying
security and transport layers, respectively. Self-described as a
technique that more closely resembles a tunneling mechanism,
DoH nevertheless likely implies DNS over TCP in some sense, if not
directly.RFC 8490 - DNS Stateful OperationsThe Proposed Standard
updates the base protocol specification with a new OPCODE to
help manage stateful operations in persistent sessions, such
as those that might be used by DNS over TCP.RFC 8501 - Reverse DNS in IPv6 for Internet Service ProvidersThe Informational document
identifies potential operational challenges with dynamic DNS,
including denial-of-service threats. The document suggests TCP
may provide some advantages but that updating hosts would need
to be explicitly configured to use TCP instead of UDP.RFC 8806 - Running a Root Server Local to a ResolverThe Informational document
describes how to obtain and operate a local copy of the root zone
with examples showing how to pull from authoritative sources using
a DNS-over-TCP zone transfer.RFC 8906 - A Common Operational Problem in DNS Servers: Failure to CommunicateThe Best Current Practice document
discusses a number of DNS operational failure scenarios and how to
avoid them. This includes discussions involving DNS-over-TCP queries,
EDNS over TCP, and a testing methodology that includes a section on
verifying DNS-over-TCP functionality.RFC 8932 - Recommendations for DNS Privacy Service OperatorsThe Best Current Practice document
presents privacy considerations to DNS privacy service operators.
These mechanisms sometimes include the use of TCP and are therefore
susceptible to information leakage such as TCP-based fingerprinting.
This document also references an earlier draft version of this document.RFC 8945 - Secret Key Transaction Authentication for DNS (TSIG)The Internet Standard
recommends that a client use TCP if truncated TSIG messages are
received.AcknowledgmentsThis document was initially motivated by feedback from students
who pointed out that they were hearing contradictory information
about filtering DNS-over-TCP messages. Thanks in particular to a
teaching colleague, JPL, who perhaps unknowingly encouraged the
initial research into the differences between what the community has
historically said and did. Thanks to all the NANOG 63 attendees
who provided feedback for an early talk on this subject.The following individuals provided an array of feedback to help
improve this document: , , , , , , , ,
, and . The authors are also indebted to the contributions
stemming from discussion in the TCPM Working Group meeting at
IETF 104. Any remaining errors or imperfections are the sole
responsibility of the document authors.Authors' AddressesDataplane.orgChicagoIL60605United States of America+1 312 493 0305jtk@dataplane.orghttps://dataplane.org/jtk/Verisign12061 Bluemont WayRestonVA20190United States of America+1 703 948 3200dwessels@verisign.comhttps://verisign.com